Fix CRL selection by cRLNumber and scope

[xyzzyz]

Fixes the issue in #488.

Previously, we used the first CRL with applicable scope on the passed list, without checking that it's the newest one we have.

In the new logic, once we find a CRL with applicable scope, we find the newest available CRL in the same scope, and use that for revocation check. We decide which is newest by CRL number, as RFC 5280 explicitly requires these to be present, and offers them for exactly this purpose:

5.2.3. CRL Number
The CRL number is a non-critical CRL extension that conveys a
monotonically increasing sequence number for a given CRL scope and
CRL issuer. This extension allows users to easily determine when a
particular CRL supersedes another CRL. CRL numbers also support the
identification of complementary complete CRLs and delta CRLs. CRL
issuers conforming to this profile MUST include this extension in all
CRLs and MUST mark this extension as non-critical.

There are some design considerations for handling scenarios when multiple scopes are applicable, and when some CRLs are invalid. These apply to pre-existing code too, so I'm not resolving these in this fix, and instead I'll open a separate issue to discuss them.

I used Codex GPT-5.5 on xhigh while working on this change, but I must say that it while it was very helpful with writing tests, it didn't do a good job on implementing the actual logic: its implementation was overly complicated, with extra unnecessary variables and unnecessarily nested match cases. I basically entirely rewrote it.

[codecov]

Codecov Report

❌ Patch coverage is 96.55172% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 97.67%. Comparing base (ce0d2e1) to head (b5951c6).

Files with missing lines	Patch %	Lines
src/crl/mod.rs	92.85%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #491      +/-   ##
==========================================
- Coverage   97.68%   97.67%   -0.02%     
==========================================
  Files          20       20              
  Lines        3971     3995      +24     
==========================================
+ Hits         3879     3902      +23     
- Misses         92       93       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[xyzzyz]

Regarding the code coverage results:

For this one:

it would be difficult to add coverage for this line in test: it would require deliberately creating an invalid CRL (one with missing CRL number). I made CRL number optional, because the library has not previously rejected CRLs without CRL number (even though RFC 5280 requires it). I could simplify code by requiring CRL number to be present. Should I do it? I think it's a good idea, because the change would only be observable on CRLs that we should be ignoring anyway.

For this one:

The library already didn't have coverage for hash, so I'm not sure if I should add this in this PR.

[xyzzyz]

Any chance this could get merged?

[djc]

No need to ping again so soon.

[xyzzyz]

Sorry, didn't know if anyone is looking at this.

[ctz]

Otherwise, this is looking alright to me.

[xyzzyz]

I rebased this change on top of main, should be ready for review/merge.

[xyzzyz]

Thanks for merging this!