Enable signing and verifying using keys stored in Hashicorp Vault #307

Closed
joshuagl opened this issue Nov 26, 2020 · 4 comments · Fixed by #800
Labels: contribfest (Issues for KubeCon EU contribfest), enhancement

Comments

joshuagl (Collaborator) opened the issue Nov 26, 2020

Description of issue or feature request:

@trishankatdatadog did a preliminary implementation of Hashicorp Vault integration with the TUF reference implementation in theupdateframework/python-tuf#1060, but such functionality seems a better fit for securesystemslib. Particularly as having such functionality in securesystemslib would also make it more widely usable, such as by TUF's sibling project in-toto.

One model for implementing Vault support would be to mimic the patterns in the proposed securesystemslib PKCS11-based HSM interface in PR #229.

Current behavior:

Unable to sign or verify with keys stored in Vault.

Expected behavior:

Able to sign and verify with keys stored in Vault.

joshuagl changed the title from "Enable signing and verifying using keys kept in Hashicorp Vault" to "Enable signing and verifying using keys stored in Hashicorp Vault" on Nov 26, 2020
joshuagl (Collaborator, Author) commented

theupdateframework/python-tuf#1263 breaks down how to do this work with:

  1. an abstract signing interface in securesystemslib
  2. methods in python-tuf's new metadata API will take an optional object implementing this interface
  3. securesystemslib can grow multiple implementations of this interface, i.e. the securesystemslib/JSON format, GPG, HSM, and (to the point of this issue) Hashicorp Vault.

I believe @woodruffw plans to work on the Vault support once the first two items are complete.
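The three-step plan in the comment above (an abstract signing interface, callers that accept any object implementing it, and a Vault-backed implementation) is sketched below as an added example. This is not code from securesystemslib, python-tuf, or any of the PRs referenced in this thread; the class and method names (`Signer`, `VaultTransitSigner`, `FakeTransit`, `demo`) are assumptions. The request paths, the `X-Vault-Token` header, the base64 `input` field and the `vault:v1:` signature encoding follow the Vault Transit secrets engine's documented HTTP API; the in-process `FakeTransit` stands in for a real Vault server so the example runs offline, and it uses HMAC-SHA256 only as a stand-in for the asymmetric signing a real Transit key would do. The property the example demonstrates is the one the issue is after: the signer sends bytes out and gets a signature back, and the key bytes never leave the (fake) Vault.

```python
import abc
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

JsonDoc = dict
# A transport is anything that behaves like an HTTP client against Vault:
# (method, path, headers, json_body) -> (status_code, json_response).
Transport = Callable[[str, str, Dict[str, str], JsonDoc], Tuple[int, JsonDoc]]


@dataclass(frozen=True)
class Signature:
    keyid: str
    sig: str  # hex-encoded signature bytes, as signed metadata would carry them


class Signer(abc.ABC):
    """Abstract signing interface (assumed shape): bytes in, Signature out.
    No private key material is ever visible to callers of this interface."""

    @abc.abstractmethod
    def sign(self, payload: bytes) -> Signature:
        raise NotImplementedError


class VaultTransitSigner(Signer):
    """Signer backed by a named key in Vault's Transit engine. The transport is
    injected so the class can be exercised without a running Vault."""

    PREFIX = "vault:v1:"  # Transit prefixes signatures with the key version used

    def __init__(self, transport: Transport, token: str, key_name: str,
                 keyid: str, mount: str = "transit") -> None:
        self._transport = transport
        self._headers = {"X-Vault-Token": token}
        self._key_name = key_name
        self._keyid = keyid
        self._mount = mount

    def _call(self, op: str, body: JsonDoc) -> JsonDoc:
        path = f"/v1/{self._mount}/{op}/{self._key_name}"
        status, resp = self._transport("POST", path, self._headers, body)
        if status != 200:
            raise RuntimeError(f"Vault {op} failed: HTTP {status}: {resp}")
        return resp["data"]

    def sign(self, payload: bytes) -> Signature:
        # Transit takes the payload base64-encoded and answers "vault:v<n>:<base64>".
        data = self._call("sign", {"input": base64.b64encode(payload).decode()})
        encoded = data["signature"]
        if not encoded.startswith(self.PREFIX):
            raise ValueError(f"unexpected signature encoding: {encoded[:12]!r}")
        raw = base64.b64decode(encoded[len(self.PREFIX):])
        return Signature(self._keyid, raw.hex())

    def verify(self, payload: bytes, signature: Signature) -> bool:
        # Re-wrap the hex into Vault's own encoding and let Vault check it.
        encoded = self.PREFIX + base64.b64encode(bytes.fromhex(signature.sig)).decode()
        body = {"input": base64.b64encode(payload).decode(), "signature": encoded}
        return bool(self._call("verify", body)["valid"])


class FakeTransit:
    """Offline stand-in for the Transit engine: enforces the token, keeps key
    bytes to itself, and uses HMAC-SHA256 in place of asymmetric signing."""

    def __init__(self, token: str, keys: Dict[str, bytes]) -> None:
        self._token = token
        self._keys = keys

    def __call__(self, method: str, path: str, headers: Dict[str, str],
                 body: JsonDoc) -> Tuple[int, JsonDoc]:
        presented = headers.get("X-Vault-Token", "")
        if method != "POST" or not hmac.compare_digest(presented, self._token):
            return 403, {"errors": ["permission denied"]}
        parts = path.split("/")  # "", "v1", "transit", <op>, <key name>
        if len(parts) != 5 or parts[1:3] != ["v1", "transit"]:
            return 404, {"errors": ["unsupported path"]}
        op, key_name = parts[3], parts[4]
        key = self._keys.get(key_name)
        if key is None:
            return 400, {"errors": [f"encryption key not found: {key_name}"]}
        payload = base64.b64decode(body["input"])
        mac = base64.b64encode(hmac.new(key, payload, hashlib.sha256).digest()).decode()
        if op == "sign":
            return 200, {"data": {"signature": "vault:v1:" + mac}}
        if op == "verify":
            valid = hmac.compare_digest("vault:v1:" + mac, body.get("signature", ""))
            return 200, {"data": {"valid": valid}}
        return 404, {"errors": ["unsupported operation"]}


def demo() -> Dict[str, object]:
    # Constructed fixture: one Transit key named "tuf-root" behind token "s.example".
    vault = FakeTransit("s.example", {"tuf-root": b"\x01" * 32})
    signer = VaultTransitSigner(vault, "s.example", "tuf-root", keyid="root-key-1")
    payload = b'{"signed": {"_type": "root", "version": 1}}'
    sig = signer.sign(payload)
    tampered = payload.replace(b'"version": 1', b'"version": 2')
    results: Dict[str, object] = {
        "sig": sig,
        "valid": signer.verify(payload, sig),
        "tampered": signer.verify(tampered, sig),
    }
    intruder = VaultTransitSigner(vault, "wrong-token", "tuf-root", keyid="root-key-1")
    try:
        intruder.sign(payload)
        results["forbidden"] = False
    except RuntimeError:
        results["forbidden"] = True  # Vault refused: signing requires a valid token
    return results


if __name__ == "__main__":
    print(demo())
```

Because the only thing the signer needs is a transport, swapping `FakeTransit` for a real HTTP client pointed at `VAULT_ADDR` changes nothing in `VaultTransitSigner`; the caller (a metadata API in the sense of step 2 above) only ever sees the `Signer` interface and a `Signature`.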

joshuagl (Collaborator, Author) commented Apr 22, 2021

The first two items are complete. Abstract signing interface, Signer, is implemented in securesystemslib (#319) and tuf.api.metadata methods take an optional Signer (theupdateframework/python-tuf#1272).

d-niu commented Aug 23, 2021

Hi. D from Datadog here. Will start work on Vault support if that is still needed.

joshuagl (Collaborator, Author) commented

Work on the Vault support would be great, thanks @d-niu! Last I heard @woodruffw was planning to implement within warehouse, but AFAIK that work has not started yet. Even if the code did exist in warehouse, it would still be good to have it in securesystemslib so that more folks can make use of it.
