…, and support in principle selecting which signer to use for which purpose. (#539)

- Add a dependency on the backoff crate for retry support.
- Add a dependency on the r2d2 crate for connection pooling support.
- Uses GitHub versions of the bcder and rpki crates for the DER Unsigned Integer support needed by the KMIP signer.
- Refactor signers to crypto::signers and replace the Dummy signer with a KMIP signer.
- Added a "hsmtest" job to the GitHub Actions CI workflow that runs all Krill tests using the KMIP signer against PyKMIP.
- Added a "hsm-tests" Cargo feature flag for configuring Krill to use ONLY KMIP as a signer, not OpenSSL at all.
  Currently building without the "hsm-tests" feature flag set will fail if the "hsm" feature flag is set.
  Krill isn't ready to be used in "hsm" mode yet.
- Changes SignerProvider to implement the Signer trait so that it can be passed to builders so that their invocation of a signer also goes via SignerProvider dispatching to the correct signer.

… the write lock while switching to using the server as part of finishing a successful probe.

…mplementation

…mplementation

… PyKMIP.

…er. Previously some Krill logic when invoked was given the same signer as handling the current purpose to invoke later even if for a different purpose. If the initial purpose required the KMIP signer as the key owning signer but the later purpose was one-off signing then that should be able to be routed if desired to the OpenSslSigner, for example. Introduces another layer of indirection: RouterSigner.

"router", not "dispatcher", and don't lock the entire SignerRouter for create/delete key operations.

…ner and from KeyIdentifier to Signer specific key id. Stores mapping using a new SignerInfo AggregateStore impl backed by a 'signers' subdirectory of the Krill data dir.. Krill can now be built with the `hsm` feature active without also requiring the `hsm-tests` feature to be active. Needs code cleanup and tests and docs.

… in HSM test usage mode (use the HSM as much as possible).

…r operation when using the PyKMIP signer instead of OpenSSL doesn't invoke refresh single too soon.

…asn't intended to securely guarantee that and other mechanisms for that exist such as TLS server certificate verification.

…der crypto::signing.

…crate version for new ItemNotFound suberror. Make the signer registration public key non-optional. Remove no longer used get_handle() signer fn. Deduplicate signers added to the pending set. Improvements to the binding process: bind by same name first, then try other signer store public keys; detect fatal failures and abort testing ready signers; detect key not found separately to other KMIP errors; cleanup the logic; don't panic if KMIP signer doesn't yet have a signer handle; just unwrap() locks consist with other Krill code.

… suberror code.

…of 0.6.0 so that Krill compiles.

…tinier RwLock around the signer handle held by each SignerProvider.

…nd() is an impl of a trait fn which is not supported.

I also cannot further modify KrillSigner fns to use the new Sign and SignWithKey rpki-rs traits as SignedObjectBuilder::finalize() needs a Signer that we don't want to pass to it and it cannot be replicated as it uses rpki-rs private internals.

…hsm-tests-pkcs11.

… to (a) drop the redundant Signer prefix in the variant name and (b) to indicate the duration/severity of the issue, particularly that Unavailable is a transient error as it is used to guide retry logic.

…rating random numbers to something non-KMIP specific as the concept also applies to other signers and this will make code across signers more consistent and more amenable to factoring out later.

…s what it does and for consistency across signers.

… for using some of the same logic/code in the PKCS#11 signer but without the pool. Hopefully later the common code can be factored out.

…tter.

…t KMIP code and prototype PKCS#11 code. Uses some of the ideas and code from the KMIP signer to prevent Krill startup blocking or failing if the PKCS#11 signer is unavailable or unusable and for retrying requests if the cause of failure appears to be transient. Also contains initial support for multiple active PKCS#11 signers using the same and/or different libraries (by filesystem path) unlike the prototype which could only load one library at a time. Configuration is hard-coded at present. Also unlike the prototype the Pkcs11Session type handles passing the session handle to the PKCS#11 library instead of requiring the caller to do so. Hopefully lots of code in common with KmipSigner can be factored out later.

- Log all Cryptoki calls at trace level and log all Cryptoki errors.
- Implement all Signer functionality except random number generation and key deletion.
- Wire up integration with the SignerMapper.
- Correct KMIP copy-pasted references that should say PKCS#11.
- Support locating theslot ID by label.
- Support reporting Cryptoki and token details.
- Support logging in (required to make many Cryptoki calls).

…reating the second Alice publisher and for any other tests needing two signer different configurations (as configuration is hard-coded at present). Disable the migrate repository test which fails for a similar reason. This is all caused by SoftHSMv2 not supporting more than one user or that one user to be logged in more than once at a time. Cargo test --features hsm,hsm-tests-pkcs11 passes with these temporary hacks.

- Rename temporary second_signer_hack flag to alternate_config flag. Document the reason for the flag.
- Added some code comments.
- Support login without user pin.
- Support token use without login.
- Include signer name in log messages.
- Dump full Cryptoki, slot and token info at trace level.

…be module with its own tests.

… Actions builds can compile.

…ort against SoftHSMv2.

… Actions builds can compile.

…ss_command() is an impl of a trait fn which is not supported."

This reverts commit 0bb4300.

…tory-objects' into issue-547-pkcs11-walking-skeleton

… other signer implementations.

… other signer implementations and remove unnecessary #[cfg(feature = "hsm")] guards.

…rcises registering and using it.

… to be more consistent with how other keys are stored by Krill.

…nal key id, and store the signer identity details more explicitly in the SignerInfo.

…initialized.

…y unavailable signer.

…CKR_ARGUMENTS_BAD` error from SoftHSMv2 when calling `C_Initialize()` in a `--release` build with SoftHSMv2 logging "pReserved must be set to NULL_PTR".

…mplementation

…ion' into hsm-persistent-signer-key-mappings

…on-of-rpki-rs-163-async-signing-of-repository-objects

…tory-objects' into issue-547-pkcs11-walking-skeleton