Add methods for managing CAs to DevicePolicyManager(Service)

Guard install/uninstall by enforcing that the caller have the new system-only permission MANAGE_CA_CERTIFICATES.
Also include API methods for asking whether there are any User CA certs
installed, or if one by a particular name is installed in the keystore.

CA certs will be installed via KeyChain into the TrustedCertificateStore.

Bug: 8232670

Change-Id: I17b47a452e72eb4fe556dc6db823a46c6e854be8