Drop-in replacements for x509.ParseCertificate and x509.ParseCertificates that handle certificates with unsupported ASN.1 string types in Distinguished Name attributes.
Go's crypto/x509 parser accepts only six ASN.1 string types in RDN attribute values (UTF8String, PrintableString, T61String, IA5String, BMPString, NumericString). Valid certificates may use other types: for example, x500UniqueIdentifier (OID 2.5.4.45) is defined as a BIT STRING in the X.520 spec. OpenSSL parses these fine, but Go rejects them with:
x509: invalid RDNSequence: invalid attribute value: unsupported string type: 3
This is Go issue #48371, open since 2021, marked Unplanned. A proposal for lenient parsing was explicitly rejected by the Go security team. No alternative Go x509 library handles this either.
ParseCertificate and ParseCertificates first try the standard crypto/x509 parser. If it fails with "unsupported string type", they:
- Copy the DER bytes
- Walk the ASN.1 structure to find the Issuer and Subject RDN sequences
- Replace unsupported value tags (BIT STRING 0x03, OCTET STRING 0x04) with T61String (0x14)
- Parse the patched copy
- Restore cert.Raw to the original unpatched bytes
Normal certificates take the standard code path with zero overhead. The original DER is always preserved in cert.Raw for re-encoding and signature verification.
import "github.com/invopop/x509tolerant"
cert, err := x509tolerant.ParseCertificate(der)