Set default certificate validation policy to require digitalSignature key usage

[U-238]

signxml.util.X509CertChainVerifier currently uses the default extension policy from x509.verification.PolicyBuilder().build_client_verifier(), which requires the signer's certificate to have the "TLS Web Client Authentication" extended key usage extension. However, this extension is not a requirement to sign documents using XMLDSig. It should be sufficient for the signer's certificate to have only the "Digital Signature" key usage extension.

This is causing validation failures on valid XML signatures where the certificate lacks the "TLS Web Client Authentication" extended key usage extension.

This pull request:

1. Sets the default ExtensionPolicy to require only that the signer's certificate has the "Digital Signature" key usage extension.
2. Adds ee_policy and ca_policy kwargs to XMLVerifier.verify() to allow the ExtensionPolicy to be overridden if desired.

[kislyuk]

This is great, thanks! Release coming up.

[kislyuk]

While the ability to set this requirement is useful, I am going to have to set this to off by default because there are plenty of uses out there that use certificates without this key usage set.

[U-238]

Thank you for the very quick turnaround! I agree with your change to not require the "Digital Signature" key usage in order to avoid breaking existing implementations, however, the default should not require the "TLS Web Client Authentication" extended key usage either. I have submitted #293 to use a more permissive default that does not require the certificate to contain either of these extensions.