createca: Address panic when no private key pair matches

[tstromberg]

Summary

While following https://github.com/lukehinds/sigstore-the-hard-way - I managed to trigger a panic by running:

go run . createca --org=acme --country=USA --locality=Anytown --province=AnyPlace --postal-code=ABCDEF --street-address=123 Main St --hsm-caroot-id 0 --out fulcio-root.pem

which resulted in the following output:

INFO	app/createca.go:77	binding to PKCS11 HSM
INFO	app/createca.go:97	finding slot for private key: PKCS11CA
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x1222616]

goroutine 1 [running]:
github.com/sigstore/fulcio/cmd/app.runCreateCACmd(0xc0001fb680, {0xc0000a6a80, 0x2, 0xc})
	/home/t/src/fulcio.up/cmd/app/createca.go:103 +0x616
github.com/spf13/cobra.(*Command).execute(0xc0001fb680, {0xc0000a69c0, 0xc, 0xc})
	/home/t/go/pkg/mod/github.com/spf13/cobra@v1.3.0/command.go:860 +0x8b3
...

I wasn't sure how to interpret this, so I dove into the source code and discovered that PKCS11CA was a label, rather than a key type or format. Apparently, the tutorial uses a label of "FulcioCA", whereas fulcio expected "PKCS11CA" (this may just be a HEAD vs latest release change).

This PR catches the unhandled panic and makes the underlying issue a little bit more clear:

go run . createca --org=acme --country=USA --locality=Anytown --province=AnyPlace --postal-code=ABCDEF --street-address=123 Main St --hsm-caroot-id 0 --out fulcio-root.pem
INFO       app/createca.go:77      binding to PKCS11 HSM
INFO       app/createca.go:97      finding slot for private key label "PKCS11CA"
FATAL      app/createca.go:104     no key pair was found matching label "PKCS11CA"

Release Note

createca: Address panic when no private key pair matches