
Add saved p12 certificate reuse for provisioning#206

Open
stephancill wants to merge 3 commits into xtool-org:main from stephancill:feature/saved-signing-certificate

Conversation


@stephancill stephancill commented Mar 7, 2026

I was running into certificate creation issues when running xtool dev.

Error: Unexpected response, expected status code: created, response: conflict(DeveloperAPI.Operations.CertificatesCreateInstance.Output.Conflict(body: DeveloperAPI.Operations.CertificatesCreateInstance.Output.Conflict.Body.json(DeveloperAPI.Components.Schemas.ErrorResponse(errors: Optional([DeveloperAPI.Components.Schemas.ErrorResponse.ErrorsPayloadPayload(id: Optional("b4991c89-208d-4614-a168-7c6d5c3d4bfb"), status: "409", code: "ENTITY_ERROR", title: "There is a problem with the request entity", detail: "You already have a current Development certificate or a pending certificate request.", source: nil, links: nil, meta: nil)])))))

However, I noticed that Xcode was able to create a new provisioning certificate without any issues, so I used a coding agent to implement importing an existing certificate to be used instead of generating a new one at login time. Hoping this helps anyone else with the same issue.

AI-generated description of the changes below:


Summary

  • Add support for saving a signing certificate during auth via xtool auth login --signing-p12 ... --signing-p12-password ..., copying the certificate into xtool-managed storage for reuse.
  • Reuse saved signing certificate credentials across device provisioning/signing flows (xtool dev and xtool install) before attempting Apple certificate creation.
  • Replace shell-based openssl key extraction fallback with native PKCS#12 private key extraction in CXKit, removing reliance on an external OpenSSL CLI binary at runtime.
  • Add signing-certificate details to xtool auth status and document the new auth/certificate workflow in installation and first-app docs.

Motivation

Users with existing Apple Development certificates can hit Apple API 409 ENTITY_ERROR conflicts when xtool always attempts to create new certificates. Saving and reusing a known-good .p12 cert/key pair avoids unnecessary certificate creation and makes provisioning deterministic across machines.

Implementation Notes

  • Added persisted signing certificate metadata alongside auth token:
    • XTLSavedSigningP12Path
    • XTLSavedSigningP12Password
  • auth login now optionally copies the provided .p12 into xtool config storage and saves its password.
  • Certificate fetch flow now attempts to construct SigningInfo from saved .p12 first (including stale/expired cached-signing-info paths), and only falls back to cert creation when reuse is not possible.
  • Native PKCS#12 extraction in CXKit:
    • parse p12 via OpenSSL API (PKCS12_parse)
    • export private key as PEM in-memory for existing signer pipeline
    • configure OpenSSL 3 provider search path for legacy-encrypted p12 compatibility

User-Facing Changes

  • New auth login options:
    • --signing-p12
    • --signing-p12-password
  • xtool auth status now reports saved signing cert state (configured/path/file presence/password presence, and cert summary when readable).
  • Docs updated:
    • Documentation/xtool.docc/Installation-macOS.md
    • Documentation/xtool.docc/Installation-Linux.md
    • Documentation/xtool.docc/First-app.tutorial

Testing

  • swift build (repo root)
  • Verified xtool dev successful end-to-end on physical device with saved .p12 cert.
  • Verified no OpenSSL CLI dependency by running xtool dev with restricted PATH (/usr/bin:/bin:/usr/sbin:/sbin) and confirming successful provision/sign/install.
