Support HSM signing

[lukpueh]

Supersedes #569 and #864
Related to #1109 (out-of-band signing)
Groundwork available in secure-systems-lab/securesystemslib#229

Description of issue or feature request:

python-tuf (or rather securesystemslib) should provide an implementation to sign metadata with hardware security modules, like Yubikey, plus functions for public key export and signature verification.

Current behavior:

The sign method in the new Metadata API takes a Signer parameter which generates the actual signature. Currently, secureystemslib has one standard Signer implementation in SSlibSigner, which encapsulates securesystemslib-style private keys (rsa, ed25519, ecdsa) and generates a Signature that can be verified with a python-tuf Key using its verify_signature method.

Expected behavior:

• Implement HSMSigner that can generate a signature on an HSM
  -> see SSlibSigner and GPGSigner (WIP) for inspiration, and sslib#229 for groundwork
• Provide functionality to export the corresponding public key as python-tuf Key
  -> see from_securesystemslib_key for inspiration
• If necessary, update Key.verify_signature so that it can verify the corresponding signatures
  -> with sslib#229 verification should work out of the box

[trishankatdatadog]

@d-niu, you might be interested in this 🙂

[lukpueh]

Securesystemslib provides an HSMSigner, which is compatible with the TUF Metadata API, since v0.26.0.

It is used e.g. to support YubiKeys in TUF-on-CI.