nebula
add PKCS11 support
Adds PKCS11 support for the P256 curve. It could probably be generalized for curve 25519 as well, but this is what our HSMs support, and therefore what I could easily test.
I've tested very thoroughly against the difficult-to-obtain Microchip TA100, and did a quick verification with a Yubikey 5C.
Here are some quick examples of how this change can be exercised on a TA100. I'll follow up with Yubikey instructions when time permits:
This change requires building with CGO, so here's the exact invocation we used (adjust as needed for your target architecture of course):
```sh
CC=aarch64-linux-gnu-gcc CGO_ENABLED=1 GOARCH=arm64 go build -buildvcs=false -ldflags="${LDFLAGS}" -o nebula.arm64.${COMMIT_HASH} ./cmd/nebula
CC=aarch64-linux-gnu-gcc CGO_ENABLED=1 GOARCH=arm64 go build -buildvcs=false -ldflags="${LDFLAGS}" -o nebula-cert.arm64.${COMMIT_HASH} ./cmd/nebula-cert
```
Unfortunately static linking with musl doesn't work, because musl doesn't implement dlopen for statically-linked binaries. :disappointed:
```sh
./nebula-cert keygen -out-pub test.pem -pkcs11 'pkcs11:slot-id=0;object=device;token=00ABC;type=private?module-path=/tmp/libcryptoauth.so'
```
A config file's pki section would look like this:

```yaml
pki:
  ca: /path/to/ca.pem
  cert: /path/to/cert.pem
  key: 'pkcs11:slot-id=0;object=device;token=00ABC;type=private?module-path=/tmp/libcryptoauth.so'
```
Please let me know what you think! I'm very open to making adjustments to make this fit in better with the existing code.
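As an added example (not part of this PR or of the nebula code base), here is a small Go parser that validates a key URI of the shape used in the keygen command and the pki config above before anything is handed to a PKCS#11 module: it splits path and query attributes, percent-decodes values, and rejects URIs that do not name a private-key object and a module path. The type and function names are my own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Pkcs11Key: what a config loader needs to reach a key via PKCS#11 (illustrative, not nebula's type).
type Pkcs11Key struct {
	SlotID, Token, Object, Type, ModulePath string
}

// parsePkcs11URI parses an RFC 7512 style URI: ';'-separated path attributes,
// '&'-separated query attributes, percent-encoded values. It rejects URIs that
// do not name a private-key object and a module path.
func parsePkcs11URI(uri string) (*Pkcs11Key, error) {
	if !strings.HasPrefix(uri, "pkcs11:") {
		return nil, errors.New("not a pkcs11: URI")
	}
	pathPart, queryPart, _ := strings.Cut(uri[len("pkcs11:"):], "?")
	attrs := map[string]string{}
	for _, seg := range []struct{ s, sep string }{{pathPart, ";"}, {queryPart, "&"}} {
		if seg.s == "" {
			continue
		}
		for _, kv := range strings.Split(seg.s, seg.sep) {
			k, v, found := strings.Cut(kv, "=")
			if !found || k == "" {
				return nil, fmt.Errorf("malformed attribute %q", kv)
			}
			dv, err := url.PathUnescape(v) // RFC 7512 uses %XX escapes, never '+'
			if err != nil {
				return nil, fmt.Errorf("attribute %q: %w", k, err)
			}
			attrs[k] = dv
		}
	}
	key := &Pkcs11Key{attrs["slot-id"], attrs["token"], attrs["object"], attrs["type"], attrs["module-path"]}
	if key.Object == "" || key.ModulePath == "" {
		return nil, errors.New("object and module-path are required")
	}
	if key.Type != "private" {
		return nil, fmt.Errorf("expected type=private, got %q", key.Type)
	}
	return key, nil
}

func main() {
	k, err := parsePkcs11URI("pkcs11:slot-id=0;object=device;token=00ABC;type=private?module-path=/tmp/libcryptoauth.so")
	fmt.Printf("%+v %v\n", k, err)
}
```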