atls: move validators into dedicated package

[burgerdev]

My overall plan is to consolidate the attestation validation logic into one package. We currently construct validators (at least) here:

contrast/sdk/common.go

Lines 27 to 29 in 41ae00c

	func ValidatorsFromManifest(kdsGetter *certcache.CachedHTTPSGetter, m *manifest.Manifest, log *slog.Logger) ([]atls.Validator, error) {
	var validators []atls.Validator

contrast/coordinator/internal/stateguard/credentials.go

Line 74 in 41ae00c

var validators []atls.Validator

contrast/e2e/atls/atls_test.go

Lines 153 to 156 in 41ae00c

	opts, err := manifestParsed.SNPValidateOpts(kdsGetter)
	require.NoError(err, "getting SNP validate options")
	var validators []atls.Validator
	for i, opt := range opts {

Since the manifest is the authoritative source for admission policy, I would like to move all of this into the manifest package.

Such a refactoring is currently hard to do, because what were supposed to be validation internals leak throughout the code base.

• The reportSetter is a special purpose implementation for aTLS only, but leaves its traces in validator constructors and duplicated implementations. If validators returned a report struct it would not be necessary, as the Coordinator could just wrap the validator.
• The OID Getter design only makes sense in this particular loop over validators:

  contrast/internal/atls/atls.go

  Lines 249 to 254 in 41ae00c

  	foundExtension = true
  	for _, validator := range validators {
  	// Optimization: Skip the validator if it doesn't match the attestation type of the document.
  	if !ex.Id.Equal(validator.OID()) {
  	continue
  	}

  Now we're forced to present an exact list of validators that can each only validate one type of document. But the Coordinator can't wrap a list.
• Something that's been bothering me for quite some time: an empty list of validators means "skip validation", while a populated list means "at least one validator must pass". The logic should not surprise people assuming vacuous truth . I want my sums of empty lists to be 0.

  contrast/internal/atls/atls.go

  Lines 399 to 404 in 41ae00c

  	// don't perform verification of attestation document if no validators are set
  	if len(c.validators) == 0 {
  	return nil
  	}
  	return verifyEmbeddedReport(ctx, c.validators, cert, pubBytes, c.clientNonce)

  If we did not deal in lists, this would be trivial to fix in a validators package.

---

That being said, this PR takes an initial step into this direction.

• Clean up around the existing validator definition (first two commits).
• Move the Validator into its own package.

No functional change, but this paves the way for above plan.