authorize: implement client certificate CRL check (#4439)

Update isValidClientCertificate() to also consult the configured
certificate revocation lists. Update existing test cases and add a new
unit test to exercise the revocation support. Restore the skipped
integration test case.

Generate new test certificates and CRLs using a new `go run`-able source
file.
Kenneth Jenkins 2023-08-03 15:59:11 -07:00 committed by GitHub
parent e91600c158
commit 9d4d31cb4f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 352 additions and 92 deletions

@ -393,8 +393,6 @@ func TestDownstreamClientCA(t *testing.T) {
assert.Equal(t, "/", result.Path)
})
t.Run("revoked client cert", func(t *testing.T) {
t.Skip("CRL support must be reimplemented first")
// Configure an http.Client with a revoked client certificate.
cert := loadCertificate(t, "downstream-1-client-revoked")
client, transport := getClientWithTransport(t)
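
Review bot: In the "revoked client cert" subtest, once the t.Skip("CRL support must be reimplemented first") line is gone, the test only proves revocation handling if the "downstream-1-client-revoked" fixture is rejected for being listed in the configured CRL. The commit message says the test certificates and CRLs are regenerated, so please have the subtest assert on the specific rejection rather than on any non-success response, so that it cannot pass because of an unrelated failure such as a fixture signed by the wrong CA or one that has expired. The assertions fall outside the visible context of this hunk, so this may already be covered. A companion check that a non-revoked certificate from the same CA still succeeds with the CRL loaded would also guard against the CRL rejecting everything.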