Verify location of alg and crit header parameters

[letmaik]

COSE requires that alg must be authenticated (external_aad or protected header) and crit must be in the protected header. pycose reads both parameters from the unprotected header if missing in the protected header.

https://github.com/TimothyClaeys/pycose/blob/5a08c024fefd7656db7c476f868e1ac82bf44459/pycose/messages/signcommon.py#L40-L50

https://github.com/TimothyClaeys/pycose/blob/5a08c024fefd7656db7c476f868e1ac82bf44459/pycose/messages/cosebase.py#L61-L81

The get_attr method should be extended to check whether a parameter is required to be in the protected bucket. This requires another field in the attribute class.