feat: add loaders for pkcs8 keys in cloudfront/sign #2313

Merged
lucix-aws merged 1 commit into main from feat-cloudfrontpkcs8
Oct 13, 2023

@lucix-aws
Contributor

Closes #2270.

Add the following APIs:

// LoadPEMPrivKeyPKCS8 reads a PEM-encoded RSA private key in PKCS8 format from
// the given reader.
//
// [x509.ParsePKCS8PrivateKey] can return multiple key types and this API does
// not discern between them. Callers in need of the underlying value must
// obtain it via type assertion:
//
//  key, err := sign.LoadPEMPrivKeyPKCS8(r)
//  if err != nil { /* ... */ }
//
//  switch key.(type) {
//  case *rsa.PrivateKey:
//      // ...
//  case *ecdsa.PrivateKey:
//      // ...
//  case ed25519.PrivateKey:
//      // ...
//  default:
//      panic("unrecognized private key type")
//  }
//
// See aforementioned API docs for a full list of possible key types.
//
// If calling code can opaquely handle the returned key as a [crypto.Signer],
// use [LoadPEMPrivKeyPKCS8AsSigner] instead.
func LoadPEMPrivKeyPKCS8(reader io.Reader) (interface{}, error)

// LoadPEMPrivKeyPKCS8AsSigner wraps [LoadPEMPrivKeyPKCS8] to expect a
// [crypto.Signer].
func LoadPEMPrivKeyPKCS8AsSigner(reader io.Reader) (crypto.Signer, error)

Additionally--

  • improve package documentation
  • deprecate LoadEncryptedPEMPrivKey
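
An added example (not code from this pull request or from the SDK) of the load-then-assert pattern the doc comments above describe, written against the Go standard library only. The helper names `loadPKCS8Signer` and `constructedPEM`, the PEM label check, and the throwaway Ed25519 key are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
)

// loadPKCS8Signer (hypothetical helper) parses one unencrypted PKCS#8 PEM block.
func loadPKCS8Signer(r io.Reader) (crypto.Signer, error) {
	data, err := io.ReadAll(r)
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	// Assumption here: only the PKCS#8 label passes; PKCS#1 or encrypted fails early.
	if block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("unexpected PEM type %q", block.Type)
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	signer, ok := key.(crypto.Signer)
	if !ok { // some parsed key types cannot sign
		return nil, fmt.Errorf("key type %T is not a crypto.Signer", key)
	}
	return signer, nil
}

// constructedPEM wraps a throwaway Ed25519 key (constructed sample) under label.
func constructedPEM(label string) []byte {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: der})
}

func main() {
	s, err := loadPKCS8Signer(bytes.NewReader(constructedPEM("PRIVATE KEY")))
	fmt.Printf("%T %v\n", s, err)
}
```
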

@lucix-aws lucix-aws requested a review from a team as a code owner October 12, 2023 17:29
@isaiahvita
Contributor

@lucix-aws LGTM, just one question though: why create a new API LoadPEMPrivKeyPKCS8 rather than amending LoadEncryptedPEMPrivKey? Is it to avoid an unexpected behavioral change? That way it's better to explicitly deprecate and add rather than replace?

@lucix-aws lucix-aws merged commit 6e4fae3 into main Oct 13, 2023
@lucix-aws lucix-aws deleted the feat-cloudfrontpkcs8 branch October 13, 2023 16:42

Development

Successfully merging this pull request may close these issues.

Support PKCS#8PrivateKey Parsing in CloudFront Signed URL Signer