Support PKINIT NSS deferred identity prompting

Support PKINIT NSS deferred identity prompting

The password callback which we usually supply to NSS already gets a
pointer to the pkinit_identity_crypto_context structure, but it needs to
be passed the name of the identity for which it's being called.

If it gets a name, and it's deferring prompting, just add the identity
to the list of deferred identity prompts (the password callback wouldn't
have been called if its result wasn't needed), and either return NULL
(as an indication that we couldn't get a password) or an empty string (a
value which we know is invalid) if that's handier.

Otherwise, check for a password that's been stashed for its use for that
identity, and return a copy of it if one's found.  If none of that
works, try to use the prompter callback to ask for the password.

ticket: 7680