[WIP] Sigstore bundle support #1

Draft: wants to merge 3 commits into base: main

@tnytown tnytown commented Oct 19, 2023

Sigstore Bundle generation and associated machinery, following sigstore-python API design where practical.

New functionality by crate:

  • tuf: SigstoreRepository: Trusted Root based TUF client.
  • verify: VerificationMaterials, Verifier: Sigstore bundle deserializer and verifier.
  • sign: SigningSession, SigningContext, SigningArtifact: Bundle signing machinery patterned off of sigstore-python.
  • fulcio: Support for the v2 signingCert API in FulcioClient, which now takes an X.509 CSR.
  • oauth: IdentityToken convenience type for OIDC tokens.

Changed:

  • crypto: CertificatePool overhaul for chain building based on rustls_webpki.
  • cosign, examples: Various adaptations to get things building with the changed API surfaces.
  • The sigstore-conformance client now plumbs into the bundle machinery :)

TODOs (not comprehensive, grep for TODO(tnytown), todo!, and unimplemented!):

  • SCT, SET, Root Hash Verification
  • PrecertificateSignedCertificateTimestamps is not in x509_cert
  • Implement verification policies
  • Investigate certificate validation in VerificationMaterials::from_bundle and manually implement what isn't covered by webpki
  • Clean up error handling: Figure out where best to propagate and chain errors to aid debugging.
    • Examine use of unwrap and expect, replace where appropriate
    • Errors for VerificationMaterials::from_bundle: do we want to set up error types?
  • Async safety: change FulcioClient's new endpoint to async, look into making async variants of SigstoreRepository, Verifier, SigningSession, and SigningArtifact.
  • Investigate better sigstore_protobuf_specs generation?
  • sig/crt flow?

Low priority TODOs (not necessary for upstreaming this work):

  • Look into cleaning CosignVerificationKey up
  • Clean up the Fulcio client; see if we can use OpenAPI to generate those

Signed-off-by: Andrew Pan <[email protected]>
Signed-off-by: Jack Leightcap <[email protected]>
Signed-off-by: Andrew Pan <[email protected]>
@jleightcap jleightcap mentioned this pull request Oct 20, 2023
@tnytown tnytown marked this pull request as draft October 20, 2023 20:44