tka: implement credential signatures (key material delegation)

This will be needed to support preauth-keys with network lock in the future,
so getting the core mechanics out of the way now.

Signed-off-by: Tom DNetto <tom@tailscale.com>

ipn/ipnlocal/network-lock.go

@@ -147,7 +147,7 @@ func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeK
 		SigKind:        tka.SigDirect,
 		KeyID:          signer.KeyID(),
 		Pubkey:         p,
-		RotationPubkey: nodeInfo.RotationPubkey,
+		WrappingPubkey: nodeInfo.RotationPubkey,
 	}
 	sig.Signature, err = signer.SignNKS(sig.SigHash())
 	if err != nil {