Go 1.25 is released! Move testing to 1.24 and 1.25.

This also makes the branch selection the same for everything - just
'**'. That should help simplify some handling of branches, which I've
been a bit annoyed at before.

With Go 1.25 released, we can drop compatibility with Go 1.23.

This removes the requirement for golang.org/x/crypto, making go-jose now
free of libraries outside the standard library.

The only critical header that go-jose supports is b64 from RFC7797.

go-jose correctly only respects that header if it appears in a protected
header. go-jose correctly rejects unknown critical headers.

However, go-jose does not reject a JWS which contains a critical b64
unprotected header.

I don't believe this has any security impact, as the only place this is
exposed is via the Signature header members which expose unprotected
headers, and so a library user is already aware they are not to be
trusted. The 'critical' behavior (of not base64-encoding the value,
defined in RFC7797) is not influenced here.

Return a new ErrUnsupportedCriticalHeader error exported as a constant.

Reported by: Muhammad Noman Ilyas @AL-Cybision

---------

Co-authored-by: Jacob Hoffman-Andrews <github@hoffman-andrews.com>

* cipher: fix panic on KeyUnwrap of too-short slice

* jwe: don't call KeyUnwrap on empty (encrypted) key

Also don't call `aead.decrypt` on an empty key.

* test: make asymmetric_test more precise

These two test cases were passing a nil recipient, and checking for "any error"
instead of a specific error, which meant that introducing a nil recipient check
in `decryptKey` caused the test to stop testing what it meant to test, but
continue passing. Now we check for a specific error.

* test: TestKeyUnwrapShort

* jwe: TestEmptyEncryptedKey

* test: add `shorten` and `empty` corruptors