[compat] improve ASN.1 tagging behavior

kares · kares · commit eee9cd3aa77b · 2026-03-05T17:51:08.000+01:00
now passing OpenSSL imported tests
diff --git a/src/main/java/org/jruby/ext/openssl/ASN1.java b/src/main/java/org/jruby/ext/openssl/ASN1.java
@@ -1841,6 +1841,17 @@ byte[] toDER(final ThreadContext context) throws IOException {
                 return toDERInternal(context, false, false, string);
             }
 
+            // Special behavior: Encoding universal types with non-default 'tag'
+            // attribute and nil tagging method - replace the tag byte with the custom tag.
+            if ( !isTagged() && isUniversal(context) ) {
+                final IRubyObject defTag = defaultTag();
+                if ( !defTag.isNil() && getTag(context) != RubyNumeric.fix2int(defTag) ) {
+                    final byte[] encoded = toASN1Primitive(context).toASN1Primitive().getEncoded(ASN1Encoding.DER);
+                    encoded[0] = (byte) getTag(context);
+                    return encoded;
+                }
+            }
+
             return toASN1(context).toASN1Primitive().getEncoded(ASN1Encoding.DER);
         }
 
@@ -2033,11 +2044,18 @@ ASN1Encodable toASN1(final ThreadContext context) {
             if ( isInfiniteLength() ) return super.toASN1(context);
 
             if ( isSequence() ) {
-                return new DERSequence( toASN1EncodableVector(context) );
+                final ASN1Encodable seq = new DERSequence( toASN1EncodableVector(context) );
+                if ( isTagged() ) {
+                    return new DERTaggedObject(isExplicitTagging(), getTagClass(context), getTag(context), seq);
+                }
+                return seq;
             }
             if ( isSet() ) {
-                return new DLSet( toASN1EncodableVector(context) ); // return new BERSet(values);
-                //return ASN1Set.getInstance(toASN1TaggedObject(context), isExplicitTagging());
+                final ASN1Encodable set = new DLSet( toASN1EncodableVector(context) );
+                if ( isTagged() ) {
+                    return new DERTaggedObject(isExplicitTagging(), getTagClass(context), getTag(context), set);
+                }
+                return set;
             }
             switch ( getTag(context) ) { // "raw" Constructive ?!?
             case OCTET_STRING:
@@ -2069,10 +2087,10 @@ byte[] toDER(final ThreadContext context) throws IOException {
 
             if ( isIndefiniteLength ) {
                 if ( isSequence() || tagNo == SEQUENCE ) {
-                    return sequenceToDER(context);
+                    return applyIndefiniteTagging(context, sequenceToDER(context));
                 }
                 if ( isSet() || tagNo == SET)  {
-                    return setToDER(context);
+                    return applyIndefiniteTagging(context, setToDER(context));
                 }
                 // "raw" Constructive
                 switch ( getTag(context) ) {
@@ -2094,6 +2112,18 @@ byte[] toDER(final ThreadContext context) throws IOException {
                 return toDERInternal(context, true, isIndefiniteLength, valueAsArray(context));
             }
 
+            // Special behavior: Encoding universal types with non-default 'tag'
+            // attribute and nil tagging method - replace the tag byte with the custom tag,
+            // preserving the CONSTRUCTED bit.
+            if ( !isTagged() && isUniversal(context) ) {
+                final IRubyObject defTag = defaultTag();
+                if ( !defTag.isNil() && tagNo != RubyNumeric.fix2int(defTag) ) {
+                    final byte[] encoded = toASN1(context).toASN1Primitive().getEncoded(ASN1Encoding.DER);
+                    encoded[0] = (byte) (BERTags.CONSTRUCTED | tagNo);
+                    return encoded;
+                }
+            }
+
             return super.toDER(context);
         }
 
@@ -2140,6 +2170,28 @@ private byte[] setToDER(final ThreadContext context) throws IOException {
             return new BERSet(values).toASN1Primitive().getEncoded();
         }
 
+        // Applies EXPLICIT or IMPLICIT tagging to an already-encoded indefinite-length
+        // Sequence or Set byte array. For IMPLICIT, replaces the tag byte in-place.
+        // For EXPLICIT, wraps the inner bytes with an outer tag + indefinite-length header
+        // and appends the required outer EOC (0x00 0x00).
+        private byte[] applyIndefiniteTagging(final ThreadContext context, final byte[] innerBytes) throws IOException {
+            if ( !isTagged() ) return innerBytes;
+            final int tag = getTag(context);
+            final int tagClass = getTagClass(context);
+            if ( isImplicitTagging() ) {
+                innerBytes[0] = (byte) (tagClass | BERTags.CONSTRUCTED | tag);
+                return innerBytes;
+            } else { // EXPLICIT
+                final ByteArrayOutputStream out = new ByteArrayOutputStream(innerBytes.length + 4);
+                writeDERIdentifier(tag, tagClass | BERTags.CONSTRUCTED, out);
+                out.write(0x80); // indefinite length
+                out.write(innerBytes);
+                out.write(0x00); // outer EOC
+                out.write(0x00);
+                return out.toByteArray();
+            }
+        }
+
         private ASN1EncodableVector toASN1EncodableVector(final ThreadContext context) {
             final ASN1EncodableVector vec = new ASN1EncodableVector();
             final IRubyObject value = value(context);
diff --git a/src/test/ruby/test_asn1.rb b/src/test/ruby/test_asn1.rb
@@ -620,61 +620,46 @@ def test_prim_implicit_tagging
     encode_test B(%w{ 80 01 01 }), int
     int2 = OpenSSL::ASN1::Integer.new(1, 1, :IMPLICIT, :APPLICATION)
     encode_test B(%w{ 41 01 01 }), int2
-    #decoded = OpenSSL::ASN1.decode(int2.to_der)
-    # <:APPLICATION> expected but was <:UNIVERSAL>
-    #assert_equal :APPLICATION, decoded.tag_class
-    # <1> expected but was <2>
-    #assert_equal 1, decoded.tag
-    # <"\x01"> expected but was <#<OpenSSL::BN 1>>
-    #assert_equal B(%w{ 01 }), decoded.value
-
-    # Special behavior: Encoding universal types with non-default 'tag'
-    # attribute and nil tagging method.
-    #int3 = OpenSSL::ASN1::Integer.new(1, 1)
-    # <"\x01\x01\x01"> expected but was <"\x02\x01\x01">
-    #encode_test B(%w{ 01 01 01 }), int3
+    decoded = OpenSSL::ASN1.decode(int2.to_der)
+    assert_equal :APPLICATION, decoded.tag_class
+    assert_equal 1, decoded.tag
+    assert_equal B(%w{ 01 }), decoded.value
+
+    # Special behavior: Encoding universal types with non-default 'tag' attribute and nil tagging method.
+    int3 = OpenSSL::ASN1::Integer.new(1, 1)
+    encode_test B(%w{ 01 01 01 }), int3
   end
 
   def test_cons_explicit_tagging
-    #content = [ OpenSSL::ASN1::PrintableString.new('abc') ]
-    #seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT)
-    # TODO: Import Issue
-    # RuntimeError: No message available
-    #encode_test B(%w{ A2 07 30 05 13 03 61 62 63 }), seq
-    #seq2 = OpenSSL::ASN1::Sequence.new(content, 3, :EXPLICIT, :APPLICATION)
-    # RuntimeError: No message available
-    #encode_test B(%w{ 63 07 30 05 13 03 61 62 63 }), seq2
-
-    #content3 = [ OpenSSL::ASN1::PrintableString.new('abc'),
-    #             OpenSSL::ASN1::EndOfContent.new() ]
-    #seq3 = OpenSSL::ASN1::Sequence.new(content3, 2, :EXPLICIT)
-    #seq3.indefinite_length = true
-    # RuntimeError: No message available
-    #encode_test B(%w{ A2 80 30 80 13 03 61 62 63 00 00 00 00 }), seq3
+    content = [ OpenSSL::ASN1::PrintableString.new('abc') ]
+    seq = OpenSSL::ASN1::Sequence.new(content, 2, :EXPLICIT)
+    encode_test B(%w{ A2 07 30 05 13 03 61 62 63 }), seq
+    seq2 = OpenSSL::ASN1::Sequence.new(content, 3, :EXPLICIT, :APPLICATION)
+    encode_test B(%w{ 63 07 30 05 13 03 61 62 63 }), seq2
+
+    content3 = [ OpenSSL::ASN1::PrintableString.new('abc'),
+                 OpenSSL::ASN1::EndOfContent.new() ]
+    seq3 = OpenSSL::ASN1::Sequence.new(content3, 2, :EXPLICIT)
+    seq3.indefinite_length = true
+    encode_test B(%w{ A2 80 30 80 13 03 61 62 63 00 00 00 00 }), seq3
   end
 
   def test_cons_implicit_tagging
-    #content = [ OpenSSL::ASN1::Null.new(nil) ]
-    #seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT)
-    # TODO: Import Issue
-    # <"\xA1\x02\x05\x00"> expected but was <"0\x02\x05\x00">
-    #encode_test B(%w{ A1 02 05 00 }), seq
-    #seq2 = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT, :APPLICATION)
-    # <"a\x02\x05\x00"> expected but was <"0\x02\x05\x00">
-    #encode_test B(%w{ 61 02 05 00 }), seq2
-
-    #content3 = [ OpenSSL::ASN1::Null.new(nil),
-    #             OpenSSL::ASN1::EndOfContent.new() ]
-    #seq3 = OpenSSL::ASN1::Sequence.new(content3, 1, :IMPLICIT)
-    #seq3.indefinite_length = true
-    # <"\xA1\x80\x05\x00\x00\x00"> expected but was <"0\x80\x05\x00\x00\x00">
-    #encode_test B(%w{ A1 80 05 00 00 00 }), seq3
-
-    # Special behavior: Encoding universal types with non-default 'tag'
-    # attribute and nil tagging method.
-    #seq4 = OpenSSL::ASN1::Sequence.new([], 1)
-    # <"!\x00"> expected but was <"0\x00">
-    #encode_test B(%w{ 21 00 }), seq4
+    content = [ OpenSSL::ASN1::Null.new(nil) ]
+    seq = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT)
+    encode_test B(%w{ A1 02 05 00 }), seq
+    seq2 = OpenSSL::ASN1::Sequence.new(content, 1, :IMPLICIT, :APPLICATION)
+    encode_test B(%w{ 61 02 05 00 }), seq2
+
+    content3 = [ OpenSSL::ASN1::Null.new(nil),
+                 OpenSSL::ASN1::EndOfContent.new() ]
+    seq3 = OpenSSL::ASN1::Sequence.new(content3, 1, :IMPLICIT)
+    seq3.indefinite_length = true
+    encode_test B(%w{ A1 80 05 00 00 00 }), seq3
+
+    # Special behavior: Encoding universal types with non-default 'tag' attribute and nil tagging method.
+    seq4 = OpenSSL::ASN1::Sequence.new([], 1)
+    encode_test B(%w{ 21 00 }), seq4
   end
 
   def test_octet_string_constructed_tagging
