abnf | ABNF for golang — α stage

Despite my limited knowledge about compiling/parsing I dared to build a small recursive descent parser for OData $filter expressions. The parser only needs to check the expression for correctness and output a corresponding condition in SQL. As input and output have almost the same tokens and structure this was fairly straightforward and my implementation does 90% of what I want.

But now I got stuck with parenthesis, which appear in separate rules for logical and arithmetic expressions. The full OData grammar in ABNF is here, a condensed version of the rules involved is this:

Solving a CORS issue, I was wondering what are the valid values for the HTTP response header Access-Control-Allow-Headers.

The Whatwg CORS spec on header syntax tells me in ABNF that :

Access-Control-Allow-Headers = #field-name

And the RFC7230 tells me that :

I'm quite confused as to what's allowed as the time separator/designator in the RFC3339 standard. By time separator I mean the sequence of characters that draw the line between date and time.

The standard states in section 5.6 different things that are unclear or conflicting. First of all, it says that the production rule for a full datetime is this:

RFC 3986 says that Host (I'm writing with a capital, to distinguish it as parameter inside HTTP request) value reg-name has ABNF syntax reg-name = *( unreserved / pct-encoded / sub-delims ), which includes i.e. signs + or !, which as far as I know are prohibited in URL authority. Standard states also that

A host identified by a registered name is a sequence of characters usually intended for lookup within a locally defined host or service name registry, though the URI's scheme-specific semantics may require that a specific registry (or fixed name table) be used instead. The most common name registry mechanism is the Domain Name System (DNS).

And refers to RFC 1034 section 3.5, where syntax looks more like I would expect. What's the relation between reg-name in HTTP Host value and DNS name syntax? What are technologies which uses HTTP request Host value different than the most common one (which I understand is just one of many others)?

I'm trying to generate a 43-octet (Byte) string to use as code verifier for OAuth authentication with PowerShell as described in RFC7636.

1. Protocol

4.1. Client Creates a Code Verifier

The client first creates a code verifier, "code_verifier", for each OAuth 2.0 [RFC6749] Authorization Request, in the following manner:

code_verifier = high-entropy cryptographic random STRING using the unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"
from Section 2.3 of [RFC3986], with a minimum length of 43 characters and a maximum length of 128 characters.

ABNF for "code_verifier" is as follows.

code-verifier = 43*128unreserved unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" ALPHA = %x41-5A / %x61-7A DIGIT = %x30-39

NOTE: The code verifier SHOULD have enough entropy to make it
impractical to guess the value. It is RECOMMENDED that the output of a suitable random number generator be used to create a 32-octet
sequence. The octet sequence is then base64url-encoded to produce a
43-octet URL safe string to use as the code verifier.

I found that using the RNGCryptoServiceProvider class is more likely to generate a high-entropy random number but when I convert it into a base64 string, it has undesired characters.