Implement HSM provider backends for Vault, AWS KMS, and Azure Key Vault (#102)

* Initial plan

* Implement HSM provider backends (Vault, AWS, Azure)

Co-authored-by: Steake <530040+Steake@users.noreply.github.com>

* Address code review feedback: fix security issues and improve error messages

Co-authored-by: Steake <530040+Steake@users.noreply.github.com>

* Improve DER parser bounds checking and validation

Co-authored-by: Steake <530040+Steake@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Steake <530040+Steake@users.noreply.github.com>

Author: Copilot

crates/bitcell-admin/Cargo.toml

@@ -10,6 +10,10 @@ default = []
 # Enable insecure transaction signing endpoint that accepts private keys via HTTP.
 # WARNING: This should NEVER be enabled in production environments.
 insecure-tx-signing = []
+# HSM provider features
+vault = ["vaultrs"]
+aws-hsm = ["aws-sdk-kms", "aws-config"]
+azure-hsm = ["azure_security_keyvault", "azure_identity", "azure_core"]
 
 [dependencies]
 # Web framework
@@ -44,6 +48,12 @@ sysinfo = "0.30"
 # Hex encoding
 hex = "0.4"
 
+# Base64 encoding (for Vault backend)
+base64 = "0.21"
+
+# Async streams (for Azure backend)
+futures = "0.3"
+
 # Error handling
 thiserror.workspace = true
 
@@ -64,6 +74,14 @@ bitcell-network = { path = "../bitcell-network" }
 bitcell-crypto = { path = "../bitcell-crypto" }
 bitcell-ca = { path = "../bitcell-ca" }
 
+# HSM providers (optional)
+vaultrs = { version = "0.7", optional = true }
+aws-sdk-kms = { version = "1.0", optional = true }
+aws-config = { version = "1.0", optional = true }
+azure_security_keyvault = { version = "0.20", optional = true }
+azure_identity = { version = "0.20", optional = true }
+azure_core = { version = "0.20", optional = true }
+
 # Unix process management
 [target.'cfg(unix)'.dependencies]
 libc = "0.2"