theupdateframework / rust-tuf

Rust implementation of The Update Framework (TUF)
https://crates.io/crates/tuf
Apache License 2.0

ECDSA key support #408

Open tnytown opened 3 weeks ago

tnytown commented 3 weeks ago

Hey! Thanks for maintaining rust-tuf :) I'm trying this library out with the Sigstore TUF instance, evaluating if we can replace tough in our Sigstore client. One thing that I noticed is that it doesn't seem to accept Sigstore's root metadata, returning this error from Client::from_trusted_root:

metadata root signature threshold not met: 0/3:
TufError(MetadataMissingSignatures { role: MetadataPath("root"), number_of_valid_signatures: 0, threshold: 3 })

I dug a little deeper and this may be related to the fact that Sigstore uses ECDSA keys. From my quick skim of the codebase, ECDSA key deserialization and ecdsa-sha2-nistp256 signatures don't seem to be implemented. Are there any plans to support this key type?

erickt commented 3 weeks ago

Hello! That’s great you’re trying it out. I’d love to support the other key types, but we haven’t needed them on Fuchsia so there hasn’t been a driving force for it yet.

My plan to support them was actually to try to migrate rust-tuf over to a generic signature trait like https://docs.rs/signature/latest/signature/ where end users can bring their own crypto library. I don’t think it’d be particularly hard to do, I just haven’t had cycles to do it yet. Would you or your team be interested in helping out with it?

tnytown commented 3 weeks ago

Thanks for the quick response! Unfortunately, we (@trailofbits) are at the end of our current contract for sigstore-rs work. We'd be happy to work on this (and other Sigstore-related incompatibilities) when we get more funding, but that will probably take some time 😅 I just wanted to flag this issue for other users trying this library out with Sigstore.
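The failure reported above (0/3 valid signatures on Sigstore's root) and the bring-your-own-crypto design erickt sketches can both be illustrated with a small threshold-checking model. The code below is an added example, not rust-tuf's code and not the `signature` crate's API; the `Verifier` trait, `Registry`, `Outcome` and the toy tag scheme are all assumptions constructed for the example, and the keys and signatures are constructed data. It shows why a metadata file signed only with a key type the client has no verifier for ends up with zero countable signatures, and how registering a verifier for that key type (here `ecdsa-sha2-nistp256`) makes the same metadata pass its threshold.

```rust
use std::collections::{HashMap, HashSet};

/// Key type tags as they appear in TUF `keytype` fields (only the two
/// relevant to this thread are modelled; constructed example).
#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
pub enum KeyType {
    Ed25519,
    EcdsaSha2NistP256,
}

/// A signature attached to a metadata file: the signing keyid and the bytes.
pub struct Signature {
    pub keyid: String,
    pub sig: Vec<u8>,
}

/// A trusted key listed in the root role.
pub struct Key {
    pub keyid: String,
    pub keytype: KeyType,
    pub public: Vec<u8>,
}

/// Hypothetical stand-in for a bring-your-own-crypto verifier trait, in the
/// spirit of `signature::Verifier`. A real implementation would wrap an
/// ed25519 or p256 crate; this trait is an assumption of the example.
pub trait Verifier {
    fn verify(&self, public: &[u8], message: &[u8], sig: &[u8]) -> bool;
}

/// Result mirroring the error quoted in the issue: valid count vs threshold.
#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Verified,
    MissingSignatures { valid: usize, threshold: usize },
}

/// Verifiers keyed by key type. A key type with no registered verifier
/// cannot contribute a valid signature, which is exactly the 0/3 case.
pub struct Registry {
    verifiers: HashMap<KeyType, Box<dyn Verifier>>,
}

impl Registry {
    pub fn new() -> Self {
        Registry { verifiers: HashMap::new() }
    }

    pub fn register(&mut self, kt: KeyType, v: Box<dyn Verifier>) {
        self.verifiers.insert(kt, v);
    }

    /// Count distinct trusted keys with a valid signature and compare to the
    /// threshold. Unknown keyids, unsupported key types and bad signatures
    /// are all skipped rather than treated as fatal, as TUF requires.
    pub fn check_threshold(&self, keys: &[Key], sigs: &[Signature], message: &[u8], threshold: usize) -> Outcome {
        let mut valid_keyids: HashSet<&str> = HashSet::new();
        for sig in sigs {
            let key = match keys.iter().find(|k| k.keyid == sig.keyid) {
                Some(k) => k,
                None => continue, // signature from a key root does not trust
            };
            let verifier = match self.verifiers.get(&key.keytype) {
                Some(v) => v,
                None => continue, // no crypto backend for this key type
            };
            if verifier.verify(&key.public, message, &sig.sig) {
                valid_keyids.insert(key.keyid.as_str());
            }
        }
        let valid = valid_keyids.len();
        if valid >= threshold {
            Outcome::Verified
        } else {
            Outcome::MissingSignatures { valid, threshold }
        }
    }
}

/// Toy stand-in for a signature scheme (NOT cryptographic): the "signature"
/// is a 64-bit FNV-1a tag over public key || message, so the example runs
/// offline with no crypto dependency. Constructed for this example only.
pub struct ToyVerifier;

pub fn toy_tag(public: &[u8], message: &[u8]) -> Vec<u8> {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in public.iter().chain(message.iter()) {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h.to_be_bytes().to_vec()
}

impl Verifier for ToyVerifier {
    fn verify(&self, public: &[u8], message: &[u8], sig: &[u8]) -> bool {
        toy_tag(public, message) == sig
    }
}

/// Constructed root: three ecdsa-sha2-nistp256 keys, each signing the message.
pub fn sample_root() -> (Vec<Key>, Vec<Signature>, Vec<u8>) {
    let message = b"{\"_type\":\"root\",\"version\":1}".to_vec();
    let keys: Vec<Key> = (0..3)
        .map(|i| Key { keyid: format!("key{}", i), keytype: KeyType::EcdsaSha2NistP256, public: vec![i as u8; 33] })
        .collect();
    let sigs = keys.iter().map(|k| Signature { keyid: k.keyid.clone(), sig: toy_tag(&k.public, &message) }).collect();
    (keys, sigs, message)
}

/// Reproduces the issue's 0/3 outcome with an ed25519-only client, then shows
/// the same metadata verifying once an ECDSA verifier is plugged in.
pub fn demo() -> (Outcome, Outcome) {
    let (keys, sigs, msg) = sample_root();
    let mut reg = Registry::new();
    reg.register(KeyType::Ed25519, Box::new(ToyVerifier));
    let before = reg.check_threshold(&keys, &sigs, &msg, 3);
    reg.register(KeyType::EcdsaSha2NistP256, Box::new(ToyVerifier));
    let after = reg.check_threshold(&keys, &sigs, &msg, 3);
    (before, after)
}

fn main() {
    let (before, after) = demo();
    println!("ed25519-only client: {:?}", before);
    println!("with ecdsa verifier: {:?}", after);
}
```

The point of keying the registry by key type rather than hard-coding one scheme is that an unsupported `keytype` degrades to "signature not counted" instead of a parse failure, which is the behaviour the quoted `MetadataMissingSignatures { number_of_valid_signatures: 0, threshold: 3 }` error reflects; a client that reports which key types it skipped would make this situation much easier to diagnose than a bare 0/3.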