Support EcdsaSecp256r1Signature2019 linked data proof #3443

Open
wants to merge 20 commits into
base: main


@gmulhearn gmulhearn commented Jan 14, 2025

NOTE: branched from #3442 (must merge first)

easier diff view: anonyome#4

  • adds native support for verifying and signing with EcdsaSecp256r1Signature2019 (mostly a clone of Ed25519 2020 suite)

@gmulhearn
Contributor Author

update:
seems like I might be able to make this a plugin instead, i.e. via https://github.com/dbluhm/acapy-ld-signer , however I believe the ExternalSuiteProvider is only used in the signing flows, and not in the verifying flows. The verify w3c ldp cred/pres flows seem to use _get_all_proof_suites which returns the list of pre-existing suites (not utilizing ExternalSuiteProvider plugin). Does that seem correct? @dbluhm

If this is right, then I suppose an open question is whether EcdsaSecp256r1Signature2019 should be a part of acapy (which this draft PR does), or if ExternalSuiteProvider can be architected to allow suites for verification to be passed in as well.

An argument to not include EcdsaSecp256r1Signature2019 is that it could be considered a step sideways, rather than a step forwards towards DataIntegrityProofs in VCDM2.0.

Signed-off-by: George Mulhearn <[email protected]>

dbluhm commented Jan 14, 2025

> seems like I might be able to make this a plugin instead, i.e. via https://github.com/dbluhm/acapy-ld-signer , however I believe the ExternalSuiteProvider is only used in the signing flows, and not in the verifying flows. The verify w3c ldp cred/pres flows seem to use _get_all_proof_suites which returns the list of pre-existing suites (not utilizing ExternalSuiteProvider plugin). Does that seem correct? @dbluhm

The original intent of the ExternalSuiteProvider was to make it possible to use something like a remote KMS to do signatures, which is why it's not used in the verification process; it wasn't necessarily intended to add support for additional signature types. I am not against the idea of enabling it to also provide hooks for permitting a plugin to handle cred/pres verification as well.

That being said, I am in favor of enabling ACA-Py to handle EcdsaSecp256r1Signature2019 natively, even if it's not a "forward-looking" option for Data Integrity Proofs.

Any thoughts on VCDM 2.0 and DI, @PatStLouis?

@gmulhearn gmulhearn marked this pull request as ready for review January 15, 2025 04:32

Quality Gate failed

Failed conditions
4 Security Hotspots
6.1% Duplication on New Code (required ≤ 3%)

3 participants