Enable certification verification using CRL-DP

Currently certificates can be validated only using OCSP with a configured
responder or using the AIA certificate extension. If the responder
cannot be used verification is not possible. This is the case for the
startup certificates of the responder.

The new policy add a verification using the CRL-DP extension defined in
the certificate. If this extension is defined it has precedence over the
OCSP and if it pass no other check are performed. If CRL cannot be
retrieved then the OCSP responder is used.
This new method takes place when OCSP is configured without a default
responder and the PKIX verification method is adopted (with the policy
OCSP_LEAF_AND_CHAIN_POLICY).

At least a verification method has to return success to accept the
certificate.

Author: fmarco76

native/src/main/native/org/mozilla/jss/ssl/common.c

@@ -945,22 +945,22 @@ JSSL_verifyCertPKIXInternal(CERTCertificate *cert,
      * we construct the policy ourselves. */
     PRUint64 ocsp_Enabled_Hard_Policy_LeafFlags[2] = {
         /* crl */
-        CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
+        CERT_REV_M_TEST_USING_THIS_METHOD,
         /* ocsp */
         CERT_REV_M_TEST_USING_THIS_METHOD |
             CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
     };
 
     PRUint64 ocsp_Enabled_Hard_Policy_ChainFlags[2] = {
         /* crl */
-        CERT_REV_M_DO_NOT_TEST_USING_THIS_METHOD,
+        CERT_REV_M_TEST_USING_THIS_METHOD,
         /* ocsp */
         CERT_REV_M_TEST_USING_THIS_METHOD |
             CERT_REV_M_FAIL_ON_MISSING_FRESH_INFO
     };
 
     CERTRevocationMethodIndex ocsp_Enabled_Hard_Policy_Method_Preference[1] = {
-        cert_revocation_method_ocsp
+      cert_revocation_method_crl
     };
 
     CERTRevocationFlags ocsp_Enabled_Hard_Policy = {