runtime: Stop using webpki to verify the IAS cert chain

[Yawning]

It's German for "The Ring The".

This removes the webpki (and consequently) ring dependency by switching to manually verifying the IAS AVR certificate chain, and AVR signature. It makes a number of assumptions about how IAS does things (that are part of the API specification), so it is probably ok, though if Intel ever decides to change this, we will be rather sad.

The unfortunate thing about this is that I personally like ring/webpki as far as libraries go for the most part, but, having to carry around a fork just to get SGX support due to a trivial patch not being merged is not worth the hassle.

• Implement our own IAS AVR signature validation
• Make it more paranoid
• Add one of those changelog fragments

Fixes #2683

[codecov]

Codecov Report

Merging #4021 (18bf728) into master (0036da8) will increase coverage by 0.22%.
The diff coverage is 48.76%.

❗ Current head 18bf728 differs from pull request most recent head e42dd0f. Consider uploading reports for the commit e42dd0f to get more accurate results

@@            Coverage Diff             @@
##           master    #4021      +/-   ##
==========================================
+ Coverage   66.78%   67.01%   +0.22%     
==========================================
  Files         391      410      +19     
  Lines       38138    42183    +4045     
==========================================
+ Hits        25472    28270    +2798     
- Misses       9017     9928     +911     
- Partials     3649     3985     +336     

Impacted Files	Coverage Δ
go/beacon/api/api.go	38.88% <ø> (ø)
go/common/badger/migrate.go	0.00% <0.00%> (ø)
go/common/crypto/mrae/api/api.go	20.00% <ø> (ø)
...ommon/crypto/signature/signers/file/file_signer.go	52.05% <ø> (ø)
...n/crypto/signature/signers/memory/memory_signer.go	62.85% <0.00%> (-13.01%)	⬇️
go/common/namespace.go	77.77% <ø> (ø)
go/common/sgx/common.go	58.53% <ø> (-4.88%)	⬇️
go/consensus/api/api.go	14.28% <ø> (ø)
go/common/badger/helpers.go	35.64% <11.94%> (-46.71%)	⬇️
go/beacon/api/grpc.go	17.31% <17.31%> (ø)
... and 233 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fdc1639...e42dd0f. Read the comment docs.

[kostko]

Only some minor nits, otherwise I think this looks good! 🎉

[kostko]

Suggested change

	let anchor = match parse_x509_certificate(&cert_ders[1]) {
	Ok((_, cert)) => cert,
	Err(_) => return Err(AVRError::MalformedCertificateDER.into()),
	};
	let (_, anchor) = parse_x509_certificate(&cert_ders[1])
	.map_err(|_| AVRError::MalformedCertificateDER.into())?;

[Yawning]

error[E0282]: type annotations needed
   --> runtime/src/common/sgx/avr.rs:397:10
    |
397 |         .map_err(|_| AVRError::MalformedCertificateDER.into())?;
    |          ^^^^^^^     ---------------------------------------- this method call resolves to `T`
    |          |
    |          cannot infer type for type parameter `F` declared on the associated function `map_err`