Verify TSA message imprint against recomputed canonical event digest.
Only checks events that have TSA evidence. Events without TSA evidence pass
(backward compat — legacy events). Stored canonicalEventDigest is cross-check
evidence only; it is not the digest authority during verification.
Trust model:
When tokenDerBase64 is present: mutable timestampEvidence.tsa.messageImprint
cannot be trusted. Returns needsTokenVerification=true to signal that async
cryptographic token verification is required.
When tokenDerBase64 is absent (mock/internal TSA): messageImprint is the
trusted internal imprint and is compared against the recomputed canonical digest.
Verify TSA message imprint against recomputed canonical event digest.
Only checks events that have TSA evidence. Events without TSA evidence pass (backward compat — legacy events). Stored canonicalEventDigest is cross-check evidence only; it is not the digest authority during verification.
Trust model: