
Token fixes

Open jku opened this issue 1 year ago • 3 comments

I'm not too confident with Rust or this code base yet, so advice is welcome: I can see there are many ways to implement something like the "signing identity" here, but I don't think I have a feel for best practices yet...

Summary

Support more types of OIDC tokens -- specifically support the "Sub" field used as the signing identity by some issuers.

  • Make email optional when parsing JWT (e.g. GitHub Actions does not use it)
  • Add IdentityToken.identity field: this is the identity claim that we believe Fulcio uses for this issuer
  • Fix the bundle signing so it uses the new identity field
  • Add tests with two tokens (interactive and GHA)

Note that signing with a "Sub" identity now works (the CSR will use the email OID for everything as before, but apparently that works: sigstore-python does that too) in places like GitHub Actions, but there are no tests yet.

I was planning to

  • add a test that runs on GH actions: manually fetch the token and test if signing works (see 9f50501df9b)
  • a bit longer term, search for a https://github.com/di/id style project for rust or write one if that does not exist (I think this model worked great for sigstore-python)

... but neither is part of this PR.

Fixes #413

jku, Oct 22 '24 08:10
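The claim handling the PR describes (optional `email`, a separate `identity` field that falls back to `sub`, as used by GitHub Actions tokens), as an added Python illustration that is not sigstore-rs code. The "prefer email, else sub" rule, the `IdentityToken` field names and both sample tokens are assumptions constructed for this example.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdentityToken:
    issuer: str
    subject: str
    email: Optional[str]  # absent for e.g. GitHub Actions tokens
    identity: str         # claim the certificate request is bound to


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_identity_token(token: str) -> IdentityToken:
    """Read the claims of a JWT. The signature is not checked here: the token
    is verified by Fulcio when it is submitted; we only need the claims to
    choose the identity the CSR will carry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a JWT with three dot-separated segments")
    claims = json.loads(_b64url_decode(parts[1]))
    for required in ("iss", "sub"):
        if required not in claims:
            raise ValueError(f"token is missing the required {required!r} claim")
    email = claims.get("email")  # optional: not every issuer sets it
    # Assumed selection rule: use the email claim when present, else "sub".
    identity = email if email is not None else claims["sub"]
    return IdentityToken(claims["iss"], claims["sub"], email, identity)


def _sample_token(claims: dict) -> str:
    # Constructed demo token: header + claims, signature segment left empty
    # because this example never verifies it.
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claim sets mirroring the two token kinds the PR adds tests for.
INTERACTIVE_TOKEN = _sample_token({"iss": "https://oauth2.sigstore.dev/auth",
                                   "sub": "CgV1c2VyEgZnaXRodWI",
                                   "email": "dev@example.com"})
GHA_TOKEN = _sample_token({"iss": "https://token.actions.githubusercontent.com",
                           "sub": "repo:example-org/example-repo:ref:refs/heads/main"})
```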