Allow root to create sub-certificates in x509 #58

zanebeckwith opened this issue Sep 24, 2018 · 2 comments

Comments

@zanebeckwith
Collaborator

We should expand the functionality of the build_x509_skeleton function (and the various wrappers of it) to allow non-self-signed certificates to be created.

This should only require:

  • Make build_x509_skeleton take two common_name_as_string parameters, one for the subject of the certificate and one for the signer (see the build_tbs_certificate function for where those two uses occur).
  • xtt_x509_from_ecdsap256_keypair can remain the same, but renaming it and its parameters might make things clearer (e.g. the public key and the private key aren't necessarily linked). Or perhaps keeping it (with just one common name input, to be used for self-signed certs) but making a clone that's renamed and has differently-named parameters.
    • A similar renaming/cloning for the tool
@drbild
Contributor

drbild commented Sep 28, 2018

@zanebeckwith Could you explain why this change is needed / how it will be used?

I'm not disagreeing with expansion --- just want the implementor to know where/how it will be used.

@zanebeckwith
Collaborator Author

Sorry for the delay responding to this.

The intention here is to allow someone to stand up an XTT server deployment using just XTT (i.e. not requiring openssl for the creation of the server sub-certificates).

So a user could use XTT tools to not only generate a keypair and x509 and XTT certs for the root, but also do the same for any servers.
