asn1(tests): add RFC 8410 encode/decode and round‑trip tests; SPKI decode; list encoding; negative validations

ariawisp · ariawisp · commit 77e7300bc41e · 2025-09-07T11:45:09.000-06:00
diff --git a/cryptography-serialization/asn1/modules/src/commonTest/kotlin/KeyAlgorithmIdentifierDecodeTest.kt b/cryptography-serialization/asn1/modules/src/commonTest/kotlin/KeyAlgorithmIdentifierDecodeTest.kt
@@ -0,0 +1,89 @@
+/*
+ * Copyright (c) 2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.serialization.asn1.modules
+
+import dev.whyoleg.cryptography.serialization.asn1.*
+import kotlinx.serialization.decodeFromByteArray
+import kotlin.test.*
+
+class KeyAlgorithmIdentifierDecodeTest {
+
+    private fun String.hexToBytes(): ByteArray {
+        check(length % 2 == 0) { "Invalid hex length" }
+        return ByteArray(length / 2) { i ->
+            val hi = this[i * 2].digitToInt(16)
+            val lo = this[i * 2 + 1].digitToInt(16)
+            ((hi shl 4) or lo).toByte()
+        }
+    }
+
+    @Test
+    fun decode_Ed25519_absentParameters() {
+        // SEQUENCE { algorithm OBJECT IDENTIFIER 1.3.101.112 } (no parameters element)
+        val bytes = "300506032B6570".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.Ed25519, id.algorithm)
+    }
+
+    @Test
+    fun decode_Ed25519_nullParameters() {
+        // SEQUENCE { algorithm OBJECT IDENTIFIER 1.3.101.112, parameters NULL }
+        val bytes = "300706032B65700500".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.Ed25519, id.algorithm)
+    }
+
+    @Test
+    fun decode_X25519_absentParameters() {
+        // SEQUENCE { algorithm OBJECT IDENTIFIER 1.3.101.110 } (no parameters element)
+        val bytes = "300506032B656E".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.X25519, id.algorithm)
+    }
+
+    @Test
+    fun decode_X25519_nullParameters() {
+        // SEQUENCE { algorithm OBJECT IDENTIFIER 1.3.101.110, parameters NULL }
+        val bytes = "300706032B656E0500".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.X25519, id.algorithm)
+    }
+
+    @Test
+    fun decode_Ed448_absentParameters() {
+        val bytes = "300506032B6571".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.Ed448, id.algorithm)
+    }
+
+    @Test
+    fun decode_Ed448_nullParameters() {
+        val bytes = "300706032B65710500".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.Ed448, id.algorithm)
+    }
+
+    @Test
+    fun decode_X448_absentParameters() {
+        val bytes = "300506032B6570".replace("70","6F").hexToBytes() // 1.3.101.111
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.X448, id.algorithm)
+    }
+
+    @Test
+    fun decode_X448_nullParameters() {
+        val bytes = "300706032B656F0500".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(bytes)
+        assertTrue(id is UnknownKeyAlgorithmIdentifier)
+        assertEquals(ObjectIdentifier.X448, id.algorithm)
+    }
+}
diff --git a/cryptography-serialization/asn1/modules/src/commonTest/kotlin/KeyAlgorithmIdentifierEncodeTest.kt b/cryptography-serialization/asn1/modules/src/commonTest/kotlin/KeyAlgorithmIdentifierEncodeTest.kt
@@ -0,0 +1,53 @@
+/*
+ * Copyright (c) 2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.serialization.asn1.modules
+
+import dev.whyoleg.cryptography.serialization.asn1.*
+import kotlinx.serialization.encodeToByteArray
+import kotlinx.serialization.decodeFromByteArray
+import kotlin.test.*
+
+class KeyAlgorithmIdentifierEncodeTest {
+
+    private fun ByteArray.toHex() = joinToString("") { (it.toInt() and 0xFF).toString(16).padStart(2, '0') }
+    private fun String.hexToBytes(): ByteArray {
+        check(length % 2 == 0)
+        return ByteArray(length / 2) { i ->
+            val hi = this[i * 2].digitToInt(16)
+            val lo = this[i * 2 + 1].digitToInt(16)
+            ((hi shl 4) or lo).toByte()
+        }
+    }
+
+    @Test
+    fun encode_Ed25519_absentParameters() {
+        val id: KeyAlgorithmIdentifier = UnknownKeyAlgorithmIdentifier(ObjectIdentifier.Ed25519)
+        val bytes = Der.encodeToByteArray(id)
+        assertEquals("300506032b6570", bytes.toHex())
+    }
+
+    @Test
+    fun encode_X25519_absentParameters() {
+        val id: KeyAlgorithmIdentifier = UnknownKeyAlgorithmIdentifier(ObjectIdentifier.X25519)
+        val bytes = Der.encodeToByteArray(id)
+        assertEquals("300506032b656e", bytes.toHex())
+    }
+
+    @Test
+    fun encode_RSA_nullParameters() {
+        val id: KeyAlgorithmIdentifier = RsaKeyAlgorithmIdentifier
+        val bytes = Der.encodeToByteArray(id)
+        assertEquals("300d06092a864886f70d0101010500", bytes.toHex())
+    }
+
+    @Test
+    fun roundTrip_Ed25519_null_normalizedToAbsent() {
+        val withNull = "300706032b65700500".hexToBytes()
+        val id = Der.decodeFromByteArray<KeyAlgorithmIdentifier>(withNull)
+        val reencoded = Der.encodeToByteArray(id)
+        assertEquals("300506032b6570", reencoded.toHex())
+    }
+}
+
diff --git a/cryptography-serialization/asn1/modules/src/commonTest/kotlin/SubjectPublicKeyInfoRfc8410Test.kt b/cryptography-serialization/asn1/modules/src/commonTest/kotlin/SubjectPublicKeyInfoRfc8410Test.kt
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.serialization.asn1.modules
+
+import dev.whyoleg.cryptography.serialization.asn1.*
+import kotlinx.serialization.decodeFromByteArray
+import kotlin.test.*
+
+class SubjectPublicKeyInfoRfc8410Test {
+    private fun String.hexToBytes(): ByteArray {
+        check(length % 2 == 0)
+        return ByteArray(length / 2) { i ->
+            val hi = this[i * 2].digitToInt(16)
+            val lo = this[i * 2 + 1].digitToInt(16)
+            ((hi shl 4) or lo).toByte()
+        }
+    }
+
+    @Test
+    fun spki_Ed25519_absentParameters() {
+        val bytes = "300a300506032b6570030100".hexToBytes()
+        val spki = Der.decodeFromByteArray<SubjectPublicKeyInfo>(bytes)
+        assertEquals(ObjectIdentifier.Ed25519, spki.algorithm.algorithm)
+    }
+
+    @Test
+    fun spki_Ed25519_nullParameters() {
+        val bytes = "300c300706032b65700500030100".hexToBytes()
+        val spki = Der.decodeFromByteArray<SubjectPublicKeyInfo>(bytes)
+        assertEquals(ObjectIdentifier.Ed25519, spki.algorithm.algorithm)
+    }
+}
+
diff --git a/cryptography-serialization/asn1/src/commonTest/kotlin/ListEncodingTest.kt b/cryptography-serialization/asn1/src/commonTest/kotlin/ListEncodingTest.kt
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.serialization.asn1
+
+import kotlinx.serialization.builtins.ListSerializer
+import kotlinx.serialization.builtins.serializer
+import kotlin.test.*
+
+class ListEncodingTest {
+    private fun ByteArray.toHex() = joinToString("") { (it.toInt() and 0xFF).toString(16).padStart(2, '0') }
+
+    @Test
+    fun encode_sequenceOf_int_topLevel() {
+        val list = listOf(1, 2, 3)
+        val bytes = Der.encodeToByteArray(ListSerializer(Int.serializer()), list)
+        assertEquals("3009020101020102020103", bytes.toHex())
+    }
+
+    @Test
+    fun encode_sequenceOf_int_empty() {
+        val list = emptyList<Int>()
+        val bytes = Der.encodeToByteArray(ListSerializer(Int.serializer()), list)
+        assertEquals("3000", bytes.toHex())
+    }
+
+    @Test
+    fun decode_sequenceOf_int_topLevel() {
+        val bytes = "3009020101020102020103".chunked(2).map { it.toInt(16).toByte() }.toByteArray()
+        val list = Der.decodeFromByteArray(ListSerializer(Int.serializer()), bytes)
+        assertEquals(listOf(1, 2, 3), list)
+    }
+}
diff --git a/cryptography-serialization/asn1/src/commonTest/kotlin/NegativeDecodingTest.kt b/cryptography-serialization/asn1/src/commonTest/kotlin/NegativeDecodingTest.kt
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2025 Oleg Yukhnevich. Use of this source code is governed by the Apache 2.0 license.
+ */
+
+package dev.whyoleg.cryptography.serialization.asn1
+
+import dev.whyoleg.cryptography.serialization.asn1.ContextSpecificTag.*
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.decodeFromByteArray
+import kotlin.test.*
+
+class NegativeDecodingTest {
+
+    @Test
+    fun wrongTagForInteger() {
+        // OCTET STRING (0x04) with one byte content 0x01
+        val bytes = byteArrayOf(0x04, 0x01, 0x01).map { it.toByte() }.toByteArray()
+        assertFailsWith<IllegalStateException> {
+            Der.decodeFromByteArray<Int>(bytes)
+        }
+    }
+
+    @Test
+    fun invalidLengthZeroInLongForm() {
+        // OID (0x06) with long-form length 0x82 0x00 0x00 -> illegal zero length
+        val bytes = byteArrayOf(0x06, 0x82.toByte(), 0x00, 0x00).map { it.toByte() }.toByteArray()
+        assertFailsWith<IllegalStateException> {
+            Der.decodeFromByteArray<ObjectIdentifier>(bytes)
+        }
+    }
+
+    @Serializable
+    class MandatoryImplicit(
+        @ContextSpecificTag(0, TagType.IMPLICIT)
+        val x: Int,
+    )
+
+    @Test
+    fun contextSpecificMandatoryTagMismatch() {
+        // Encoded value only for tag [1] IMPLICIT with INTEGER 8
+        val sequence = byteArrayOf(0x30, 0x03, 0x81.toByte(), 0x01, 0x08).map { it.toByte() }.toByteArray()
+        assertFailsWith<IllegalStateException> {
+            Der.decodeFromByteArray<MandatoryImplicit>(sequence)
+        }
+    }
+
+    @Serializable
+    class ExplicitInt(
+        @ContextSpecificTag(0, TagType.EXPLICIT)
+        val x: Int,
+    )
+
+    @Test
+    fun contextSpecificExplicitInnerTagMismatch() {
+        // SEQUENCE { [0] EXPLICIT { OCTET STRING 0x01 } } but Int expects INTEGER inside EXPLICIT
+        val seq = byteArrayOf(
+            0x30, 0x05,       // SEQUENCE, len 5
+            0xA0.toByte(), 0x03, // [0] EXPLICIT, len 3
+            0x04, 0x01, 0x01  // OCTET STRING, len 1, 0x01
+        )
+        assertFailsWith<IllegalStateException> {
+            Der.decodeFromByteArray<ExplicitInt>(seq)
+        }
+    }
+
+    @Test
+    fun bitStringEmptyWithNonZeroUnusedBits() {
+        // BIT STRING: length 1, unusedBits = 1, no payload
+        val bs = byteArrayOf(0x03, 0x01, 0x01)
+        assertFailsWith<IllegalStateException> {
+            Der.decodeFromByteArray<BitArray>(bs)
+        }
+    }
+
+    @Test
+    fun bitStringUnusedBitsExceedsTrailingZeros() {
+        // BIT STRING: unusedBits=1, payload last byte 0x01 (no trailing zeros)
+        val bs = byteArrayOf(0x03, 0x02, 0x01, 0x01)
+        assertFailsWith<IllegalStateException> {
+            Der.decodeFromByteArray<BitArray>(bs)
+        }
+    }
+}
