Add device password change functionality

Implements a new API endpoint to allow users to change their device
password without re-entering the BIP39 passphrase.

Changes:
- Add ChangePasswordRequest message to proto definitions
- Implement change_password module in Rust API
- Refactor keystore to support password re-encryption:
  - Add re_encrypt_seed() function to change password while preserving
    BIP39 seed state
  - Extract encrypt_and_store_seed_internal() helper to share logic
    between initial setup and password change
- Add Python bindings for change_password workflow
- Add comprehensive tests including password verification
- Regenerated protobuf files

The password change workflow:
1. Unlock device with current password
2. Prompt for new password (entered twice for confirmation)
3. Re-encrypt seed with new password while preserving BIP39 seed

This prevents users from having to re-enter their BIP39 passphrase
after changing their password.

Author: cedwies

messages/bitbox02_system.proto

@@ -66,3 +66,6 @@ message SetDeviceNameRequest {
 message SetPasswordRequest {
     bytes entropy = 1;
 }
+
+message ChangePasswordRequest{
+}

messages/hww.proto

@@ -69,6 +69,7 @@ message Request {
         CardanoRequest cardano = 27;
         BIP85Request bip85 = 28;
         BluetoothRequest bluetooth = 29;
+        ChangePasswordRequest change_password = 30;
     }
 }
 

py/bitbox02/bitbox02/bitbox02/bitbox02.py

@@ -212,6 +212,23 @@ def set_password(self, entropy_size: int = 32) -> bool:
             raise
         return True
 
+    def change_password(self) -> bool:
+        """
+        Returns True if the user changes password successfully by
+        unlocking with old password and entering and confirming new password.
+        Returns False otherwise.
+        """
+        # pylint: disable=no-member
+        request = hww.Request()
+        request.change_password.CopyFrom(bitbox02_system.ChangePasswordRequest())
+        try:
+            self._msg_query(request, expected_response="success")
+        except Bitbox02Exception as err:
+            if err.code == ERR_GENERIC:
+                return False
+            raise
+        return True
+
     def create_backup(self) -> bool:
         """
         Returns True if the backup was created successfully.

py/bitbox02/bitbox02/communication/generated/bitbox02_system_pb2.py

@@ -208,3 +208,13 @@ class SetPasswordRequest(google.protobuf.message.Message):
     def ClearField(self, field_name: typing.Literal["entropy", b"entropy"]) -> None: ...
 
 global___SetPasswordRequest = SetPasswordRequest
+
+@typing.final
+class ChangePasswordRequest(google.protobuf.message.Message):
+    DESCRIPTOR: google.protobuf.descriptor.Descriptor
+
+    def __init__(
+        self,
+    ) -> None: ...
+
+global___ChangePasswordRequest = ChangePasswordRequest