Implement OTP token importing
    
    This patch adds support for importing tokens using RFC 6030 key container
    files. This includes decryption support. For sysadmin sanity, any tokens
    which fail to add will be written to the output file for examination. The
    main use case here is where a small subset of a large set of tokens fails
    to validate or add. Using the output file, the sysadmin can attempt to
    recover these specific tokens.
    
    This code is implemented as a server-side script. However, it doesn't
    actually need to run on the server. This was done because importing is an
    odd fit for the IPA command framework:
    1. We need to write an output file.
    2. The operation may be long-running (thousands of tokens).
    3. Only admins need to perform this task and it only happens infrequently.
    
    https://fedorahosted.org/freeipa/ticket/4261
    
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>