dalek-cryptography / curve25519-dalek

A pure-Rust implementation of group operations on Ristretto and Curve25519

ed25519: support PKCS#8 v1 (for OpenSSL interop)? #627

Open tarcieri opened 4 months ago

tarcieri commented 4 months ago

It seems even the most recent versions of OpenSSL don't support PKCS#8 v2, which includes the public key in the resulting document in addition to the private key. See: https://github.com/RustCrypto/formats/issues/1349

From RFC8410 Section 7:

NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey that is defined in [RFC7748]. This means that they will not accept a private key structure that contains the public key field. This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key.

Concretely this would involve changing the PKCS#8 serializer to not include the public key, which would permit interop with OpenSSL.

In many ways this makes sense as the public key is easily computed from the private key via scalar multiplication.

randombit commented 4 months ago

If this was done it would be nice if the choice of v1 vs v2 was in some way configurable, since some highly opinionated software (notably ring) requires v2 PKCS8 encoding.

tarcieri commented 4 months ago

@randombit the pkcs8::KeypairBytes type could still be used to serialize PKCS#8 v2 if desired, by leveraging the From<SigningKey> impl.
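
The two encodings discussed in this thread, as an added example (not code from curve25519-dalek or the pkcs8 crate): the DER bytes of an Ed25519 key in PKCS#8 v1 and v2 per RFC 8410, plus a converter that drops the public key as the issue proposes. The function names are hypothetical, only the minimal form without attributes is handled, and the key bytes are constructed placeholders.

```rust
// Shared by both versions, following the outer SEQUENCE header and version:
// AlgorithmIdentifier { id-Ed25519 (1.3.101.112) }, then the header of an
// OCTET STRING wrapping CurvePrivateKey (an inner 32-byte OCTET STRING).
const ALG_AND_KEY_HDR: [u8; 11] = [0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20];

/// PKCS#8 v1 (PrivateKeyInfo): version 0, no public key, 48 bytes.
fn encode_v1(seed: &[u8; 32]) -> Vec<u8> {
    let mut der = vec![0x30, 0x2e, 0x02, 0x01, 0x00];
    der.extend_from_slice(&ALG_AND_KEY_HDR);
    der.extend_from_slice(seed);
    der
}

/// PKCS#8 v2 (OneAsymmetricKey): version 1, publicKey as [1] IMPLICIT BIT STRING, 83 bytes.
fn encode_v2(seed: &[u8; 32], public: &[u8; 32]) -> Vec<u8> {
    let mut der = vec![0x30, 0x51, 0x02, 0x01, 0x01];
    der.extend_from_slice(&ALG_AND_KEY_HDR);
    der.extend_from_slice(seed);
    der.extend_from_slice(&[0x81, 0x21, 0x00]); // tag [1], length 33, 0 unused bits
    der.extend_from_slice(public);
    der
}

/// Accepts either encoding and re-emits v1, dropping the public key if present.
fn to_v1(der: &[u8]) -> Result<Vec<u8>, &'static str> {
    let (has_public, total) = match der.get(..5) {
        Some([0x30, 0x2e, 0x02, 0x01, 0x00]) => (false, 48),
        Some([0x30, 0x51, 0x02, 0x01, 0x01]) => (true, 83),
        _ => return Err("not a minimal Ed25519 PKCS#8 v1/v2 document"),
    };
    if der.len() != total || der[5..16] != ALG_AND_KEY_HDR {
        return Err("unexpected length or algorithm");
    }
    if has_public && der[48..51] != [0x81u8, 0x21, 0x00] {
        return Err("malformed publicKey field");
    }
    let mut seed = [0u8; 32];
    seed.copy_from_slice(&der[16..48]);
    Ok(encode_v1(&seed))
}

fn main() {
    // Constructed placeholder bytes, not a real key pair.
    let v2 = encode_v2(&[0x11; 32], &[0x22; 32]);
    let v1 = to_v1(&v2).expect("valid v2 input");
    println!("v2: {} bytes, v1: {} bytes", v2.len(), v1.len());
}
```

The only differences between the two documents are the version byte, the outer length, and the trailing 35-byte publicKey field, which is why an importer that only knows PrivateKeyInfo rejects the v2 form.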