kdc: Add param to derive max_life from client cert

This adds a KDC configuration parameter that can be used to indicate
that a PKINIT client's certificate's notAfter overrides the client
principal's HDB entry's max_life.  This parameter is a relative time
parameter, and it enables this only if set to a non-zero value (defaults
to zero).  The value of this parameter caps the max_life inferred from
the certificate.
This commit is contained in:
Nicolas Williams
2021-03-23 12:07:41 -05:00
parent dfdc6c3a06
commit 8e7c7209e8
7 changed files with 82 additions and 2 deletions

@@ -799,6 +799,12 @@ out:
return ret;
}
krb5_timestamp
_kdc_pk_endtime(pk_client_params *pkp)
{
return hx509_cert_get_notAfter(pkp->cert);
}
/*
*
*/
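Review bot: `_kdc_pk_endtime()` dereferences `pkp` and passes `pkp->cert` to `hx509_cert_get_notAfter()` without a NULL check on either. If any caller can reach this for a request where PKINIT was not used or no client certificate was stored, add a guard and define what value means "no certificate end time", or state the precondition in a comment above the function. The function also has no doc comment: it returns the raw notAfter, so it should say that capping by the new configuration parameter, which the commit message describes, is left to the caller. Since the declared return type is `krb5_timestamp`, it is worth confirming that the value returned by `hx509_cert_get_notAfter()` converts without truncation for certificates with a far-future notAfter.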