awslabs · DmitriyMusatkin · Oct 16, 2025 · Oct 10, 2025 · Oct 13, 2025 · Oct 13, 2025
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -0,0 +1,32 @@
+name: Code coverage check
+
+on:
+  push:
+
+env:
+  BUILDER_VERSION: v0.9.74
+  BUILDER_SOURCE: releases
+  BUILDER_HOST: https://d19elf31gohf1l.cloudfront.net
+  PACKAGE_NAME: aws-c-cal
+  RUN: ${{ github.run_id }}-${{ github.run_number }}
+  CRT_CI_ROLE: ${{ secrets.CRT_CI_ROLE_ARN }}
+  AWS_DEFAULT_REGION: us-east-1
+
+permissions:
+  id-token: write # This is required for requesting the JWT
+
+jobs:
+  codecov-linux:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ env.CRT_CI_ROLE }}
+        aws-region: ${{ env.AWS_DEFAULT_REGION }}
+    - name: Checkout Sources
+      uses: actions/checkout@v4
+    - name: Build ${{ env.PACKAGE_NAME }} + consumers
+      run: |
+        python3 -c "from urllib.request import urlretrieve; urlretrieve('${{ env.BUILDER_HOST }}/${{ env.BUILDER_SOURCE }}/${{ env.BUILDER_VERSION }}/builder.pyz?run=${{ env.RUN }}', 'builder')"
+        chmod a+x builder
+        ./builder build -p ${{ env.PACKAGE_NAME }} --compiler=gcc --cmake-extra=-DASSERT_LOCK_HELD=ON --coverage
diff --git a/include/aws/cal/private/der.h b/include/aws/cal/private/der.h
@@ -60,6 +60,11 @@ enum aws_der_type {
     /* forms */
     AWS_DER_FORM_CONSTRUCTED = 0x20,
     AWS_DER_FORM_PRIMITIVE = 0x00,
+
+    /* context specific */
+    /* TODO: we should probably handle tags more generically, but for now first 2 tags cover all cases. */
+    AWS_DER_CONTEXT_SPECIFIC_TAG0 = 0xa0,
+    AWS_DER_CONTEXT_SPECIFIC_TAG1 = 0xa1,
 };
 
 AWS_EXTERN_C_BEGIN
@@ -164,6 +169,14 @@ AWS_CAL_API int aws_der_encoder_get_contents(struct aws_der_encoder *encoder, st
  */
 AWS_CAL_API struct aws_der_decoder *aws_der_decoder_new(struct aws_allocator *allocator, struct aws_byte_cursor input);
 
+/**
+ * Initializes new decoder from string at the current location.
+ * Useful for cases where asn1 structure is nested inside another one, ex. ec pkcs8.
+ * @param decoder Current decoder
+ * @return Initialized decoder, or NULL
+ */
+AWS_CAL_API struct aws_der_decoder *aws_der_decoder_nested_tlv_decoder(struct aws_der_decoder *decoder);
+
 /**
  * Cleans up a DER encoder
  * @param decoder The encoder to clean up
@@ -177,6 +190,12 @@ AWS_CAL_API void aws_der_decoder_destroy(struct aws_der_decoder *decoder);
  */
 AWS_CAL_API bool aws_der_decoder_next(struct aws_der_decoder *decoder);
 
+/**
+ * Resets der decoder to the start.
+ * @param decoder The decoder to reset
+ */
+AWS_CAL_API void aws_der_decoder_reset(struct aws_der_decoder *decoder);
+
 /**
  * The type of the current TLV
  * @param decoder The decoder to inspect

diff --git a/include/aws/cal/private/ecc.h b/include/aws/cal/private/ecc.h
@@ -13,10 +13,16 @@ struct aws_der_decoder;
 
 AWS_EXTERN_C_BEGIN
 
+/*
+ * Helper to load keypair from various ASN1 format.
+ * Note: there are several formats in the wild: Sec1 and PKCS8 for private key and X509 for public key.
+ * This function attempts to automatically recognize the format and load from it.
+ * Depending on data available in the asn, either private or public key might be empty (zeroed out).
+ */
 AWS_CAL_API int aws_der_decoder_load_ecc_key_pair(
     struct aws_der_decoder *decoder,
-    struct aws_byte_cursor *out_public_x_coor,
-    struct aws_byte_cursor *out_public_y_coor,
+    struct aws_byte_cursor *out_public_x_coord,
+    struct aws_byte_cursor *out_public_y_coord,
     struct aws_byte_cursor *out_private_d,
     enum aws_ecc_curve_name *out_curve_name);
 

diff --git a/source/der.c b/source/der.c
@@ -400,6 +400,15 @@ struct aws_der_decoder *aws_der_decoder_new(struct aws_allocator *allocator, str
     return NULL;
 }
 
+struct aws_der_decoder *aws_der_decoder_nested_tlv_decoder(struct aws_der_decoder *decoder) {
+    struct aws_byte_cursor cursor;
+    AWS_ZERO_STRUCT(cursor);
+    if (aws_der_decoder_tlv_string(decoder, &cursor)) {
+        return NULL;
+    }
+    return aws_der_decoder_new(decoder->allocator, cursor);
+}
+
 void aws_der_decoder_destroy(struct aws_der_decoder *decoder) {
     if (!decoder) {
         return;
@@ -467,6 +476,10 @@ bool aws_der_decoder_next(struct aws_der_decoder *decoder) {
     return (++decoder->tlv_idx < (int)decoder->tlvs.length);
 }
 
+void aws_der_decoder_reset(struct aws_der_decoder *decoder) {
+    decoder->tlv_idx = -1;
+}
+
 static struct der_tlv s_decoder_tlv(struct aws_der_decoder *decoder) {
     AWS_FATAL_ASSERT(decoder->tlv_idx < (int)decoder->tlvs.length);
     struct der_tlv tlv = {0};