Add support for self-signed HTTPS onion sites derived from onion service's ed25519 key

Companion bug to https://bgz.la/1250696

I'd like to get feedback on this proposal.

The idea is to allow TBB to accept a self-signed trust root cert if the hash of the public key matches the .onion address. This will allow servers running as .onion sites to generate strong/modern TLS certs that are signed by a self-signed root cert containing the .onion public key.

This should allow us to get around the DV cert problem and allow valid .onion TLS certs be validated by the .onion name and have strong/modern TLS certs.