tweag / webauthn

A library for parsing and validating webauthn/fido2 credentials
Apache License 2.0

Check that the ECDSA point is on the curve #133

Closed infinisil closed 2 years ago

infinisil commented 2 years ago

This check was accidentally removed in #80 because no specification that we implement mentioned anything of it. This only just came to my attention when stumbling upon this note from the webauthn spec:

Note: There are many checks necessary to correctly implement signature verification using these algorithms. One of these is that, when processing uncompressed elliptic-curve points, implementations should check that the point is actually on the curve. This check is highlighted because it’s judged to be at particular risk of falling through the gap between a cryptographic library and other code.

I am, however, still not sure if we actually need to implement this check, and where. I can't find any vulnerability due to this check missing (just for signature verification), but it is clearly mentioned as a check that needs to be performed to validate a public key in documents describing ECDSA, among other checks. I can't find anything about this check in either COSE or cryptonite. Should this be fixed in cryptonite? Does it need to be fixed? I am not sure yet.

infinisil commented 2 years ago

I quote from section 6.2 from https://link.springer.com/article/10.1007/s102070100002:

infinisil commented 2 years ago

OpenSSL also implements these checks here, which references https://csrc.nist.gov/publications/detail/sp/800-56a/rev-3/final

infinisil commented 2 years ago

As discussed with @ErinvanderVeen:

infinisil commented 2 years ago

Superseded by #136 for now, which introduces this and other public key checks
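
The on-curve check from the WebAuthn note quoted at the top of this thread, as an added Python example; it is not code from the webauthn library, cryptonite or #136. It assumes the P-256 curve with the SEC1 uncompressed encoding `0x04 || X || Y`, and all function names are hypothetical.

```python
# Added example: reject uncompressed P-256 public keys that are not on the curve.
# Constants are the published NIST P-256 domain parameters (y^2 = x^3 + ax + b mod p).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point G, used here only as a known-good sample point.
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # bytes per coordinate on P-256


def encode_point(x: int, y: int) -> bytes:
    """Build the uncompressed encoding 0x04 || X || Y (helper for the samples)."""
    return b"\x04" + x.to_bytes(COORD_LEN, "big") + y.to_bytes(COORD_LEN, "big")


def parse_uncompressed_point(encoded: bytes):
    """Return (x, y), or None if the length or the 0x04 prefix is wrong."""
    if len(encoded) != 1 + 2 * COORD_LEN or encoded[0] != 0x04:
        return None
    x = int.from_bytes(encoded[1:1 + COORD_LEN], "big")
    y = int.from_bytes(encoded[1 + COORD_LEN:], "big")
    return x, y


def is_on_curve(x: int, y: int) -> bool:
    """True only for reduced coordinates that satisfy the curve equation."""
    # Range check first: x + p would satisfy the equation mod p but is not
    # a valid field element encoding.
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_public_key(encoded: bytes) -> bool:
    """Parse an uncompressed point and accept it only if it lies on P-256."""
    point = parse_uncompressed_point(encoded)
    return point is not None and is_on_curve(*point)


if __name__ == "__main__":
    samples = {  # constructed sample inputs
        "generator": encode_point(GX, GY),
        "y off by one": encode_point(GX, GY + 1),
        "all-zero coordinates": b"\x04" + bytes(2 * COORD_LEN),
    }
    for name, key in samples.items():
        print(f"{name}: {'accept' if validate_public_key(key) else 'reject'}")
```
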