Currently the root and intermediates to establish a functionary’s chain of trust are part of the layout. The layout is then signed and used during verification to check that all functionaries belong to the established chain of trust.
Since SPIRE can rotate all parts of a trust domain’s bundle, including its root, it’s possible that the chain of trust in a layout may not actually match the chain of trust provided by our SPIRE server.
Not having any part of the chain of trust as part of our signed layout is incredibly insecure as anyone would be able to create a set of certificates that could satisfy the constraints and fraudulently act as functionaries.
If our SPIRE server uses an upstream root, we could add the root to the layout and provide the set of intermediates in the trust bundle at verification time to establish the functionaries’ chain of trust to the root.
If our SPIRE server does not use an upstream root, then I am unsure of a good solution. Signing a layout on the fly feels bad and opens more potential to attack.
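As an added example (not code from this issue, from witness or from SPIRE), the proposal above exercised in Go: only the root is pinned as if it were in the signed layout, the intermediates are supplied from a trust bundle at verification time, and a throwaway PKI stands in for a SPIRE trust domain. The CA names, the SPIFFE ID and all certificates are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// mkCert builds a throwaway certificate signed by parent (self-signed when parent is nil); it is a constructed stand-in for SPIRE's CA, not SPIRE code.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey, uris ...*url.URL) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, URIs: uris} // uris carry the SPIFFE ID of an SVID
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyFunctionary follows the issue's proposal: only the root is pinned in the signed layout; the intermediates come from the SPIRE trust bundle fetched at verification time.
func verifyFunctionary(layoutRoot *x509.Certificate, bundle []*x509.Certificate, svid *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(layoutRoot)
	for _, c := range bundle {
		inters.AddCert(c)
	}
	_, err := svid.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// Scenario checks an SVID issued after SPIRE rotated its intermediate against (a) the intermediate frozen
// in the layout and (b) the current bundle, then (c) an SVID from a CA the layout never pinned.
func Scenario() (staleOK, rotatedOK, foreignOK bool) {
	id, _ := url.Parse("spiffe://example.org/functionary/build") // constructed SPIFFE ID
	root, rootKey := mkCert("upstream-root", true, nil, nil)
	interA, _ := mkCert("spire-intermediate-A", true, root, rootKey)         // in the bundle when the layout was signed
	interB, interBKey := mkCert("spire-intermediate-B", true, root, rootKey) // issued by SPIRE after rotation
	svid, _ := mkCert("functionary", false, interB, interBKey, id)
	staleOK = verifyFunctionary(root, []*x509.Certificate{interA}, svid) == nil   // layout-frozen intermediates: fails
	rotatedOK = verifyFunctionary(root, []*x509.Certificate{interB}, svid) == nil // current bundle: succeeds
	rogueCA, rogueKey := mkCert("unpinned-ca", true, nil, nil)
	bogus, _ := mkCert("functionary", false, rogueCA, rogueKey, id)
	foreignOK = verifyFunctionary(root, []*x509.Certificate{rogueCA}, bogus) == nil // rejected even with rogueCA offered as an intermediate
	return
}
```

The stale case is the mismatch the issue describes after a bundle rotation, while the rejected foreign chain shows that the pinned root is what keeps the verification-time bundle from becoming an attacker-controlled input.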