Move timeliness check out of tor_cert_checksig, or into tor_cert_get_checkable_sig
There's a mismatch in our certificate API: When we're doing single verification, we check the expiration time, but when we are doing batch verification, we rely on the caller to do so. We should make these functions do the same thing.