Drop pyOpenSSL dependency

[kislyuk]

SignXML uses two major bits of pyOpenSSL functionality:

• X.509 parsing
• Certificate chain validation

I've identified two strategies so far:

• Get Add x509 Certificate Validation pyca/cryptography#2381 resolved
• Use https://github.com/wbond/certvalidator / https://github.com/wbond/oscrypto (for consistency, this would prompt a wholesale switch from cryptography+pyopenssl to certvalidator/oscrypto, which may bring other advantages including better platform compatibility)

[kislyuk]

For additional context see: wbond/certvalidator#33 (comment)

[kislyuk]

wbond/certvalidator is unmaintained and we will only be using it as inspiration. However there has been some movement on cryptography: the verify_directly_issued_by() API will be released in cryptography 40.0. So the path to retiring pyOpenSSL looks like this:

• Replace pyOpenSSL.crypto.verify() with cryptography's X509 public key loader (this will also allow us to support ed25519 keys Support keys with ED25519 algorithm #216) WIP #218
• Replace signxml.util.verify_x509_cert_chain() with a mixin (or separate library, since our sister library tsp-client needs the same functionality) that can build a chain using verify_directly_issued_by and verify point-in-time validity and extensions using an API inspired by certvalidator.context.ValidationContext. The logic here would have to be inspired by a close reading of certvalidator code and any code referenced by Add x509 Certificate Validation pyca/cryptography#2381.