Lead verifier: Veraison Plugin

[thomas-fossati]

This issue tracks the implementation of Lead verifier's "Veraison client plugin".

The plugin must satisfy the following interface:

type IComponentVerifierClientHandler interface {
	plugin.IPluggable

	AppraiseComponentEvidence(
      evidence []byte,
      mediaType string,
      nonce []byte,
      clientCfg []byte,
  ) (*ear.Appraisal, error)
}

The plugin will implement a Veraison challenge-response API client in RP mode using the veraison/apiclient package.

The plugin is tasked with the following actions:

1. Receive component evidence and the nonce from the CE handler.
2. Get the verifier's public key and C-R session endpoint by querying the well-known interface.
3. Initiate a challenge-response session in RP mode with the configured verifier, supplying the component evidence and nonce.
4. Obtain an EAR from the verifier.
5. Verify the signature of the EAR.
6. Return the EAR appraisal to the CE Handler.

Configuration

The clientCfg parameter supplied by the CE handler contains the relevant connectivity and trust settings as a serialised JSON byte string.

When de-serialised, the JSON object contains the following keys:

• "url" (mandatory): the verifier’s discovery URL
• "ca-certs" (optional): one or more files containing the trust anchors used to authenticate server certificates
• "insecure" (optional): whether certificate verification can skip the trust-related settings

Example:

{
  "url": "https://downstream-verifier.example:8443/.well-known/veraison/verification",
  "ca-certs": [ "/path/to/ca1.pem", "/path/to/ca2.pem" ]
}