[androidtv] fix new shield tv key not read and stored correctly #20354

Open
mythbai wants to merge 1 commit into openhab:main from mythbai:fix/20340-shieldtv-protocol

mythbai commented Mar 8, 2026

Claude Analysis:

  • ShieldTVMessageParser: The privLen was being calculated incorrectly — it used a raw byte count from the protobuf message instead of reading the actual DER structure length of the private key. Similarly, the certificate bytes needed to skip the protobuf field tag bytes before reading the DER length. Both were fixed to properly parse the DER SEQUENCE tag and length bytes.

  • AndroidTVPKI.decodePrivateKey(): The private key bytes from the ShieldTV are in PKCS#1 (RSA) format, but the code was passing them directly to KeyFactory.generatePrivate() which expects PKCS#8 format. The fix wraps the PKCS#1 bytes in a PKCS#8 PrivateKeyInfo structure using BouncyCastle before decoding.

  • AndroidTVPKI.initialize(): When loadFromKeyStore() failed (e.g., due to a corrupt or empty keystore file from a previous failed PIN attempt), the code would throw an exception instead of regenerating a fresh keystore. The fix catches the exception and falls back to generating a new self-signed certificate and key pair.

fixes #20340

@morph166955 Please review the comments

mythbai requested a review from morph166955 as a code owner March 8, 2026 23:05
mythbai changed the title from "fix/new shield tv private key not read and stored correctly" to "[androidtv] fix new shield tv private key not read and stored correctly" Mar 8, 2026

mythbai commented Mar 9, 2026

Here is another analysis about the necessity of the changes:

Root Cause: The original ShieldTVMessageParser.java used a heuristic formula to compute privLen (the length of the private key in the certificate reply message):

```java
String st = "" + charArray[i+2] + charArray[i+3] + charArray[i] + charArray[i+1]; // byte-swap LE→BE
int privLen = 2246 + ((Integer.parseInt(st, 16) - 2400) * 2);
```

This formula computed privLen = 2440 hex chars (1220 bytes), but the actual PKCS#8 DER private key was only 2436 hex chars (1218 bytes). The 4 extra hex chars (2 bytes: 30 82) were the beginning of the X.509 certificate that follows the private key. When AndroidTVPKI.getKeyStore() tried to parse the private key bytes with PKCS8EncodedKeySpec, the JVM's DER parser threw java.io.IOException: extra data at the end, causing saveKeyStore() to fail and leaving an empty keystore file.

Three fixes applied in the current commit:

  1. ShieldTVMessageParser.java (root cause fix): Replaced the heuristic privLen formula with DER-based length parsing. The code now reads the DER SEQUENCE tag (30) and length indicator (82 for long form) directly from the key bytes to compute the exact key length: privLen = (1 + 3 + contentLen) * 2. This correctly yields 2436 instead of 2440.

  2. ShieldTVConnectionManager.java (defensive fix): Added a try/catch around loadFromKeyStore() so that if a corrupted/empty keystore file exists (as left by the original bug), it is automatically regenerated rather than causing the binding to fail to initialize.

  3. AndroidTVPKI.java (defensive fix): Added a decodePrivateKey() helper that tries PKCS#8 first, then falls back to PKCS#1 via BouncyCastle. This is technically unnecessary since the ShieldTV key IS PKCS#8 format, but provides resilience for edge cases.

mythbai changed the title from "[androidtv] fix new shield tv private key not read and stored correctly" to "[androidtv] fix new shield tv pubkey not read and stored correctly" Mar 9, 2026
Signed-off-by: Victor Bai <mythbai@gmail.com>
mythbai force-pushed the fix/20340-shieldtv-protocol branch from 519a434 to 788940e Mar 9, 2026 03:12
mythbai changed the title from "[androidtv] fix new shield tv pubkey not read and stored correctly" to "[androidtv] fix new shield tv key not read and stored correctly" Mar 9, 2026
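
The DER-based length parsing described in the second comment, as an added example that is not part of the pull request or the binding's code: it reads the SEQUENCE tag and length bytes to find where the key ends and the certificate begins, and rejects truncated or indefinite-length input. The class and method names are hypothetical, and the sample bytes are constructed placeholders sized to match the 1218-byte key mentioned above, not real key material.

```java
import java.util.HexFormat;

public class DerSplitExample {
    /** Returns header + content length, in bytes, of the DER SEQUENCE starting at off. */
    static int derSequenceLength(byte[] buf, int off) {
        if (off < 0 || buf.length - off < 2) {
            throw new IllegalArgumentException("truncated DER header");
        }
        if ((buf[off] & 0xFF) != 0x30) {
            throw new IllegalArgumentException("expected SEQUENCE tag 0x30");
        }
        int first = buf[off + 1] & 0xFF;
        int headerLen = 2;
        int contentLen = first;               // short form: the byte is the length
        if (first >= 0x80) {                  // long form: low 7 bits count the length bytes
            int n = first & 0x7F;
            if (n == 0 || n > 3) {            // 0x80 (indefinite) is not valid DER
                throw new IllegalArgumentException("unsupported length encoding");
            }
            if (buf.length - off - 2 < n) {
                throw new IllegalArgumentException("truncated DER length");
            }
            contentLen = 0;
            for (int i = 0; i < n; i++) {
                contentLen = (contentLen << 8) | (buf[off + 2 + i] & 0xFF);
            }
            headerLen += n;
        }
        if (contentLen > buf.length - off - headerLen) {
            throw new IllegalArgumentException("declared length exceeds buffer");
        }
        return headerLen + contentLen;
    }

    public static void main(String[] args) {
        // Constructed sample, not real key material: a 1218-byte SEQUENCE standing in
        // for the private key, followed by a 6-byte SEQUENCE standing in for the certificate.
        byte[] blob = new byte[1218 + 6];
        System.arraycopy(HexFormat.of().parseHex("308204be"), 0, blob, 0, 4);
        System.arraycopy(HexFormat.of().parseHex("300401020304"), 0, blob, 1218, 6);

        int keyLen = derSequenceLength(blob, 0);
        int certLen = derSequenceLength(blob, keyLen);
        if (keyLen + certLen != blob.length) {
            throw new IllegalStateException("unexpected trailing bytes");
        }
        System.out.println("key hex chars: " + keyLen * 2 + ", cert bytes: " + certLen);
    }
}
```

A slice that runs two bytes past `keyLen` would take the next element's leading tag and length byte with it, which is the "extra data at the end" condition the comment describes.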

Development

Successfully merging this pull request may close these issues.

[androidtv] shield tv pro pincode process not persisting keystore file correctly