Throw on attempt to unwrap a WrappedKey with old PlatformKey

Also brings the decrypt key inline with the representation in
ag/3362855. When getting the latest decrypt/encrypt key we will
always want to know the generation ID, so that we can either
persist that information with the WrappedKey, or check against
WrappedKeys we're attempting to decrypt. As such it makes sense
to have methods return a class that wraps the key and ID, as they
always belong together.

Test: adb shell am instrument -w -e package com.android.server.locksettings.recoverablekeystore com.android.frameworks.servicestests/android.support.test.runner.AndroidJUnitRunner
Change-Id: I2c7e97af9ed87216ff2f133a1e3efd546431ab7e