DerUtils.java

/*
 * The contents of this file are subject to the terms of the Common Development and
 * Distribution License (the License). You may not use this file except in compliance with the
 * License.
 *
 * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
 * specific language governing permission and limitations under the License.
 *
 * When distributing Covered Software, include this CDDL Header Notice in each file and include
 * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
 * Header, with the fields enclosed by brackets [] replaced by your own identifying
 * information: "Portions copyright [year] [name of copyright owner]".
 *
 * Copyright 2016-2017 ForgeRock AS.
 */

package org.forgerock.json.jose.utils;

import java.nio.BufferOverflowException;
import java.nio.ByteBuffer;

import org.forgerock.util.Reject;

/**
 * Utility methods for reading and writing DER-encoded values. This is just the absolute minimum needed to decode and
 * encode ECDSA signatures to ES256 format.
 */
public final class DerUtils {
    /**
     * DER tag for integer values.
     */
    public static final byte INTEGER_TAG = 0x02;
    /**
     * DER tag for sequence values.
     */
    public static final byte SEQUENCE_TAG = 0x30;

    private DerUtils() {
        // Utility class
    }

    /**
     * Reads an unsigned integer value into the given byte array. The output will be in big-endian format and aligned
     * to take up exactly {@code length} bytes (leaving untouched any unused leading bytes).
     *
     * @param input the input DER-encoded byte buffer.
     * @param output the output byte array.
     * @param offset the offset into the byte array to start writing the integer value.
     * @param length the maximum length of the byte value (excluding any leading sign byte).
     * @throws BufferOverflowException if the integer does not fit in the given output buffer slice.
     */
    public static void readUnsignedInteger(ByteBuffer input, byte[] output, int offset, int length) {
        Reject.ifFalse(input.get() == INTEGER_TAG, "Not an integer");
        int len = readLength(input);
        if (len > length) {
            // See if it fits if we assume the first byte is a redundant zero sign byte
            if (--len > length || input.get() != 0) {
                throw new BufferOverflowException();
            }
        }
        input.get(output, offset + (length - len), len);
    }

    /**
     * Writes an integer value in DER format to the given buffer.
     *
     * @param buffer the buffer to write the value to
     * @param data the integer value (in big-endian format) to write
     */
    public static void writeInteger(final ByteBuffer buffer, final byte[] data) {
        buffer.put(INTEGER_TAG);
        // according to DER specification, the data cannot start with a leading 0
        int startIndex = data.length - 1;
        for (int index = 0; index < data.length; index++) {
            if (data[index] != 0) {
                startIndex = index;
                break;
            }
        }
        final int length = data.length - startIndex;
        writeLength(buffer, length);
        buffer.put(data, startIndex, length);
    }

    /**
     * Reads a DER-encoded length field from the given byte buffer.
     *
     * @param buffer the buffer to read a length field from.
     * @return the length field.
     */
    public static int readLength(final ByteBuffer buffer) {
        int b = buffer.get();
        // See http://luca.ntop.org/Teaching/Appunti/asn1.html. If the high-bit of the first byte is 0 then this byte
        // is the length. Otherwise the first byte (masking off the high bit) gives the number of following bytes
        // that encode the length (in big-endian unsigned integer format).
        if ((b & 0x80) == 0) {
            return b & 0xFF;
        } else {
            int numBytes = b & 0x7F;
            Reject.ifFalse(numBytes > 0 && numBytes < 4, "Unsupported DER length field");

            int len = 0;
            for (int i = 0; i < numBytes; ++i) {
                len = (len << 8) + (buffer.get() & 0xFF);
            }
            return len;
        }
    }

    /**
     * Writes a length field to the output.
     * If the length is 127 or less, the byte is the length.
     * If the length is 128 or greater, the first byte is a combination of 0x80 to indicate the length is defined and
     * the number of bytes to specify that length. See DER specification for more information.
     *
     * @param output the output buffer.
     * @param length the length to write.
     */
    public static void writeLength(final ByteBuffer output, final int length) {
        if ((length & 0x0000007F) == length) {
            output.put((byte) length);
        } else if ((length & 0x000000FF) == length) {
            output.put((byte) 0x81);
            output.put((byte) length);
        } else if ((length & 0x0000FFFF) == length) {
            output.put((byte) 0x82);
            output.put((byte) (length >> 8));
            output.put((byte) length);
        } else if ((length & 0x00FFFFFF) == length) {
            output.put((byte) 0x83);
            output.put((byte) (length >> 16));
            output.put((byte) (length >> 8));
            output.put((byte) length);
        } else {
            output.put((byte) 0x84);
            output.put((byte) (length >> 24));
            output.put((byte) (length >> 16));
            output.put((byte) (length >> 8));
            output.put((byte) length);
        }
    }
}