Refactor public verification API into a state machine

[briansmith]

Right now there are three steps involved in verifying a peer's certificate chain, as documented at https://briansmith.org/rustdoc/webpki/struct.EndEntityCert.html. Instead of telling people that they need to do all three steps, we should provide an API that doesn't give a "yes, valid" answer until all three steps have been done.

The tricky part is that we want to support these steps being done in parallel and/or out of the natural order, for performance reasons. The interaction between coordinating the parallel tasks and avoding dynamic memory allocation could make this tricky.

Also, we may want to have two state machines: One for verifying a peer's identity, and another for verifying our own identity, which is like identifying a peer's identity as well as checking that the cert is consistent with our private key.

[Demi-Marie]

Some users may be using just one of these steps on purpose. #113 is an example ― in the context of libp2p, there is no hostname to validate against, and IP addresses may be ephemeral.

Doing this in the absence of dynamic allocation will require unsafe code, unless I am missing something. If Arc is available, this is trivial, so we might only expose this when it is.