Previously, one could construct an RSA key pair "successfully" even if
the bit length of the private moduli was not evenly divisible by 512.
However, using such a key to sign something would (usually) fail on
x86-64 because the x86-64 signing code requires the modulus to be an
even multiple of 8 limbs.
Now, all keys that have private primes with lengths that aren't
multiples of 512 bits will be rejected at key construction time with
error "PrivateModulusLenNotMultipleOf512Bits".
Support them by swapping (p, dP) and (q, dQ) and recalculating qInv
ourselves. Added a few test vectors for |p < q|
parsing/signing/verification.
I agree to license my contributions to each file under the terms given
at the top of each file I changed.
