Add certificate subcommands, key delete, and ctk command for macOS

[maraino]

Description

This PR adds the following changes:

• Add certificate copy and delete subcommands
• Add key delete subcommand
• Add ctk command (macOS/CGO) to list CryptoTokenKit identities with table, JSON, and PEM output modes, token filtering, and serial lookup
• Update copyright year to 2022-2026 across all files

I had an old delete command and a simple ctk command but I've used claude code to improve them.

[hslatman]

Great functionality; looks good overall.

Just some thoughts on the copy command, and JSON marshaling.

I believe the Apple framework interop code was (largely) taken from existing code, so I didn't look too deep into that this time.

[hslatman]

It copies multiple certs when the source has multiple certs.

Making it a "certificate chain" isn't entirely correct (although that's the method that's being used on the KMS), as there's no check that it's an actual (partial) chain. Maybe "certificate (bundle)" works, but could be confusing in combination with the --bundle flag. Or do a check if it's an actual chain before storing (I don't believe we do that in each KMS, but maybe we should?), and then use "certificate (chain)".

It's possible that a source has multiple certs, and the destination doesn't support storing multiple. Right now that would result in only the first cert being stored, without the user getting to know that fact. This might be OK, but maybe we should print something indicating this case?

[hslatman]

Doesn't the ctkEntry work for marshaling?