feat: action v2 signing (#8779)

# Which Problems Are Solved

The action v2 messages were didn't contain anything providing security
for the sent content.

# How the Problems Are Solved

Each Target now has a SigningKey, which can also be newly generated
through the API and returned at creation and through the Get-Endpoints.
There is now a HTTP header "Zitadel-Signature", which is generated with
the SigningKey and Payload, and also contains a timestamp to check with
a tolerance if the message took to long to sent.

# Additional Changes

The functionality to create and check the signature is provided in the
pkg/actions package, and can be reused in the SDK.

# Additional Context

Closes #7924

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

cmd/encryption/encryption_keys.go

@@ -17,6 +17,7 @@ var (
 		"smsKey",
 		"smtpKey",
 		"userKey",
+		"targetKey",
 		"csrfCookieKey",
 		"userAgentCookieKey",
 	}
@@ -31,6 +32,7 @@ type EncryptionKeyConfig struct {
 	SMS                  *crypto.KeyConfig
 	SMTP                 *crypto.KeyConfig
 	User                 *crypto.KeyConfig
+	Target               *crypto.KeyConfig
 	CSRFCookieKeyID      string
 	UserAgentCookieKeyID string
 }
@@ -44,6 +46,7 @@ type EncryptionKeys struct {
 	SMS                crypto.EncryptionAlgorithm
 	SMTP               crypto.EncryptionAlgorithm
 	User               crypto.EncryptionAlgorithm
+	Target             crypto.EncryptionAlgorithm
 	CSRFCookieKey      []byte
 	UserAgentCookieKey []byte
 	OIDCKey            []byte
@@ -91,6 +94,10 @@ func EnsureEncryptionKeys(ctx context.Context, keyConfig *EncryptionKeyConfig, k
 	if err != nil {
 		return nil, err
 	}
+	keys.Target, err = crypto.NewAESCrypto(keyConfig.Target, keyStorage)
+	if err != nil {
+		return nil, err
+	}
 	key, err = crypto.LoadKey(keyConfig.CSRFCookieKeyID, keyStorage)
 	if err != nil {
 		return nil, err