Stapled signature checks should support EKU constraints

Normally, EKU constraints can be set on an X.509 cert that's part of the cert chain in the TLS handshake, but this isn't sufficient if the entity in charge of the EKU constraints is a smart contract (since X.509 certs only have a standard keypair controlling them). Setting the EKU constraints as part of the stapled signature check would avoid this problem.