in-toto/in-toto-java

Support in-toto final product verification

lukpueh opened this issue · 0 comments

Currently, in-toto-java may be used by functionaries to generate and sign in-toto link metadata, as evidence for steps in the software supply chain.

This is a feature request to support full final product verification as described in section "5.2 Verifying the final product" of the in-toto specification.

See verifylib.in_toto_verify in the reference implementation and verifylib.InTotoVerify in the golang implementation for two fully compliant examples.