Add support for static (not extracted under wrap) PKCS#11 keys
This is the simplest case of using an HSM: it doesn't cover generating
keys in the HSM, just manually registering keys that have been generated
separately. However, this is enough for parity with dak's code-signing
tool. To use this, the signing machine will need to have the necessary
PKCS#11 module installed (e.g. yubihsm-pkcs11) plus any supporting
software needed to use the hardware device (e.g. yubihsm-connector).
I'd previously tried to lay out the pydantic model for Key.private_key
in a way that would be compatible with future use of a discriminated
union, but while writing this I discovered that I'd got it wrong. As a
result, this commit includes a migration to change the layout of any
existing keys in the signing database.