Add key rotation.

Change certificate checks to also consider the possibility of
signing certificate rotation by checking the
SigningDetails#pastSigningCertificates field.  In particular, add a
SigningDetails#checkCapability method which reports whether or not
the older SigningDetails is an ancestor of the current one, and
queries whether or not the old one has been granted capabilities,
such as being a sharedUser.

Bug: 64686581
Test: Builds, boots, browser and camera work, all with v3 signing.

Change-Id: I4199ff3f2d9ae959325b117b28e666ae31889800