Limit e_registration_scheme_id_matches_subject_country to no longer apply to LEI or INT organizationIdentifiers #781

Merged
merged 4 commits into from
Jan 1, 2024

@robplee commented Dec 14, 2023

Following on from the comments on #768 and cabforum/smime#216, this PR limits the organizationIdentifier country code lint to no longer compare the country codes in LEI and INT organizationIdentifiers to the subject:countryName. This should prevent zlint 3.6.0 breaking some SMIME issuance that is considered valid by the SMIME WG.

I think this PR, or something like it, is needed before #776.

Regarding the change, I assume the SMIME WG are only expecting certs to contain a single organizationIdentifier, but zcrypto/x509 supports having more than one in the certs it parses, so I implemented accordingly. The discussion on the SMIME BR was saying that for INT/LEI schemes the "XG" isn't part of identifying the scheme, so it need not match the countryName. So I'm skipping the lint execution if all organizationIdentifiers are INT and/or LEI; if there are some organizationIdentifiers for which the check applies, then it's applied, but I skip the actual check against the countryName for any INT/LEI organizationIdentifiers. I don't think this is a realistic case; I'm pretty sure SMIME certs should only contain one organizationIdentifier, but I think it makes the lint better this way?
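The applicability and check logic described in the comment above, as an added Go example that is not the PR's or zlint's own code. The function names, the identifier layout (3-character scheme, 2-character country, then `-` or `+`) and the sample identifiers are assumptions made for illustration.

```go
package main

import "fmt"

// exemptSchemes: schemes whose country part ("XG" in the discussion) is not compared.
var exemptSchemes = map[string]bool{"LEI": true, "INT": true}

// splitOrgID extracts scheme and country code from an organizationIdentifier.
// Assumed layout for this example: 3-char scheme, 2-char country, then '-' or '+'.
func splitOrgID(id string) (scheme, country string, ok bool) {
	if len(id) < 6 || (id[5] != '-' && id[5] != '+') {
		return "", "", false
	}
	return id[:3], id[3:5], true
}

// applies reports whether the check should run at all: it is skipped when
// every organizationIdentifier uses an exempt scheme.
func applies(orgIDs []string) bool {
	for _, id := range orgIDs {
		if scheme, _, ok := splitOrgID(id); ok && !exemptSchemes[scheme] {
			return true
		}
	}
	return false
}

// mismatches returns the identifiers whose country code differs from
// countryName; exempt schemes are skipped even when mixed with other schemes.
// Malformed values are ignored here and left to a separate format check.
func mismatches(orgIDs []string, countryName string) []string {
	var bad []string
	for _, id := range orgIDs {
		scheme, country, ok := splitOrgID(id)
		if ok && !exemptSchemes[scheme] && country != countryName {
			bad = append(bad, id)
		}
	}
	return bad
}

func main() {
	ids := []string{"LEIXG-CONSTRUCTED0001", "NTRGB-12345678"} // constructed sample values
	fmt.Println(applies(ids), mismatches(ids, "DE"))
}
```
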

@christopher-henderson

> I'm pretty sure SMIME certs should only contain one organizationIdentifier but I think it makes the lint better this way?

Indeed, there is commonly a mismatch between what the ASN1 can technically encode and what requirements actually refer to. A best-effort attempt to at least consider these unlikely edge cases is always welcomed (although, sometimes we get bogged down with well, actually, technically... when considering some of these edge cases precisely because their behavior is not defined by the governing body in question...).

@christopher-henderson christopher-henderson merged commit be8dd6a into zmap:master Jan 1, 2024
4 checks passed
@robplee robplee deleted the fix_smime_orgid_lint branch January 3, 2024 09:07