[feat] implement OpenSSL::ASN1.traverse helper

kares · kares · commit d2b007641804 · 2026-04-20T13:58:33.000+02:00
diff --git a/src/main/java/org/jruby/ext/openssl/ASN1.java b/src/main/java/org/jruby/ext/openssl/ASN1.java
@@ -1216,8 +1216,8 @@ private static IRubyObject decodeImpl(final ThreadContext context, final RubyMod
     }
 
     @JRubyMethod(meta = true, required = 1)
-    public static IRubyObject decode_all(final ThreadContext context,
-        final IRubyObject self, IRubyObject obj) {
+    public static IRubyObject decode_all(final ThreadContext context, final IRubyObject self,
+                                         IRubyObject obj) {
         obj = to_der_if_possible(context, obj);
 
         BytesInputStream in = new BytesInputStream( obj.asString().getByteList() );
@@ -1239,10 +1239,170 @@ public static IRubyObject decode_all(final ThreadContext context,
         return arr;
     }
 
-    @JRubyMethod(meta = true, required = 1)
-    public static IRubyObject traverse(final ThreadContext context, final IRubyObject self, IRubyObject arg) {
-        warn(context, "WARNING: unimplemented method called: OpenSSL::ASN1#traverse");
-        return context.runtime.getNil();
+    @JRubyMethod(meta = true)
+    public static IRubyObject traverse(final ThreadContext context, final IRubyObject self,
+                                       IRubyObject arg, Block block) {
+        arg = to_der_if_possible(context, arg);
+
+        final ByteList byteList = arg.asString().getByteList();
+        final byte[] bytes = byteList.unsafeBytes();
+        final int begin = byteList.getBegin();
+        final int length = byteList.getRealSize();
+
+        final TraverseResult result = traverse(context, bytes, begin, begin + length, begin, 0, block);
+        if (length != 0 && result.read != length) {
+            throw newASN1Error(context.runtime,
+                "Type mismatch. Total bytes read: " + result.read +
+                " Bytes available: " + length + " Offset: " + result.offset);
+        }
+        return context.nil;
+    }
+
+    private static TraverseResult traverse(final ThreadContext context,
+                                           final byte[] bytes, final int begin, final int end,
+                                           final int base, final int depth,
+                                           final Block block) {
+
+        final Ruby runtime = context.runtime;
+
+        if (begin >= end) throw newASN1Error(runtime, "header too short");
+
+        int cursor = begin;
+        final int start = begin;
+        final int identifier = bytes[cursor++] & 0xFF;
+        final int tagClass = identifier & 0xC0;
+        final boolean constructed = (identifier & BERTags.CONSTRUCTED) != 0;
+
+        int tag = identifier & 0x1F;
+        if (tag == 0x1F) {
+            tag = 0;
+            if (cursor >= end) throw newASN1Error(runtime, "EOF found inside tag value");
+
+            int b = bytes[cursor++] & 0xFF;
+            if ((b & 0x7F) == 0) {
+                throw newASN1Error(runtime, "corrupted stream - invalid high tag number found");
+            }
+
+            while ((b & 0x80) != 0) {
+                tag |= (b & 0x7F);
+                tag <<= 7;
+                if (cursor >= end) throw newASN1Error(runtime, "EOF found inside tag value.");
+                b = bytes[cursor++] & 0xFF;
+            }
+            tag |= (b & 0x7F);
+        }
+
+        if (cursor >= end) throw newASN1Error(runtime, "header too short");
+
+        final int lengthByte = bytes[cursor++] & 0xFF;
+        final boolean indefinite = lengthByte == 0x80;
+        long contentLength = 0;
+        if (!indefinite) {
+            if ((lengthByte & 0x80) == 0) {
+                contentLength = lengthByte;
+            }
+            else {
+                final int lengthBytes = lengthByte & 0x7F;
+                if (lengthBytes == 0 || lengthBytes > 8) {
+                    throw newASN1Error(runtime, "invalid length encoding");
+                }
+                if (cursor + lengthBytes > end) throw newASN1Error(runtime, "header too short");
+                for (int i = 0; i < lengthBytes; i++) {
+                    contentLength = (contentLength << 8) | (bytes[cursor++] & 0xFFL);
+                }
+            }
+            if (contentLength > (long) end - cursor) {
+                throw newASN1Error(runtime, "value is too short");
+            }
+        }
+
+        final int headerLength = cursor - start;
+        if (block.isGiven()) {
+            block.yield(context,
+                    runtime.newArray(
+                            RubyBignum.bignorm(runtime, BigInteger.valueOf(depth)),
+                            RubyBignum.bignorm(runtime, BigInteger.valueOf(start - base)),
+                            RubyBignum.bignorm(runtime, BigInteger.valueOf(headerLength)),
+                            RubyBignum.bignorm(runtime, BigInteger.valueOf(contentLength)),
+                            runtime.newBoolean(constructed),
+                            tagClassSymbol(runtime, tagClass),
+                            RubyBignum.bignorm(runtime, BigInteger.valueOf(tag))
+                    )
+            );
+        }
+
+        int read = headerLength;
+        int offset = (start - base) + headerLength;
+
+        if (constructed) {
+            if (indefinite) {
+                int available = end - cursor;
+                while (available > 0) {
+                    final TraverseResult inner = traverse(context, bytes, cursor, end, base, depth + 1, block);
+                    read += inner.read;
+                    cursor += inner.read;
+                    available -= inner.read;
+                    offset = inner.offset;
+
+                    if (inner.isEoc() && inner.tagClass == BERTags.UNIVERSAL) break;
+                    if (available == 0) {
+                        throw newASN1Error(context.runtime, "EOC missing in indefinite length encoding");
+                    }
+                }
+            }
+            else {
+                final int contentEnd = cursor + (int) contentLength;
+                while (cursor < contentEnd) {
+                    final TraverseResult inner = traverse(context, bytes, cursor, contentEnd, base, depth + 1, block);
+                    read += inner.read;
+                    cursor += inner.read;
+                    offset = inner.offset;
+                }
+            }
+        }
+        else {
+            if (indefinite) throw newASN1Error(context.runtime, "indefinite length for primitive value");
+            read += contentLength;
+            offset += (int) contentLength;
+        }
+
+        if (!indefinite && read != headerLength + contentLength) {
+            throw newASN1Error(context.runtime,
+                "Type mismatch. Bytes read: " + read + " Bytes available: " + (headerLength + contentLength));
+        }
+
+        return new TraverseResult(read, offset, tag, tagClass);
+    }
+
+    private static IRubyObject tagClassSymbol(final Ruby runtime, final int tagClass) {
+        switch (tagClass) {
+            case BERTags.PRIVATE:
+                return runtime.newSymbol("PRIVATE");
+            case BERTags.APPLICATION:
+                return runtime.newSymbol("APPLICATION");
+            case BERTags.CONTEXT_SPECIFIC:
+                return runtime.newSymbol("CONTEXT_SPECIFIC");
+            default:
+                return runtime.newSymbol("UNIVERSAL");
+        }
+    }
+
+    private static final class TraverseResult {
+        private final int read;
+        private final int offset;
+        private final int tag;
+        private final int tagClass;
+
+        private TraverseResult(final int read, final int offset, final int tag, final int tagClass) {
+            this.read = read;
+            this.offset = offset;
+            this.tag = tag;
+            this.tagClass = tagClass;
+        }
+
+        boolean isEoc() {
+            return tag == 0;
+        }
     }
 
     public static RaiseException newASN1Error(Ruby runtime, String message) {
diff --git a/src/test/ruby/test_asn1.rb b/src/test/ruby/test_asn1.rb
@@ -759,30 +759,26 @@ def test_recursive_octet_string_parse
   end
 
   def test_decode_constructed_overread
-    #test = %w{ 31 06 31 02 30 02 05 00 }
-    ##                          ^ <- invalid
-    #raw = [test.join].pack("H*")
-    #ret = []
-    # <OpenSSL::ASN1::ASN1Error> exception was expected but none was thrown.
-    #assert_raise(OpenSSL::ASN1::ASN1Error) {
-    #  OpenSSL::ASN1.traverse(raw) { |x| ret << x }
-    #}
-    # <2> expected but was <0>
-    #assert_equal 2, ret.size
-    # NoMethodError: undefined method `[]' for nil:NilClass
-    #assert_equal 17, ret[0][6]
-    #assert_equal 17, ret[1][6]
-
-    #test = %w{ 31 80 30 03 00 00 }
-    ##                    ^ <- invalid
-    #raw = [test.join].pack("H*")
-    #ret = []
-    # <OpenSSL::ASN1::ASN1Error> exception was expected but none was thrown.
-    #assert_raise(OpenSSL::ASN1::ASN1Error) {
-    #  OpenSSL::ASN1.traverse(raw) { |x| ret << x }
-    #}
-    #assert_equal 1, ret.size
-    #assert_equal 17, ret[0][6]
+    test = %w[31 06 31 02 30 02 05 00]
+    #                          ^ <- invalid
+    raw = [test.join].pack('H*')
+    ret = []
+    assert_raise(OpenSSL::ASN1::ASN1Error) do
+      OpenSSL::ASN1.traverse(raw) { |x| ret << x }
+    end
+    assert_equal 2, ret.size
+    assert_equal 17, ret[0][6]
+    assert_equal 17, ret[1][6]
+
+    test = %w[31 80 30 03 00 00]
+    #                    ^ <- invalid
+    raw = [test.join].pack('H*')
+    ret = []
+    assert_raise(OpenSSL::ASN1::ASN1Error) do
+      OpenSSL::ASN1.traverse(raw) { |x| ret << x }
+    end
+    assert_equal 1, ret.size
+    assert_equal 17, ret[0][6]
   end
 
   def test_constructive_nesting
@@ -1228,14 +1224,13 @@ def test_decode_all
   def test_decode_application_specific
     raw = "0\x18\x02\x01\x01`\x13\x02\x01\x03\x04\to=Telstra\x80\x03ess"
     asn1 = OpenSSL::ASN1.decode(raw)
-    pp asn1 if false
 
     assert_equal OpenSSL::ASN1::Sequence, asn1.class
     assert_equal 2, asn1.value.size
     assert_equal OpenSSL::ASN1::Integer, asn1.value[0].class
-    assert_equal 1,  asn1.value[0].value
+    assert_equal 1, asn1.value[0].value
     assert_equal OpenSSL::ASN1::ASN1Data, asn1.value[1].class
-    assert_equal :APPLICATION,  asn1.value[1].tag_class
+    assert_equal :APPLICATION, asn1.value[1].tag_class
 
     asn1_data = asn1.value[1]
     assert_equal 3, asn1_data.value.size
@@ -1245,10 +1240,10 @@ def test_decode_application_specific
     assert_equal OpenSSL::ASN1::OctetString, asn1_data.value[1].class
     assert_equal 'o=Telstra', asn1_data.value[1].value
     assert_equal OpenSSL::ASN1::ASN1Data, asn1_data.value[2].class
-    assert_equal :CONTEXT_SPECIFIC,  asn1_data.value[2].tag_class
+    assert_equal :CONTEXT_SPECIFIC, asn1_data.value[2].tag_class
     assert_equal 'ess', asn1_data.value[2].value
 
-#    assert_equal raw, asn1.to_der
+    #    assert_equal raw, asn1.to_der
   end
 
 
@@ -1312,7 +1307,7 @@ def encode_decode_test(der, obj)
     decode_test(der, obj)
   end
 
-  def assert_universal(tag, asn1, inf_len=false)
+  def assert_universal(tag, asn1, inf_len = false)
     assert_equal(tag, asn1.tag)
     assert_equal(:UNIVERSAL, asn1.tag_class)
     assert_equal(inf_len, asn1.infinite_length)
