Commit c96159c

FiloSottile authored and gopherbot committed
crypto/x509: cleanup signature generation
Centralizing some repetitive code, which would have prevented #45990.

This also fixes the deprecated Certificate.CreateCRL for RSA-PSS, not that anyone cared, probably.

This has two other minor observable behavior changes: MD2 is now treated as a completely unknown algorithm (why did we even have that!? removing lets us treat hash == 0 as always meaning no prehash); and we now do the signature verification self-check for all signing operations.

Change-Id: I3b34fe0c3b6eb6181d2145b0704834225cd45a27
Reviewed-on: https://go-review.googlesource.com/c/go/+/586015
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Auto-Submit: Filippo Valsorda <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>

1 parent bf0bbd5 commit c96159c

3 files changed, +138 -183 lines changed

@@ -0,0 +1,3 @@
1+
[CreateCertificateRequest] now correct supports RSA-PSS signature algorithms.
2+
3+
[CreateCertificateRequest] and [CreateRevocationList] now verify the generated signature using the signer’s public key. If the signature is invalid, an error is returned. This has been the behavior of [CreateCertificate] since Go 1.16.
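
Review bot: In the first added line, "now correct supports" should read "now correctly supports". The note also leaves out two user-visible changes that the commit message itself calls out: the RSA-PSS fix for the deprecated Certificate.CreateCRL, and MD2 now being treated as a completely unknown algorithm. The MD2 change in particular is described as an observable behavior change, so a sentence for it here would let anyone who still passes that algorithm find the cause in the release notes. For the second paragraph, consider saying which error callers should expect when the self-check fails, since [CreateCertificateRequest] and [CreateRevocationList] callers with a custom signer will now see a failure they did not see before.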
