solana-web3.js

[experimental] Validate that the public key generated from `createKeyPairFromBytes()` belongs to the private key

Open steveluscher opened this issue 3 months ago • 0 comments

Motivation

Presently, when you pass 64 bytes of key material to `createKeyPairFromBytes()`, we don't validate that the public key part of the key pair actually belongs to the private key.

Signing a message using a public key other than that which belongs to the private key can result in a leak of the private key bytes to someone.

This is generally not a problem with our APIs because they only take the private key and message as an argument, and derive the public key internally; the worst thing that can happen is for verification of the resulting message to fail because you're holding a public key that doesn't correspond to the private key you signed the message with.

Someone who uses a mismatching key pair from `createKeyPairFromBytes()` with other code, though, could end up in the scenario described above.

Details

  1. Throw unless the public key and private key produced by `createKeyPairFromBytes()` form a pair. Since there's no API in SubtleCrypto to derive an Ed25519 public key from a private key, the best we can do here is to sign a message with the private key and ensure that it verifies with the public key.
  2. Offer a `createKeyPairFromBytes_DANGEROUSLY_SKIP_VALIDATION()` method that performs no validation.

steveluscher, Mar 12 '24 02:03