image signature verification does not verify certificates

Bug #1994150 reported by Brian Rosmaita
Affects: Cinder | Status: New | Importance: Wishlist | Assigned to: Unassigned | Milestone: none

Bug Description

Cinder supports image signature verification, as described in this spec: https://specs.openstack.org/openstack/cinder-specs/specs/rocky/support-image-signature-verification.html

This implementation, however, does not support strong certificate validation for certificates used to generate image signatures. In other words, while cinder will verify that the retrieved image data has been signed by the cert that's available in Barbican, cinder doesn't verify that the certificate is that of someone whom the user trusts, which enables an attack vector outlined in this nova spec:
https://specs.openstack.org/openstack/nova-specs/specs/rocky/implemented/nova-validate-certificates.html

So you'll note that Nova has already implemented certificate validation for image signature verification. Cinder should implement similar functionality. In particular, the Block Storage API changes should be consistent with Compute API v.2.63. Also, Cinder should probably implement Nova's 'enable_certificate_validation' and 'default_trusted_certificate_ids' configuration options.

Certificate utils were added to the cursive library, which cinder uses, by change I8d7f43fb4c0573.

The entire set of nova implementation patches is here:
https://review.opendev.org/q/topic:bp%252Fnova-validate-certificates

(though I don't think the cinder implementation will need to be so elaborate).

Since fixing this will require a REST API change, this will need a spec. See
https://docs.openstack.org/cinder/latest/contributor/contributing.html#new-feature-planning
if you're not familiar with the specs process.
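The gap the report describes, shown as an added example rather than cinder or cursive code: the existing check only asks whether the signature verifies under the public key of whatever certificate is presented, so a signature produced with an attacker's self-signed certificate passes just as well as one from the operator's image builder. The second check below adds what the Nova spec calls certificate validation, in simplified single-level form (the signing certificate must be issued by one of the operator's trust anchors and be within its validity window, not full RFC 5280 path building). The `trust_anchors` dict stands in for certificates the operator would list in a `default_trusted_certificate_ids`-style option; all keys, certificates and the image bytes are constructed in the block, and only the `cryptography` package is assumed.

```python
"""Added example (not cinder/cursive code): signature check alone vs.
signature check plus certificate trust validation."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def _make_cert(subject_cn, subject_key, issuer_cn, issuer_key):
    """Certificate for subject_key signed by issuer_key; same key on both
    sides yields a self-signed cert (trust anchor or rogue cert)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name(subject_cn))
        .issuer_name(name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .sign(issuer_key, hashes.SHA256())
    )


def _validity(cert):
    # cryptography >= 42 exposes tz-aware accessors; older versions are naive UTC
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        utc = datetime.timezone.utc
        return (cert.not_valid_before.replace(tzinfo=utc),
                cert.not_valid_after.replace(tzinfo=utc))


def sign_image(image_data, signer_key):
    return signer_key.sign(image_data, padding.PKCS1v15(), hashes.SHA256())


def signature_matches(image_data, signature, cert):
    """The check the bug says already exists: signature verifies under the
    public key of the presented certificate, whoever issued it."""
    try:
        cert.public_key().verify(signature, image_data,
                                 padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def cert_is_trusted(cert, trust_anchors):
    """The missing check (simplified): cert is in its validity window and
    was signed by one of the operator's trust anchors."""
    before, after = _validity(cert)
    if not (before <= datetime.datetime.now(datetime.timezone.utc) <= after):
        return False
    for anchor in trust_anchors.values():
        if cert.issuer != anchor.subject:
            continue
        try:
            anchor.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(),
                                       cert.signature_hash_algorithm)
            return True
        except InvalidSignature:
            continue
    return False


def verify_image(image_data, signature, cert, trust_anchors):
    """Hardened form: both the signature and the signer's trust must hold."""
    return signature_matches(image_data, signature, cert) and \
        cert_is_trusted(cert, trust_anchors)


def demo():
    """Constructed scenario: one operator CA, one legitimate image-builder
    cert issued by it, and one attacker self-signed cert."""
    image = b"constructed image payload"
    ca_key = _make_key()
    ca_cert = _make_cert("operator-ca", ca_key, "operator-ca", ca_key)
    builder_key = _make_key()
    builder_cert = _make_cert("image-builder", builder_key, "operator-ca", ca_key)
    rogue_key = _make_key()
    rogue_cert = _make_cert("rogue", rogue_key, "rogue", rogue_key)
    # hypothetical cert-id -> cert mapping, standing in for trusted cert ids
    trust_anchors = {"cert-id-placeholder": ca_cert}
    good_sig = sign_image(image, builder_key)
    rogue_sig = sign_image(image, rogue_key)
    return {
        "builder_signature_only": signature_matches(image, good_sig, builder_cert),
        "builder_with_trust": verify_image(image, good_sig, builder_cert, trust_anchors),
        "rogue_signature_only": signature_matches(image, rogue_sig, rogue_cert),
        "rogue_with_trust": verify_image(image, rogue_sig, rogue_cert, trust_anchors),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the report is about: the rogue certificate passes the signature-only check but fails once the signer must chain to a configured trust anchor.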

Sofia Enriquez (lsofia-enriquez) wrote :

This is related to the Antelope PTG discussion [1].

[1] https://etherpad.opendev.org/p/antelope-ptg-cinder#L219

tags: added: certificate image signature
Changed in cinder:
importance: Undecided → Wishlist