feat: HSM auth - c8y connection init & built in bridge

[Bravo555]

TODO

• add documentation wrote a reference doc and the draft of a user guide, subject to change because details related to the UNIX socket setup are still being hashed out
• resolve current hacks and workarounds in places where we assume private key always comes from a file there were some hacks but they're now removed
• Add new cargo feature called "cryptoki" where all of the dependencies related to the cryptoki are hidden below it (and the feature is not activated by default). Configuration can be marked as hidden until configuration names are agreed upon

Follow-up items

• return a config error before connecting (i.e. at the config parsing stage) if device.cryptoki.enable is true, but module path is not set
• include the HSM configuration in the tedge connect summary
• refactor TLS configuration setup 2c27e33
• upstream libloading musl patch
• extend support to aws and azure clouds
• testing: use softHSM for mocking HSMs and testing of the signing flow

Proposed changes

Allow the use of Hardware Security Modules for MQTT client authentication when using c8y cloud.

We add the following config settings:

     device.cryptoki.enable  Use a Hardware Security Module for authenticating the MQTT connection with the cloud.  When set to true, `key_path` option is ignored as PKCS#11 module is used for signing. 
                             Examples: true, false
device.cryptoki.module_path  A path to the PKCS#11 module used for interaction with the HSM. 
                             Example: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        device.cryptoki.pin  Pin value for logging into the HSM. 
                             Example: 123456
     device.cryptoki.serial  A serial number of a Personal Identity Verification (PIV) device to be used.  Necessary if two or more modules are connected. 
                             Example: 123456789

which are then used for configuring HSM authentication parameters.

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3363

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[codecov]

Codecov Report

Attention: Patch coverage is 13.34792% with 396 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...n/certificate/src/parse_root_certificate/pkcs11.rs	0.00%	243 Missing ⚠️
...g/src/tedge_config_cli/tedge_config/mqtt_config.rs	14.01%	90 Missing and 2 partials ⚠️
...mmon/certificate/src/parse_root_certificate/mod.rs	21.21%	25 Missing and 1 partial ⚠️
crates/core/tedge/src/cli/connect/command.rs	0.00%	20 Missing ⚠️
crates/core/tedge_mapper/src/c8y/mapper.rs	0.00%	7 Missing ⚠️
.../tedge_config/src/tedge_config_cli/tedge_config.rs	79.16%	0 Missing and 5 partials ⚠️
...ore/tedge/src/cli/connect/c8y_direct_connection.rs	0.00%	3 Missing ⚠️

Additional details and impacted files

📢 Thoughts on this report? Let us know!

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
583	0	3	583	100	1h38m56.929774999s

[reubenmiller]

@Bravo555 We need to check the naming of the device.cryptoki.* settings, and get a clear idea on how to configure multiple cloud connection which use different certificates.

Some thoughts on the subject:

• Enforcing the usage of the HSM for all cloud profiles might be worth while so that if it is used for cloud A, that people don't forget to use it for cloud B.
• Support configuring different certificate serial numbers per cloud profile (as we already support using independent cloud certificates so we should support the same thing when using a HSM)

[didier-wenzek]

Now that PKCS#11 support is behind a feature, I see no blockers to merge this PR.

It would be good to fix the many TODO(marcel) added along this work. And to remove dead code.

[reubenmiller]

Approved.

I've tested the latest changes using a Yubikey 5C and inside a container (using p11-kit server to setup a unix socket which is passed into the container)..the test was done using https://github.com/reubenmiller/hsm-research/tree/main/tedge.

Overall a nice addition to lay the groundwork for the next phase of implementation.

[didier-wenzek]

Approved. Thank you for taking on this PKCS#11 integration challenge. A first step but a decisive one.

[Bravo555]

failed due to flaky test #3399; retrying merge