filling in the testing gaps #243

@loosebazooka

Now that Aaron converted Java conformance as a server, we can run easy code coverage on conformance over Java, looking for gaps in our testing, things we could add:

bundle

  • fail if a bundle with no dsse or hashedrekord
  • fail on empty inner timestamp data (timestamp.rfc3161timestamp)
  • unexpected types? mashedrekor:1.0.0 dsse:3.0.0
  • certificate id/issuer matching? or other fields

hashedrekord

  • mismatched signature (actual vs logged)
  • mismatched hash (actual vs logged)
  • mismatched cert (actual vs logged)

dsse

  • unsupported payload type
  • provided artifact hash is not in subjects
  • fail if multiple signatures provided (sigstore limitation)
  • mismatched cert (not sure if this is actually reachable)

checkpoints

  • fail if more than 20 sigs
  • fail if no matching signature found

There are more tests related to unsupported algorithms that would still be useful, to check that we don't fail open when we hit unparseable information.
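The dsse cases listed above, together with the fail-closed behaviour on unparseable input, sketched as an added example; this is not part of the issue and is not sigstore-java or sigstore-conformance code. The function names, the error messages, and the choice of `application/vnd.in-toto+json` as the only accepted payload type are assumptions, the envelope is constructed with a placeholder signature, and signature verification is out of scope.

```python
import base64, hashlib, json

INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"  # assumed supported type

class DsseCheckError(Exception):
    """Raised for any envelope the checks cannot positively accept."""

def check_dsse_envelope(envelope: dict, artifact: bytes) -> None:
    """Structural checks only; signature verification happens elsewhere."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise DsseCheckError("unsupported payload type")
    sigs = envelope.get("signatures")
    if not isinstance(sigs, list) or len(sigs) != 1:
        raise DsseCheckError("expected exactly one signature")
    try:
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
        digests = {s["digest"]["sha256"].lower() for s in statement["subject"]}
    except Exception as exc:  # unparseable input must reject, never pass
        raise DsseCheckError("unparseable payload") from exc
    if hashlib.sha256(artifact).hexdigest() not in digests:
        raise DsseCheckError("artifact hash is not in subjects")

def make_envelope(artifact: bytes, **overrides) -> dict:
    """Build a constructed envelope for negative tests (hypothetical helper)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "a.txt",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": "https://example.com/constructed/v1",
        "predicate": {},
    }
    env = {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [{"sig": "Y29uc3RydWN0ZWQ="}],  # placeholder, not a real signature
    }
    env.update(overrides)
    return env

def rejection_reason(envelope: dict, artifact: bytes):
    """Return the rejection message, or None when the envelope is accepted."""
    try:
        check_dsse_envelope(envelope, artifact)
    except DsseCheckError as exc:
        return str(exc)
    return None
```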
