Make password retry detection saner

SignatureHandler::getAvailableSigningCertificates potentially
authenticates to multiple tokens. There was no way for a password
callback implementor to tell "called because of next token" from
"called because of retry after wrong password". NSS defines a
retry argmument for exactly that reason. Let's use it.

This doesn't fix any real issue I'm aware of, but makes semantics of
password callback clearer.

To not break qt5 / qt6 APIs, keep accepting the 1-arg callback form
there and insert a small shim to make it compatible with the 2-arg
SignatureHandler form.
7 jobs for bugfix/multitokenauth in 3 minutes and 14 seconds (queued for 15 seconds)