Add function WebAuthnCodecs.parseDerSequence

Author: emlun

webauthn-server-core/src/main/java/com/yubico/webauthn/WebAuthnCodecs.java

@@ -299,6 +299,23 @@ static ParseDerResult<Integer> parseDerLength(@NonNull byte[] der, int offset) {
     }
   }
 
+  /** Parse a SEQUENCE and return a copy of the content octets. */
+  static ParseDerResult<ByteArray> parseDerSequence(@NonNull byte[] der, int offset) {
+    final int len = der.length - offset;
+    if (len == 0) {
+      throw new IllegalArgumentException(
+          String.format("Empty input at offset %d: %s", offset, new ByteArray(der)));
+    } else if ((der[offset] & 0xff) == 0x30) {
+      final ParseDerResult<Integer> contentLen = parseDerLength(der, offset + 1);
+      final int contentEnd = contentLen.nextOffset + contentLen.result;
+      return new ParseDerResult<>(
+          new ByteArray(Arrays.copyOfRange(der, contentLen.nextOffset, contentEnd)), contentEnd);
+    } else {
+      throw new IllegalArgumentException(
+          String.format("Not a SEQUENCE tag (0x30) at offset %d: %s", offset, new ByteArray(der)));
+    }
+  }
+
   private static ByteArray encodeDerObjectId(final ByteArray oid) {
     return new ByteArray(new byte[] {0x06, (byte) oid.size()}).concat(oid);
   }
@@ -310,7 +327,7 @@ private static ByteArray encodeDerBitStringWithZeroUnused(final ByteArray conten
         .concat(content);
   }
 
-  private static ByteArray encodeDerSequence(final ByteArray... items) {
+  static ByteArray encodeDerSequence(final ByteArray... items) {
     final ByteArray content =
         Stream.of(items).reduce(ByteArray::concat).orElseGet(() -> new ByteArray(new byte[0]));
     return new ByteArray(new byte[] {0x30}).concat(encodeDerLength(content.size())).concat(content);

webauthn-server-core/src/test/scala/com/yubico/webauthn/WebAuthnCodecsSpec.scala

@@ -179,6 +179,50 @@ class WebAuthnCodecsSpec
           .parseDerLength(Array(0x84, 0, 1, 33, 7).map(_.toByte), 0)
           .result should equal(73991)
       }
+
+      it("encodeDerSequence and parseDerSequenceEnd are (almost) each other's inverse.") {
+        forAll { (data: Array[ByteArray], prefix: ByteArray) =>
+          val encoded = WebAuthnCodecs.encodeDerSequence(data: _*)
+          val decoded = WebAuthnCodecs.parseDerSequence(encoded.getBytes, 0)
+          val encodedWithPrefix = prefix.concat(encoded)
+          val decodedWithPrefix = WebAuthnCodecs.parseDerSequence(
+            encodedWithPrefix.getBytes,
+            prefix.size,
+          )
+
+          val expectedContent: ByteArray =
+            data.fold(new ByteArray(Array.empty))((a, b) => a.concat(b))
+          decoded.result should equal(expectedContent)
+          decodedWithPrefix.result should equal(expectedContent)
+          decoded.nextOffset should equal(encoded.size)
+          decodedWithPrefix.nextOffset should equal(prefix.size + encoded.size)
+        }
+      }
+
+      it("parseDerSequence fails if the first byte is not 0x30.") {
+        forAll { (tag: Byte, data: Array[ByteArray]) =>
+          whenever(tag != 0x30) {
+            val encoded = WebAuthnCodecs.encodeDerSequence(data: _*)
+            an[IllegalArgumentException] shouldBe thrownBy {
+              WebAuthnCodecs.parseDerSequence(
+                encoded.getBytes.updated(0, tag),
+                0,
+              )
+            }
+          }
+        }
+      }
+
+      it("parseDerSequence fails on empty input.") {
+        an[IllegalArgumentException] shouldBe thrownBy {
+          WebAuthnCodecs.parseDerSequence(Array.empty, 0)
+        }
+        forAll { data: Array[Byte] =>
+          an[IllegalArgumentException] shouldBe thrownBy {
+            WebAuthnCodecs.parseDerSequence(data, data.length)
+          }
+        }
+      }
     }
   }
 }