mozilla-services / python-autograph-utils

A library to simplify use of Autograph

Synchronous, "pure" signature verification should be possible #3

Open glasserc opened 4 years ago

glasserc commented 4 years ago

The hypothetical/proposed SignatureVerifier class does more than just verifying signatures, but also retrieves X509 chains from URLs. It would be nice to have two classes, one which does the verification itself and another which is network-connected.

What do we do with the certificate chain validity checks? (Stuff like -- verifying that it chains up to the root hash, verifying that dates are correct, verifying that the cert chains correctly.) Do we do them on every signature check? Do we cache results?

glasserc commented 4 years ago

Here's a potential API:

class SignatureVerifier:
    "Pure verifier: no network access; takes the certificate chain as bytes."
    def __init__(self, cache):
        self.cache = cache

    def verify(self, data, signature, cert_chain):
        "cert_chain is bytes, retrieved for an x5u"
        # Chain validation is the expensive part, so its result (the end-entity
        # cert) is cached, keyed by the chain bytes themselves.
        ending_cert = self.cache.get(cert_chain)
        if not ending_cert:
            ending_cert = self.validate_cert_chain(cert_chain)
            self.cache.set(cert_chain, ending_cert)

        return self._verify_signature(data, signature, ending_cert)

    def validate_cert_chain(self, cert_chain):
        "Check the chain (root hash, dates, chaining) and return the end-entity cert"
        pass

    def _verify_signature(self, data, signature, cert):
        "Private function. Do not call this from outside this class"
        pass

class X5UVerifier:
    "Network-attached verifier: resolves the x5u URL, then delegates to the pure verifier"
    def __init__(self, network_cache, signature_verifier):
        self.network_cache = network_cache
        self.signature_verifier = signature_verifier

    async def verify_signature(self, data, signature, x5u):
        pass