letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0

Check which JWS signature algorithms we allow #308

Closed jsha closed 9 years ago

jsha commented 9 years ago

For instance, we should not allow signatures using SHA-1.

rolandshoemaker commented 9 years ago

According to square/go-jose these are the only supported signature algorithms, we might want to add an explicit check in Boulder in case they plan on growing this list...

const (
    A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128)
    A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192)
    A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256)
    A128GCM       = ContentEncryption("A128GCM")       // AES-GCM (128)
    A192GCM       = ContentEncryption("A192GCM")       // AES-GCM (192)
    A256GCM       = ContentEncryption("A256GCM")       // AES-GCM (256)
)

bifurcation commented 9 years ago

Actually, those are encryption algorithms. The "signature algorithms" there refers to the table above :)

const (
    HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256
    HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384
    HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512
    RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256
    RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384
    RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512
    ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256
    ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384
    ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512
    PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256
    PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384
    PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512
)

In any case, there are no JOSE algorithm identifiers defined for SHA-1, so since they would have to go outside of spec to add them, I am considering this low risk. Since SHA-2 algorithms are acceptable, we have no issue here.
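As an added example (not Boulder's or go-jose's code), one way to enforce the explicit allow-list discussed above on a JWS protected header using only the Go standard library; the function names and the header values are constructed for this illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// allowedJWSAlgs is an explicit allow-list: only the asymmetric entries of go-jose's
// SignatureAlgorithm list (HS* is HMAC, and no JOSE identifier uses SHA-1 anyway).
var allowedJWSAlgs = map[string]bool{
	"RS256": true, "RS384": true, "RS512": true,
	"ES256": true, "ES384": true, "ES512": true,
	"PS256": true, "PS384": true, "PS512": true,
}

// CheckJWSAlg decodes the base64url protected header of a JWS and returns the alg
// only if it is on the allow-list; a missing alg, "none" and unknown names are rejected.
func CheckJWSAlg(protectedB64 string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(protectedB64)
	if err != nil {
		return "", fmt.Errorf("protected header is not base64url: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("protected header is not JSON: %w", err)
	}
	if hdr.Alg == "" {
		return "", fmt.Errorf("protected header has no alg")
	}
	if !allowedJWSAlgs[hdr.Alg] {
		return "", fmt.Errorf("JWS algorithm %q is not allowed", hdr.Alg)
	}
	return hdr.Alg, nil
}

// EncodeHeader builds a constructed protected header for the demo (not a real ACME request).
func EncodeHeader(alg string) string {
	b, _ := json.Marshal(map[string]string{"alg": alg, "nonce": "constructed"})
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	for _, alg := range []string{"RS256", "ES256", "HS256", "none", "RS1"} {
		got, err := CheckJWSAlg(EncodeHeader(alg))
		fmt.Printf("%-5s -> accepted=%q err=%v\n", alg, got, err)
	}
}
```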