Confirm parent user's credential when setting lock for profile

When a DPC fires ACTION_SET_NEW_PASSWORD to set a work challenge
for an existing work profile with unified challenge, require the
user to confirm exisiting device lock first. This is not only for
increased security, but also a functionality requirement: the
system can only re-derive the current work profile password needed
by the password change after a fresh confirm credential operation.

Test: Add device lock, create work profile, then execute:
      adb shell su 1010000 am start --user 10 -a android.app.action.SET_NEW_PASSWORD
      Verify the device is prompting for current password.
Bug: 65910682
Change-Id: Ib4b4c88c1551cfff626f707d5f3182160a1ec46c