Derive revocation bits from root_certs, etc. #29
Description
Refactoring the image signing routines (#28) left as an open TODO deriving the CFPA KeyStatus bits from root_certs (and whatever else we might need). If we pass the signing root (i.e., signing_certs[0]) then we can check that it occurs in root_certs, and maybe mark as Revoked? (I admit not understanding the difference between Revoked1 and Revoked2) the ones before that. But this appears to be partly a matter of policy rather than a stricly technical decision, so feedback would be welcome on how we intend to set and use these bits.