https://github.com/golang/go/issues/13515 https://github.com/golang/go/issues/13907
Peter Gutmann mentions in the cryptlib documentation that the extra check makes RSA signatures 10% slower, so I assume it's tempting to patch it out (or not add it in the first place).