Rewrite x509 modules using cryptography (v2 with breaking changes)

[lkubb]

What does this PR do?

• Rewrites the x509 modules using cryptography instead of M2Crypto
• There are some breaking changes, so it has to be explicitly enabled in the minion config
• Addresses current bugs, especially the repeated signing of certificates during state checks
• Adds Elliptic Curve/Edwards Curve keys support
• Adds DER/PKCS7/PKCS12 serialization support (PKCS12/PKCS7 requires cryptography release 36/37)

• make sure subject does not override signing policies
• include tests for inherited functions
• polish the documentation a bit
• figure out why pylint is crashing on the state module -> AttributeError: 'ClassDef' object has no attribute 'value' pylint-dev/pylint#6366

Open questions for the reviewer

• Do I mark issues related to v1 as fixed and include those in the changelog? How do I submit feature requests for what is essentially a new module?
• Would it make more sense to not XOR v1 and v2, but simply deprecate v1? That would help justify the list of breaking changes (see the execution module docstring).
• Is it sensible to directly require cryptography [and increase the required version]? As far as I can tell, it is always part of Salt's indirect requirements (through pyopenssl).

What issues does this PR fix or reference?

Not sure if a breaking v2 counts as a fix, so not marking some of those as fixed for the time.

References:
Fixes: #59169
Fixes: #52167
Fixes: #58165
Fixes: #59315
Fixes: #63103
Fixes: #57535 (tested manually, works)
Fixes: #63248
Fixes: #63249
#63066 (would contribute to eventual fix)
#63085 (would contribute to eventual fix)

Previous Behavior

• repeatedly signs certificates only to check for changes, aggravated by [BUG] Test mode does not propagate to __states__ when using prereq #62590
• only RSA support
• no support for PKCS12
• generates invalid CSR by default (v3 does not exist for CSR, only certificates)
• reversed ordering of NameAttributes in encoded Distinguished Names (no spec, but consensus is wide to small scope, e.g. C>ST>L>O>OU>CN. This encoded ordering is reversed when output as a RFC4514 string [this is spec'd]).

New Behavior

• certificates are only signed when necessary, includes a workaround for prereq
• additionally support for ECDSA with SECP(256|384|521)R curve keys, EdDSA with ED25519 and ED448 schemes
• manages PKCS12-embedded keys and certificates
• generates valid CSR only (only v1 allowed)
• ordering of encoded NameAttributes from wide to small scope by default (can be overridden). Note: this will cause changes when a certificate/CSR from the previous module is introduced to this one

Merge requirements satisfied?

• Docs
• Changelog - https://docs.saltproject.io/en/master/topics/development/changelog.html
• Tests written/updated

Commits signed with GPG?

Yes

[whytewolf]

I like this. however it needs a bunch of changelogs. to reflect the changes this is bringing in. also might need to start working through decommissioning the old x509 in favor of this. not just the flag change but calling out that people should start moving over in the logs with a decommission version.

[lkubb]

From what you wrote, I deduce that I should treat this as the x509 module and mark the issues as fixed as well as write feature requests for the big features. Will update this PR soonish with changelog and deprecation.

[Ch3LL]

This will indeed get into 3006.0 :) Thanks for your quick follow up on this PR to get it over the line