Test RFC 4945 PKI Profile for IKE/ISAKMP/PKIX's Basic Constraints

https://datatracker.ietf.org/doc/html/rfc4945#section-5.1.3.9
5.1.3.9.  BasicConstraints

   The PKIX certificate profile mandates that CA certificates contain
   this extension and that it be marked critical.  IKE implementations
   SHOULD reject CA certificates that do not contain this extension.
   For backwards compatibility, implementations may accept such
   certificates if explicitly configured to do so, but the default for
   this setting MUST be to reject such certificates.

Which is a bit vague.  It's interpreted as:

  - CAs (intermediate and root)

    Need CA=y, and preferably critical (but critical doesn't really
    matter as NSS supports Basic Constraints).

  - END

    CA=? is ignored (again critical doesn't matter as NSS supports it,
    allowing it to ignore it).

This test plays with CAs:

  - a broken cert chain

       mainca
       -> west-bc-missing-chain-int
       -> west-bc-missing-chain-end

    since the intermediate cert lacks CA=y, it can't be used for
    authentication and the connection should be rejected.

  - a broken root cert

      bc-n-ca -> bc-n-ca-west

    since the root cert, bc-n-ca, installed on east, is invalid,
    authentication should fail
