Open stevespringett opened 3 years ago
BOM XML signing added by #177
Using cdxgen we can sign the SBOM in JWS format, but there is one limitation: we cannot sign an SBOM that was already generated by a different tool or downloaded from Dependency-Track with VEX.
Related to this ticket, I have added a section in the readme with a snippet to verify the JSON signature.
https://github.com/CycloneDX/cdxgen/#verifying-the-signature-nodejs-example
It would be nice for the cli to support verifying all types of signatures - multisignature, signaturechain, and signaturecore. While the information is lacking, verifying against a chain usually involves checking a revocation list. We could piggyback on recent inventions such as CRLite (CRLsets) from the browser world or propose our own.
@stevespringett Are there plans to add support for JSON signing and verification please?
CycloneDX SBOMs can be signed at the root bom level and can also be signed on a component level.
This enhancement request is to add support for applying signatures to the bom level or to a component level. Signing should support XML Signature and JSON Signature Format.
When signing a component, it will be necessary to include the `bom-ref` of the component. If a `bom-ref` does not exist or cannot be found for the component, signing should fail.

Signature verification should ideally validate ALL signatures in the bom regardless of where they're located. This includes the root bom level signatures as well as individual component signatures. All occurrences of failed verification should be logged to STDERR.
Proposed input parameters: