fix: normalize ASN.1 BIT STRING key usage bits

[leanthebean]

Summary

• Fix CAT finding cb302161-be6b-49b6-bb87-c0d5cc3d5d60.
• Normalize ASN.1 BIT STRING integer decoding so the first payload octet stays in the low byte across one- and multi-octet encodings.
• Validate BIT STRING unused-bit metadata and reject non-zero unused padding bits.
• Add regression tests for 2-byte X.509 KeyUsage encodings where decipherOnly must not alias digitalSignature, and keyCertSign | decipherOnly must still satisfy the CA keyCertSign mask.

Security

CertManager._verifyKeyUsageExtension intentionally checks X.509 KeyUsage bits with 0x80 for digitalSignature and 0x04 for keyCertSign. Before this change, Asn1Decode.bitstringUintAt returned multi-byte BIT STRING payloads as a big-endian integer, so those masks targeted the last content octet when the KeyUsage BIT STRING had more than one payload byte.

This change keeps the first KeyUsage payload octet in the least significant byte, preserving the existing masks for both one-byte and multi-byte KeyUsage encodings. It also enforces DER-style unused-bit padding, so malformed trailing padding cannot influence the decoded value.

Tests

• forge test --match-path test/Asn1Decode.t.sol -vvv
• forge test