The current implementation verified the certificates received from the SET_CERTIFICATE command, but it didn't provide a mechanism for a device with Alias certs to compose and then verify the full cert chain.
We could work around this issue by adding the verification in libspdm_write_certificate_to_nvm(), but I think it would be better to provide an official interface to allow customized verification similar to the one designed for peer certchain verification below?
Since the Responder is generating the certificates, hopefully it's not going to generate invalid ones. The Integrator will need to populate the certificate slots after a reset, before which it can verify the full certificate chain. Maybe have libspdm_verify_peer_cert_chain_buffer_integrity be publicly available to the Integrator?
The certificates to be provisioned are generated by the requester, so the responder still needs to verify that the full cert chain (to-be-provisioned certificates + Alias certificates) is valid.
While we could set CERT_INSTALL_RESET_CAP and simply save the certificates into NVRAM and leave the verification to be done at the next reset, it would be better to verify the full cert chain without a reset and prevent overwriting the existing ones in NVRAM in case of verification failure.
libspdm_verify_peer_cert_chain_buffer_integrity by naming is to verify peer's certificates, but for SET_CERT it's to verify the certificate for self use. We could probably make libspdm_set_cert_verify_certchain to be a callback function but keep the current implementation as the default if no callback is registered?
I found there is a callback function
libspdm/include/internal/libspdm_common_lib.h
Line 108 in 525ba87
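The callback-with-default idea discussed in this thread, sketched as an added example (not libspdm code and not from any participant). Every name below is hypothetical, and certificates are modelled as subject/issuer name pairs so the verify-before-write flow runs without a crypto library; real code would parse X.509 and check signatures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model: a certificate reduced to its subject and issuer names. */
typedef struct { const char *subject; const char *issuer; } cert_t;
#define MAX_CHAIN 8

/* Hypothetical integrator hook for verifying SET_CERTIFICATE input. */
typedef bool (*set_cert_verify_fn)(const cert_t *chain, size_t count);

static set_cert_verify_fn g_verify_cb;   /* NULL means: use the default */
static cert_t g_nvm[MAX_CHAIN];          /* stand-in for the NVRAM cert slot */
static size_t g_nvm_count;

/* Each certificate must be issued by the one before it. */
static bool chain_links(const cert_t *c, size_t n) {
    if (n == 0) return false;
    for (size_t i = 1; i < n; i++)
        if (strcmp(c[i].issuer, c[i - 1].subject) != 0) return false;
    return true;
}

/* Default behaviour: only the received certificates are checked. */
static bool default_verify(const cert_t *chain, size_t count) {
    return chain_links(chain, count);
}

/* Constructed Alias certs that the device appends to the provisioned chain. */
static const cert_t g_alias[] = { {"Alias CA", "Device"}, {"Alias Leaf", "Alias CA"} };

/* Device-specific callback: compose provisioned + Alias certs, verify the whole. */
bool alias_full_chain_verify(const cert_t *chain, size_t count) {
    cert_t full[MAX_CHAIN];
    size_t n_alias = sizeof g_alias / sizeof g_alias[0];
    if (count == 0 || count + n_alias > MAX_CHAIN) return false;
    memcpy(full, chain, count * sizeof *chain);
    memcpy(full + count, g_alias, sizeof g_alias);
    return chain_links(full, count + n_alias);
}

void register_set_cert_verify(set_cert_verify_fn fn) { g_verify_cb = fn; }

/* SET_CERTIFICATE path: verify first, write to NVRAM only on success. */
bool handle_set_certificate(const cert_t *chain, size_t count) {
    set_cert_verify_fn verify = g_verify_cb ? g_verify_cb : default_verify;
    if (count > MAX_CHAIN || !verify(chain, count)) return false;
    memcpy(g_nvm, chain, count * sizeof *chain);
    g_nvm_count = count;
    return true;
}
```

With no callback registered, a chain that is internally consistent but does not connect to the Alias certs is accepted; with the callback registered it is rejected and the previously stored slot contents are left untouched.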