Support adding a recipient/password to an existing encrypted message
'sq encrypt' should have an option to reencrypt an encrypted message. This would decrypt the session key and add or replace PKESK/SKESK packets.
If this is inconvenient to do using the current low-level API, then appropriate convenience functions should be added.
Note: if the encrypted part is signed, this would break the signatures. This condition should be detected and handled.
Note: this is not about upgrading the symmetric encryption, e.g., changing a message to use an AEAD instead of a SED packet.