client certificate verification: builder style API

[jsha]

Over in rustls/rustls-ffi#324 (review) we talked a bit about the current API for the built-in implementations of ClientCertVerifier:

AllowAnyAnonymousOrAuthenticatedClient

AllowAnyAuthenticatedClient

NoClientAuth

The naming of these is a little verbose and confusing, and now that they take a CRLs argument, they are a bit redundant. Instead, we could adopt a builder-style API that could construct these, like ServerConfig. E.g.:

ClientVerifier::builder()
  .with_roots(root_store)
  .with_crls(crls)
  .allow_unauthenticated()
  .build()

ClientVerifier::builder()
  .with_roots(root_store)
  .without_crls()
  .build()

// equivalent to NoClientAuth; or we could keep NoClientAuth as a shortcut for this
ClientVerifier::builder()
  .allow_unauthenticated()
  .build()

[cpu]

Happy to take a crack at this one.

[jsha]

By the way, as mentioned on #1361, using CRLs for client cert verification in practice requires (a) using the Acceptor API, and (b) constructing a new verifier object on each handshake.

The current impls take ownership of a RootCertStore, which is a Vec<OwnedTrustAnchor>. That might get a little expensive to clone on each handshake, particularly if it's large. As long as we are making changes in this code it's probably a good idea to take an Arc<RootCertStore>.

[cpu]

The webpki client cert verifiers are created w/ a builder-style API and take Arc<RootCertStore> as of #1368