According to MSDN, calling CryptDecodeObject() with X509_KEY_USAGE
fills in a CRYPT_BIT_BLOB struct, not a CERT_KEY_USAGE_RESTRICTION_INFO
one.

Avoid potential complications of using CRYPT_DECODE_NOCOPY_FLAG.
Instead, just follow the normal pattern of first finding out the size
of buffer needed, allocate a such buffer, and then call the API again,
passing that buffer. When called without CRYPT_DECODE_NOCOPY_FLAG, at
least, it's what pbData points to that contains the usage bits, not
the pointer value itself.

Add SAL_WARNs for cleartext error messages in all error cases.

Change-Id: I9b9f7d08d6013753d127c723dedd959109a85c97