Kafkacrypto

Latest version: v0.9.10.3

0.9.10.3

This release includes two changes:

1. Fully separate dependencies on Kafka backends, so that only a single backend (either [kafka-python](https://github.com/dpkp/kafka-python) or [confluent-kafka](https://github.com/confluentinc/confluent-kafka-python)) is needed for functionality. This means [kafka-python](https://github.com/dpkp/kafka-python) has been dropped as a hard dependency and instead there are two optional dependencies: kafkacrypto[kafka-python] (to install the kafka-python backend with kafkacrypto) or kafkacrypto[confluent-kafka] (to install the confluent-kafka backend with kafkacrypto). If neither of these optional variants is selected, kafkacrypto will use whichever backend is currently installed. This change enables full support of Python 3.12.
2. Add an optional tunable controlling whether KafkaCryptoStore sets the configuration of all loggers, or just those for the kafkacrypto package.

0.9.10.2

This release adds the ability for users to determine whether a ciphertext will ever be decryptable (if keys become available). This helps downstream projects, such as [OpenMSIStream](https://github.com/openmsi/openmsistream), handle that case with a better user experience.

0.9.10.1

This adds a public round-trip test and fixes two bugs:

1. A bug in KafkaCrypto that would cause producer subscriptions to not be properly updated in all instances.
2. A bug in store_opaque value, which had the order of arguments reversed.

0.9.10.0

This release fixes one security issue, and adds support for versioned CryptoKey files as well as the new versioned wire format required to support post-quantum cryptography. Specific changes:

1. Add key exchange versioning. This changes the on-the-wire format, and is presently done in a backwards-compatible way through the legacy tunable.
2. Fix a security issue where a malicious, active MITM with a valid signing key could replace a key request random value with their own. It is not obviously exploitable beyond making denial of service easier. Controllers (if used) must be updated first.

As a consequence of the security fix, controllers must be updated first so that they no longer replace the random value with their own.

0.9.9.16

Not secure
This is a bugfix and enhancement release:

1. Make seek_to_beginning and seek_to_end function correctly and have a consistent calling convention in both confluent_kafka and kafka_python wrappers.
2. Add support for passing confluent-specific parameters to the consumer subscribe call in confluent_kafka_wrapper.
3. Fix listener callback functionality in confluent_kafka_wrapper.

0.9.9.15

Not secure
This is a bugfix release to correct a single issue with consuming topics:

- Add support for seeking to beginning/end of TopicPartitions on assignment. This makes sure a kafkacrypto object correctly consumes all chains/allowlist/denylist messages (rather than only consuming them once a new message is produced to them).

This fixes a bug with intermittent consumers/producers not properly updating their signing chains.

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.