Add hooks for injecting custom logic into the pathbuilding/verification process.

This mechanism should be able to support things like:
* Revocation check using CRLSet
* Baseline requirement enforcements -- like max TTL, SHA1 cert validity time
* Rejecting certificates with weak keys and signatures
* Verifying HPKP pins

Some of the above are currently layered on differently in Chromium's cert verifiers so may not in practice use the mechanism, but are reasonable motivating examples.

As a strawman, the API shape could be something simple like a callback to answer the question “Are you OK with this cert chain?” after constructing a possible chain, or more generally a callback for each certificate added to the chain during building.

The mechanism will need to play nicely with the error reporting, and also prioritizaiton in the case of rejection.