Test RFC 4945 PKI Profile for IKE/ISAKMP/PKIX's Key Usage

See https://datatracker.ietf.org/doc/html/rfc4945#section-5.1.3.2

   A summary of the logic flow for peer cert validation follows:

   o  If no KU extension, continue.

   o  If KU present and doesn't mention digitalSignature or
      nonRepudiation (both, in addition to other KUs, is also fine),
      reject cert.

   o  If none of the above, continue.

See `westrun.sh` for the combinations tried.

The script ku.sh

  - generates a cert using `ipsec certutil` with KU based on param

  - dumps the cert for visual verification

  - starts pluto

  - generates a connection with name based on param

  - tries to establish the connection

  - shuts down pluto

For instance:

      ./ku.sh digitalSignature-certSigning

generate the cert with:

   ipsec certutil -n west-ku-codeSigning-ipsecIKE --keyUsage digitalSignature,certSigning

and the connection with:

   ipsec whack --name west-ku-digitalSignature-certSigning --cert=west-ku-digitalSignature-certSigning ...

Note: pluto is started a-fresh so that each exchange uses the state
serial numbers #1 and #2.
