This repository was archived by the owner on Nov 21, 2023. It is now read-only.
Commit 0faea4c
Validate the freshness of session nonce
According to the RMM spec, A7.2.3 Attestation token format [1], the CCA token
has a client challenge sealed in the token; the challenge is generated
when the CCA token is obtained from the AA (attestation agent).
When the CCA token is validated by Veraison, a session nonce is created as well.
Semantically, the session nonce should be equal to the client challenge; this logic
has been validated inside the Veraison service [2].
The freshness also implies the session nonce key should be equal to the nonce
enveloped in the EAR, which is the format of the attestation result [3]. By this, we have:
```
client challenge in token == session nonce == ear's nonce
```
and thus avoid the replay attack.
NOTE: If "client challenge in token != session nonce", the vts service from Veraison
takes it as a warning. This is debatable and should be further discussed with the Veraison
team; `rust-client` should return an error instead.
fix: https://github.com/confidential-containers/attestation-service/issues/127
> WARN vts {"detail":["freshness: realm challenge (00000000000...) does not match session nonce
> ... "detail-type":"error","error":"bad evidence"}
Signed-off-by: Dave Chen <dave.chen@arm.com>
[1] https://documentation-service.arm.com/static/63a16f163f28e5456434c719?token=
[2] https://github.com/veraison/services/blob/dfb068204473cad9c412337d5abef7ad88b8bc3b/scheme/cca-ssd-platform/evidence_handler.go#L120-L126
[3] https://github.com/veraison/docs/blob/main/architecture/verifier/freshness.md
1 parent 871ae51 commit 0faea4c
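The freshness chain stated in the commit message, as an added Rust example that is not code from this commit, from `rust-client` or from Veraison. The names `FreshnessError` and `check_freshness` are hypothetical, the nonces are constructed sample bytes, and a mismatch at either link is returned as an error rather than logged as a warning.

```rust
// Added example: all type and function names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum FreshnessError {
    /// No nonce was issued for the session, so nothing can be fresh.
    EmptySessionNonce,
    /// client challenge in token != session nonce
    ChallengeMismatch,
    /// session nonce != EAR nonce
    EarNonceMismatch,
}

/// Enforce: client challenge in token == session nonce == EAR nonce.
/// Each link is checked separately so the caller learns which one broke.
pub fn check_freshness(
    token_challenge: &[u8],
    session_nonce: &[u8],
    ear_nonce: &[u8],
) -> Result<(), FreshnessError> {
    if session_nonce.is_empty() {
        return Err(FreshnessError::EmptySessionNonce);
    }
    // Slice comparison also fails on a length difference.
    if token_challenge != session_nonce {
        return Err(FreshnessError::ChallengeMismatch);
    }
    if ear_nonce != session_nonce {
        return Err(FreshnessError::EarNonceMismatch);
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not real attestation data.
    let session = [0xA5u8; 64];
    let zeroed = [0u8; 64]; // token carrying an all-zero challenge
    let old_session = [0x3Cu8; 64]; // nonce from an earlier session

    // Fresh evidence and a fresh result for this session.
    println!("{:?}", check_freshness(&session, &session, &session));
    // Token challenge does not match the session nonce.
    println!("{:?}", check_freshness(&zeroed, &session, &session));
    // Attestation result replayed from an earlier session.
    println!("{:?}", check_freshness(&session, &session, &old_session));
}
```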
File tree
3 files changed
+530 -331 lines changed
- attestation-service
  - src/verifier/cca