allow untrusted certs to manage own pastes

Split authentication into two functions:
- get_client_fingerprint(): Identity for ownership (any cert)
- get_client_id(): Elevated privileges (trusted certs only)

Behavior:
- Anonymous: Create only, strict limits
- Untrusted cert: Create + delete/update/list own pastes, strict limits
- Trusted cert: All operations, relaxed limits (50MB, 5x rate)

Updated tests to reflect new behavior where revoked certs
can still manage their own pastes.

tests/test_pki.py

@@ -283,9 +283,10 @@ class TestRevocationIntegration:
         # Revoke the certificate
         client.post(f"/pki/revoke/{serial}", headers={"X-SSL-Client-SHA1": issuer})
 
-        # Try to delete paste with revoked cert - should fail
+        # Revoked cert can still delete their own paste (ownership by fingerprint)
+        # They just lose elevated rate/size limits
         delete_resp = client.delete(f"/{paste_id}", headers={"X-SSL-Client-SHA1": cert_fingerprint})
-        assert delete_resp.status_code == 401
+        assert delete_resp.status_code == 200
 
 
 class TestPKICryptoFunctions:

tests/test_security.py

@@ -237,7 +237,7 @@ class TestSizeLimits:
         assert response.status_code == 413
         data = json.loads(response.data)
         assert "error" in data
-        assert data["authenticated"] is False
+        assert data["trusted"] is False
 
     def test_authenticated_larger_limit(self, app, client, auth_header):
         """Authenticated users have larger size limit."""