fix(security): prevent DNS-rebind SSRF via AIA/OCSP/CRL hostnames #98

@danielewood

Description

Summary

AIA/OCSP/CRL URL validation allows hostnames without resolving them, enabling DNS rebinding to private networks and SSRF‑style access.

Why this matters

If a certificate contains attacker‑controlled AIA/OCSP/CRL URLs, certkit can be induced to fetch internal endpoints (metadata services, intranet HTTP services), which is a security risk for CLI and library consumers.

Evidence

  • ValidateAIAURL explicitly allows hostnames without resolving to an IP, citing DNS rebinding risk: bundle.go:169-199.
  • The URL validation is used for AIA and OCSP/CRL fetches: bundle.go:391-399, ocsp.go:57-62, connect.go:592.

Acceptance criteria

  • Hostnames are resolved at connection time and blocked if they resolve to loopback/private/link‑local ranges by default.
  • If private/internal CA endpoints must be supported, provide an explicit opt‑in flag or allow‑list.
  • Tests cover hostname that resolves to private IP and ensure it is blocked by default.

Suggested approach

  • Resolve the hostname immediately before fetch and enforce private‑range checks on each resolved IP.
  • Add a CLI flag (and library option) to allow private-network endpoints when explicitly requested.
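The approach above, as an added illustration that is not certkit's own code: the private-range check is placed in net.Dialer.Control, which receives the already-resolved ip:port the socket is about to connect to, so the check runs after resolution (closing the rebinding window between validation and fetch) and an allowPrivate opt-in stands in for the proposed flag. The names checkDialAddr, isPrivateDest and NewFetchClient are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// ErrPrivateAddress is returned when a fetch would reach a non-public address.
var ErrPrivateAddress = errors.New("destination is a loopback, private or link-local address")

// isPrivateDest reports whether ip lies in a range AIA/OCSP/CRL fetches must not
// reach by default. IPv4-mapped IPv6 (::ffff:10.0.0.1) is classified as IPv4.
func isPrivateDest(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// checkDialAddr is the guard run from net.Dialer.Control (hypothetical name).
// Control is handed the resolved "ip:port", so a second DNS answer after an
// earlier hostname check cannot redirect the connection unnoticed.
func checkDialAddr(address string, allowPrivate bool) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return fmt.Errorf("malformed dial address %q: %w", address, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return fmt.Errorf("dial address %q is not an IP literal", address)
	}
	if !allowPrivate && isPrivateDest(ip) {
		return fmt.Errorf("%w: %s", ErrPrivateAddress, ip)
	}
	return nil
}

// NewFetchClient builds an http.Client whose dialer refuses private ranges
// unless allowPrivate (the opt-in for internal CA endpoints) is set.
// Redirects go through the same transport, so they are guarded as well.
func NewFetchClient(allowPrivate bool) *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second}
	d.Control = func(network, address string, _ syscall.RawConn) error {
		return checkDialAddr(address, allowPrivate)
	}
	return &http.Client{Timeout: 15 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}
```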

Dedupe notes

Checked open issues #88, #92 and `gh search issues "repo:sensiblebit/certkit"` with relevant keywords; no overlapping issue found. Classified as new.
