Add `-key-encipherment-selector` and use CA certs for verification

[hslatman]

When a SCEP server returns multiple certificates, it is possible that not all certificates can or should be used for encryption. There already was a KeyEnciphermentsSelector, but that wasn't readily usable with the provided SCEP client. A new flag was added to enable this selector: -key-encipherment-selector. It will filter out certificates that aren't marked as being usable for key or data encryption.

When verifying the PKIMessage from the CA only the Recipients in the outgoing message were being looked through when selecting a certificate to verify the signature. This commit changes that by including all certificates returned by the CA when the client performs the GetCACerts operation.