refactor: ca and cert packages

[mrjoelkamp]

Summary

• Combines the original ca and cert packages into one ca package with tests
• Uses more generic CreateX509Cert(pkToken *pktoken.PKToken, signer crypto.Signer) ([]byte, error) for the cert package
  • taken from feat: add transparency log and dsse extension signed-attestation#4

This PR doesn't meet any goals for the smuggler interface but moves us in the right direction. The main motivation for this change is to move this common reusable CreateX509Cert() from the signed-attestation repo into openpubkey

[whalelines]

Looks good. Thanks for the tests. A couple questions.

[EthanHeilman]

I have one comment, but it isn't a blocker as the original CA didn't do any verification of the PK Token. You are welcome to address it or not.

The PR oidcClaim struct this adds will be very nice to have.

[EthanHeilman]

Not a code review comment just curious. Is there a name for this pattern you are using here?

        type Alias OidcClaims
	aux := &struct {
		Audience any `json:"aud"`
		*Alias
	}{
		Alias: (*Alias)(id),
	}

[mrjoelkamp]

Not a code review comment just curious. Is there a name for this pattern you are using here?

Not sure if there is a name for it but it is necessary to avoid recursive unmarshaling of OidcClaims when trying to unmarshal the aud field separately in a custom UnmarshalJSON function. By casting the receiver (id *OidcClaims) to the Alias type you can unmarshal the OidcClaims struct without calling the custom UnmarshalJSON function recursively (since it is now of type Alias instead of OidcClaims). This embeds the original struct in a new auxiliary struct that you can add additional fields to for separate handling during the unmarshaling process.