For better or for worse, that is how the encoding/asn1 package works. There is a comment in the source code:

		// We allow extra bytes at the end of the SEQUENCE because
		// adding elements to the end has been used in X.509 as the
		// version numbers have increased.

I don't think we can change that now.

CC @agl @FiloSottile

I don't think we can change that now.

That's fine, I guess people would have to live with that, however:

• These comments you quoted are not from the go-doc but buried deep within the code.
• The go-doc doesn't say anything about when rest is (not)? empty, can we change that?

Yes, we can certainly change the documentation. Want to send a patch?

I think it's best if someone else does it.

I have no knowledge of ASN1 and I also opened this throwaway user just for reporting this.

This is indeed intended behavior, although something that surprised me at some point, too. Adding elements to SEQUENCEs is how ASN.1 is extended. If you want to check there's no extra elements, you should use golang.org/x/crypto/cryptobyte instead (and we do here and there for things like signature parsing).

rest is needed? initOffset is always zero and json.Unmarshal returns only error.
https://golang.org/src/encoding/asn1/asn1.go?s=30565:30631#L1082

func Unmarshal(b []byte, val interface{}) (rest []byte, err error) {
	return UnmarshalWithParams(b, val, "")
}

func UnmarshalWithParams(b []byte, val interface{}, params string) (rest []byte, err error) {
	v := reflect.ValueOf(val).Elem()
	offset, err := parseField(v, b, 0, parseFieldParameters(params))
	if err != nil {
		return nil, err
	}
	return b[offset:], nil
}

func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParameters) (offset int, err error)

Change https://golang.org/cl/233537 mentions this issue: encoding/asn1: document what Unmarshal returns in rest

Marking this as a duplicate of #35680, which is addressed in https://golang.org/cl/233537.