node-forge 0.6.47 → 0.7.1

package/{js → lib}/asn1.js

@@ -133,12 +133,12 @@
  * The full OID (including ASN.1 tag and length of 6 bytes) is:
  * 0x06062A864886F70D
  */
-(function() {
-/* ########## Begin module implementation ########## */
-function initModule(forge) {
+var forge = require('./forge');
+require('./util');
+require('./oids');
 
 /* ASN.1 API */
-var asn1 = forge.asn1 = forge.asn1 || {};
+var asn1 = module.exports = forge.asn1 = forge.asn1 || {};
 
 /**
  * ASN.1 classes.
@@ -185,10 +185,13 @@ asn1.Type = {
  * @param type the data type (tag number) for the object.
  * @param constructed true if the asn1 object is in constructed form.
  * @param value the value for the object, if it is not constructed.
+ * @param [options] the options to use:
+ *          [bitStringContents] the plain BIT STRING content including padding
+ *            byte.
  *
  * @return the asn1 object.
  */
-asn1.create = function(tagClass, type, constructed, value) {
+asn1.create = function(tagClass, type, constructed, value, options) {
   /* An asn1 object has a tagClass, a type, a constructed flag, and a
     value. The value's type depends on the constructed flag. If
     constructed, it will contain a list of other asn1 objects. If not,
@@ -206,13 +209,108 @@ asn1.create = function(tagClass, type, constructed, value) {
     value = tmp;
   }
 
-  return {
+  var obj = {
     tagClass: tagClass,
     type: type,
     constructed: constructed,
     composed: constructed || forge.util.isArray(value),
     value: value
   };
+  if(options && 'bitStringContents' in options) {
+    // TODO: copy byte buffer if it's a buffer not a string
+    obj.bitStringContents = options.bitStringContents;
+    // TODO: add readonly flag to avoid this overhead
+    // save copy to detect changes
+    obj.original = asn1.copy(obj);
+  }
+  return obj;
+};
+
+/**
+ * Copies an asn1 object.
+ *
+ * @param obj the asn1 object.
+ * @param [options] copy options:
+ *          [excludeBitStringContents] true to not copy bitStringContents
+ *
+ * @return the a copy of the asn1 object.
+ */
+asn1.copy = function(obj, options) {
+  var copy;
+
+  if(forge.util.isArray(obj)) {
+    copy = [];
+    for(var i = 0; i < obj.length; ++i) {
+      copy.push(asn1.copy(obj[i], options));
+    }
+    return copy;
+  }
+
+  if(typeof obj === 'string') {
+    // TODO: copy byte buffer if it's a buffer not a string
+    return obj;
+  }
+
+  copy = {
+    tagClass: obj.tagClass,
+    type: obj.type,
+    constructed: obj.constructed,
+    composed: obj.composed,
+    value: asn1.copy(obj.value, options)
+  };
+  if(options && !options.excludeBitStringContents) {
+    // TODO: copy byte buffer if it's a buffer not a string
+    copy.bitStringContents = obj.bitStringContents;
+  }
+  return copy;
+};
+
+/**
+ * Compares asn1 objects for equality.
+ *
+ * Note this function does not run in constant time.
+ *
+ * @param obj1 the first asn1 object.
+ * @param obj2 the second asn1 object.
+ * @param [options] compare options:
+ *          [includeBitStringContents] true to compare bitStringContents
+ *
+ * @return true if the asn1 objects are equal.
+ */
+asn1.equals = function(obj1, obj2, options) {
+  if(forge.util.isArray(obj1)) {
+    if(!forge.util.isArray(obj2)) {
+      return false;
+    }
+    if(obj1.length !== obj2.length) {
+      return false;
+    }
+    for(var i = 0; i < obj1.length; ++i) {
+      if(!asn1.equals(obj1[i], obj2[i])) {
+        return false;
+      }
+      return true;
+    }
+  }
+
+  if(typeof obj1 !== typeof obj2) {
+    return false;
+  }
+
+  if(typeof obj1 === 'string') {
+    return obj1 === obj2;
+  }
+
+  var equal = obj1.tagClass === obj2.tagClass &&
+    obj1.type === obj2.type &&
+    obj1.constructed === obj2.constructed &&
+    obj1.composed === obj2.composed &&
+    asn1.equals(obj1.value, obj2.value);
+  if(options && options.includeBitStringContents) {
+    equal = equal && (obj1.bitStringContents === obj2.bitStringContents);
+  }
+
+  return equal;
 };
 
 /**
@@ -225,7 +323,7 @@ asn1.create = function(tagClass, type, constructed, value) {
  *
  * @return the length of the BER-encoded ASN.1 value or undefined.
  */
-var _getValueLength = asn1.getBerValueLength = function(b) {
+asn1.getBerValueLength = function(b) {
   // TODO: move this function and related DER/BER functions to a der.js
   // file; better abstract ASN.1 away from der/ber.
   var b2 = b.getByte();
@@ -247,18 +345,99 @@ var _getValueLength = asn1.getBerValueLength = function(b) {
   return length;
 };
 
+/**
+ * Check if the byte buffer has enough bytes. Throws an Error if not.
+ *
+ * @param bytes the byte buffer to parse from.
+ * @param remaining the bytes remaining in the current parsing state.
+ * @param n the number of bytes the buffer must have.
+ */
+function _checkBufferLength(bytes, remaining, n) {
+  if(n > remaining) {
+    var error = new Error('Too few bytes to parse DER.');
+    error.available = bytes.length();
+    error.remaining = remaining;
+    error.requested = n;
+    throw error;
+  }
+}
+
+/**
+ * Gets the length of a BER-encoded ASN.1 value.
+ *
+ * In case the length is not specified, undefined is returned.
+ *
+ * @param bytes the byte buffer to parse from.
+ * @param remaining the bytes remaining in the current parsing state.
+ *
+ * @return the length of the BER-encoded ASN.1 value or undefined.
+ */
+var _getValueLength = function(bytes, remaining) {
+  // TODO: move this function and related DER/BER functions to a der.js
+  // file; better abstract ASN.1 away from der/ber.
+  // fromDer already checked that this byte exists
+  var b2 = bytes.getByte();
+  remaining--;
+  if(b2 === 0x80) {
+    return undefined;
+  }
+
+  // see if the length is "short form" or "long form" (bit 8 set)
+  var length;
+  var longForm = b2 & 0x80;
+  if(!longForm) {
+    // length is just the first byte
+    length = b2;
+  } else {
+    // the number of bytes the length is specified in bits 7 through 1
+    // and each length byte is in big-endian base-256
+    var longFormBytes = b2 & 0x7F;
+    _checkBufferLength(bytes, remaining, longFormBytes);
+    length = bytes.getInt(longFormBytes << 3);
+  }
+  // FIXME: this will only happen for 32 bit getInt with high bit set
+  if(length < 0) {
+    throw new Error('Negative length: ' + length);
+  }
+  return length;
+};
+
 /**
  * Parses an asn1 object from a byte buffer in DER format.
  *
  * @param bytes the byte buffer to parse from.
- * @param strict true to be strict when checking value lengths, false to
+ * @param [strict] true to be strict when checking value lengths, false to
  *          allow truncated values (default: true).
+ * @param [options] object with options or boolean strict flag
+ *          [strict] true to be strict when checking value lengths, false to
+ *            allow truncated values (default: true).
+ *          [decodeBitStrings] true to attempt to decode the content of
+ *            BIT STRINGs (not OCTET STRINGs) using strict mode. Note that
+ *            without schema support to understand the data context this can
+ *            erroneously decode values that happen to be valid ASN.1. This
+ *            flag will be deprecated or removed as soon as schema support is
+ *            available. (default: true)
  *
  * @return the parsed asn1 object.
  */
-asn1.fromDer = function(bytes, strict) {
-  if(strict === undefined) {
-    strict = true;
+asn1.fromDer = function(bytes, options) {
+  if(options === undefined) {
+    options = {
+      strict: true,
+      decodeBitStrings: true
+    };
+  }
+  if(typeof options === 'boolean') {
+    options = {
+      strict: options,
+      decodeBitStrings: true
+    };
+  }
+  if(!('strict' in options)) {
+    options.strict = true;
+  }
+  if(!('decodeBitStrings' in options)) {
+    options.decodeBitStrings = true;
   }
 
   // wrap in buffer if needed
@@ -266,15 +445,30 @@ asn1.fromDer = function(bytes, strict) {
     bytes = forge.util.createBuffer(bytes);
   }
 
+  return _fromDer(bytes, bytes.length(), 0, options);
+}
+
+/**
+ * Internal function to parse an asn1 object from a byte buffer in DER format.
+ *
+ * @param bytes the byte buffer to parse from.
+ * @param remaining the number of bytes remaining for this chunk.
+ * @param depth the current parsing depth.
+ * @param options object with same options as fromDer().
+ *
+ * @return the parsed asn1 object.
+ */
+function _fromDer(bytes, remaining, depth, options) {
+  // temporary storage for consumption calculations
+  var start;
+
   // minimum length for ASN.1 DER structure is 2
-  if(bytes.length() < 2) {
-    var error = new Error('Too few bytes to parse DER.');
-    error.bytes = bytes.length();
-    throw error;
-  }
+  _checkBufferLength(bytes, remaining, 2);
 
   // get the first byte
   var b1 = bytes.getByte();
+  // consumed one byte
+  remaining--;
 
   // get the tag class
   var tagClass = (b1 & 0xC0);
@@ -282,107 +476,156 @@ asn1.fromDer = function(bytes, strict) {
   // get the type (bits 1-5)
   var type = b1 & 0x1F;
 
-  // get the value length
-  var length = _getValueLength(bytes);
+  // get the variable value length and adjust remaining bytes
+  start = bytes.length();
+  var length = _getValueLength(bytes, remaining);
+  remaining -= start - bytes.length();
 
   // ensure there are enough bytes to get the value
-  if(bytes.length() < length) {
-    if(strict) {
+  if(length !== undefined && length > remaining) {
+    if(options.strict) {
       var error = new Error('Too few bytes to read ASN.1 value.');
-      error.detail = bytes.length() + ' < ' + length;
+      error.available = bytes.length();
+      error.remaining = remaining;
+      error.requested = length;
       throw error;
     }
-    // Note: be lenient with truncated values
-    length = bytes.length();
+    // Note: be lenient with truncated values and use remaining state bytes
+    length = remaining;
   }
 
-  // prepare to get value
+  // value storage
   var value;
+  // possible BIT STRING contents storage
+  var bitStringContents;
 
   // constructed flag is bit 6 (32 = 0x20) of the first byte
   var constructed = ((b1 & 0x20) === 0x20);
-
-  // determine if the value is composed of other ASN.1 objects (if its
-  // constructed it will be and if its a BITSTRING it may be)
-  var composed = constructed;
-  if(!composed && tagClass === asn1.Class.UNIVERSAL &&
-    type === asn1.Type.BITSTRING && length > 1) {
-    /* The first octet gives the number of bits by which the length of the
-      bit string is less than the next multiple of eight (this is called
-      the "number of unused bits").
-
-      The second and following octets give the value of the bit string
-      converted to an octet string. */
-    // if there are no unused bits, maybe the bitstring holds ASN.1 objs
-    var read = bytes.read;
-    var unused = bytes.getByte();
-    if(unused === 0) {
-      // if the first byte indicates UNIVERSAL or CONTEXT_SPECIFIC,
-      // and the length is valid, assume we've got an ASN.1 object
-      b1 = bytes.getByte();
-      var tc = (b1 & 0xC0);
-      if(tc === asn1.Class.UNIVERSAL || tc === asn1.Class.CONTEXT_SPECIFIC) {
-        try {
-          var len = _getValueLength(bytes);
-          composed = (len === length - (bytes.read - read));
-          if(composed) {
-            // adjust read/length to account for unused bits byte
-            ++read;
-            --length;
-          }
-        } catch(ex) {}
-      }
-    }
-    // restore read pointer
-    bytes.read = read;
-  }
-
-  if(composed) {
+  if(constructed) {
     // parse child asn1 objects from the value
     value = [];
     if(length === undefined) {
       // asn1 object of indefinite length, read until end tag
       for(;;) {
+        _checkBufferLength(bytes, remaining, 2);
         if(bytes.bytes(2) === String.fromCharCode(0, 0)) {
           bytes.getBytes(2);
+          remaining -= 2;
           break;
         }
-        value.push(asn1.fromDer(bytes, strict));
+        start = bytes.length();
+        value.push(_fromDer(bytes, remaining, depth + 1, options));
+        remaining -= start - bytes.length();
       }
     } else {
       // parsing asn1 object of definite length
-      var start = bytes.length();
       while(length > 0) {
-        value.push(asn1.fromDer(bytes, strict));
+        start = bytes.length();
+        value.push(_fromDer(bytes, length, depth + 1, options));
+        remaining -= start - bytes.length();
         length -= start - bytes.length();
+      }
+    }
+  }
+
+  // if a BIT STRING, save the contents including padding
+  if(value === undefined && tagClass === asn1.Class.UNIVERSAL &&
+    type === asn1.Type.BITSTRING) {
+    bitStringContents = bytes.bytes(length);
+  }
+
+  // determine if a non-constructed value should be decoded as a composed
+  // value that contains other ASN.1 objects. BIT STRINGs (and OCTET STRINGs)
+  // can be used this way.
+  if(value === undefined && options.decodeBitStrings &&
+    tagClass === asn1.Class.UNIVERSAL &&
+    // FIXME: OCTET STRINGs not yet supported here
+    // .. other parts of forge expect to decode OCTET STRINGs manually
+    (type === asn1.Type.BITSTRING /*|| type === asn1.Type.OCTETSTRING*/) &&
+    length > 1) {
+    // save read position
+    var savedRead = bytes.read;
+    var savedRemaining = remaining;
+    var unused = 0;
+    if(type === asn1.Type.BITSTRING) {
+      /* The first octet gives the number of bits by which the length of the
+        bit string is less than the next multiple of eight (this is called
+        the "number of unused bits").
+
+        The second and following octets give the value of the bit string
+        converted to an octet string. */
+      _checkBufferLength(bytes, remaining, 1);
+      unused = bytes.getByte();
+      remaining--;
+    }
+    // if all bits are used, maybe the BIT/OCTET STRING holds ASN.1 objs
+    if(unused === 0) {
+      try {
+        // attempt to parse child asn1 object from the value
+        // (stored in array to signal composed value)
         start = bytes.length();
+        var subOptions = {
+          // enforce strict mode to avoid parsing ASN.1 from plain data
+          verbose: options.verbose,
+          strict: true,
+          decodeBitStrings: true
+        };
+        var composed = _fromDer(bytes, remaining, depth + 1, subOptions);
+        var used = start - bytes.length();
+        remaining -= used;
+        if(type == asn1.Type.BITSTRING) {
+          used++;
+        }
+
+        // if the data all decoded and the class indicates UNIVERSAL or
+        // CONTEXT_SPECIFIC then assume we've got an encapsulated ASN.1 object
+        var tc = composed.tagClass;
+        if(used === length &&
+          (tc === asn1.Class.UNIVERSAL || tc === asn1.Class.CONTEXT_SPECIFIC)) {
+          value = [composed];
+        }
+      } catch(ex) {
       }
     }
-  } else {
-    // asn1 not composed, get raw value
+    if(value === undefined) {
+      // restore read position
+      bytes.read = savedRead;
+      remaining = savedRemaining;
+    }
+  }
+
+  if(value === undefined) {
+    // asn1 not constructed or composed, get raw value
     // TODO: do DER to OID conversion and vice-versa in .toDer?
 
     if(length === undefined) {
-      if(strict) {
+      if(options.strict) {
         throw new Error('Non-constructed ASN.1 object of indefinite length.');
       }
-      // be lenient and use remaining bytes
-      length = bytes.length();
+      // be lenient and use remaining state bytes
+      length = remaining;
     }
 
     if(type === asn1.Type.BMPSTRING) {
       value = '';
-      for(var i = 0; i < length; i += 2) {
+      for(; length > 0; length -= 2) {
+        _checkBufferLength(bytes, remaining, 2);
         value += String.fromCharCode(bytes.getInt16());
+        remaining -= 2;
       }
     } else {
       value = bytes.getBytes(length);
     }
   }
 
+  // add BIT STRING contents if available
+  var asn1Options = bitStringContents === undefined ?  null : {
+    bitStringContents: bitStringContents
+  };
+
   // create and return asn1 object
-  return asn1.create(tagClass, type, constructed, value);
-};
+  return asn1.create(tagClass, type, constructed, value, asn1Options);
+}
 
 /**
  * Converts the given asn1 object to a buffer of bytes in DER format.
@@ -400,8 +643,19 @@ asn1.toDer = function(obj) {
   // for storing the ASN.1 value
   var value = forge.util.createBuffer();
 
-  // if composed, use each child asn1 object's DER bytes as value
-  if(obj.composed) {
+  // use BIT STRING contents if available and data not changed
+  var useBitStringContents = false;
+  if('bitStringContents' in obj) {
+    useBitStringContents = true;
+    if(obj.original) {
+      useBitStringContents = asn1.equals(obj, obj.original);
+    }
+  }
+
+  if(useBitStringContents) {
+    value.putBytes(obj.bitStringContents);
+  } else if(obj.composed) {
+    // if composed, use each child asn1 object's DER bytes as value
     // turn on 6th bit (0x20 = 32) to indicate asn1 is constructed
     // from other asn1 objects
     if(obj.constructed) {
@@ -425,6 +679,8 @@ asn1.toDer = function(obj) {
       }
     } else {
       // ensure integer is minimally-encoded
+      // TODO: should all leading bytes be stripped vs just one?
+      // .. ex '00 00 01' => '01'?
       if(obj.type === asn1.Type.INTEGER &&
         obj.value.length > 1 &&
         // leading 0x00 for positive integer
@@ -862,7 +1118,10 @@ asn1.derToInteger = function(bytes) {
  *
  * To capture an ASN.1 value, set an object in the validator's 'capture'
  * parameter to the key to use in the capture map. To capture the full
- * ASN.1 object, specify 'captureAsn1'.
+ * ASN.1 object, specify 'captureAsn1'. To capture BIT STRING bytes, including
+ * the leading unused bits counter byte, specify 'captureBitStringContents'.
+ * To capture BIT STRING bytes, without the leading unused bits counter byte,
+ * specify 'captureBitStringValue'.
  *
  * Objects in the validator may set a field 'optional' to true to indicate
  * that it isn't necessary to pass validation.
@@ -916,6 +1175,23 @@ asn1.validate = function(obj, v, capture, errors) {
         if(v.captureAsn1) {
           capture[v.captureAsn1] = obj;
         }
+        if(v.captureBitStringContents && 'bitStringContents' in obj) {
+          capture[v.captureBitStringContents] = obj.bitStringContents;
+        }
+        if(v.captureBitStringValue && 'bitStringContents' in obj) {
+          var value;
+          if(obj.bitStringContents.length < 2) {
+            capture[v.captureBitStringValue] = '';
+          } else {
+            // FIXME: support unused bits with data shifting
+            var unused = obj.bitStringContents.charCodeAt(0);
+            if(unused !== 0) {
+              throw new Error(
+                'captureBitStringValue only supported for zero unused bits');
+            }
+            capture[v.captureBitStringValue] = obj.bitStringContents.slice(1);
+          }
+        }
       }
     } else if(errors) {
       errors.push(
@@ -997,12 +1273,12 @@ asn1.prettyPrint = function(obj, level, indentation) {
     case asn1.Type.BOOLEAN:
       rval += ' (Boolean)';
       break;
-    case asn1.Type.BITSTRING:
-      rval += ' (Bit string)';
-      break;
     case asn1.Type.INTEGER:
       rval += ' (Integer)';
       break;
+    case asn1.Type.BITSTRING:
+      rval += ' (Bit string)';
+      break;
     case asn1.Type.OCTETSTRING:
       rval += ' (Octet string)';
       break;
@@ -1092,6 +1368,23 @@ asn1.prettyPrint = function(obj, level, indentation) {
       } catch(ex) {
         rval += '0x' + forge.util.bytesToHex(obj.value);
       }
+    } else if(obj.type === asn1.Type.BITSTRING) {
+      // TODO: shift bits as needed to display without padding
+      if(obj.value.length > 1) {
+        // remove unused bits field
+        rval += '0x' + forge.util.bytesToHex(obj.value.slice(1));
+      } else {
+        rval += '(none)';
+      }
+      // show unused bit count
+      if(obj.value.length > 0) {
+        var unused = obj.value.charCodeAt(0);
+        if(unused == 1) {
+          rval += ' (1 unused bit shown)';
+        } else if(unused > 1) {
+          rval += ' (' + unused + ' unused bits shown)';
+        }
+      }
     } else if(obj.type === asn1.Type.OCTETSTRING) {
       if(!_nonLatinRegex.test(obj.value)) {
         rval += '(' + obj.value + ') ';
@@ -1113,57 +1406,3 @@ asn1.prettyPrint = function(obj, level, indentation) {
 
   return rval;
 };
-
-} // end module implementation
-
-/* ########## Begin module wrapper ########## */
-var name = 'asn1';
-if(typeof define !== 'function') {
-  // NodeJS -> AMD
-  if(typeof module === 'object' && module.exports) {
-    var nodeJS = true;
-    define = function(ids, factory) {
-      factory(require, module);
-    };
-  } else {
-    // <script>
-    if(typeof forge === 'undefined') {
-      forge = {};
-    }
-    return initModule(forge);
-  }
-}
-// AMD
-var deps;
-var defineFunc = function(require, module) {
-  module.exports = function(forge) {
-    var mods = deps.map(function(dep) {
-      return require(dep);
-    }).concat(initModule);
-    // handle circular dependencies
-    forge = forge || {};
-    forge.defined = forge.defined || {};
-    if(forge.defined[name]) {
-      return forge[name];
-    }
-    forge.defined[name] = true;
-    for(var i = 0; i < mods.length; ++i) {
-      mods[i](forge);
-    }
-    return forge[name];
-  };
-};
-var tmpDefine = define;
-define = function(ids, factory) {
-  deps = (typeof ids === 'string') ? factory.slice(2) : ids.slice(2);
-  if(nodeJS) {
-    delete define;
-    return tmpDefine.apply(null, Array.prototype.slice.call(arguments, 0));
-  }
-  define = tmpDefine;
-  return define.apply(null, Array.prototype.slice.call(arguments, 0));
-};
-define(['require', 'module', './util', './oids'], function() {
-  defineFunc.apply(null, Array.prototype.slice.call(arguments, 0));
-});
-})();