X.509v1 certificates are ancient and should be dead. (They are even
prohibited by the Baseline requirements, section 7.1.1.)

However, there are a number of v1 roots from the 1990's that are still
in operation. Thus crypto/x509.Certificate.CheckSignatureFrom allows
X.509v1 certificates to sign other certificates.

The chain building code, however, only allows v1 certificates to sign
others if they're a root. This change adds a test to check that.

Change-Id: Ib8d81e522f30d41932b89bdf3b19ef3782d8ec12
Reviewed-on: https://go-review.googlesource.com/34383
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>