use explicit hsm label key in signer configs

[g-k]

Instead of trying to load signer.PrivateKey as PEM then falling back to loading it as an HSM label use explicit hsmlabels as the config key e.g.

signers:
  - id: example
    hsmlabel: examplehsm

This should make it easier to find signers using the HSM (instead of relying on heuristics like the length of the private key or starts with a PEM prefix) for test key gen, management, and rotation for #210 #211 #222

[jvehent]

fine by me

[g-k]

Cool. This is a nice to have. It will require:

• decide whether hsmlabel and privatekey are mutually exclusive (I'm leaning toward yes) or if not which one takes precedence (i.e. maintain current order of privatekey before hsmlabel)
• change code, probably signer GetPrivateKey and GetKeysAndRand (TODO: finish looking into this)
• a tag a major release (since backwards incompatible change)
• migrate stage and configs for autograph and dependent services using dev configs (i.e. addons-server)

[jvehent]

decide whether hsmlabel and privatekey are mutually exclusive

yes, avoids confusion. we can be strict about these things.

change code

https://github.com/mozilla-services/autograph/blob/master/signer/signer.go#L200