
proposal: x/crypto: decode ASN.1 BOOLEAN 0x01 as true when validating certificate basic constraints #53932

Closed
jtallinger opened this issue Jul 18, 2022 · 1 comment

@jtallinger

Hi,

When parsing a private root certificate I get the following error:
x509: invalid basic constraints b

Decoding the certificate we can see:

OBJECT IDENTIFIER basicConstraints (2.5.29.19)
BOOLEAN TRUE
OCTET STRING 30 03 01 01 01

ASN.1 BER encoding specifies that for booleans, false is encoded as 0 and true as any non-0 value. However, for DER (which is a subset of BER) true has only one legal value: 255. This means the above certificate is not using the correct value (01 instead of FF).

Now the issue is that many applications are wrongly using 01 and clients accept that (curl, Chrome, etc.). One could argue that it should be fixed in the application issuing the cert, but this is difficult to justify when thousands of devices have been deployed with this certificate, other clients interpret 01 as true, and it has worked fine for years.

With the current Go crypto implementation the validation is very strict, preventing us from using Go's HTTP client to validate TLS connections unless InsecureSkipVerify is set to true.

For the sake of compatibility with other languages and legacy setups I propose we add "case 1: *out = true" to ReadASN1Boolean() in crypto/cryptobyte/asn1.go, which solves the problem.

https://github.com/golang/go/blob/master/src/vendor/golang.org/x/crypto/cryptobyte/asn1.go#L249-L265

// Proposed change to ReadASN1Boolean in golang.org/x/crypto/cryptobyte
// (asn1.go): accept the BER encoding 0x01 of TRUE alongside the DER
// encoding 0xff. The "case 1" arm is the addition being proposed.
package cryptobyte

import "golang.org/x/crypto/cryptobyte/asn1"

func (s *String) ReadASN1Boolean(out *bool) bool {
	var bytes String
	// A BOOLEAN must carry exactly one contents octet.
	if !s.ReadASN1(&bytes, asn1.BOOLEAN) || len(bytes) != 1 {
		return false
	}

	switch bytes[0] {
	case 0:
		*out = false
	case 1:
		*out = true // proposed: BER-style TRUE, not valid under DER
	case 0xff:
		*out = true // the only DER encoding of TRUE
	default:
		return false
	}

	return true
}
@gopherbot gopherbot added this to the Proposal milestone Jul 18, 2022
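To make the strict-versus-lenient distinction concrete, here is an added Go example (not code from the issue, from x/crypto, or from the Go project) that decodes the BasicConstraints bytes shown in the issue with the standard library's encoding/asn1, which applies the same DER-only BOOLEAN rule as cryptobyte, beside a hand-written decoder that applies the BER rule the proposal asks for. The two byte strings are constructed from the dump in the issue, and the function names are the example's own.

```go
package main

import (
	"encoding/asn1"
	"errors"
	"fmt"
)

// Constructed from the dump in the issue: the basicConstraints OCTET STRING
// contents, i.e. SEQUENCE { BOOLEAN }, with the two encodings of TRUE.
var (
	berTrue = []byte{0x30, 0x03, 0x01, 0x01, 0x01} // 0x01: valid BER, invalid DER
	derTrue = []byte{0x30, 0x03, 0x01, 0x01, 0xFF} // 0xFF: the only DER TRUE
)

// basicConstraints mirrors RFC 5280 BasicConstraints (cA, pathLenConstraint).
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// strictIsCA uses encoding/asn1, which, like cryptobyte's ReadASN1Boolean,
// accepts only 0x00 (FALSE) and 0xFF (TRUE) as BOOLEAN contents.
func strictIsCA(ext []byte) (bool, error) {
	var bc basicConstraints
	rest, err := asn1.Unmarshal(ext, &bc)
	if err == nil && len(rest) != 0 {
		err = errors.New("trailing data after BasicConstraints")
	}
	return bc.IsCA && err == nil, err
}

// lenientIsCA hand-decodes the exact SEQUENCE { BOOLEAN } shape from the issue
// with the BER rule the proposal asks for: any non-zero octet is TRUE.
func lenientIsCA(ext []byte) (bool, error) {
	// TLV framing is still checked, so leniency is confined to the value byte.
	if len(ext) != 5 || ext[0] != 0x30 || ext[1] != 0x03 || ext[2] != 0x01 || ext[3] != 0x01 {
		return false, errors.New("not a SEQUENCE { BOOLEAN } encoding")
	}
	return ext[4] != 0x00, nil
}

func main() {
	for _, in := range [][]byte{berTrue, derTrue} {
		s, serr := strictIsCA(in)
		l, lerr := lenientIsCA(in)
		fmt.Printf("% X  strict=%v err=%v  lenient=%v err=%v\n", in, s, serr, l, lerr)
	}
}
```

Running it shows the 0x01 encoding rejected by the strict decoder (the same outcome the x509 parser reports as "invalid basic constraints b") and accepted by the lenient one, while 0xFF is accepted by both.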
@seankhliao
Member

Duplicate of #11091

@seankhliao seankhliao marked this as a duplicate of #11091 Jul 18, 2022
@seankhliao seankhliao closed this as not planned Won't fix, can't repro, duplicate, stale Jul 18, 2022
@golang golang locked and limited conversation to collaborators Jul 18, 2023