rottweiler: add credential validation

[bcressey]

Issue number:
Related: bottlerocket-os/bottlerocket#4680

Description of changes:
Extend rottweiler with the ability to parse systemd-creds credential files, so that they can be dumped (for debugging purposes) or vetted prior to use to ensure they meet the expected parameters.

Refactor the CLI so that all commands follow the same rw [verb] [noun] ... pattern - generate-key was an exception to the rule, and I wanted to fix that rather than add dump-key as another exception.

Add another "check" subcommand to check whether directories are locked or unlocked. Currently this is only useful for debugging, but in the future we might want to populate a PCR differently based on whether or not the datastore is locked.

Testing done:

rottweiler dump

> rw dump key bottlerocket-data
{
  "encryption_type": "Tpm2Hmac",
  "key_size": 32,
  "block_size": 1,
  "iv_size": 12,
  "tag_size": 16,
  "iv": "0xf3acb08a3fc5ada436228778",
  "tpm2_header": {
    "pcr_mask": [
      4,
      7,
      9,
      11,
      14
    ],
    "pcr_bank": "SHA256",
    "primary_alg": "ECC",
    "blob_size": 240,
    "policy_hash_size": 32,
    "blob": "...",
    "policy_hash": "0x6cd3b2e043bd1d23565d01e93093b7ba608af23e73e68c33635c6d21df0b4e1b"
  },
  "tpm2_pubkey_header": null,
  "scoped_header": null,
  "encrypted_data": "..."
}

rottweiler check directory ... locked

# rw lock directory /.bottlerocket/datastore

 rw check directory /.bottlerocket/datastore locked
directory '/.bottlerocket/datastore' is not unlocked

# rw check directory /.bottlerocket/datastore unlocked
directory '/.bottlerocket/datastore' is not unlocked

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.