control: select a signer that covers the segment

[lukedirtwalker]

When extending a segment we should select a signer that covers the whole validity of the segment. So far we only checked the end date, but with the introduction of enforcing that the AS certificate covers the whole AS entry (#4492) the verifier checks that the start date of the certificate also covers the whole segment lifetime. However for signing we so far only used the latest certificate, which might have a later start date than the timestamp of the segment.

This is a problem because between creation of a segment and the signing of a AS entry in a downstream AS there can be quite some time.

This commit now makes sure to select a signer/certificate that covers the start of the segments.

[matzf]

This change is 

[oncilla]

Reviewed 11 of 18 files at r1, 13 of 13 files at r2, all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @lukedirtwalker and @matzf)

---

control/mgmtapi/api.go line 698 at r2 (raw file):

		return
	}
	now := time.Now()

nit: I think that should use s.now() for consistency

[lukedirtwalker]

Reviewable status: 22 of 24 files reviewed, all discussions resolved (waiting on @matzf and @oncilla)

---

control/mgmtapi/api.go line 698 at r2 (raw file):

Previously, oncilla (Dominik Roos) wrote…

nit: I think that should use s.now() for consistency

Done.

[oncilla]

Reviewed 2 of 2 files at r3.
Reviewable status: all files reviewed (commit messages unreviewed), all discussions resolved (waiting on @matzf)

[oncilla]

Reviewed all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on @matzf)