Audit for use of CTAP2 canonical CBOR encoding

[jschanck]

We need to review our serialization routines to ensure that we use CTAP2 canonical CBOR encoding form. Martin Kreichgauer noticed that the keys in our AttestationObjects maps are in the order (authData, fmt, attStmt) instead of the correct (fmt, attStmt, authData). I'll fix that issue, but we should do an audit and add tests as well.