We probably need to fix ParsePKIXPublicKey not to ignore the remainder of the DER encoding.

@agl, please speak up if you think the code is correct as is. Otherwise we'll take care of it. Thanks.

---------- Forwarded message ----------
From: jabczynskimichal@gmail.com
Date: Fri, Apr 24, 2015 at 3:36 PM
Subject: [golang-dev] proposal: ASN1 (un)marshalling from Reader/Writer
To: golang-dev@googlegroups.com

Hi golang-dev,

...

In crypto/x509/x509.go, we have the following code:

// ParsePKIXPublicKey parses a DER encoded public key. These values are
// typically found in PEM blocks with "BEGIN PUBLIC KEY".
func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error) {
    var pki publicKeyInfo
    if _, err = asn1.Unmarshal(derBytes, &pki); err != nil {
        return
    }
    algo := getPublicKeyAlgorithmFromOID(pki.Algorithm.Algorithm)
    if algo == UnknownPublicKeyAlgorithm {
        return nil, errors.New("x509: unknown public key algorithm")
    }
    return parsePublicKey(algo, &pki)
}

Notice that the rest value is ignored when parsing the public key. If key validity is checked using a hash function, a malicious entity could add bytes after the public key, changing its hash value without altering the key itself. This is unacceptable in x509 implementation.