There is one notable type of trust assertions that is not implemented in
gcr: those where `CK_X_ASSERTION_TYPE` equals
`CKT_X_DISTRUSTED_CERTIFICATE`.

This is actually also something needed by Seahorse, as that is showing
the infamous "null" certificates due to distrusted certificates being
present on the machine, but not having any DER data stored with them.