Support simultaneous verification of CSR and Challenge Password

[directionless]

Add a WithCombinedVerifier option, and associated interface, to verify the CSR and challenge password together. This allows the password to be a signature on the csr.

Additionally cleanup the logic around verification. This preserves the existing precedence, but should be more clear.

Question for the maintainers: I think it would be valuable in allowing something to modify the CSR before signing. I think there's an obvious hook for it, right here. What do y'all think? Should that be a different interface? Should this become ValidateAndRewrite ?

[directionless]

These days, bolt fails tests with -race. So there's some bitrot in the test suite.

[jessepeterson]

We changed the server service significantly in #113. By wrapping challenge password verification as a chained CSRSigner we can now do both at the same time. Does this address what you were attempting here?

Regarding your second request — modification of the CSR — what do you mean by this? Do you mean doing things to resulting certificate that aren't explicitly set in the CSR? I.e. setting add'l/different attributes and such? That sort of thing I would push towards the CA which, in #113's case, has now been moved into the depot pacakge. But in any case curious what you were thinking here; maybe an example would help.

[jessepeterson]

I think your first concern is now possible under #113 and your second concern is spoken to in issues like #103. Feel free to re-open this or another PR if not though. Thanks!