Match req CLI behavior with OpenSSL

[nhatnghiho]

Description of changes:

Some of our current implementation doesn't match the OpenSSL default behavior, resulting in some package failures. The fixes include:

• Suppress private key write when -keyout is not provided and the config has no default output path
• Use default extensions when no valid extension section is found in config
• Add a fallback when no req section is found in config

Testing:

Cleaned up and added extra tests

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 49.75610% with 103 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.24%. Comparing base (bfd0825) to head (fe43741).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
tool-openssl/req_test.cc	42.35%	98 Missing ⚠️
tool-openssl/req.cc	85.71%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2836      +/-   ##
==========================================
- Coverage   78.25%   78.24%   -0.02%     
==========================================
  Files         683      683              
  Lines      117241   117347     +106     
  Branches    16484    16487       +3     
==========================================
+ Hits        91749    91815      +66     
- Misses      24608    24646      +38     
- Partials      884      886       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[WillChilds-Klein]

do we know that out_path will always be non-null/non-empty? looks like prior logic had a default value for this case. should we consider erroring out?

i see we move some of that logic below to L904, but are there any other call sites for WritePrivateKey?

[nhatnghiho]

I added a condition to only call WritePrivateKey when keyout is non-empty