Add PKCS11 interface for HSM integration into DNSSEC ownership proof signing

[pinheadmz]

Closes #29

This PR enables ICANN TLD holders to claim their reserved names on Handshake by signing offline with an HSM. This was an explicit ask by such an interested party that keeps their DNSSEC keys on a hardware signing module that has a PKCS#11 interface. They can not use their production system to sign arbitrary TXT records like Handshake requires, so we need to offer them custom software that still works with their hardware.

Unfortunately this required adding a dependency: https://github.com/PeculiarVentures/pkcs11js
This library could be vendored, but it also contains native code because the PKCS11 interface is literally a C header file. HSM manufacturers provide this library file to their customers who pass it directly into their software clients like OpenDNSSEC and now also, bns-prove ;-)

Great docs about the standard: https://www.cryptsoft.com/pkcs11doc/v230/
I used this HSM emulator with PKCS11 support for testing: https://github.com/opendnssec/SoftHSMv2
The test suite in this PR will skip automatically if it is not installed (it expects the pkcs11 interface library to exist at /usr/local/lib/softhsm/libsofthsm2.so).

I added an extra doc PROVE.md explaining all the bns-prove options, and linked to it from the main README.

I have a few test names reserved in a hard-fork of hsd that I've been using to integrate claims in Bob Wallet. The test for this PR actually reads that ZSK private key from a file and inserts it into the SoftHSM database as a PKCS11 token. After running the test once, I successfully claimed the name on regtest using the command-line utility:

$ bns-prove --hsm-module /usr/local/lib/softhsm/libsofthsm2.so --hsm-slot 1966884096 --hsm-pin 1234 hns-claim-test-2.xyz hns-regtest:aakgpzi7wgivq75qmq377rraojtj6curztl73wcpn2r62zx3tjtl3ry56orj
wonppjdru3p2uirlbyglvvtcepoqbhdacaaaadaytgy6


;; DNSSEC OWNERSHIP PROOF: HNS-CLAIM-TEST-2.XYZ.
;; SIZE: 4024

;;
;; ZONE: .
;;
; KEYS:
. 172800 IN DNSKEY 256 3 8 AwEAAa+HvD7XXjmL+1htThUQyZW7oWGnjzKHJASg3TSR5Bmu5LfnSVW7 fxqZa2oAYo2ionIQWyqAj/loApzg8GNMhyIibftPJso54uWRQ2GaoMrw LD5SLu676kf7urJq6nqdjNC0aJM/C888li69lVH6tiu2tZm1NH3cmgfn MUJpD60bsrDUqs7XwftmNkdkHa4ltQbM3UNPyfTaNBQYoH3wpOpSjdk3 tyDRnreBO6Idrw+DGf/rve4sL3qiSaXfYIkcwAwozxR34iHU5dbCDs8S 6FmZYhoSVKVgNSUkudxhd9/6RrZkYRgvwRsQXl3UwsacU1DsXcORqIC+ 7NlQ6M2OJVU=  ; ZSK ; alg = RSASHA256 ; bits = 2048,17 ; key id = 14631
. 172800 IN DNSKEY 256 3 8 AwEAAbDEyqdwu2fqAwinPCFwALUCWfYYaLrNhnOrMxDorLBYMipEE1bt lK1XnigTRMeb0YQ8/LCopb3CN73hYDhCHFsNk+GtukBB+gWLcg+2FZXb hLXIheQm8x2VfOHy2yYQG+18wjx3HY9Mj/ZEhXbZNrDMvpFKKVihWXa0 /cHNg4ZcIHD9KkMlKzK+my1K/vz8fq5cFCFOu7wgM+kKbOikdcRBm7Uf /wRXZItFg2uhUijUb56gEN8uCUgmuEw6wQ5ZBuR7UT/FLyyAUeAH87ox F4im2DXK6J+JA7IAs2UHJ16uTqvdserUU8NIosislaXIZCvz+NTDb3SJ cxs6bvCikeU=  ; ZSK ; alg = RSASHA256 ; bits = 2048,17 ; key id = 26838
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=  ; KSK ; alg = RSASHA256 ; bits = 2048,17 ; key id = 20326
. 172800 IN RRSIG DNSKEY 8 0 172800 20210711000000 20210620000000 20326 . p4bhRuhJ9zT91zJ4ihVX7VE4RIRdVOl/NfT2pJkvb28rWsYFdRV03RpU d5WU9T/n2XkpzQsEnWl9FrGpyXjy5Q3Ya2rIgXiLhp4Hn+qASkN/U4Qs G9fO9AoMiYQDJxBi41HxSIKEVcb5tZp9ybmobFyK52m3X+a2Q2wpcLFY 3JFho+ymZh5YjDEMShTpFWcHLboO7/gk5H6Lcmp9ENz90LISBhXPbH0F IX0X/1Z/2hOhkpb2InQ344ko0k+YqmH422lB9Josk8nkheYzRCzqdxpm OhNql0pjB3ojjrV6detLUklCOS1vNZZDW7D+BJ5ivg3SlNyjrz0P5/ta uugylg==  ; alg = RSASHA256

; REFERRAL:
xyz. 86400 IN DS 3599 8 1 3FA3B264F45DB5F38BEDEAF1A88B76AA318C2C7F  ; alg = RSASHA256 ; hash = SHA1
xyz. 86400 IN DS 3599 8 2 B9733869BC84C86BB59D102BA5DA6B27B2088552332A39DCD54BC4E8 D66B0499  ; alg = RSASHA256 ; hash = SHA256
xyz. 86400 IN RRSIG DS 8 1 86400 20210707200000 20210624190000 14631 . AYqmwE0+4oMOGy77IbxvkToRiqrEB4z2IKPmxifNGT8l6OAuFpqnh7ot OneJmyd9VrEh/bdRHotePyyhfY6bOUZ3x23s9keJC32fWXS+K4oeQguc UqVaSWMZVpqKVIz173KlWT60f/cyOIypIOiSiTZ8hPVIyB8RnddU+aog N1YzosXA8zDL1R50lgA3bev1Xb15gaMy3Bt2/UZDJEd6+Zo1khE1ZtRx aTq7o88aVLFQoaRxaizRTGOSoUCKR8DmhNsEZJ1Dc7L99fPz3Kq8mDTI EPMgSu7W5MPO6fJmHimUTnT1EmJAP0M56PzKmHcCqac1ssdbmvdUdu8j 2sX0mA==  ; alg = RSASHA256

;;
;; ZONE: XYZ.
;;
; KEYS:
xyz. 3600 IN DNSKEY 256 3 8 AwEAAbap4DnxAjCv7xmSs+sutlIWGKniqRcEUazqcDDFUjCDDHwl43Cr g5VVtn+twpjFHsZK+tW5wkl042QJ2sEuUTA1oYaYNDclrgmWkr4crw4q 2CCga2eVBta8K277N4MkK+HtxBAXDyzErX8J0VXLJ2K/oRdsF7M0M0R7 ZBgvcGln  ; ZSK ; alg = RSASHA256 ; bits = 1024,17 ; key id = 30910
xyz. 3600 IN DNSKEY 256 3 8 AwEAAen35rB3DGMEx5HS8smsDEgk28hHfmJzJxwYp8D7YWeDbJHEaHR5 LbxuWUToxJ8gA8FSzf2xRKwnUB9YPm7LXn/7e6UWQHutF1kONVk/6GH1 Nla7SZPG10CRXgOTkpIl961mW5EVRZQpZkm4IknPoZFqP8Cu1xG+j5tO ePnKIAwh  ; ZSK ; alg = RSASHA256 ; bits = 1024,17 ; key id = 50428
xyz. 3600 IN DNSKEY 257 3 8 AwEAAbYRTzkgLg4oxcFb/+oFQMvluEut45siTtLiNL7t5Fim/ZnYhkxa l6TiCUywnfgiycJyneNmtC/3eoTcz5dlrlRB5dwDehcqiZoFiqjaXGHc ykHGFBDynD0/sRcEAQL+bLMv2qA+o2L7pDPHbCGJVXlUq57oTWfS4esb GDIa+1Bs8gDVMGUZcbRmeeKkc/MH2Oq1ApE5EKjH0ZRvYWS6afsWyvlX D2NXDthS5LltVKqqjhi6dy2O02stOt41z1qwfRlU89b3HXfDghlJ/L33 DE+OcTyK0yRJ+ay4WpBgQJL8GDFKz1hnR2lOjYXLttJD7aHfcYyVO6zY sx2aeHI0OYM=  ; KSK ; alg = RSASHA256 ; bits = 2048,17 ; key id = 3599
xyz. 3600 IN RRSIG DNSKEY 8 1 3600 20210708115756 20210608152128 3599 xyz. GzN/nHkGerqIMX5rgeCQuUG3pQ+cUUIMNTG0RYB/oW384HOIa8vxJTA0 Y/51cW7TSQtECVImaghIuq8Gr+pz6pdrzvchVFtIXFWIkg1YOjioBBiu nyMLWzDw4L+Z5e5XhSZJ3Rmg0IQloTKhIPIDYlhs9zjN91n7lf71q0gG FNoOcfOB4wtlh8xa9PxXUedeSHLZwvOcRweMA7TAAK3la/X+fN1yNXmg 4nLYjKQe4BkD/VJJTr+hoB40oOi+fBpt/xf6tMwg7nIfWRoISJ2CE4Zj QaLZjKuKP4JHb+/+jtanK6xjGnmoCLDE/qeIpyAPJXOE3/RZIiVGxXq+ c7aVlg==  ; alg = RSASHA256

; REFERRAL:
hns-claim-test-2.xyz. 3600 IN DS 63856 8 2 B480B51523DB84F1FFCC504FDE63571F9555FF971EF5BF2A4312A338 772792C0  ; alg = RSASHA256 ; hash = SHA256
hns-claim-test-2.xyz. 3600 IN RRSIG DS 8 2 3600 20210708193033 20210608152128 50428 xyz. 579ciVtUjA75jlcHmGtx7n8ZTybJ9TNXadHKpoYgadXQZNcclVIyOpnP babShDWi1rJXLRwJulcc1mkPZOiZ7t+ovgxsE1CfhNi7DZLyEF4Nk9Ma iy0YLDDX3NIab760mSigoDk6Spk3yciSY2Qp7zERUPvhCQ9vVHLzu8Mu Xy8=  ; alg = RSASHA256

;;
;; ZONE: HNS-CLAIM-TEST-2.XYZ.
;;
; KEYS:
hns-claim-test-2.xyz. 6000 IN DNSKEY 256 3 8 AwEAAajlSXDyWWwg4GXJQooLw/Cegsy5V6OHrU18nP64vw6MnxACu5CU obkMyh95gpB6drNBlDDVYtnryobToMfLUbA2ABwWs/Xgnxf+89ue31XI U2vxzhF6oHCRzLIEi7q9YmgljAVEd43mxJpEJ9hzUL70DvrV0+uSiL0D 2zICkjQxVMjirTG51LVBOGz9f9n2MgQphEx9W+n6Pj6UsLfOBGEq0l6K TFYfdGbNAhpdPSza39xv83cji2NMMpxDDBDymJ8p4E2FoUDhrbopgs+Z 6qlILodfQG8nNdcLP+ZGwccQWTNCLBi5lSaMjOg+eoLq/8jV8RWrlAUu GFmTbu+Rixk=  ; ZSK ; alg = RSASHA256 ; bits = 2048,17 ; key id = 27259
hns-claim-test-2.xyz. 6000 IN DNSKEY 257 3 8 AwEAAd334XDnsXiofaipnUTULW5CW4VZlWzNKXDzQKsaCyFQEd28I9Xx /gR4H29Bhn1UZyeEi6Q6nkCPml5IKTLzj3NWeuCsmfr1PDiPPt3ZAXor ULFMui81j5WcS16DdzjKTOnproqOOLmiCcKlROkLaxCSMANh0JdwTKfT AgP9VnXjkAoUc8v7XSPKt0q5GBE5EqIhdZletH/lURkaPSdQKRHa/D/V GLt1dEKZl5nu3uZ/AwkOM3CPpvERZQNuXXuuJhgvsgM7yfqu3188MHuH rTRln3ambhZLTYNgr4sU5FyRYnd4sXmoponKQ49kVJzL1iFUMvybmaqU 5J5Lx7AQ8mM=  ; KSK ; alg = RSASHA256 ; bits = 2048,17 ; key id = 63856
hns-claim-test-2.xyz. 6000 IN RRSIG DNSKEY 8 2 6000 20220601000000 20210625170437 63856 hns-claim-test-2.xyz. NlE1g/qKlKfjFjNYdg0Em6E1/dhUqfsWQmZWswEl+NYqUzTmwxTsdYD0 cmhjOR5tWZ+pO2MLOwQZCsIixuL6rVndrSLXEpZK4b+2VRKf2Z+HbDxZ smgT67kTgI5wSuNxhb1eok1uFIEWD7F0LnOk0y42wV2X13srkkIWMumX 5TBtMbnOhI322WEXqdPpRedWSRX0CNqrIXhU2+fAvCf7GqIbF1pyNBH1 AohehxhmzRswrqnMGqgxG6eCrdg0xh35T0vHwk4aPpsWOlP9CA0+xHR4 GLod4jXeWyge6kiI9wuAOJZTdOMmAVy1xAYZmsUWIz5ruF07+ijx9l/2 B0AKcQ==  ; alg = RSASHA256

; CLAIM:
hns-claim-test-2.xyz. 3600 IN TXT "hns-regtest:aakgpzi7wgivq75qmq377rraojtj6curztl73wcpn2r62zx3tjtl3ry56orjwonppjdru3p2uirlbyglvvtcepoqbhdacaaaadaytgy6"
hns-claim-test-2.xyz. 6000 IN RRSIG TXT 8 2 3600 20220625194354 20210624194354 27259 hns-claim-test-2.xyz. Oy0WvZNQR+uODxFMJI12stzHTDGk8BknuTg87qxuNrcwyHIzuU9pBzW1 utMf1lVHk5PiUahPXQnEnjx3u3/Q5l7PtUYVUU3TrZAdHLNIOD0WYO/o fgLnK4UW29fo9DPNA8VBektJ4tax/BE+wUwxHF7cH+apQsQhjbF8Bvl9 swQy47olC3sQk2rSUqy4PwA9wOPfRcLXWIF5ur5pjvk71cblX3mrzy/X rsBkyaE+Jo85PN55XUV6zbaEP1CQRfDLCXvpmhLHrv5tH5LwqNXzDdBM +xB9qsXbtBVFPRMVZqQAPNKUEZip/sJU2JZCahjjGPasUceOrqPy5Z1z RwnpPw==  ; alg = RSASHA256

[Anunayj]

Any specific reason to have the inception time a day before?

[pinheadmz]

This is how we do it in bns dnssec.sign() as well: https://github.com/chjj/bns/blob/master/lib/dnssec.js#L191

My guess is, its just to ensure that when you deploy there will be very few machines on earth that think the timestamp is invalid. This is especially true for blockchains which have a weird concept of "now".