Fix/replace openssl shellout with aws lc rs

[jeremydosborn]

Issue: #627

gen-rsa-key was shelling out to the system openssl binary to generate RSA keys. When #825 migrated the crypto backend from ring to aws-lc-rs, this shell-out was not addressed — RSA key generation via aws-lc-rs may not have been available at the time.

This PR replaces the std::process::Command openssl shell-out with aws-lc-rs, which is already a dependency.

Changes:

• gen_rsa_key now uses aws_lc_rs::rsa::PrivateDecryptingKey for key generation
• --bits restricted to 2048, 3072, 4096 — other values return a clear error
• --exp retained for CLI compatibility but ignored if non-65537, with a warning
• Removes dead error variants CommandExec, CommandStatus, CommandUtf8
• Removes OpenSSL installation requirement from README
• Adds base64 = "0.22" as a new dependency for DER-to-PEM encoding
• Adds two new tests: gen_rsa_key_and_sign_root and gen_rsa_key_unsupported_size_fails

Testing: cargo test passes (full workspace).

Note: the snakeoil test fixtures in tests/data/ could be regenerated using the new code path to provide additional coverage, if the maintainers wish to do so in a follow-up.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[webern]

Yay 🎉

[jmt-lab]

LGTM

[bcressey]

Code changes look fine to me. Can you run cargo fmt? CI is failing for that reason.

[jeremydosborn]

Done

[yeazelm]

Thanks for the contribution @jeremydosborn !

[jeremydosborn]

Of course! Thanks everyone.

[sam-berning]

LGTM!