Hi, we've found an issue with Botan's BER decoding of OIDs.

The byte sequence 0x06 0x02 0x79 0x01 should yield the OID 2.41.1. However, Botan decodes it as 3.1.1. Please note that 3.1.1 is explicitly forbidden by the standard (see ITU-T X.660 Annex A.2).

According to the standard, the first "byte" is encoded by multiplying the first object identifier component by 40 and adding the second object identifier component: 2 * 40 + 41 = 121 (0x79) (see ITU-T X.690 Section 8.19.4). When decoding this byte, Botan interprets this as 3 * 40 + 1. For arc 0 and 1 only subidentifiers up to 39 are allowed (they couldn't be distinguished otherwise) (see ITU-T X.660 Section 7.6). For arc 2, there's no such limitation.

Furthermore, Botan does treat the first byte as a single byte. That is another issuer: The valid OID 2.999.1234 cannot be encoded/decoded by Botan. For this to work, Botan must use the same variable length encoding (bit 8 set to 1) for the first "byte" (see ITU-T X.690 Section 8.19.2).

Helpful Links:

• https://misc.daniel-marschall.de/asn.1/oid-converter/online.php
• https://misc.daniel-marschall.de/asn.1/oid_facts.html

@jdoubleu I believe #4063 addresses all of the issues you raise. If you have a chance I'd appreciate your input on it - particularly regarding the newly added test cases, and if there are additional corner cases we should be checking.