Bug 312411

Several Security framework APIs (`SecTrustSerialize`, `SecTrustDeserialize`, `SecTrustCopyPropertyListRepresentation`, `SecTrustCreateFromPropertyListRepresentation`, `SecKeyCreateRandomKey`, `SecKeyCreateWithData`) return +1 retained `CFErrorRef` objects through their out parameters, but the APIs are missing the `CF_RETURNS_RETAINED` annotation on those parameters (rdar://161546781). Newer functions in the same headers (`SecTrustCopyTrustStoreContentDigest`, `SecTrustGetAssetVersionNumber`, etc.) already have the annotation, but these older APIs have not been updated. WebKit callers store the raw `CFErrorRef` in a local variable, check it for errors, but never release it -- leaking the error object on every error path. This affects both production code (`CoreIPCSecTrust.mm`, `WKRemoteObjectCoder.mm`, `VirtualAuthenticatorUtils.mm`) and test code (`IPCSerialization.mm`, `Challenge.mm`, `WebTransport.mm`, `_WKWebAuthenticationPanel.mm`, `TestControllerCocoa.mm`).