Add cabf tls ecc key usage lint #1041

Merged
christopher-henderson merged 9 commits into zmap:master from digirenpeter:add-cabf-tls-ecc-key-usage-lint
May 10, 2026
@digirenpeter

Contributor

Adding a lint to check the following requirement

7.1.2.7.11 Subscriber Certificate Key Usage
The acceptable Key Usage values vary based on whether the Certificate’s
subjectPublicKeyInfo identifies an RSA public key or an ECC public key. CAs MUST ensure
the Key Usage is appropriate for the Certificate Public Key.

Table 56: Key Usage for ECC Public Keys

+-------------------+-----------+------------------+
| Key Usage         | Permitted | Required         |
+-------------------+-----------+------------------+
| digitalSignature  | Y         | MUST             |
| nonRepudiation    | N         | –                |
| keyEncipherment   | N         | –                |
| dataEncipherment  | N         | –                |
| keyAgreement      | Y         | NOT RECOMMENDED  |
| keyCertSign       | N         | –                |
| cRLSign           | N         | –                |
| encipherOnly      | N         | –                |
| decipherOnly      | N         | –                |
+-------------------+-----------+------------------+

There is a similar lint for RFC requirements (lint_ecdsa_allowed_ku) but that only checks the following requirement and not the CABF requirements.

// If the keyUsage extension is present in a certificate that indicates
// id-ecPublicKey in SubjectPublicKeyInfo, then the following values
// MUST NOT be present:
//
// keyEncipherment; and
// dataEncipherment.
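
Table 56 from the description above, written out as a stand-alone Go check. This is an added example, not code from the pull request or from zlint: the function name `CheckECCKeyUsage`, the result strings, reporting keyAgreement as a warning, and the sample values are all assumptions. The caller is assumed to have already established that the key is ECC and that the keyUsage extension is present.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// Key usage bit names in RFC 5280 order; index i corresponds to bit 1<<i in crypto/x509.
var kuNames = []string{"digitalSignature", "nonRepudiation", "keyEncipherment",
	"dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"}

// The only bits Table 56 marks as permitted for ECC public keys.
const permitted = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement

// CheckECCKeyUsage (hypothetical name) applies Table 56 to the key usage bits of an
// ECC subscriber certificate. Result strings "pass", "warn", "error" are assumptions.
func CheckECCKeyUsage(ku x509.KeyUsage) (result, detail string) {
	var bad []string
	for i, name := range kuNames {
		if bit := x509.KeyUsage(1 << i); ku&bit != 0 && permitted&bit == 0 {
			bad = append(bad, name)
		}
	}
	switch {
	case len(bad) > 0:
		return "error", "not permitted: " + strings.Join(bad, ", ")
	case ku&x509.KeyUsageDigitalSignature == 0:
		return "error", "digitalSignature is required"
	case ku&x509.KeyUsageKeyAgreement != 0:
		return "warn", "keyAgreement is NOT RECOMMENDED"
	}
	return "pass", ""
}

// Constructed sample values, not taken from real certificates.
var samples = []x509.KeyUsage{
	x509.KeyUsageDigitalSignature,
	x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
	x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	x509.KeyUsageKeyAgreement,
}

func main() {
	for _, ku := range samples {
		result, detail := CheckECCKeyUsage(ku)
		fmt.Printf("ku=%#x result=%s %s\n", int(ku), result, detail)
	}
}
```

The third sample passes the RFC-only rule's intent in reverse: keyEncipherment is rejected by both rule sets, while a bit such as nonRepudiation would be rejected only by the Table 56 check.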

@christopher-henderson christopher-henderson left a comment

Member

As always, valuable and easy to read. Thank you!

@christopher-henderson christopher-henderson merged commit e9f6f87 into zmap:master May 10, 2026
4 checks passed