Use byte[] instead of ByteArray in DER encoding and parsing functions

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java

@@ -26,6 +26,7 @@
 
 import com.google.common.primitives.Bytes;
 import com.upokecenter.cbor.CBORObject;
+import com.yubico.internal.util.BinaryUtil;
 import com.yubico.webauthn.data.ByteArray;
 import com.yubico.webauthn.data.COSEAlgorithmIdentifier;
 import java.io.IOException;
@@ -40,7 +41,6 @@
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
-import java.util.stream.Stream;
 import lombok.AllArgsConstructor;
 import lombok.NonNull;
 
@@ -175,69 +175,70 @@ private static PublicKey importCoseRsaPublicKey(CBORObject cose)
   private static PublicKey importCoseEcdsaPublicKey(CBORObject cose)
       throws NoSuchAlgorithmException, InvalidKeySpecException {
     final int crv = cose.get(CBORObject.FromObject(-1)).AsInt32Value();
-    final ByteArray x = new ByteArray(cose.get(CBORObject.FromObject(-2)).GetByteString());
-    final ByteArray y = new ByteArray(cose.get(CBORObject.FromObject(-3)).GetByteString());
+    final byte[] x = cose.get(CBORObject.FromObject(-2)).GetByteString();
+    final byte[] y = cose.get(CBORObject.FromObject(-3)).GetByteString();
 
-    final ByteArray curveOid;
+    final byte[] curveOid;
     switch (crv) {
       case 1:
-        curveOid = P256_CURVE_OID;
+        curveOid = P256_CURVE_OID.getBytes();
         break;
 
       case 2:
-        curveOid = P384_CURVE_OID;
+        curveOid = P384_CURVE_OID.getBytes();
         break;
 
       case 3:
-        curveOid = P512_CURVE_OID;
+        curveOid = P512_CURVE_OID.getBytes();
         break;
 
       default:
         throw new IllegalArgumentException("Unknown COSE EC2 curve: " + crv);
     }
 
-    final ByteArray algId =
-        encodeDerSequence(encodeDerObjectId(EC_PUBLIC_KEY_OID), encodeDerObjectId(curveOid));
+    final byte[] algId =
+        encodeDerSequence(
+            encodeDerObjectId(EC_PUBLIC_KEY_OID.getBytes()), encodeDerObjectId(curveOid));
 
-    final ByteArray rawKey =
+    final byte[] rawKey =
         encodeDerBitStringWithZeroUnused(
-            new ByteArray(new byte[] {0x04}) // Raw EC public key with x and y
-                .concat(x)
-                .concat(y));
+            BinaryUtil.concat(
+                new byte[] {0x04}, // Raw EC public key with x and y
+                x,
+                y));
 
-    final ByteArray x509Key = encodeDerSequence(algId, rawKey);
+    final byte[] x509Key = encodeDerSequence(algId, rawKey);
 
     KeyFactory kFact = KeyFactory.getInstance("EC");
-    return kFact.generatePublic(new X509EncodedKeySpec(x509Key.getBytes()));
+    return kFact.generatePublic(new X509EncodedKeySpec(x509Key));
   }
 
-  static ByteArray encodeDerLength(final int length) {
+  static byte[] encodeDerLength(final int length) {
     if (length < 0) {
       throw new IllegalArgumentException("Length is negative: " + length);
     } else if (length <= 0x7f) {
-      return new ByteArray(new byte[] {(byte) (length & 0xff)});
+      return new byte[] {(byte) (length & 0xff)};
     } else if (length <= 0xff) {
-      return new ByteArray(new byte[] {(byte) (0x80 | 0x01), (byte) (length & 0xff)});
+      return new byte[] {(byte) (0x80 | 0x01), (byte) (length & 0xff)};
     } else if (length <= 0xffff) {
-      return new ByteArray(
-          new byte[] {(byte) (0x80 | 0x02), (byte) ((length >> 8) & 0xff), (byte) (length & 0xff)});
+      return new byte[] {
+        (byte) (0x80 | 0x02), (byte) ((length >> 8) & 0xff), (byte) (length & 0xff)
+      };
     } else if (length <= 0xffffff) {
-      return new ByteArray(
-          new byte[] {
-            (byte) (0x80 | 0x03),
-            (byte) ((length >> 16) & 0xff),
-            (byte) ((length >> 8) & 0xff),
-            (byte) (length & 0xff)
-          });
+      return new byte[] {
+        (byte) (0x80 | 0x03),
+        (byte) ((length >> 16) & 0xff),
+        (byte) ((length >> 8) & 0xff),
+        (byte) (length & 0xff)
+      };
     } else {
-      return new ByteArray(
-          new byte[] {
-            (byte) (0x80 | 0x04),
-            (byte) ((length >> 24) & 0xff),
-            (byte) ((length >> 16) & 0xff),
-            (byte) ((length >> 8) & 0xff),
-            (byte) (length & 0xff)
-          });
+      return new byte[] {
+        (byte) (0x80 | 0x04),
+        (byte) ((length >> 24) & 0xff),
+        (byte) ((length >> 16) & 0xff),
+        (byte) ((length >> 8) & 0xff),
+        (byte) (length & 0xff)
+      };
     }
   }
 
@@ -260,7 +261,7 @@ static ParseDerResult<Integer> parseDerLength(@NonNull byte[] der, int offset) {
           case 0:
             throw new IllegalArgumentException(
                 String.format(
-                    "Empty length encoding at offset %d: %s", offset, new ByteArray(der)));
+                    "Empty length encoding at offset %d: 0x%s", offset, BinaryUtil.toHex(der)));
           case 1:
             return new ParseDerResult<>(der[offset + 1] & 0xff, offset + 2);
           case 2:
@@ -293,36 +294,36 @@ static ParseDerResult<Integer> parseDerLength(@NonNull byte[] der, int offset) {
       } else {
         throw new IllegalArgumentException(
             String.format(
-                "Length encoding needs %d octets but only %s remain at index %d: %s",
-                longLen, len - (offset + 1), offset + 1, new ByteArray(der)));
+                "Length encoding needs %d octets but only %s remain at index %d: 0x%s",
+                longLen, len - (offset + 1), offset + 1, BinaryUtil.toHex(der)));
       }
     }
   }
 
-  private static ParseDerResult<ByteArray> parseDerTagged(
+  private static ParseDerResult<byte[]> parseDerTagged(
       @NonNull byte[] der, int offset, byte expectTag) {
     final int len = der.length - offset;
     if (len == 0) {
       throw new IllegalArgumentException(
-          String.format("Empty input at offset %d: %s", offset, new ByteArray(der)));
+          String.format("Empty input at offset %d: 0x%s", offset, BinaryUtil.toHex(der)));
     } else {
       final byte tag = der[offset];
       if (tag == expectTag) {
         final ParseDerResult<Integer> contentLen = parseDerLength(der, offset + 1);
         final int contentEnd = contentLen.nextOffset + contentLen.result;
         return new ParseDerResult<>(
-            new ByteArray(Arrays.copyOfRange(der, contentLen.nextOffset, contentEnd)), contentEnd);
+            Arrays.copyOfRange(der, contentLen.nextOffset, contentEnd), contentEnd);
       } else {
         throw new IllegalArgumentException(
             String.format(
-                "Incorrect tag: 0x%02x (expected 0x%02x) at offset %d: %s",
-                tag, expectTag, offset, new ByteArray(der)));
+                "Incorrect tag: 0x%02x (expected 0x%02x) at offset %d: 0x%s",
+                tag, expectTag, offset, BinaryUtil.toHex(der)));
       }
     }
   }
 
   /** Parse a SEQUENCE and return a copy of the content octets. */
-  static ParseDerResult<ByteArray> parseDerSequence(@NonNull byte[] der, int offset) {
+  static ParseDerResult<byte[]> parseDerSequence(@NonNull byte[] der, int offset) {
     return parseDerTagged(der, offset, (byte) 0x30);
   }
 
@@ -331,7 +332,7 @@ static ParseDerResult<ByteArray> parseDerSequence(@NonNull byte[] der, int offse
    * "constructed" encoding (bit 6 is 1), with a prescribed tag value, and return a copy of the
    * content octets.
    */
-  static ParseDerResult<ByteArray> parseDerExplicitlyTaggedContextSpecificConstructed(
+  static ParseDerResult<byte[]> parseDerExplicitlyTaggedContextSpecificConstructed(
       @NonNull byte[] der, int offset, byte tagNumber) {
     if (tagNumber <= 30 && tagNumber >= 0) {
       return parseDerTagged(der, offset, (byte) ((tagNumber & 0x1f) | 0xa0));
@@ -341,21 +342,21 @@ static ParseDerResult<ByteArray> parseDerExplicitlyTaggedContextSpecificConstruc
     }
   }
 
-  private static ByteArray encodeDerObjectId(final ByteArray oid) {
-    return new ByteArray(new byte[] {0x06, (byte) oid.size()}).concat(oid);
+  private static byte[] encodeDerObjectId(@NonNull byte[] oid) {
+    byte[] result = new byte[2 + oid.length];
+    result[0] = 0x06;
+    result[1] = (byte) oid.length;
+    return BinaryUtil.copyInto(oid, result, 2);
   }
 
-  private static ByteArray encodeDerBitStringWithZeroUnused(final ByteArray content) {
-    return new ByteArray(new byte[] {0x03})
-        .concat(encodeDerLength(1 + content.size()))
-        .concat(new ByteArray(new byte[] {0}))
-        .concat(content);
+  private static byte[] encodeDerBitStringWithZeroUnused(@NonNull byte[] content) {
+    return BinaryUtil.concat(
+        new byte[] {0x03}, encodeDerLength(1 + content.length), new byte[] {0}, content);
   }
 
-  static ByteArray encodeDerSequence(final ByteArray... items) {
-    final ByteArray content =
-        Stream.of(items).reduce(ByteArray::concat).orElseGet(() -> new ByteArray(new byte[0]));
-    return new ByteArray(new byte[] {0x30}).concat(encodeDerLength(content.size())).concat(content);
+  static byte[] encodeDerSequence(final byte[]... items) {
+    byte[] content = BinaryUtil.concat(items);
+    return BinaryUtil.concat(new byte[] {0x30}, encodeDerLength(content.length), content);
   }
 
   private static PublicKey importCoseEdDsaPublicKey(CBORObject cose)
@@ -371,12 +372,12 @@ private static PublicKey importCoseEdDsaPublicKey(CBORObject cose)
 
   private static PublicKey importCoseEd25519PublicKey(CBORObject cose)
       throws InvalidKeySpecException, NoSuchAlgorithmException {
-    final ByteArray rawKey = new ByteArray(cose.get(CBORObject.FromObject(-2)).GetByteString());
-    final ByteArray x509Key =
-        encodeDerSequence(ED25519_ALG_ID, encodeDerBitStringWithZeroUnused(rawKey));
+    final byte[] rawKey = cose.get(CBORObject.FromObject(-2)).GetByteString();
+    final byte[] x509Key =
+        encodeDerSequence(ED25519_ALG_ID.getBytes(), encodeDerBitStringWithZeroUnused(rawKey));
 
     KeyFactory kFact = KeyFactory.getInstance("EdDSA");
-    return kFact.generatePublic(new X509EncodedKeySpec(x509Key.getBytes()));
+    return kFact.generatePublic(new X509EncodedKeySpec(x509Key));
   }
 
   static String getJavaAlgorithmName(COSEAlgorithmIdentifier alg) {

webauthn-server-core/src/test/scala/com/yubico/webauthn/WebAuthnCodecsSpec.scala

@@ -24,8 +24,8 @@
 
 package com.yubico.webauthn
 
+import com.yubico.internal.util.BinaryUtil
 import com.yubico.webauthn.data.ByteArray
-import com.yubico.webauthn.data.Generators.arbitraryByteArray
 import com.yubico.webauthn.test.Util
 import org.junit.runner.RunWith
 import org.scalacheck.Arbitrary
@@ -129,24 +129,26 @@ class WebAuthnCodecsSpec
 
     describe("DER parsing and encoding:") {
       it("encodeDerLength and parseDerLength are each other's inverse.") {
-        forAll(Gen.chooseNum(0, Int.MaxValue), arbitraryByteArray.arbitrary) {
-          (len: Int, prefix: ByteArray) =>
-            val encoded = WebAuthnCodecs.encodeDerLength(len)
-            val decoded = WebAuthnCodecs.parseDerLength(encoded.getBytes, 0)
-            val decodedWithPrefix = WebAuthnCodecs.parseDerLength(
-              prefix.concat(encoded).getBytes,
-              prefix.size,
-            )
-
-            decoded.result should equal(len)
-            decoded.nextOffset should equal(encoded.size)
-            decodedWithPrefix.result should equal(len)
-            decodedWithPrefix.nextOffset should equal(
-              prefix.size + encoded.size
-            )
-
-            val recoded = WebAuthnCodecs.encodeDerLength(decoded.result)
-            recoded should equal(encoded)
+        forAll(
+          Gen.chooseNum(0, Int.MaxValue),
+          Arbitrary.arbitrary[Array[Byte]],
+        ) { (len: Int, prefix: Array[Byte]) =>
+          val encoded = WebAuthnCodecs.encodeDerLength(len)
+          val decoded = WebAuthnCodecs.parseDerLength(encoded, 0)
+          val decodedWithPrefix = WebAuthnCodecs.parseDerLength(
+            BinaryUtil.concat(prefix, encoded),
+            prefix.length,
+          )
+
+          decoded.result should equal(len)
+          decoded.nextOffset should equal(encoded.length)
+          decodedWithPrefix.result should equal(len)
+          decodedWithPrefix.nextOffset should equal(
+            prefix.length + encoded.length
+          )
+
+          val recoded = WebAuthnCodecs.encodeDerLength(decoded.result)
+          recoded should equal(encoded)
         }
       }
 
@@ -181,31 +183,32 @@ class WebAuthnCodecsSpec
       }
 
       it("encodeDerSequence and parseDerSequenceEnd are (almost) each other's inverse.") {
-        forAll { (data: Array[ByteArray], prefix: ByteArray) =>
+        forAll { (data: Array[Array[Byte]], prefix: Array[Byte]) =>
           val encoded = WebAuthnCodecs.encodeDerSequence(data: _*)
-          val decoded = WebAuthnCodecs.parseDerSequence(encoded.getBytes, 0)
-          val encodedWithPrefix = prefix.concat(encoded)
+          val decoded = WebAuthnCodecs.parseDerSequence(encoded, 0)
+          val encodedWithPrefix = BinaryUtil.concat(prefix, encoded)
           val decodedWithPrefix = WebAuthnCodecs.parseDerSequence(
-            encodedWithPrefix.getBytes,
-            prefix.size,
+            encodedWithPrefix,
+            prefix.length,
           )
 
-          val expectedContent: ByteArray =
-            data.fold(new ByteArray(Array.empty))((a, b) => a.concat(b))
+          val expectedContent: Array[Byte] = BinaryUtil.concat(data: _*)
           decoded.result should equal(expectedContent)
           decodedWithPrefix.result should equal(expectedContent)
-          decoded.nextOffset should equal(encoded.size)
-          decodedWithPrefix.nextOffset should equal(prefix.size + encoded.size)
+          decoded.nextOffset should equal(encoded.length)
+          decodedWithPrefix.nextOffset should equal(
+            prefix.length + encoded.length
+          )
         }
       }
 
       it("parseDerSequence fails if the first byte is not 0x30.") {
-        forAll { (tag: Byte, data: Array[ByteArray]) =>
+        forAll { (tag: Byte, data: Array[Array[Byte]]) =>
           whenever(tag != 0x30) {
             val encoded = WebAuthnCodecs.encodeDerSequence(data: _*)
             an[IllegalArgumentException] shouldBe thrownBy {
               WebAuthnCodecs.parseDerSequence(
-                encoded.getBytes.updated(0, tag),
+                encoded.updated(0, tag),
                 0,
               )
             }