chore: use rcgen and rustls-webpki k256-enabled forks from Zama org #437

Open
mkmks wants to merge 1 commit into main from chore/upstream-rcgen-k256
Conversation

@mkmks
Contributor

@mkmks mkmks commented Feb 24, 2026

Description of changes

KMS nodes sign the CA certificates (that are used to issue ephemeral mTLS certificates) with their ECDSA+secp256k1 signing keys. rustls doesn't support the secp256k1 curve out of the box (although the underlying aws_lc_rs library does), and we had to fork rcgen and rustls-webpki to enable it.

Initially, the forks were hosted under my (@mkmks) GitHub account because the whole idea was experimental and not certain to go to production. Now that mTLS with core signing key-derived identities is in production and fork upstreaming has run into obstacles, a better practice would be to host the forks under the Zama GitHub organisation.

This PR does exactly that.

NB: The rustls-webpki version is stabilized at 0.103.7 in the fork because its 0.104 release has breaking architectural changes. These changes aren't final, so it wouldn't make a lot of sense to attempt to rebase our secp256k1-related changes on top of them.
NB2: The rcgen version is bumped to 0.14.7, and there were some API changes in the 0.14 branch (surprisingly) that required some minor changes on the KMS side.

Issue ticket number and link

Closes #240

PR Checklist

I attest that all checked items are satisfied. Any deviation is clearly justified above.

  • Title follows conventional commits (e.g. chore: ...).
  • Tests added for every new pub item and test coverage has not decreased.
  • Public APIs and non-obvious logic documented; unfinished work marked as TODO(#issue).
  • unwrap/expect/panic only in tests or for invariant bugs (documented if present).
  • No dependency version changes OR (if changed) only minimal required fixes.
  • No architectural protocol changes OR linked spec PR/issue provided.
  • No breaking deployment config changes OR devops label + infra notified + infra-team reviewer assigned.
  • No breaking gRPC / serialized data changes OR commit marked with ! and affected teams notified.
  • No modifications to existing versionized structs OR backward compatibility tests updated.
  • No critical business logic / crypto changes OR ≥2 reviewers assigned.
  • No new sensitive data fields added OR Zeroize + ZeroizeOnDrop implemented.
  • No new public storage data OR data is verifiable (signature / digest).
  • No unsafe; if unavoidable: minimal, justified, documented, and test/fuzz covered.
  • Strongly typed boundaries: typed inputs validated at the edge; no untyped values or errors cross modules.
  • Self-review completed.

@mkmks mkmks requested a review from a team as a code owner February 24, 2026 15:11
@cla-bot cla-bot bot added the cla-signed The CLA has been signed. label Feb 24, 2026
@mkmks mkmks force-pushed the chore/upstream-rcgen-k256 branch 4 times, most recently from 35abfd4 to 0512a98 Compare February 24, 2026 21:33
@mkmks mkmks force-pushed the chore/upstream-rcgen-k256 branch from 0512a98 to ce37e4e Compare February 25, 2026 08:36
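
The description above concerns where git-sourced forks of TLS crates are hosted. As an added example (not code from this PR or the KMS repository), this Rust program audits a Cargo.lock for git dependencies whose owner is not allowlisted or that track a branch instead of a pinned rev or tag. The owners `example-org` and `example-user`, the branch name and the commit hashes are constructed placeholders; the crate names and versions are the ones named in the description.

```rust
// Added example: audit git-sourced crates in a Cargo.lock (std only).
const ALLOWED_OWNERS: &[&str] = &["example-org"]; // assumption: placeholder owner
// Constructed sample lockfile; owners, branch and commit hashes are placeholders.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rcgen"
version = "0.14.7"
source = "git+https://github.com/example-user/rcgen?branch=k256#1111111111111111111111111111111111111111"
[[package]]
name = "rustls-webpki"
version = "0.103.7"
source = "git+https://github.com/example-org/rustls-webpki?rev=2222222#2222222222222222222222222222222222222222"
[[package]]
name = "serde"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

#[derive(Debug, PartialEq)]
pub struct Finding { pub name: String, pub owner: String, pub reason: &'static str }

/// One finding per problem: git source outside the allowlist, or a source that
/// follows a branch (a later `cargo update` would move it to the branch head).
pub fn audit_lock(lock: &str) -> Vec<Finding> {
    let (mut out, mut name) = (Vec::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if let Some(v) = value(line, "name") { name = v.to_string(); }
        let Some(src) = value(line, "source") else { continue };
        let Some(url) = src.strip_prefix("git+") else { continue }; // skip registry crates
        let url = url.split('#').next().unwrap_or(url); // drop the locked commit
        let (base, query) = url.split_once('?').unwrap_or((url, ""));
        // https://host/<owner>/<repo>: the owner is the 4th '/'-separated field
        let owner = base.split('/').nth(3).unwrap_or("").to_string();
        if !ALLOWED_OWNERS.contains(&owner.as_str()) {
            out.push(Finding { name: name.clone(), owner: owner.clone(), reason: "owner not allowlisted" });
        }
        if !(query.starts_with("rev=") || query.starts_with("tag=")) {
            out.push(Finding { name: name.clone(), owner, reason: "tracks a branch, not a pinned rev or tag" });
        }
    }
    out
}

/// Extract the quoted value of a `key = "value"` line, if the line has that key.
fn value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

fn main() { for f in audit_lock(SAMPLE_LOCK) { println!("{f:?}"); } }
```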
@github-actions

Consolidated Tests Results 2026-02-25 - 09:44:04

Test Results

9 passed

Details

Tests: 9
Duration: not captured
Tool: junit-to-ctrf
Build: build-and-test → test-reporter #571
Pull request: chore: use rcgen and rustls-webpki k256-enabled forks from Zama org #437

test-reporter: Run #571

| Tests 📝 | Passed ✅ | Failed ❌ | Skipped ⏭️ | Pending ⏳ | Other ❓ | Flaky 🍂 | Duration ⏱️ |
|---|---|---|---|---|---|---|---|
| 9 | 9 | 0 | 0 | 0 | 0 | 0 | not captured |

🎉 All tests passed!

Tests

| Test Name | Status | Flaky | Duration |
|---|---|---|---|
| full_gen_tests_k8s_default_threshld_sequential_crs | | | 32.7s |
| test_k8s_threshld_insecure | | | 3m 15s |
| k8s_test_crs_uniqueness | | | 32.8s |
| k8s_test_keygen_and_crs | | | 3m 14s |
| k8s_test_keygen_uniqueness | | | 8m 48s |
| full_gen_tests_k8s_default_centralzd_sequential_crs | | | 1.8s |
| test_k8s_centralzd_insecure | | | 6m 20s |
| full_gen_tests_default_k8s_centralized_sequential_crs | | | 1.8s |
| k8s_test_centralized_insecure | | | 1m 1s |

🍂 No flaky tests in this run.

Github Test Reporter by CTRF 💚

Development

Successfully merging this pull request may close these issues.

[CRITICAL] Security Risk: Custom Forks of Critical TLS Libraries from Unverified Branch