SevVerification tidy

[cjen1-msft]

SevVerification needs to be fixed up for a 1.0 release.

Things which would be useful:

• kds fetcher doesn't cache across generations #22 kds fetcher only caches one generation
• The requests to amd could probably be done later/on-demand which would make the creation sync rather than async
• It may be worthwhile to be more careful with 'when' certificates are checked.
• Should it return json? should it return anything?

[Camelron]

• I think KDS fetcher already does cache multiple generations, no? chains_cache: Vec<(Generation, Chain)>
• Currently we could make the instantiation of SevVerifier synchronous. I don't think there is much benefit to doing so though since the subsequent verify calls must be async.
• I think what we do currently is a little bit confusing but essentially correct--we cache chains that were previously verified, yes. Maybe they should be considered stale after a set time? A TTL?

[Camelron]

As for what a successful verification result should look like from the user's perspective I think we could do some sort of typed result with the authenticated claims. However right now the SevVerifier::verify_attestation flow is aligned with the sync/async verification kernels as best as we can do without somehow exporting the error (and future successful claims) type for wasm environments. They all return Result<(), VerificationError> or Result<(), String>.