I made a first cut at parsing the CertificateExtensions. I grab the OID and then I do an ASN1 DER decoding of the value. We have shortcomings in the way we decode the tag for DER/BER encodings. We don't decode multi-byte tags for example.
When I was decoding the cert extensions, I ran across several new tags, namely 128 and 130. According to ASN1dubuisson.pdf, these are context-specific, primitive types. When we have the high order bit set, we are masking the low order bits. I changed the mask to mask out the high order bit. This means that my 2 tags decode to a ByteArray, while the ExplicitConstructed type (101xxxxx) still decodes correctly. You may want to review my code in Cryptography- ASN package, specifically the ASN1Value class>>#typeClassForTag:
Robert