
Reject CONTEXT-SPECIFIC tag class in serial number parser#249

Open
afldl wants to merge 7 commits into rusticata:master from afldl:fix-tag-class-validation

Conversation


@afldl afldl commented Jun 10, 2026


Problem

parse_serial() checks that the tag number equals Tag::Integer but does not verify the tag class. A CONTEXT-SPECIFIC [2] tag byte (0x82) has the same tag number as UNIVERSAL INTEGER (0x02) but a different class per X.690 §8.1.2. This makes the parser accept certificates with mismatched tag classes.

13 of 14 tested X.509 implementations reject this mutation. Only x509-parser and mbedTLS accept. See #248.

Fix

Check any.class() == Class::Universal before comparing the tag number.

     let (rem, any) = Any::parse_der(input).map_err(|_| X509Error::InvalidSerial)?;
+    if any.class() != Class::Universal {
+        return Err(Err::Error(X509Error::InvalidSerial));
+    }
     any.tag()
         .assert_eq(Tag::Integer)
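Review bot: the new class check still admits a UNIVERSAL, constructed identifier with tag number 2 (0x22) unless Any::parse_der already rejects it, because only any.class() is tested here and the following assert_eq(Tag::Integer) compares the tag number alone; an INTEGER must be primitive, so consider rejecting the constructed form next to the class check and adding a 0x22 case alongside test_serial_rejects_context_specific_tag so the same single-byte mutation technique covers both bits of the identifier octet.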

Test

Single-byte PoC: offset 0x0d of a standard RSA-2048 self-signed cert, tag byte changed from 0x02 to 0x82.

Test added: test_serial_rejects_context_specific_tag. All 66 existing tests pass.
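The identifier-octet split the PR relies on (class in bits 8-7, constructed flag in bit 6, tag number in bits 5-1), as an added stand-alone example that is not code from x509-parser or asn1-rs. It goes slightly beyond the PR's fix: besides rejecting a non-UNIVERSAL class it also rejects the constructed form of tag 2 and non-minimal INTEGER content. The certificate prefix, the serial bytes and the helper names (decode_identifier, parse_serial, serial_after_mutation, CERT_PREFIX) are constructed for this example; the outer SEQUENCE lengths are placeholders, only the serial TLV at offset 0x0d is parsed.

```rust
// Added example, not code from x509-parser or asn1-rs: a standalone DER
// INTEGER reader that checks the whole identifier octet (class, primitive
// bit, tag number) before accepting a certificate serial number. The
// certificate prefix and serial bytes below are constructed for this example.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Class {
    Universal,
    Application,
    ContextSpecific,
    Private,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SerialError {
    Truncated,
    WrongClass(Class),
    Constructed,
    WrongTag(u8),
    BadLength,
    NonMinimal,
}

/// Decode one identifier octet per X.690 8.1.2: bits 8-7 class, bit 6
/// primitive/constructed, bits 5-1 tag number. Tag numbers >= 31 use a
/// multi-octet form that INTEGER never needs, so it is not handled here.
pub fn decode_identifier(b: u8) -> (Class, bool, u8) {
    let class = match b >> 6 {
        0 => Class::Universal,
        1 => Class::Application,
        2 => Class::ContextSpecific,
        _ => Class::Private,
    };
    (class, b & 0x20 != 0, b & 0x1f)
}

/// Parse a DER INTEGER TLV at the start of `input`; returns its content
/// octets and the unparsed remainder. Checking only the tag number would
/// accept 0x82 ([2], context-specific) and 0x22 (universal, constructed),
/// because both carry tag number 2.
pub fn parse_serial(input: &[u8]) -> Result<(&[u8], &[u8]), SerialError> {
    let (&id, rest) = input.split_first().ok_or(SerialError::Truncated)?;
    let (class, constructed, tag) = decode_identifier(id);
    if class != Class::Universal {
        return Err(SerialError::WrongClass(class));
    }
    if constructed {
        // INTEGER is always primitive (X.690 8.3.1).
        return Err(SerialError::Constructed);
    }
    if tag != 0x02 {
        return Err(SerialError::WrongTag(tag));
    }
    // RFC 5280 4.1.2.2 caps serials at 20 content octets, so a conforming
    // length is always short form; long form is rejected here for simplicity.
    let (&len, rest) = rest.split_first().ok_or(SerialError::Truncated)?;
    if len == 0 || len > 0x7f {
        return Err(SerialError::BadLength);
    }
    let len = len as usize;
    if rest.len() < len {
        return Err(SerialError::Truncated);
    }
    let (content, rem) = rest.split_at(len);
    // X.690 8.3.2: a leading 0x00 or 0xff octet is only allowed when the
    // sign bit of the following octet requires it.
    if len > 1 {
        let (b0, b1) = (content[0], content[1]);
        if (b0 == 0x00 && b1 & 0x80 == 0) || (b0 == 0xff && b1 & 0x80 != 0) {
            return Err(SerialError::NonMinimal);
        }
    }
    Ok((content, rem))
}

/// Constructed certificate prefix: outer SEQUENCE (4 bytes), TBSCertificate
/// SEQUENCE (4 bytes), [0] EXPLICIT version v3 (5 bytes), then the serial
/// INTEGER at offset 0x0d, the offset quoted in the PR. The outer lengths
/// are placeholders; only the serial TLV is parsed.
pub const CERT_PREFIX: [u8; 24] = [
    0x30, 0x82, 0x03, 0x1f, // Certificate SEQUENCE (placeholder length)
    0x30, 0x82, 0x02, 0x07, // TBSCertificate SEQUENCE (placeholder length)
    0xa0, 0x03, 0x02, 0x01, 0x02, // [0] { INTEGER 2 } = version v3
    0x02, 0x09, 0x00, 0xc3, 0x5b, 0x21, // serialNumber INTEGER, 9 octets
    0x9f, 0x40, 0xa1, 0x00, 0x13,
];

pub const SERIAL_OFFSET: usize = 0x0d;

/// Copy `cert`, overwrite one byte at `offset`, and parse the serial found
/// at SERIAL_OFFSET; returns the serial content octets on success.
pub fn serial_after_mutation(cert: &[u8], offset: usize, value: u8) -> Result<Vec<u8>, SerialError> {
    let mut buf = cert.to_vec();
    buf[offset] = value;
    parse_serial(&buf[SERIAL_OFFSET..]).map(|(content, _)| content.to_vec())
}

fn main() {
    let cases = [("original 0x02", 0x02u8), ("PoC 0x82", 0x82), ("constructed 0x22", 0x22)];
    for &(label, byte) in cases.iter() {
        println!("{}: {:?}", label, serial_after_mutation(&CERT_PREFIX, SERIAL_OFFSET, byte));
    }
}
```

Running it shows the unmodified prefix yielding the nine serial octets, the PR's 0x82 mutation failing with WrongClass(ContextSpecific), and the 0x22 variant failing with Constructed; the same mutate-one-byte loop can be pointed at any other offset to probe further header fields.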


cpu commented Jun 10, 2026

Collaborator

You can ignore the clippy & audit failures in CI. I believe both are going to be fixed by #223. Please just keep the commits related to the issue/fix.
