Public key pinning is important for IoT access and security in general. Having just got public key pinning working for accessing the Philips Hue API, here's a list of features that are missing from Deno's fetch/HttpClient API:
Being able to fetch an IP address (there's another bug on this already)
Being able to skip verifying the SSL certificate chain (vendors don't always provide all the necessary certs, and public key pinning with custom certificate verification is a suitable and safe replacement). This is equivalent to curl's --insecure command line argument.
Being able to supply a name-to-IP-address resolver: the certificate may not contain any host name or IP address that is directly addressable, so if there's any validation that compares the CN in the cert with the hostname of the URL, there has to be a way of overriding this. curl uses --resolve arguments to handle this: you supply a URL where the hostname matches the subject name in the cert, then use --resolve to map that name to the IP address of the server. (See also curl's --connect-to.)
Being able to provide a hash of the public key to fetch so that it can fail if the key hash doesn't match. This is public key pinning. curl uses --pinnedpubkey.
Being able to retrieve certificates and extract a hash of the public key that can be stored and passed to fetch later.
In my implementation I ended up with an HttpClient that looked like this:
I also validate when skipVerifyingCertificateChain is true that a publicKeyHashProvider is provided and that it returns a hash for the specific URL being fetched (as a runtime check even though the types already require the hash to be provided).
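The pinning check described above, as an added example that is not part of the issue or of Deno's API: it computes a pin in curl's --pinnedpubkey format (sha256// followed by the base64 SHA-256 of the SubjectPublicKeyInfo DER), models the publicKeyHashProvider as a URL-to-pin lookup, and fails closed when the provider has no pin for the URL, the pin is malformed, or the server key does not match. The host name hue-bridge.example and the generated keys are constructed for the example; the code uses node:crypto, which Deno also provides.

```typescript
import { createHash, generateKeyPairSync, timingSafeEqual, X509Certificate } from "node:crypto";
import type { KeyObject } from "node:crypto";
import { Buffer } from "node:buffer";

/** Compute a curl-style pin ("sha256//<base64>") over SubjectPublicKeyInfo DER bytes. */
function spkiPin(spkiDer: Uint8Array): string {
  return `sha256//${createHash("sha256").update(spkiDer).digest("base64")}`;
}

/** Export the SPKI DER of a public key; the pin is taken over exactly these bytes. */
function spkiDerOf(pub: KeyObject): Uint8Array {
  return new Uint8Array(pub.export({ type: "spki", format: "der" }));
}

/** Extract a pin from a PEM certificate retrieved earlier (the "store it for later" step). */
function pinFromCertificatePem(pem: string): string {
  return spkiPin(spkiDerOf(new X509Certificate(pem).publicKey));
}

/** Hypothetical provider shape taken from the issue: the pin expected for a given URL, if any. */
type PublicKeyHashProvider = (url: URL) => string | undefined;

/** Compare the server's SPKI against the pin configured for this URL. Any doubt rejects. */
function checkPinnedPublicKey(
  url: URL,
  serverSpki: Uint8Array,
  provider: PublicKeyHashProvider,
): { ok: boolean; reason: string } {
  const expected = provider(url);
  if (expected === undefined) return { ok: false, reason: `no pin configured for ${url.host}` };
  if (!expected.startsWith("sha256//")) return { ok: false, reason: "unsupported pin format" };
  const want = Buffer.from(expected.slice("sha256//".length), "base64");
  const actual = Buffer.from(spkiPin(serverSpki).slice("sha256//".length), "base64");
  // Length check first: timingSafeEqual throws on unequal lengths, and a 32-byte digest is required.
  if (want.length !== 32 || !timingSafeEqual(actual, want)) {
    return { ok: false, reason: "public key hash mismatch" };
  }
  return { ok: true, reason: "pin matched" };
}

/** Throwaway key standing in for a device certificate's key (constructed, not a real bridge). */
function demoKey(): KeyObject {
  return generateKeyPairSync("ec", { namedCurve: "prime256v1" }).publicKey;
}
```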