
cmd/incusd: support for JWT authentication #613

Closed
wants to merge 2 commits into from

mikerobski (Contributor):

Added support for JWT authentication of REST API requests.
To use the JWT authentication, the client should send an Authorization header with a Bearer token.
The Bearer token contains the JWT signed with the client certificate.

The JWT token must have the following content:

```json
{
  "sub": "axxxxxxxx",
  "exp": 1710288000,
  "nbf": 1710201600,
  "iat": 1710201600
}
```

The sub parameter contains the client certificate fingerprint, calculated as the SHA256 checksum of the raw certificate.

The authentication of the API request checks for the presence of the Authorization header and, if it is present and contains a valid JWT token, uses the subject to find the trusted client certificate and verifies the JWT signature.

stgraber (Member) left a comment:

Looking good, just a couple small changes needed.

We'll also want to add a new API extension for this, let's call it auth_tls_jwt. For that you want an extra commit title api: auth_tls_jwt which adds the extension to both doc/api-extensions.md and internal/version/api.go.

And we should also ideally add a test for this. Probably introduce a small test tool in tests/ which you can feed a client.crt+client.key, a not-before and not-after timestamp and have it return you the JWT.

We can then use that in the testsuite to validate that:

  • An invalid token is rejected
  • A valid token is properly reported as the user that signed it
  • A token that's not valid yet is not accepted
  • A token that's no longer valid is not accepted

Two review threads on internal/server/util/http.go (both resolved).
stgraber (Member):

So per above, we'll likely end up with a PR containing:

  • api: auth_tls_jwt
  • incusd: Add support for JWT authentication
  • tests: Introduce tls2jwt tool
  • tests: Test JWT authentication
