(#2848) Reject unknown (== all) extensions on the CSR.
If we get a CSR with a request extension that we don't recognize, we used to
just ignore those. This can lead to dangerous situations, or at least
surprising behaviour, since we wouldn't copy those extensions into the final
certificate.
This changes that, by establishing an internal policy that we will whitelist
acceptable request extensions, and will hard-reject anything that isn't on
that.
Once something passes the whitelist we will have further policy, which will
enforce sanity in the request => certificate path.
Signed-off-by: Daniel Pittman <daniel@puppetlabs.com>