Factor out "p11trustmod" package #28

Open
JeremyRand opened this issue Jun 28, 2021 · 0 comments

Comments

@JeremyRand (Member)

We should refactor ncp11 by factoring out a p11trustmod package. This package will provide a p11mod.Slot, and will accept a p11trustmod.Backend, which provides the following interface:

  • Accepts query for "IsBuiltinRootList"; returns boolean. If true, then the module will have a CKO_NSS_BUILTIN_ROOT_LIST object present, and certificates will have a CKA_NSS_MOZILLA_CA_POLICY attribute present. Otherwise, both are suppressed.
  • Accepts query for "IsTrusted"; returns boolean. If true, then the module will return both CKO_CERTIFICATE and CKO_NSS_TRUST objects. Otherwise, it will only return CKO_CERTIFICATE objects.
  • Accepts queries for certificates by value, subject, issuer+serial, or all certs.
  • Returns a struct per cert that contains the following fields (which are then converted into a CKO_CERTIFICATE and CKO_NSS_TRUST object and passed to p11mod):
    • Label (string)
    • Certificate (x509.Certificate)
    • Builtin Policy (boolean)
    • Trust for Server Auth (CKT_NSS_ trust value)
    • Trust for Client Auth (CKT_NSS_ trust value)
    • Trust for Code Signing (CKT_NSS_ trust value)
    • Trust for Email Protection (CKT_NSS_ trust value)
  • Info, TokenInfo (pass through to p11mod.Slot's functions)

ncp11 can then be refactored to provide this API.
