Description: Fix FTBFS due to signature verification error
 Since Go 1.16, x509.CreateCertificate() verifies the signature.
 .
 util_test.go:24: error: x509: signature over certificate returned by signer is invalid: crypto/rsa: verification error
 .
 https://github.com/golang/go/commit/2ec71e57323c4801bb70a8dab687991e551229f4
Author: Peter Colberg <peter@colberg.org>
Bug-Debian: https://bugs.debian.org/890925
Last-Update: 2023-02-05
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/storage/util.go
+++ b/storage/util.go
@@ -124,8 +124,12 @@
 }
 
 func determineKeyIDFromCert(c *x509.Certificate) string {
+	return determineKeyIDFromSubjectPublicKeyInfo(c.RawSubjectPublicKeyInfo)
+}
+
+func determineKeyIDFromSubjectPublicKeyInfo(b []byte) string {
 	h := sha256.New()
-	h.Write(c.RawSubjectPublicKeyInfo)
+	h.Write(b)
 	return strings.ToLower(strings.TrimRight(base32.StdEncoding.EncodeToString(h.Sum(nil)), "="))
 }
 
@@ -175,29 +179,12 @@
 
 // Given a public key, returns the key ID.
 func DetermineKeyIDFromPublicKey(pubk crypto.PublicKey) (string, error) {
-	// Trick crypto/x509 into creating a certificate so we can grab the
-	// subjectPublicKeyInfo by giving it a fake private key generating an invalid
-	// signature. ParseCertificate doesn't verify the signature so this will
-	// work.
-	//
-	// Yes, this is very hacky, but avoids having to duplicate code in crypto/x509.
-
-	determineKeyIDFromKeyIntl(pubk, psuedoPrivateKey{})
-
-	cc := &x509.Certificate{
-		SerialNumber: big.NewInt(1),
-	}
-	cb, err := x509.CreateCertificate(rand.Reader, cc, cc, pubk, &psuedoPrivateKey{pubk})
+	b, err := x509.MarshalPKIXPublicKey(pubk)
 	if err != nil {
 		return "", err
 	}
 
-	c, err := x509.ParseCertificate(cb)
-	if err != nil {
-		return "", err
-	}
-
-	return determineKeyIDFromCert(c), nil
+	return determineKeyIDFromSubjectPublicKeyInfo(b), nil
 }
 
 func determineAccountID(providerURL string, privateKey interface{}) (string, error) {