Add certificates checks

[dolmen]

Add Go tests in package embedded to check:

• validity of each certificate in 1 month (failure)
• validity of each certificate in 3 months (warning)
• certificate declared usage (warning)

GH Actions workflow is updated to run the tests.

Note: I had written an earlier version of those checks for gocertifi in certifi/gocertifi#28.

[breml]

@dolmen thanks for your PR.

I am not yet convinced, that this test is actually helpful. This repo has a recurring job (runs weekly, https://github.com/breml/rootcerts/blob/master/.github/workflows/update.yml#L21), that checks, if there has been a change in the upstream certificates, that are embedded, which are served by the Mozilla Foundation. If the certificates provided by the Mozilla Foundation are no longer up to date (or do contain certificates, that are out of validity), then the wider ecco system does have a serious problem anyway with all the Firefox, Thunderbrid, etc. installations in the wild. We have to trust the Mozilla Foundation to do the right thing. If we don't, the validity is our least problem.

I made sure, that this GH action is kept active and it has run for the past 4 years.

Do I miss something? Where exactly do you see the additional value of this test?

[dolmen]

1. Those checks add our own level of trust. They include some checks of certificates options (such as usage bits) and we could add more.
2. The checks include validity checks. If the Mozilla URL stops being updated (this happened in the past when Mozilla switched to Mercurial and their older repo was still online but not updated), the lack of update will trigger a failure.
3. The checks verify that the certificates bundle works (parsing by crypto/x509 works) with the Go version being tested. We could add a workflow that runs the test with the development build (tip) of Go to detect future failures earlier. We could also add workflows that run the test with various GODEBUG options (ex: x509usepolicies=0).
4. Last but not least, I have a patch ready to switch the storage from PEM (text) to PER (binary) for a smaller footprint. These tests are an obvious requirements for regression testing.

[breml]

I looked at this PR and I am fine with merging it.
I have sent you some changes in a PR (looks like you have not allowed the maintainer to update your branch).

[dolmen]

dolmen-go#1

[dolmen]

@breml I've accepted and pushed your changes.

[breml]

LGTM

[breml]

@dolmen The check now fails in https://github.com/breml/rootcerts/actions/runs/14425557364/job/40453882801, but the certificate is still valid until May. Can you please have a look?