#381 added the ability to search the system trust store on macOS and Windows for a client certificate based on one attribute of the Issuer or Subject name in the certificate. We'd like to tweak this search capability slightly to allow filtering on certificate name attributes containing multiple values.
The proposal is to keep all existing syntax for the --client-cert-issuer and --client-cert-subject command-line flags, but to change the semantics in the case of certificate names containing multiple values for the same attribute. Currently, we require an exact match: if a search filter is specified, the corresponding name in the certificate must match exactly to be selected by that filter. Instead, let's change this so that when a certificate contains multiple values for a particular attribute, the certificate will match if any value matches the filter.
As an example: say we have a certificate where the subject includes both OU=MyOrgUnit and OU=Pomerium. Currently, this certificate would not be selected by the filter option --client-cert-subject "OU=Pomerium". After this proposed change, it would be.
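The matching change proposed above, shown as an added Go example that is not part of the original issue or Pomerium's own code. The function names, the supported attribute keys (`O`, `OU`), and the reading of "exact match" as "the attribute carries exactly that one value" are assumptions made for illustration.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// attrValues returns every value a name carries for a short attribute key.
// The keys handled here are an assumption, not the CLI's actual list.
func attrValues(n pkix.Name, key string) []string {
	switch strings.ToUpper(key) {
	case "O":
		return n.Organization
	case "OU":
		return n.OrganizationalUnit
	}
	return nil
}

// matchName applies a filter of the form "ATTR=value" to a certificate name.
// anyValue=false models the current behaviour as described in the issue
// (assumed: the attribute must carry exactly that one value);
// anyValue=true models the proposal (any one of the values may match).
func matchName(n pkix.Name, filter string, anyValue bool) bool {
	key, want, ok := strings.Cut(filter, "=")
	if !ok {
		return false // malformed filter selects nothing
	}
	vals := attrValues(n, key)
	if !anyValue {
		return len(vals) == 1 && vals[0] == want
	}
	for _, v := range vals {
		if v == want {
			return true
		}
	}
	return false
}

// subjectWithOUs builds a constructed subject name for the demonstration.
func subjectWithOUs(ous ...string) pkix.Name { return pkix.Name{OrganizationalUnit: ous} }

func main() {
	subj := subjectWithOUs("MyOrgUnit", "Pomerium") // the issue's example subject
	fmt.Println(matchName(subj, "OU=Pomerium", false), matchName(subj, "OU=Pomerium", true))
}
```

Any-value matching can only widen the set of certificates a filter selects, so a filter that previously picked one certificate may now pick several.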