Merge changes Ia748b6ae,Id8a48e14,Id25ab231,Ie26eed8a,Idf48f716, ... into integration

* changes:
  refactor(auth): partially validate SubjectPublicKeyInfo early
  fix(auth): reject padding after BIT STRING in signatures
  fix(auth): reject invalid padding in digests
  fix(auth): require at least one extension to be present
  fix(auth): forbid junk after extensions
  fix(auth): only accept v3 X.509 certificates