Add more negative tests

[dlongley]

We need more negative test cases for http signatures, particularly with dereferencing, etc. Our tests should confirm that misrepresenting key ownership, etc. results in a failure to authenticate.

[dlongley]

Assigning to you for now, @mattcollier, but lower priority than other items -- and you may reassign to someone else.

[dlongley]

@aljones15 Not sure what negative tests we still need but some of this module has been simplified so the above doesn't necessarily apply.