crypto/rsa: reject short signatures #21896
During dev.boringcrypto work, I discovered that x/crypto/openpgp tests depend on crypto/rsa accepting trimmed RSA signatures, in which leading zeros have been removed, while BoringSSL does not. @agl says that the Go library is in error and that such signatures are not valid. We should fix this (in master, not just dev.boringcrypto) for Go 1.10 and mark it in the release notes. Will need to fix openpgp first.