OpenSSL requires that RSA signatures be exactly the same byte-length
as the modulus. Currently it'll reject ~1/256 of our signatures: those
that end up a byte shorter.

Fixes #3796.

R=golang-dev, edsrzf, r
CC=golang-dev
https://golang.org/cl/6352093