
Prefer CRLs with specific IDP match#3264

Merged
nhatnghiho merged 1 commit into
aws:mainfrom
nhatnghiho:specific-crl-match
May 23, 2026

Conversation

@nhatnghiho

Contributor

Issues:

Addresses D435946985

Description of changes:

When multiple CRLs are candidates during revocation checking, AWS-LC did not distinguish between a CRL whose IDP specifically matches the certificate's distribution point and a CRL with no IDP or an empty IDP. A broad CRL that is newer or loaded first could outrank a specific CRL, causing a revoked certificate to verify as valid.

This change introduces a new score bit CRL_SCORE_IDP_MATCH so that a CRL with a specific IDP match is always preferred over a broad no-IDP/empty-IDP CRL. crl_crldp_check now reports whether the match was specific via an idp_match out-parameter, and get_crl_score uses this to set the new bit. The bit is placed below CRL_SCORE_TIME so that an expired or unprocessable specific-IDP CRL cannot outrank a valid broad CRL.

Testing:

Unit tests added covering: specific vs. broad CRL preference regardless of freshness or load order, expired specific CRL losing to valid broad CRL, and specific CRL with unknown critical extension losing to processable broad CRL.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
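The scoring rule the description lays out can be checked with a small model. The following is an added example, not AWS-LC's code: the score bits, the `crl_t` record, `crldp_check`, `crl_score` and `best_crl` are all assumptions standing in for AWS-LC's `crl_crldp_check`/`get_crl_score`/selection loop, and the bit values are chosen only so that `CRL_SCORE_IDP_MATCH` sits below `CRL_SCORE_TIME` and `CRL_SCORE_NOCRITICAL`, as the PR requires. The four sample CRLs are constructed to mirror the PR's test list, with the broad CRL both loaded first and newer, and `use_idp_bit=false` reproduces the pre-fix tie that let the broad CRL win.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed score bits for this example, modelled on the OpenSSL-derived scheme
 * AWS-LC's x509_vfy.c inherits. Only the ordering matters: IDP_MATCH is below
 * TIME and NOCRITICAL, so an expired or unprocessable specific-IDP CRL can
 * never outrank a valid, processable broad CRL. */
#define CRL_SCORE_NOCRITICAL  0x100 /* no unhandled critical extensions */
#define CRL_SCORE_SCOPE       0x080 /* CRL scope covers the certificate */
#define CRL_SCORE_TIME        0x040 /* CRL within its validity window */
#define CRL_SCORE_IDP_MATCH   0x020 /* new bit: IDP specifically matched the cert's DP */
#define CRL_SCORE_ISSUER_NAME 0x010 /* issuer name matches the cert issuer */

typedef struct {
  const char *name;      /* label, for readability only */
  bool expired;          /* nextUpdate is in the past */
  bool unknown_critical; /* carries a critical extension the verifier cannot process */
  bool has_idp;          /* non-empty Issuing Distribution Point extension */
  bool idp_matches;      /* that IDP names the certificate's distribution point */
  long this_update;      /* larger = newer thisUpdate */
} crl_t;

/* Stand-in for crl_crldp_check(): returns whether the CRL is in scope for the
 * certificate, and reports via *idp_match whether scope came from a specific
 * IDP match rather than from a broad no-IDP/empty-IDP CRL. */
static bool crldp_check(const crl_t *crl, bool *idp_match) {
  *idp_match = false;
  if (!crl->has_idp) {
    return true; /* broad CRL: no IDP restriction, covers every DP */
  }
  *idp_match = crl->idp_matches;
  return crl->idp_matches; /* an IDP naming a different DP is out of scope */
}

/* Stand-in for get_crl_score(). Returns -1 when the CRL is out of scope.
 * use_idp_bit=false reproduces the pre-fix scoring (no IDP_MATCH bit). */
static int crl_score(const crl_t *crl, bool use_idp_bit) {
  int score = 0;
  bool idp_match = false;
  if (!crl->unknown_critical) score |= CRL_SCORE_NOCRITICAL;
  score |= CRL_SCORE_ISSUER_NAME; /* every sample CRL comes from the right issuer */
  if (!crl->expired) score |= CRL_SCORE_TIME;
  if (!crldp_check(crl, &idp_match)) return -1;
  score |= CRL_SCORE_SCOPE;
  if (use_idp_bit && idp_match) score |= CRL_SCORE_IDP_MATCH;
  return score;
}

/* Stand-in for the selection loop: highest score wins; on an equal score a
 * strictly newer thisUpdate wins; otherwise the CRL loaded first is kept. */
static const crl_t *best_crl(const crl_t *crls, size_t n, bool use_idp_bit) {
  const crl_t *best = NULL;
  int best_score = -1;
  for (size_t i = 0; i < n; i++) {
    int s = crl_score(&crls[i], use_idp_bit);
    if (s < 0) continue;
    if (best == NULL || s > best_score ||
        (s == best_score && crls[i].this_update > best->this_update)) {
      best = &crls[i];
      best_score = s;
    }
  }
  return best;
}

/* Constructed scenarios mirroring the PR's test list. The broad CRL is loaded
 * first and is newer in every case, which is exactly what used to let it win. */
static const crl_t kBroadValid      = {"broad-valid",       false, false, false, false, 200};
static const crl_t kSpecificValid   = {"specific-valid",    false, false, true,  true,  100};
static const crl_t kSpecificExpired = {"specific-expired",  true,  false, true,  true,  100};
static const crl_t kSpecificCrit    = {"specific-critical", false, true,  true,  true,  100};
static const crl_t kOtherDp         = {"other-dp",          false, false, true,  false, 300};

/* Returns the name of the CRL chosen from a two-candidate set, in load order. */
static const char *choose(const crl_t first, const crl_t second, bool use_idp_bit) {
  crl_t pair[2] = {first, second};
  const crl_t *b = best_crl(pair, 2, use_idp_bit);
  return b ? b->name : "none";
}

int main(void) {
  printf("pre-fix, broad vs specific:  %s\n", choose(kBroadValid, kSpecificValid, false));
  printf("post-fix, broad vs specific: %s\n", choose(kBroadValid, kSpecificValid, true));
  printf("broad vs expired specific:   %s\n", choose(kBroadValid, kSpecificExpired, true));
  printf("broad vs critical specific:  %s\n", choose(kBroadValid, kSpecificCrit, true));
  return 0;
}
```

Run as-is, the pre-fix line reports the broad CRL (equal scores, broad is newer) and the post-fix line the specific CRL; the expired and unknown-critical specific CRLs lose to the broad one because TIME and NOCRITICAL outweigh the new bit.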

@codecov-commenter

codecov-commenter commented May 22, 2026


Codecov Report

❌ Patch coverage is 97.14286% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.12%. Comparing base (b31b37d) to head (1a5583f).

Files with missing lines    Patch %   Lines
crypto/x509/x509_test.cc    96.77%    2 Missing ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3264   +/-   ##
=======================================
  Coverage   78.11%   78.12%           
=======================================
  Files         689      689           
  Lines      123460   123526   +66     
  Branches    17196    17198    +2     
=======================================
+ Hits        96442    96504   +62     
- Misses      26097    26103    +6     
+ Partials      921      919    -2     


samuel40791765
samuel40791765 previously approved these changes May 22, 2026
@nhatnghiho nhatnghiho marked this pull request as ready for review May 22, 2026 21:31
@nhatnghiho nhatnghiho requested a review from a team as a code owner May 22, 2026 21:32
justsmth
justsmth previously approved these changes May 22, 2026
@nhatnghiho nhatnghiho dismissed stale reviews from justsmth and samuel40791765 via 1a5583f May 22, 2026 23:02
@nhatnghiho nhatnghiho force-pushed the specific-crl-match branch from f9d720b to 1a5583f May 22, 2026 23:02
@nhatnghiho nhatnghiho enabled auto-merge (squash) May 22, 2026 23:05
@nhatnghiho nhatnghiho merged commit 958a4d4 into aws:main May 23, 2026
488 of 491 checks passed
5 participants