use key instead of subject to check root cert

[pete911]

@jonhadfield, I have merged and release you PR to unblock you, but want to know your opinion on comparing keys instead of subjects. My understanding of RFC is that the key is either omitted, or has to be the same (self signed).
I feel like it is maybe safer to compare keys instead of subjects. Let me know what you think - this PR addresses that.

[jonhadfield]

Your message resulted in a lot of interesting reading. I got a bit thrown by RFC SHOULDs and MAYBEs and started looking for exceptions to each of the possible rules.
My takeaway (and I'm far from an expert) is that matching DNs should be sufficient and more compatible (less of the spec to adhere to?), but key comparison is technically superior if the spec is always followed.

[pete911]

Hi, so it is quite easy to create intermediate with the same issuer and subject (I added test certificate to test this specific scenario to pkg/cert/testdata/intermediate_same_issuer_and_subject.pem).
I will merge this PR to cover cases likes this, even though they are unlikely.

[jonhadfield]

Hi @pete911, I was having another read and, FWIW, also concluded that comparison of AKI (or lack thereof) and SKI is definitely the correct way to go.