This adds support for embedding SCTs in certificates instead of
returning a header with a detached SCTs. This is done by implementing an
SCT interface for a signer. For example, GCP CA Service will not
support embedded SCTs, but KMS will.

This heavily leverages the Go CT library. I've removed the custom
client in favor of the CT library client, which includes more
verification and retry logic. Note that there's a TODO to include the
public key of the CT log in Fulcio so that the SCT is checked before
returning a response.

A certificate is signed twice, which adds an extra remote call to KMS.
The first certificate is added to the CT log via AddPreChain instead of
AddChain.

The Cosign client will need to be updated to support embedded SCTs.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

This is because Cosign expects an AddChainResponse and not an SCT. The
new client returns an SCT instead, so we have to manually convert it.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

PEM encoding handles adding a newline.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>