Simplify X509CredentialValidator after generic validation refactor

[stevenvegt]

Parent PRD

#4079

What to build

After CRL/cert-time validation has moved to the did:x509 resolver (#4083), key time-based checks have moved to the key resolver (#4084), and issuer attribute matching has moved to the generic Verify function (#4085), the X509CredentialValidator contains only duplicated logic.

• Remove the remaining duplicated logic from X509CredentialValidator
• Either simplify it to delegate to defaultCredentialValidator or remove it entirely
• Simplify the FindValidator dispatch in resolver.go — remove the X509CredentialType case if the validator is removed
• Verify all existing tests pass with no behavior changes

Acceptance criteria

• X509CredentialValidator no longer contains CRL, cert-time, or policy assertion logic
• FindValidator dispatch is simplified or the X509 case is removed
• All existing X509Credential tests pass unchanged
• All existing s2s flow tests pass unchanged
• No regression in credential validation behavior for any credential type

Blocked by

• Blocked by did:x509 resolver: CRL check and set expires/revoked on keys #4083 (CRL/cert-time in did:x509 resolver)
• Blocked by Key resolver: check expires/revoked against reference time #4084 (key resolver time checks)
• Blocked by Generic issuer-to-credentialSubject attribute matching for did:x509 #4085 (generic attribute matching)

User stories addressed

• User story 7: existing behavior preserved
• User story 8: validation architecture follows PSA layered model