Add u2f attestation support

[briansmith]

• Add support for U2F trust anchors.
• Make it easy to parse the u2f attestation certificate out of the U2F message.
• Maybe add a workaround for the encoding issue described at Yubico U2F attestation cert with failing test #34 (comment).
• Write documentation, including an example, about how to verify attestations.
• Compare AAGUID from the certificate via the id-fido-gen-ce-aaguid extension and comparing it to the expected AAGUID.
• Packed Attestation Certificates
  • Don't require a subjectAltName extension.
• TPM Attestation Certificates
  • Subject must be empty
  • There must be a SAN as specified in the TPM specs.
  • EKU = "2.23.133.8.3" OID.
• Android Attestation Certificates
  • dNSName = attest.android.com

AFAICT, Yubico's attestation certificates don't include any EKU or key usage fields. Presumably we shouldn't verify for an EKU and the key usage should be digitalSignature.

/cc @wisespace-io @robn

[briansmith]

See also https://fidoalliance.org/specs/fido-v2.0-ps-20150904/FIDO-COMPLETE-v2.0-ps-20150904.pdf.

[briansmith]

See also #40 (comment)

/cc @cmsd2

[targodan]

Just wanted to poke at this.

Apparently this issue prevents me from using my YubiKey with bitwardenrs. See #bitwarden_rs/272