crypto/ecdsa: add SignASN1, VerifyASN1

[jyasskin]

The crypto.Signer implementation provided by crypto.ecdsa encodes its signature into bytes using the ASN.1 format that's used by TLS, but it doesn't provide a matching verification routine that takes a []byte instead of a pair of big.Ints. It's straightforward to implement one, and both crypto.tls and crypto.x509 have done so, but it seems silly to make every consumer independently implement a standardized signature format.

[rsc]

/cc @agl

[rsc]

I ran into this oddness during BoringCrypto work too. It does seem like there should be a

package ecdsa
func VerifyBytes(pub *PublicKey, hash, sig []byte) bool

to match ecdsa.PrivateKey.Sign. It would be tempting to add SignBytes that returns []byte instead of two big.Int, but that name doesn't seem right. So maybe instead:

package ecdsa
func SignASN1(io.Reader, priv *PrivateKey, hash []byte) (sig []byte, err error)
func VerifyASN1(pub *PublicKey, hash, sig []byte) bool

?

@agl, I'm happy to write these if you sign off (ha) on the names.

[FiloSottile]

This came up during @katiehockman's work on Wycheproof tests, and it seems like a good idea, it looks like we are forcing everyone to use encoding/asn1 when they just want to deal with ECDSA. I'm in favor of adding these APIs.

[rsc]

Based on the discussion above, this seems like a likely accept.

Leaving open for a week for final comments.