s2n-tls
Refactor s2n_x509_validator_validate_cert_chain to support an async callback
Resolved issues:
Part of https://github.com/aws/s2n-tls/issues/3499
Description of changes:
This PR refactors s2n_x509_validator_validate_cert_chain to support adding the async CRL callback.
A new validator state has been added, PRE_VALIDATE, which splits this function into two stages: INIT and PRE_VALIDATE. In the INIT stage, when the function is first called, the cert chain is read, the host name is validated, and the CRL callback will be triggered. After triggering the CRL callback, the function may return blocked. After unblocking, the function will continue and enter the PRE_VALIDATE stage, which will skip everything in the INIT stage and proceed to validate the certificate chain.
Splitting up this function into stages ensures that work is not duplicated after blocking due to invoking the async callback.
Call-outs:
A lot of pkey_types were set to S2N_PKEY_TYPE_UNKNOWN in this PR. This is because the default value for s2n_pkey_type is S2N_PKEY_TYPE_RSA, which is the value being checked in the tests. Setting the value to unknown ensures this value is actually changing.
Additionally, checks for S2N_PKEY_TYPE_RSA were removed in tests where s2n_x509_validator_validate_cert_chain is expected to fail. This is because public_key_out is now set later in this function, and is no longer set before this function fails in these tests.
Testing:
How is this change tested (unit tests, fuzz tests, etc.)? Are there any testing steps to be verified by the reviewer?
Is this a refactor change? If so, how have you proved that the intended behavior hasn't changed?
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
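The two-stage resumption pattern described in this PR, as an added illustrative model rather than code from s2n-tls or this PR: a constructed validator with hypothetical names (validate_cert_chain, struct crl_lookup, crl_lookup_ready) advances from INIT to PRE_VALIDATE before it can block on a simulated CRL callback, so that re-entering after the callback completes skips the chain read and host-name check instead of repeating them, and a failure in INIT returns before any key material would be exported.

```c
#include <stdbool.h>

/* Constructed model of the INIT / PRE_VALIDATE split; hypothetical names, not s2n-tls code. */
enum validator_state { INIT, PRE_VALIDATE, VALIDATED };
enum validate_result { VALIDATE_OK, VALIDATE_BLOCKED, VALIDATE_ERROR };

/* Stand-in for the async CRL callback: reports "ready" after remaining_polls retries. */
struct crl_lookup { int remaining_polls; bool triggered; };

struct validator {
    enum validator_state state;
    int init_stage_runs;    /* how often the INIT-stage work actually executed */
    int chain_validations;  /* how often the chain itself was validated */
};

static bool crl_lookup_ready(struct crl_lookup *crl)
{
    if (crl->remaining_polls > 0) {
        crl->remaining_polls--;
        return false;
    }
    return true;
}

enum validate_result validate_cert_chain(struct validator *v, struct crl_lookup *crl,
                                         bool hostname_ok)
{
    if (v->state == INIT) {
        /* INIT stage: read the chain, check the host name, trigger the CRL callback. */
        v->init_stage_runs++;
        if (!hostname_ok) {
            return VALIDATE_ERROR;  /* fails before any public key would be exported */
        }
        crl->triggered = true;
        /* Advance before possibly blocking, so a re-entry skips the INIT work. */
        v->state = PRE_VALIDATE;
    }
    if (v->state == PRE_VALIDATE) {
        if (!crl_lookup_ready(crl)) {
            return VALIDATE_BLOCKED;  /* caller retries once the callback completes */
        }
        /* PRE_VALIDATE stage: validate the chain using the CRL result. */
        v->chain_validations++;
        v->state = VALIDATED;
    }
    return VALIDATE_OK;
}
```

Calling validate_cert_chain repeatedly until it stops returning VALIDATE_BLOCKED leaves init_stage_runs at 1 however many times the lookup was pending.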