trezor-firmware
Improve device authentication via trezorctl
Currently, trezorctl device authenticate will just spit out some hashes and raw certificates at you.
Ideally, it should also validate that everything goes well together with everything else. We even have code to do it: https://github.com/trezor/trezor-firmware/commit/1db2a424b8918289b921b8c31aa4c4c165b76896
The problem that needs to be solved here is what to do about the cryptography dependency, which is rather heavy for just this one feature. Maybe we can detect it and ask the user to install manually if missing?
As a start, we might want to implement this as a separate script in the tools/ directory, so that power users can run it.
Another issue we should resolve is synchronisation with Suite side whitelist/blacklist for known public keys. With the naive implementation, if we revoke a signing key, the device will still pass authentication with Trezor.
My 2 cents:
Let's wrap the code added in 1db2a42 into:
try:
    from cryptography import x509
    ...
except ImportError:
    click.echo("Certificate validation skipped, because cryptography module is not installed.")
And add cryptography as an optional dependency.
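
An added example (not code from trezor-firmware or from commit 1db2a42) that combines the optional `cryptography` import suggested above with the revoked-key concern from the issue: a signer key on a denylist fails the check even though its signature still verifies. The function names, result strings, and the denylist format (SHA-256 of the signer's DER public key) are assumptions; only the signature and the denylist are checked, not validity dates or the device's challenge response.

```python
import datetime
import hashlib

try:  # optional dependency: absence must yield "skipped", never a pass
    from cryptography import x509
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    from cryptography.x509.oid import NameOID
    HAVE_CRYPTOGRAPHY = True
except ImportError:
    HAVE_CRYPTOGRAPHY = False


def key_id(public_key):
    """SHA-256 of the DER SubjectPublicKeyInfo (assumed denylist entry format)."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()


def check_device_cert(device_der, ca_der, revoked_key_ids):
    """Return 'skipped', 'revoked', 'invalid' or 'ok' for a two-certificate chain."""
    if not HAVE_CRYPTOGRAPHY:
        return "skipped"  # caller should report "not verified" to the user
    device = x509.load_der_x509_certificate(device_der)
    ca = x509.load_der_x509_certificate(ca_der)
    # Denylist first: a revoked signing key still produces valid signatures.
    if key_id(ca.public_key()) in revoked_key_ids:
        return "revoked"
    try:
        ca.public_key().verify(device.signature, device.tbs_certificate_bytes,
                               ec.ECDSA(device.signature_hash_algorithm))
    except Exception:  # fail closed: bad signature or unexpected key type
        return "invalid"
    return "ok"


def make_cert(subject, issuer, subject_key, issuer_key):
    """Constructed sample data: a minimal certificate, returned as DER bytes."""
    now = datetime.datetime(2024, 1, 1)
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder()
               .subject_name(name(subject)).issuer_name(name(issuer))
               .public_key(subject_key.public_key()).serial_number(1)
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650)))
    cert = builder.sign(issuer_key, hashes.SHA256())
    return cert.public_bytes(serialization.Encoding.DER)
```
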