notaryproject / notation

A CLI tool to sign and verify artifacts
https://notaryproject.dev/
Apache License 2.0

Support FIPS 140 validated crypto module(s) #897

Open gponto opened 4 months ago

gponto commented 4 months ago

Is your feature request related to a problem?

FIPS (Federal Information Processing Standards) requires that any cryptographic functions (e.g. hashing) utilize cryptographic modules validated and listed by NIST under https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

What solution do you propose?

  1. The crypto provider (https://pkg.go.dev/crypto) must offer this feature. Working with this provider to determine what compilation/import flags (if any) are required to explicitly leverage FIPS validated modules is therefore the first step.
  2. Depending on whether a variant build/flag of https://pkg.go.dev/crypto is required, CLI/tool vendors may support a command line flag such as --fips-mode true which engages the appropriate version of https://pkg.go.dev/crypto. However, if the providers of https://pkg.go.dev/crypto can attest that their library is fully FIPS 140 validated and can supply the https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all Certificate #, then no such flag is required.

What alternatives have you considered?

Utilize an OpenSSL Go library that utilizes FIPS validated modules, or build OpenSSL for Go using a version of OpenSSL that is FIPS validated (3.0.9 as of this writing): https://www.openssl.org/source/


Any additional context?

The following Cloud Service Providers reference the Notary Project as their recommended method for signing containers. Any US Federal customer of these providers must therefore meet the FIPS compliance requirement described above. 

yizha1 commented 3 months ago

Per the discussion in the meeting 3/12/2024, set the milestone to 1.3.0