In PKINIT NSS crypto, support encrypted PEM keys

In PKINIT NSS crypto, support encrypted PEM keys

When the PEM module is given an encrypted key, it changes its token
flags to indicate that a password is required (by setting needs-login)
to signal the application that we need to supply a password to decrypt
it.  Attempts to load any other items will fail until the flag is
cleared.

If we detect that the flag is set after we've attempted to load a
private key, attempt to "log in" to the "token" using a password.  Even
if we fail, the token will reset its needs-login flag, which is
necessary before we can import anything else.