feat: add PrincipalId and ic_pem_identity crate

[hansl]

Sign messages and allow for PEM files to be read and used to sign.

In order to reduce dependencies, MessageWithSender and SignedMessage
now are not generics.

Notes

This PR actually does not work because the replica isn't up to spec. But it can serve as a starting point once the replica is fixed.

[eftychis]

Notes to discuss:

1. We place the code that touches keys all around. If we want to do a review, we can't focus on one or two places.
2. We don't always sign or authenticate. We can not go back to the replica and say, remove those Optionals and start enforcing that validation functionality. Also, our main path is the non-default option. (Although I do see an Id.pem created locally?)
3. Everything seems focused around PEM files. Users pass a PEM key file, right? Won't the average user just generate the file and store inside the project directory, which is a git repo? Also as it is passed, we will have to ask for a passphrase, as the next step would be to support encrypted key files as the default. I am not sure how to make this painless for the user, as the argument is the key (the path, but you get the idea), not a profile id or something along those lines.
4. Changes related to user identity now have to be spread all around dfx. I am not sure e.g. how to keep them focused, or how to provide the same functionality to e.g. rust-sdk or similar efforts. It is already bad enough we have to write this code twice, but the browser was always a special snowflake case.

Other notes (to self mainly): When receiving a key file we usually validate it on the spot as containing the right curve etc.

P.S. I would prefer we do not block ourselves or code on the replica behaviour. Adding more blockers does not help.

[eftychis]

P.S. Thank you for the time you took to share this example, Hans, with your thoughts!

[eftychis]

Hmm, also the principal should only be constructible by the signer -- hence placing it internally originally. The agent similarly to the handler see it as a Blob.

[hansl]

also the principal should only be constructible by the signer

I don't agree with that. They are blobs, so they can be constructed by anyone. They're also part of the public spec so they should be in ic_http_agent.

VALID principal IDs should be constructible by either the signer or the public API (e.g. when you get one from IDL). But the type itself should still be part of the crate responsible for exchanging with the replica. It's an agent type.

[hansl]

Let me take some time to answer your points;

We place the code that touches keys all around.

Keys are touched only in the ic_pem_identity crate. If you are talking about the PrincipalId type it's an API type and should be put with the rest of the API (like RequestId and Blob). We don't touch keys in there (but there is an argument named key which comes from the spec).

We don't always sign or authenticate.

That's fine for this PR. Stay focused. We can add this PR, which took me 3 hours, then add error messaging for users in another PR if they don't use identity, then add the dfx.json configuration for identity, then make identity mandatory. That's 5 PRs that should be spaced on 2 releases (we probably want to tell the user identity will be required).

Right now we have none of that, not even in an optional manner.

Users pass a PEM key file, right? Won't the average user just generate the file and store inside the project directory, which is a git repo?

We can change that code later, and have the PEM in the global ~/.cache/dfinity folder. We can have dfx id create and such. But we don't have to have that now.

we will have to ask for a passphrase

A prompt can be added later.

support encrypted key files as the default

Not default. If SSH does not have that as default, I think we'll be fine.

Changes related to user identity now have to be spread all around dfx.

There are 2 files changed: the argument which is part of all canister commands (and honestly that's all we need), and generating a new key which is in the new command. The environment changes are for allowing overloading the signer.

[eftychis]

support encrypted key files as the default
Not default. If SSH does not have that as default, I think we'll be fine.

It is actually. You get prompted for a passphrase. You can pick it to be empty, but I hope we don't promote that.

[eftychis]

We can change that code later, and have the PEM in the global ~/.cache/dfinity folder. We can have dfx id create and such. But we don't have to have that now.

I agree. I do that in #438 though. Can you look?