Improve ICAO CSCA handling

Neither using the subject hash nor the authority key id is unique even in
just a single CSCA certificate list, so we need to try all certificate
candidates for a given authority key id.

This also adds a script to extract CSCA "master list" files and convert
them into a format easier to consume for us. This only adds CSCA keys for
countries known to actually issue ICAO VDS vaccination certificates (AU,
JP), and it takes those from the German BSI CSCA list as the official ICAO
file is considered invalid by OpenSSL. This still needs further automation.