Commit 3ed74b8
Fix PK update being rejected with Security Violation on some platforms
* On Lenovo T460 platforms, writing to the PK is being rejected on account that the credential
we generate doesn't contain an explicit 'keyCertSign' for the key usage.
* Technically, the fact that we use "critical" when defining the key usage, without an explicit
mention of use for certificate signing, means that pedantic implementations who see a cert that
was signed in such a manner, may declare the whole payload as invalid, since criticality implies
that any deviation from the stated usage (i.e. doing something that is not explicitly mandated)
is incorrect (though one could argue that criticality should only apply when the operation is
being attempted, and not after, so, yeah, the Lenovo PKI implementation is over-pedantic here).
* Fix this by explicitly declaring certificate signing for the key usage, to keep Lenovo happy.
* Closes #19.

1 parent 864d0c1 commit 3ed74b8
1 file changed, +1 -1 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
175 | 175 | | |
176 | 176 | | |
177 | 177 | | |
178 | | - | |
| 178 | + | |
179 | 179 | | |
180 | 180 | | |
181 | 181 | | |
| |||
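
Review bot: credentials generated before the line 178 replacement still carry the critical key usage without keyCertSign, and with only one file touched there is no user-facing note about it. Suggest adding a line to the release notes or README telling users who hit the Security Violation on PK update to regenerate the PK credential instead of retrying with the old one.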