Certomancer

This is a maintenance release to address a number of bugs and development setup issues.

What's Changed
* password type is Optional[bytes] not str by peteris-zealid in https://github.com/MatthiasValvekens/certomancer/pull/3
* provide example for key generation by peteris-zealid in https://github.com/MatthiasValvekens/certomancer/pull/1
* AIO test upgrades by MatthiasValvekens in https://github.com/MatthiasValvekens/certomancer/pull/6
* Reinstate asn1crypto registration of AA types by MatthiasValvekens in https://github.com/MatthiasValvekens/certomancer/pull/5 (see also #4)
* Miscellaneous issues: `tzlocal` import was corrected, key loading errors were consolidated.

New Contributors
* peteris-zealid made their first contribution in https://github.com/MatthiasValvekens/certomancer/pull/3

**Full Changelog**: https://github.com/MatthiasValvekens/certomancer/compare/0.8.2...0.8.3

This is a maintenance release to upgrade `asn1crypto` to `1.5.0`, which allows us to drop the compatibility shims for EdDSA and attribute certificate encoding.

This is a bugfix release for `0.8.0`, addressing an issue with Certomancers mock TSA server. Previously, sending a timestamp request without a nonce would result in an error. This patch release addresses that issue.

**Note:** Certomancer's initially planned set of features is now more or less complete. While some reorganisation, minor enhancements and bugfixes may still occur, no major new features will be added between this release and `1.0.0`.

This release introduces pluggable _certificate profiles_ as a more convenient way of setting up certificate extensions across many certificates at once. Further details and examples are in the documentation.

The following miscellaneous changes are also part of this release:

- The `certomancer.registry` module was refactored into a package. Since not all original members are reexported at the package level, there may be some degree of breakage in existing calling code.
- Certomancer now attempts (by default) to ensure that it generates only one copy of any given extension on a given certificate (taking into account templates and profiles), since that's typically what you want when generating test certificates. If you really need duplicate extensions, set `unique-extensions: false`.
- There was a minor bug with the auto-assignment of `authorityKeyIdentifier` extension, which could fail in some cases if the issuer's certificate did not have a `subjectKeyIdentifier` extension. Since Certomancer always provides a value for that extension, this bug could only be triggered on user-imported CA certificates that do not conform to RFC 5280.

This bugfix release bumps `pyhanko-certvalidator` to `0.19.2`, and patches a bug with the tagging of the `issuer` field in attribute certificates.

This update adds the following features:

- Attribute certificate support.
- A new subcommand (`certomancer seance`) to interact with Certomancer's mock OCSP responders from the CLI.

In addition, there are a number of miscellaneous tweaks & bug fixes:

- Fix OCSP request handling for requests without the `nonce` extension.
- Avoid leaving the `extensions` field in an OCSP response empty when there are no extensions, and just omit it entirely in that case.
- Improved service merging when using existing PKI architectures as templates.
- Detect instances of self-referential `issuer-cert` and throw immediately instead of blowing up the stack.
- Be more careful not to pollute certificate templates by storing template information before deriving default values for entries that depend on other entries.