* New key wrapping API
Allows key wrapping to be different between persistent and server-side
storage.
To accomplish this, the PrivateKey now always stores the fully
reconstructed key, and has different methods to serialize it for the
respective use case.
* Cleans up legacy credential parsing
This is a backwards incompatible change. This PR already introduces
backwards incompatible new credential parsing, and therefore we can also
remove all other legacy parsing.
* Correct credential minimum size
* wider public interface to allow custom PrivateKey construction
87f0711284