Sigstore bundle support

[woodruffw]

Description

As identified in #274: this client should support the bundle format defined in protobuf-specs for both signing and verification!

This will also unblock integration with the conformance suite, which tests for bundle support.

It looks like https://docs.rs/protobuf/latest/protobuf/ is the most mature protobuf library for Rust, so we'll probably want to go with that.

[woodruffw]

CC @jleightcap

[woodruffw]

This may be blocked on #83 -- @lkatalin or @lukehinds might have some more details 🙂

[lukehinds]

@woodruffw I don't think there is anything more to update since that was raised. It should not be hard to implement though (verify locally). I am absolutely slammed out with other stuff at the moment, not sure if @lkatalin has any cycles to take this on. I will add it to my tracking notes though as getting sigstore-rs protobuf aligned would be definite a step forwards.

[woodruffw]

Okay, thanks for the update @lukehinds! I've asked @jleightcap to take a look at this.

[jleightcap]

Thanks, now in progress -- I'll add comments/questions to this issue as I get further.

[jleightcap]

CC @tnytown

[tnytown]

As part of this work, I took another look at the client's certificate validation logic. It looks like both webpki and picky were considered for validation as part of #32, but webpki was dropped as it didn't support checking EKUs against custom non-TLS profiles at the time. Now that rustls/webpki has implemented a new verify_is_valid_cert, I'll refactor the validation logic with webpki.