Changing signature schemes without rotating the keys

[danixeee]

Description of issue or feature request:

This PR added support for using pkcs#1v1.5 signature scheme for RSA keys.

Key-id represents a hash of keytype, key_value and scheme values (def _get_keyid) which now allows us to use one same key with multiple signature schemes.

If we just want to change signature schemes we need to do a key rotation (although private keys didn't change), which can be tricky in some cases.

For e.g. (rotating a root keys - changing schemes)

We have 3 root keys with scheme rsassa-pss-sha256:

• 123
• 456
• 789

Now we need to add same keys with different scheme rsa-pkcs1v15-sha256:

• 321
• 654
• 987

NOTE: Key id 123 and 321 both have the same private key!

If root threshold is set to 2 (num of keys - 1), someone will be able to use just one key and to sign metadata file twice (with different schemes) with that key. Increasing a threshold to 3 solves this problem, but should we add a feature to change signature schemes without rotating the keys?

Does scheme value still make sense to be used when calculating key-id hash?

[lukpueh]

The current implementation:

1. does not require or check canonical keyids (although it still uses them via securesystemslib key creation and import interfaces)
2. checks signature thresholds based on unique keyids only (see @jku's 48b58d9)

This means keyids no longer depend on the used signature scheme and metadata owners are responsible to choose the keyid<->key mappings such that thresholds can not be subverted.

---

For context, while both items above go against the current spec...

(wrt 1)

Clients MUST calculate each KEYID to verify this [the canonical form] is correct for the associated key

(wrt 2)

Clients MUST ensure that for any KEYID represented in this key list and in other files, only one unique key has that KEYID

... this strategy does align with the general direction of the spec (see the recently accepted TAP 12).