V1 certificates are rejected with BadDER instead of UnsupportedCertVersion

[briansmith]

Either return a different error code, or document somewhere that the most likely cause of BadDER is a non-v3 certificate.

[jonas-schievink]

There's now an UnsupportedCertVersion, and I'm able to trigger it for a v2 and v4 version field.

[jonas-schievink]

Ah, but apparently the error returned when the version field is missing completely is still BadDER, so this is still relevant.

[briansmith]

Ah, but apparently the error returned when the version field is missing completely is still BadDER, so this is still relevant.

Right. The way to encode "version 1" is by not encoding the version at all, unfortunately. The best way to fix that would be to change ring's DER parser to return different errors for "the tag isn't what was expected" vs. other errors. I would take PRs to ring and to webpki to do that.

[briansmith]

The best way to fix that would be to change ring's DER parser to return different errors for "the tag isn't what was expected" vs. other errors. I would take PRs to ring and to webpki to do that.

#90 is a very similar problem and the best solution seems to be similar to what I suggested above.