
Add proper support for emailAddress name constraints

Open briansmith opened this issue 3 years ago • 1 comment

webpki considers email addresses to be an "unsupported" name type and thus we reject any certificate that contains an email address if there are any email address name constraints. But there are real-life certificates with email address name constraints. Thus we should implement proper email address name constraint validation.

webpki presently requires that there be a subjectAltName extension in the certificate. If we were to ever relax that requirement then we must make sure we follow the special-case handling for certificates lacking a subjectAltName. Just one example from RFC 5280:

When constraints are imposed on the rfc822Name name form, but the certificate does not include a subject alternative name, the rfc822Name constraint MUST be applied to the attribute of type emailAddress in the subject distinguished name.

briansmith, Jan 12 '21 23:01

RFC 5280 further implies (but not using RFC 2119 language) that if there is an emailAddress in the subject then that same name should/must also be present in subjectAltName as an rfc822Name.

briansmith, Jan 12 '21 23:01
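The two points raised in this thread, the RFC 5280 rule quoted in the issue (apply rfc822Name constraints to the subject's emailAddress attribute when there is no subjectAltName) and the second comment's reading that a subject emailAddress should be mirrored as an rfc822Name in the subjectAltName, as one added Rust example. This is not webpki's code: the `Cert` and `Rfc822Constraints` structs stand in for parsed DER and are an assumption, as are the function names; the three constraint forms (mailbox, host, leading-dot domain) follow RFC 5280 section 4.2.1.10, and the sample addresses are constructed.

```rust
// Added example (not webpki's code): rfc822Name name-constraint checking per
// RFC 5280 section 4.2.1.10, including the fallback to the subject's
// emailAddress attribute when the certificate has no subjectAltName.
// The structs below are a simplified stand-in for parsed DER (an assumption).

#[derive(Debug, PartialEq)]
pub enum Error {
    MalformedName,
    NameConstraintViolation,
}

/// Only the fields relevant to rfc822Name constraints (assumed shape).
pub struct Cert<'a> {
    /// rfc822Name entries of subjectAltName; `None` means the certificate has
    /// no subjectAltName extension at all (`Some(vec![])` means it has one
    /// that simply carries no rfc822Name).
    pub san_rfc822_names: Option<Vec<&'a str>>,
    /// emailAddress attributes found in the subject distinguished name.
    pub subject_email_addresses: Vec<&'a str>,
}

/// rfc822Name entries of a nameConstraints extension (assumed shape).
pub struct Rfc822Constraints<'a> {
    pub permitted: Vec<&'a str>,
    pub excluded: Vec<&'a str>,
}

/// Split `local@domain`; both halves must be non-empty and ASCII
/// (internationalized addresses, RFC 8398, are out of scope here).
fn split_mailbox(addr: &str) -> Result<(&str, &str), Error> {
    if !addr.is_ascii() {
        return Err(Error::MalformedName);
    }
    match addr.rfind('@') {
        Some(i) if i > 0 && i + 1 < addr.len() => Ok((&addr[..i], &addr[i + 1..])),
        _ => Err(Error::MalformedName),
    }
}

/// Does `name` fall inside the subtree described by `constraint`?
/// RFC 5280 4.2.1.10 allows three forms: a full mailbox ("root@example.com"),
/// a host ("example.com": any mailbox on exactly that host) and a domain
/// (".example.com": any host strictly below example.com). The domain part is
/// compared case-insensitively, the local part case-sensitively (RFC 5321).
pub fn rfc822_matches(name: &str, constraint: &str) -> Result<bool, Error> {
    let (local, domain) = split_mailbox(name)?;
    if constraint.is_empty() || !constraint.is_ascii() {
        return Err(Error::MalformedName);
    }
    if constraint.contains('@') {
        let (c_local, c_domain) = split_mailbox(constraint)?;
        return Ok(local == c_local && domain.eq_ignore_ascii_case(c_domain));
    }
    if let Some(suffix) = constraint.strip_prefix('.') {
        if suffix.is_empty() {
            return Err(Error::MalformedName);
        }
        // Need "<label>." immediately before the suffix, so the domain must be
        // longer than the suffix and have a dot right in front of it.
        if domain.len() <= suffix.len() {
            return Ok(false);
        }
        let cut = domain.len() - suffix.len();
        return Ok(domain.as_bytes()[cut - 1] == b'.'
            && domain[cut..].eq_ignore_ascii_case(suffix));
    }
    Ok(domain.eq_ignore_ascii_case(constraint))
}

/// RFC 5280 6.1.4: a name violates the constraints if it matches any excluded
/// subtree, or if permitted subtrees of this type exist and it matches none.
pub fn check_name(name: &str, c: &Rfc822Constraints) -> Result<(), Error> {
    for ex in &c.excluded {
        if rfc822_matches(name, ex)? {
            return Err(Error::NameConstraintViolation);
        }
    }
    if c.permitted.is_empty() {
        return Ok(());
    }
    for p in &c.permitted {
        if rfc822_matches(name, p)? {
            return Ok(());
        }
    }
    Err(Error::NameConstraintViolation)
}

/// Apply rfc822Name constraints to a certificate. With a subjectAltName
/// present, only its rfc822Name entries are constrained; without one, the
/// constraint MUST be applied to the subject's emailAddress attributes
/// instead (the RFC 5280 text quoted in the issue).
pub fn check_cert(cert: &Cert, c: &Rfc822Constraints) -> Result<(), Error> {
    let names: &[&str] = match &cert.san_rfc822_names {
        Some(san) => san.as_slice(),
        None => cert.subject_email_addresses.as_slice(),
    };
    for n in names {
        check_name(n, c)?;
    }
    Ok(())
}

/// Subject emailAddress values not mirrored as an rfc822Name in the
/// subjectAltName: the situation the second comment reads RFC 5280 as
/// discouraging. A verifier could warn on (or reject) a non-empty result.
pub fn subject_emails_missing_from_san<'a>(cert: &Cert<'a>) -> Vec<&'a str> {
    let san = cert.san_rfc822_names.as_deref().unwrap_or(&[]);
    cert.subject_email_addresses
        .iter()
        .copied()
        .filter(|e| !san.iter().any(|s| rfc822_matches(e, s).unwrap_or(false)))
        .collect()
}

fn main() {
    // Constructed sample constraints: anyone at example.com except root.
    let c = Rfc822Constraints {
        permitted: vec!["example.com"],
        excluded: vec!["root@example.com"],
    };
    let with_san = Cert {
        san_rfc822_names: Some(vec!["alice@example.com"]),
        subject_email_addresses: vec!["alice@example.com"],
    };
    let no_san = Cert {
        san_rfc822_names: None,
        subject_email_addresses: vec!["bob@other.example"],
    };
    println!("with SAN: {:?}", check_cert(&with_san, &c));
    println!("no SAN, subject emailAddress checked: {:?}", check_cert(&no_san, &c));
    println!("unmirrored subject emails: {:?}", subject_emails_missing_from_san(&no_san));
}
```

Note the distinction the `Option` encodes: a certificate whose subjectAltName exists but lists no rfc822Name has its subject emailAddress left unchecked, because the RFC's fallback is worded for certificates lacking the extension entirely; that is exactly why the special case matters if the SAN requirement is ever relaxed.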