Properly verify delegated metadata signatures

[wellsie1116]

Since the delegating targets defines the valid keys a delegated targets can be signed by, it is possible for delegated targets to be valid when accessed via one target path and invalid when accessed via another. tuf::Tuf currently stores a mapping of role to the delegated targets metadata, but that information is insufficient to know which keys should be used to verify metadata given to update_delegation.

Additionally, tuf::Tuf currently depends on tuf::Client correctly calling update_delegation for every link in the delegation chain when resolving a target. Ideally, tuf::Tuf wouldn't depend on tuf::Client calling APIs in the correct order.