Resulted in this change:
But in the process we figured out why a PKI cert starts with MII by reading the ASN.1 spec.
We explained the reason in a comment in the committed patch; here's the answer to $title without the Keystone justification included:
Thanks to ayoung for sorting this out.
The hex representation of base64-decoded MII is 3082:
In : binascii.hexlify(base64.b64decode('MII='))
according to: http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
pg4: For tags from 0 to 30 the first octet is the identifier
pg10: Hex 30 means sequence, followed by the length of that sequence.
pg5: Second octet is the length octet
first bit indicates short or long form; in the long form, the next 7 bits
encode the number of subsequent octets that make up the content length
octets as an unsigned binary int
82 = 10000010 (first bit indicates long form)
0000010 = 2 octets (next 7 bits indicate octet count for content length)
so read the next 2 octets to get the length of the content.
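
The decoding steps above as an added Python example (not the code from the committed patch): `parse_der_header` and `sequence_prefix` are hypothetical helper names, and the sample bytes are constructed. It goes one step beyond the text by showing which content lengths actually produce `MII`, since the third base64 character also carries the top two bits of the first length octet.

```python
import base64

def parse_der_header(data: bytes):
    """Parse the identifier and length octets of the first DER TLV.

    Returns (tag_number, content_length, header_length).
    """
    if len(data) < 2:
        raise ValueError("need an identifier octet and a length octet")
    tag_number = data[0] & 0x1F          # low 5 bits; 0x30 -> 16 (SEQUENCE)
    if tag_number == 0x1F:
        raise ValueError("tags above 30 use a multi-octet identifier")
    first = data[1]
    if first & 0x80 == 0:                # short form: 7 bits are the length
        return tag_number, first, 2
    count = first & 0x7F                 # long form: number of length octets
    if count == 0:
        raise ValueError("indefinite length is not valid DER")
    if len(data) < 2 + count:
        raise ValueError("length octets truncated")
    return tag_number, int.from_bytes(data[2:2 + count], "big"), 2 + count

def sequence_prefix(content_length: int) -> str:
    """First three base64 characters of a DER SEQUENCE of this content length."""
    if content_length < 0x80:
        length_octets = bytes([content_length])
    else:
        n = (content_length.bit_length() + 7) // 8
        length_octets = bytes([0x80 | n]) + content_length.to_bytes(n, "big")
    header = b"\x30" + length_octets
    # Zero padding (constructed) so even a 2-octet header fills a base64 group.
    return base64.b64encode(header + b"\x00\x00")[:3].decode()

if __name__ == "__main__":
    # Constructed input: 30 82 03 00 is a SEQUENCE header with length 0x0300.
    print(parse_der_header(bytes.fromhex("308203000000")))
    for n in (100, 255, 256, 1200, 16383, 16384, 70000):
        print(n, sequence_prefix(n))
```

Only content lengths from 256 to 16383 bytes give `MII`; shorter or longer SEQUENCEs start with other prefixes such as `MIH` or `MIJ`, so a prefix check on `MII` covers typical certificate sizes rather than every DER SEQUENCE.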