Timestamp authority response verification during signing

[haydentherapper]

Description

We should verify the response from the timestamp authority when it's received, as per RFC 3161:

Upon receiving the response (which is or includes a TimeStampResp
   that normally contains a TimeStampToken (TST), as defined below), the
   requesting entity SHALL verify the status error returned in the
   response and if no error is present it SHALL verify the various
   fields contained in the TimeStampToken and the validity of the
   digital signature of the TimeStampToken.

We'll need to add the timestamp-cert-chain flag for signing.

[znewman01]

+1 overall

-1 to the name timestamp-cert-chain for the reasons I describe in #2472

[haydentherapper]

We can refactor that. This flag will also be unnecessary if you ship the TSA trust roots with TUF.

[znewman01]

@haydentherapper and I discussed this; we decided go with --timestamp-cert-chain for now, then rename both this and --cert-chain as part of #2472.

[hectorj2f]

@znewman01 I remember we initially used --timestamp-cert-chain but we recently renamed to --timestamp-certificate-chain. Do we still want to change it ?

[haydentherapper]

I’m working on this now. Yea, I will use certificate-chain

[haydentherapper]

Removing myself from this if anyone else wants to take it on