Validate CSR signatures and check signature type

[mcpherrinm]

With the deprecation of SHA1 signatures on CSRs, we should ensure Pebble rejects them as well. As well, ensure the signature itself is valid. Unlike Boulder, which currently allows SHA1 to be configurably accepted, Pebble will always reject SHA1.

There's no tests for the WFE code in this repository, so I didn't add a unit test ensuring SHA1 is rejected. However, I tested this by running an ACME client against Pebble that was patched to use SHA1 signatures and verifying they were successfully rejected, as well as ensuring SHA256 was still accepted

Fixes #384

[osirisinferi]

Boulder rejects SHA1 hashes in its ca "module", not wfe. Could that matter regarding ACME client behavior differences between Pebble and Boulder?

[mcpherrinm]

I don't think where exactly the messages are rejected matters: Pebble is a much smaller codebase with less modules than boulder so it won't ever align the same exactly. Pebble only handles the CSRs within the WFE (web frontend) code here so it would require restructuring more code to have the check occur elsewhere.

[aarongable]

Overall LGTM, just a few formatting comments

[mcpherrinm]

Design question: Should either of these checks be gated on Pebble's "strict mode"?

[aarongable]

LGTM. I wouldn't gate rejecting SHA1 behind "strict mode": half the reason we want to remove it is that Go itself is going to remove support, so Pebble needs to deprecate it just as much as Boulder does. Validating the signature could be behind the strict-mode flag but I don't feel strongly either way.

[mcpherrinm]

I don't think it's likely to be helpful to anyone to allow invalid CSR signatures, especially since Let's Encrypt and presumably other CAs always require valid CSR signatures. So I think we can leave it as-is and merge this.