Allow storing CA cert bundles

[letmaik]

Currently, set_ca_cert allows to store single named certs, which are used for the JWT auto-refresh feature.
It makes sense to generalize this to allow storing named lists of CA certs. This supports scenarios where a trusted/curated Root CA list is imported wholesale, e.g. from the Microsoft Trust Root Program or the Mozilla CA Cert Program. Note that the existing use case of a single cert will be supported as before (as that is just a special case).

The following changes are necessary:

• set_ca_cert proposal: Store PEM as-is (multiple certs are a concatenation, no change to payload) instead of converting to DER (there is no such thing as concatenated DER certs, see also docs on mbedtls_x509_crt_parse)
• Rename proposal {set|remove}_ca_cert to {set|remove}_ca_cert_bundle
• Rename kv table from public:ccf.gov.jwt.ca_certs_der to public:ccf.gov.tls.ca_cert_bundles
• Rename ca_cert_name in JWT Issuer metadata to ca_cert_bundle_name

Note that there won't be a performance impact from this change since JWT key auto-refresh is not on the critical path.

[achamayou]

In general we tend to default to PEM where we can, and being text with recognisable headers, it requires less documenting that DER, so I think we should just go to public:ccf.gov.jwt.ca_certs.

[letmaik]

I agree, I would like to avoid using the jwt namespace though which was introduced recently. CA cert lists likely have a wider field of use in the future.

[letmaik]

For future reference, OpenSSL doesn't come with a convenience function equivalent to mbedtls_x509_crt_parse to read a list of concatenated CA cert PEMs from memory. It does have a function to do the same from a file though and which is easy to adapt: https://github.com/openssl/openssl/blob/f16f363a85baa6338744e20671c5a227844f2847/crypto/x509/by_file.c#L89.

Also, it seems the word "bundle" is more common than "list" in this context.