The SignPSS hash override happened after the boringcrypto block, meaning
if a boringcrypto user passed a hash in the PSSOptions which did not
match the hash argument, it wouldn't be overriden. This change moves the
check above the boring block to make sure the override is honored.
Thanks to Quim Muntal of Microsoft for spotting this issue.
Change-Id: I05082a84ccb1863798ac6eae7a15cf4d1e59f12d
Reviewed-on: https://go-review.googlesource.com/c/go/+/614276 Reviewed-by: Quim Muntal <quimmuntal@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: David Chase <drchase@google.com>