FIPS compliant libraries

[lukehinds]

We currently have two non FIPS compliant modules in use:

./pkg/pki/ssh/sign.go:	"golang.org/x/crypto/ssh"
./pkg/pki/ssh/ssh.go:	"golang.org/x/crypto/ssh"
./pkg/pki/ssh/verify.go:	"golang.org/x/crypto/ssh"
./pkg/pki/pgp/pgp.go:	"golang.org/x/crypto/openpgp/armor"
./pkg/pki/pgp/pgp.go:	"golang.org/x/crypto/openpgp/packet"
./pkg/pki/pgp/pgp.go:	"golang.org/x/crypto/openpgp"

We should port to FIPS compliant modules, as being non FIPS will make it a challenge for operators to deploy rekor into government / military / FSI etc

[bobcallaway]

note that #286 found that we can't swap for the proton mail openpgp port due to lack of support for RPM signatures (which require pgp v3 packets)

[lukehinds]

is it viable / extensive to get that work upstream (note to self, is proton mail openpgp even FIPs)?

[haydentherapper]

Can we close this? Golang's crypto library isn't FIPS compliant without being recompiled and using boringssl instead, and that seems like a risky change to take on

[sunstonesecure-robert]

how risky? it would open up much more use across gov and healthcare. having built and validagted FIPS hardware and software happy to help

[jtcarnes]

I would be interested as well. What are the current blockers?