The test should not need to sanitise the environment of this test in
particular (if we do not trust the environment then there would be a lot
more to sanitise for the python part of the test as well), and the intent
was just to add the CAUCASE_PYTHON variable so caucase.sh runs the expected
python executable and not one possibly picked from PATH.
So copy environment, edit the copy and pass this to the caucase.sh
subprocess.

This codebase must remain py2 compatible for some more, so do not complain
about backward-compatible code.

Fixes cli.updater crashing when one of the locally-stored CA is expired.
Also, explicitly raise when there are CAs in the local trust store but all
fail loading.

If an unverifiable CRL is present (ex: its CA expired), then it can be
ignored in the computation of the next wake-up time.
Also, factorise with similar code in client.CaucaseClient.updateCRLFile .

Preserve py2.7 compatibility.
Also, make pylint happier with the result.

Otherwise, the expired CA causes an error when it is being loaded, before
the time comparison.
Also, CRL signed by that CA also causes an error (as its signature cannot
be checked).
Catch these errors so the corresponding unusable PEMs are discarded.

Make python3 resource leak detector happy.

Prevent the (very unlikely at a 10MB given the manipulated data structures)
risk of a partial read accidentally containing producing a well-formed
result.
Also, only accept base-10 content lengths.

This fixes late-trust-bootstrap clients' ability to trust certificates
issued by an older CA.

Emit Certificate Revocation Lists signed by all valid CAs.
Apparently openssl (or at least how it is used in stunnel4) fails to
validate a certificate when CRL validation is enabled and the key which
signed the CRL differs from the key which signed the certificate.
Also, add Authority Key Identifier CRL extension, required to be standard-
compliant.
Also, fix revocation entry expiration: the RFC requires them to be kept
at least one renewal cycle after the certificate's expiration.
As a consequence of this whole change:
- the protocol for retrieving the curren CRL changes to return the
  concatenated list of CRLs, which breaks the CRL distribution (...but
  the distributed CRLs were invalid anyway)
- stop storing the CRL PEM in caucased's database so that it gets
  re-generated with fresh code. As caucased is not expected to be
  restarted very often, the extra CRL generation on every start should
  not make a difference.

So it can be reused elsewhere.

Also, some word-wrapping.

Makes the code easier to read.

The only one present is not intended to be internally assigned.

datetime.datetime.fromtimestamp applies timezones, which is unintended.
Fixes a time drift on revoked certificates.

Also, this provides a handy location to log all queries when debugging.
Also, some minor cleanups.

So they can be reused for more PEM-encoded types.

Because this is not the job of an import/export tool.