1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// Package asn1 implements parsing of DER-encoded ASN.1 data structures,
6// as defined in ITU-T Rec X.690.
7//
8// See also “A Layman's Guide to a Subset of ASN.1, BER, and DER,”
9// http://luca.ntop.org/Teaching/Appunti/asn1.html.
10package asn1
11
12// ASN.1 is a syntax for specifying abstract objects and BER, DER, PER, XER etc
13// are different encoding formats for those objects. Here, we'll be dealing
14// with DER, the Distinguished Encoding Rules. DER is used in X.509 because
15// it's fast to parse and, unlike BER, has a unique encoding for every object.
16// When calculating hashes over objects, it's important that the resulting
17// bytes be the same at both ends and DER removes this margin of error.
18//
19// ASN.1 is very complex and this package doesn't attempt to implement
20// everything by any means.
21
22import (
23	"errors"
24	"fmt"
25	"math"
26	"math/big"
27	"reflect"
28	"strconv"
29	"strings"
30	"time"
31	"unicode/utf16"
32	"unicode/utf8"
33)
34
35// A StructuralError suggests that the ASN.1 data is valid, but the Go type
36// which is receiving it doesn't match.
37type StructuralError struct {
38	Msg string
39}
40
41func (e StructuralError) Error() string { return "asn1: structure error: " + e.Msg }
42
43// A SyntaxError suggests that the ASN.1 data is invalid.
44type SyntaxError struct {
45	Msg string
46}
47
48func (e SyntaxError) Error() string { return "asn1: syntax error: " + e.Msg }
49
50// We start by dealing with each of the primitive types in turn.
51
52// BOOLEAN
53
54func parseBool(bytes []byte) (ret bool, err error) {
55	if len(bytes) != 1 {
56		err = SyntaxError{"invalid boolean"}
57		return
58	}
59
60	// DER demands that "If the encoding represents the boolean value TRUE,
61	// its single contents octet shall have all eight bits set to one."
62	// Thus only 0 and 255 are valid encoded values.
63	switch bytes[0] {
64	case 0:
65		ret = false
66	case 0xff:
67		ret = true
68	default:
69		err = SyntaxError{"invalid boolean"}
70	}
71
72	return
73}
74
75// INTEGER
76
77// checkInteger returns nil if the given bytes are a valid DER-encoded
78// INTEGER and an error otherwise.
79func checkInteger(bytes []byte) error {
80	if len(bytes) == 0 {
81		return StructuralError{"empty integer"}
82	}
83	if len(bytes) == 1 {
84		return nil
85	}
86	if (bytes[0] == 0 && bytes[1]&0x80 == 0) || (bytes[0] == 0xff && bytes[1]&0x80 == 0x80) {
87		return StructuralError{"integer not minimally-encoded"}
88	}
89	return nil
90}
91
92// parseInt64 treats the given bytes as a big-endian, signed integer and
93// returns the result.
94func parseInt64(bytes []byte) (ret int64, err error) {
95	err = checkInteger(bytes)
96	if err != nil {
97		return
98	}
99	if len(bytes) > 8 {
100		// We'll overflow an int64 in this case.
101		err = StructuralError{"integer too large"}
102		return
103	}
104	for bytesRead := 0; bytesRead < len(bytes); bytesRead++ {
105		ret <<= 8
106		ret |= int64(bytes[bytesRead])
107	}
108
109	// Shift up and down in order to sign extend the result.
110	ret <<= 64 - uint8(len(bytes))*8
111	ret >>= 64 - uint8(len(bytes))*8
112	return
113}
114
115// parseInt32 treats the given bytes as a big-endian, signed integer and returns
116// the result.
117func parseInt32(bytes []byte) (int32, error) {
118	if err := checkInteger(bytes); err != nil {
119		return 0, err
120	}
121	ret64, err := parseInt64(bytes)
122	if err != nil {
123		return 0, err
124	}
125	if ret64 != int64(int32(ret64)) {
126		return 0, StructuralError{"integer too large"}
127	}
128	return int32(ret64), nil
129}
130
131var bigOne = big.NewInt(1)
132
133// parseBigInt treats the given bytes as a big-endian, signed integer and returns
134// the result.
135func parseBigInt(bytes []byte) (*big.Int, error) {
136	if err := checkInteger(bytes); err != nil {
137		return nil, err
138	}
139	ret := new(big.Int)
140	if len(bytes) > 0 && bytes[0]&0x80 == 0x80 {
141		// This is a negative number.
142		notBytes := make([]byte, len(bytes))
143		for i := range notBytes {
144			notBytes[i] = ^bytes[i]
145		}
146		ret.SetBytes(notBytes)
147		ret.Add(ret, bigOne)
148		ret.Neg(ret)
149		return ret, nil
150	}
151	ret.SetBytes(bytes)
152	return ret, nil
153}
154
155// BIT STRING
156
157// BitString is the structure to use when you want an ASN.1 BIT STRING type. A
158// bit string is padded up to the nearest byte in memory and the number of
159// valid bits is recorded. Padding bits will be zero.
160type BitString struct {
161	Bytes     []byte // bits packed into bytes.
162	BitLength int    // length in bits.
163}
164
165// At returns the bit at the given index. If the index is out of range it
166// returns 0.
167func (b BitString) At(i int) int {
168	if i < 0 || i >= b.BitLength {
169		return 0
170	}
171	x := i / 8
172	y := 7 - uint(i%8)
173	return int(b.Bytes[x]>>y) & 1
174}
175
176// RightAlign returns a slice where the padding bits are at the beginning. The
177// slice may share memory with the BitString.
178func (b BitString) RightAlign() []byte {
179	shift := uint(8 - (b.BitLength % 8))
180	if shift == 8 || len(b.Bytes) == 0 {
181		return b.Bytes
182	}
183
184	a := make([]byte, len(b.Bytes))
185	a[0] = b.Bytes[0] >> shift
186	for i := 1; i < len(b.Bytes); i++ {
187		a[i] = b.Bytes[i-1] << (8 - shift)
188		a[i] |= b.Bytes[i] >> shift
189	}
190
191	return a
192}
193
194// parseBitString parses an ASN.1 bit string from the given byte slice and returns it.
195func parseBitString(bytes []byte) (ret BitString, err error) {
196	if len(bytes) == 0 {
197		err = SyntaxError{"zero length BIT STRING"}
198		return
199	}
200	paddingBits := int(bytes[0])
201	if paddingBits > 7 ||
202		len(bytes) == 1 && paddingBits > 0 ||
203		bytes[len(bytes)-1]&((1<<bytes[0])-1) != 0 {
204		err = SyntaxError{"invalid padding bits in BIT STRING"}
205		return
206	}
207	ret.BitLength = (len(bytes)-1)*8 - paddingBits
208	ret.Bytes = bytes[1:]
209	return
210}
211
212// NULL
213
214// NullRawValue is a [RawValue] with its Tag set to the ASN.1 NULL type tag (5).
215var NullRawValue = RawValue{Tag: TagNull}
216
217// NullBytes contains bytes representing the DER-encoded ASN.1 NULL type.
218var NullBytes = []byte{TagNull, 0}
219
220// OBJECT IDENTIFIER
221
222// An ObjectIdentifier represents an ASN.1 OBJECT IDENTIFIER.
223type ObjectIdentifier []int
224
225// Equal reports whether oi and other represent the same identifier.
226func (oi ObjectIdentifier) Equal(other ObjectIdentifier) bool {
227	if len(oi) != len(other) {
228		return false
229	}
230	for i := 0; i < len(oi); i++ {
231		if oi[i] != other[i] {
232			return false
233		}
234	}
235
236	return true
237}
238
239func (oi ObjectIdentifier) String() string {
240	var s strings.Builder
241	s.Grow(32)
242
243	buf := make([]byte, 0, 19)
244	for i, v := range oi {
245		if i > 0 {
246			s.WriteByte('.')
247		}
248		s.Write(strconv.AppendInt(buf, int64(v), 10))
249	}
250
251	return s.String()
252}
253
254// parseObjectIdentifier parses an OBJECT IDENTIFIER from the given bytes and
255// returns it. An object identifier is a sequence of variable length integers
256// that are assigned in a hierarchy.
257func parseObjectIdentifier(bytes []byte) (s ObjectIdentifier, err error) {
258	if len(bytes) == 0 {
259		err = SyntaxError{"zero length OBJECT IDENTIFIER"}
260		return
261	}
262
263	// In the worst case, we get two elements from the first byte (which is
264	// encoded differently) and then every varint is a single byte long.
265	s = make([]int, len(bytes)+1)
266
267	// The first varint is 40*value1 + value2:
268	// According to this packing, value1 can take the values 0, 1 and 2 only.
269	// When value1 = 0 or value1 = 1, then value2 is <= 39. When value1 = 2,
270	// then there are no restrictions on value2.
271	v, offset, err := parseBase128Int(bytes, 0)
272	if err != nil {
273		return
274	}
275	if v < 80 {
276		s[0] = v / 40
277		s[1] = v % 40
278	} else {
279		s[0] = 2
280		s[1] = v - 80
281	}
282
283	i := 2
284	for ; offset < len(bytes); i++ {
285		v, offset, err = parseBase128Int(bytes, offset)
286		if err != nil {
287			return
288		}
289		s[i] = v
290	}
291	s = s[0:i]
292	return
293}
294
295// ENUMERATED
296
297// An Enumerated is represented as a plain int.
298type Enumerated int
299
300// FLAG
301
302// A Flag accepts any data and is set to true if present.
303type Flag bool
304
305// parseBase128Int parses a base-128 encoded int from the given offset in the
306// given byte slice. It returns the value and the new offset.
307func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
308	offset = initOffset
309	var ret64 int64
310	for shifted := 0; offset < len(bytes); shifted++ {
311		// 5 * 7 bits per byte == 35 bits of data
312		// Thus the representation is either non-minimal or too large for an int32
313		if shifted == 5 {
314			err = StructuralError{"base 128 integer too large"}
315			return
316		}
317		ret64 <<= 7
318		b := bytes[offset]
319		// integers should be minimally encoded, so the leading octet should
320		// never be 0x80
321		if shifted == 0 && b == 0x80 {
322			err = SyntaxError{"integer is not minimally encoded"}
323			return
324		}
325		ret64 |= int64(b & 0x7f)
326		offset++
327		if b&0x80 == 0 {
328			ret = int(ret64)
329			// Ensure that the returned value fits in an int on all platforms
330			if ret64 > math.MaxInt32 {
331				err = StructuralError{"base 128 integer too large"}
332			}
333			return
334		}
335	}
336	err = SyntaxError{"truncated base 128 integer"}
337	return
338}
339
340// UTCTime
341
342func parseUTCTime(bytes []byte) (ret time.Time, err error) {
343	s := string(bytes)
344
345	formatStr := "0601021504Z0700"
346	ret, err = time.Parse(formatStr, s)
347	if err != nil {
348		formatStr = "060102150405Z0700"
349		ret, err = time.Parse(formatStr, s)
350	}
351	if err != nil {
352		return
353	}
354
355	if serialized := ret.Format(formatStr); serialized != s {
356		err = fmt.Errorf("asn1: time did not serialize back to the original value and may be invalid: given %q, but serialized as %q", s, serialized)
357		return
358	}
359
360	if ret.Year() >= 2050 {
361		// UTCTime only encodes times prior to 2050. See https://tools.ietf.org/html/rfc5280#section-4.1.2.5.1
362		ret = ret.AddDate(-100, 0, 0)
363	}
364
365	return
366}
367
368// parseGeneralizedTime parses the GeneralizedTime from the given byte slice
369// and returns the resulting time.
370func parseGeneralizedTime(bytes []byte) (ret time.Time, err error) {
371	const formatStr = "20060102150405.999999999Z0700"
372	s := string(bytes)
373
374	if ret, err = time.Parse(formatStr, s); err != nil {
375		return
376	}
377
378	if serialized := ret.Format(formatStr); serialized != s {
379		err = fmt.Errorf("asn1: time did not serialize back to the original value and may be invalid: given %q, but serialized as %q", s, serialized)
380	}
381
382	return
383}
384
385// NumericString
386
387// parseNumericString parses an ASN.1 NumericString from the given byte array
388// and returns it.
389func parseNumericString(bytes []byte) (ret string, err error) {
390	for _, b := range bytes {
391		if !isNumeric(b) {
392			return "", SyntaxError{"NumericString contains invalid character"}
393		}
394	}
395	return string(bytes), nil
396}
397
398// isNumeric reports whether the given b is in the ASN.1 NumericString set.
399func isNumeric(b byte) bool {
400	return '0' <= b && b <= '9' ||
401		b == ' '
402}
403
404// PrintableString
405
406// parsePrintableString parses an ASN.1 PrintableString from the given byte
407// array and returns it.
408func parsePrintableString(bytes []byte) (ret string, err error) {
409	for _, b := range bytes {
410		if !isPrintable(b, allowAsterisk, allowAmpersand) {
411			err = SyntaxError{"PrintableString contains invalid character"}
412			return
413		}
414	}
415	ret = string(bytes)
416	return
417}
418
419type asteriskFlag bool
420type ampersandFlag bool
421
422const (
423	allowAsterisk  asteriskFlag = true
424	rejectAsterisk asteriskFlag = false
425
426	allowAmpersand  ampersandFlag = true
427	rejectAmpersand ampersandFlag = false
428)
429
430// isPrintable reports whether the given b is in the ASN.1 PrintableString set.
431// If asterisk is allowAsterisk then '*' is also allowed, reflecting existing
432// practice. If ampersand is allowAmpersand then '&' is allowed as well.
433func isPrintable(b byte, asterisk asteriskFlag, ampersand ampersandFlag) bool {
434	return 'a' <= b && b <= 'z' ||
435		'A' <= b && b <= 'Z' ||
436		'0' <= b && b <= '9' ||
437		'\'' <= b && b <= ')' ||
438		'+' <= b && b <= '/' ||
439		b == ' ' ||
440		b == ':' ||
441		b == '=' ||
442		b == '?' ||
443		// This is technically not allowed in a PrintableString.
444		// However, x509 certificates with wildcard strings don't
445		// always use the correct string type so we permit it.
446		(bool(asterisk) && b == '*') ||
447		// This is not technically allowed either. However, not
448		// only is it relatively common, but there are also a
449		// handful of CA certificates that contain it. At least
450		// one of which will not expire until 2027.
451		(bool(ampersand) && b == '&')
452}
453
454// IA5String
455
456// parseIA5String parses an ASN.1 IA5String (ASCII string) from the given
457// byte slice and returns it.
458func parseIA5String(bytes []byte) (ret string, err error) {
459	for _, b := range bytes {
460		if b >= utf8.RuneSelf {
461			err = SyntaxError{"IA5String contains invalid character"}
462			return
463		}
464	}
465	ret = string(bytes)
466	return
467}
468
469// T61String
470
471// parseT61String parses an ASN.1 T61String (8-bit clean string) from the given
472// byte slice and returns it.
473func parseT61String(bytes []byte) (ret string, err error) {
474	return string(bytes), nil
475}
476
477// UTF8String
478
479// parseUTF8String parses an ASN.1 UTF8String (raw UTF-8) from the given byte
480// array and returns it.
481func parseUTF8String(bytes []byte) (ret string, err error) {
482	if !utf8.Valid(bytes) {
483		return "", errors.New("asn1: invalid UTF-8 string")
484	}
485	return string(bytes), nil
486}
487
488// BMPString
489
490// parseBMPString parses an ASN.1 BMPString (Basic Multilingual Plane of
491// ISO/IEC/ITU 10646-1) from the given byte slice and returns it.
492func parseBMPString(bmpString []byte) (string, error) {
493	if len(bmpString)%2 != 0 {
494		return "", errors.New("pkcs12: odd-length BMP string")
495	}
496
497	// Strip terminator if present.
498	if l := len(bmpString); l >= 2 && bmpString[l-1] == 0 && bmpString[l-2] == 0 {
499		bmpString = bmpString[:l-2]
500	}
501
502	s := make([]uint16, 0, len(bmpString)/2)
503	for len(bmpString) > 0 {
504		s = append(s, uint16(bmpString[0])<<8+uint16(bmpString[1]))
505		bmpString = bmpString[2:]
506	}
507
508	return string(utf16.Decode(s)), nil
509}
510
511// A RawValue represents an undecoded ASN.1 object.
512type RawValue struct {
513	Class, Tag int
514	IsCompound bool
515	Bytes      []byte
516	FullBytes  []byte // includes the tag and length
517}
518
519// RawContent is used to signal that the undecoded, DER data needs to be
520// preserved for a struct. To use it, the first field of the struct must have
521// this type. It's an error for any of the other fields to have this type.
522type RawContent []byte
523
524// Tagging
525
526// parseTagAndLength parses an ASN.1 tag and length pair from the given offset
527// into a byte slice. It returns the parsed data and the new offset. SET and
528// SET OF (tag 17) are mapped to SEQUENCE and SEQUENCE OF (tag 16) since we
529// don't distinguish between ordered and unordered objects in this code.
530func parseTagAndLength(bytes []byte, initOffset int) (ret tagAndLength, offset int, err error) {
531	offset = initOffset
532	// parseTagAndLength should not be called without at least a single
533	// byte to read. Thus this check is for robustness:
534	if offset >= len(bytes) {
535		err = errors.New("asn1: internal error in parseTagAndLength")
536		return
537	}
538	b := bytes[offset]
539	offset++
540	ret.class = int(b >> 6)
541	ret.isCompound = b&0x20 == 0x20
542	ret.tag = int(b & 0x1f)
543
544	// If the bottom five bits are set, then the tag number is actually base 128
545	// encoded afterwards
546	if ret.tag == 0x1f {
547		ret.tag, offset, err = parseBase128Int(bytes, offset)
548		if err != nil {
549			return
550		}
551		// Tags should be encoded in minimal form.
552		if ret.tag < 0x1f {
553			err = SyntaxError{"non-minimal tag"}
554			return
555		}
556	}
557	if offset >= len(bytes) {
558		err = SyntaxError{"truncated tag or length"}
559		return
560	}
561	b = bytes[offset]
562	offset++
563	if b&0x80 == 0 {
564		// The length is encoded in the bottom 7 bits.
565		ret.length = int(b & 0x7f)
566	} else {
567		// Bottom 7 bits give the number of length bytes to follow.
568		numBytes := int(b & 0x7f)
569		if numBytes == 0 {
570			err = SyntaxError{"indefinite length found (not DER)"}
571			return
572		}
573		ret.length = 0
574		for i := 0; i < numBytes; i++ {
575			if offset >= len(bytes) {
576				err = SyntaxError{"truncated tag or length"}
577				return
578			}
579			b = bytes[offset]
580			offset++
581			if ret.length >= 1<<23 {
582				// We can't shift ret.length up without
583				// overflowing.
584				err = StructuralError{"length too large"}
585				return
586			}
587			ret.length <<= 8
588			ret.length |= int(b)
589			if ret.length == 0 {
590				// DER requires that lengths be minimal.
591				err = StructuralError{"superfluous leading zeros in length"}
592				return
593			}
594		}
595		// Short lengths must be encoded in short form.
596		if ret.length < 0x80 {
597			err = StructuralError{"non-minimal length"}
598			return
599		}
600	}
601
602	return
603}
604
605// parseSequenceOf is used for SEQUENCE OF and SET OF values. It tries to parse
606// a number of ASN.1 values from the given byte slice and returns them as a
607// slice of Go values of the given type.
608func parseSequenceOf(bytes []byte, sliceType reflect.Type, elemType reflect.Type) (ret reflect.Value, err error) {
609	matchAny, expectedTag, compoundType, ok := getUniversalType(elemType)
610	if !ok {
611		err = StructuralError{"unknown Go type for slice"}
612		return
613	}
614
615	// First we iterate over the input and count the number of elements,
616	// checking that the types are correct in each case.
617	numElements := 0
618	for offset := 0; offset < len(bytes); {
619		var t tagAndLength
620		t, offset, err = parseTagAndLength(bytes, offset)
621		if err != nil {
622			return
623		}
624		switch t.tag {
625		case TagIA5String, TagGeneralString, TagT61String, TagUTF8String, TagNumericString, TagBMPString:
626			// We pretend that various other string types are
627			// PRINTABLE STRINGs so that a sequence of them can be
628			// parsed into a []string.
629			t.tag = TagPrintableString
630		case TagGeneralizedTime, TagUTCTime:
631			// Likewise, both time types are treated the same.
632			t.tag = TagUTCTime
633		}
634
635		if !matchAny && (t.class != ClassUniversal || t.isCompound != compoundType || t.tag != expectedTag) {
636			err = StructuralError{"sequence tag mismatch"}
637			return
638		}
639		if invalidLength(offset, t.length, len(bytes)) {
640			err = SyntaxError{"truncated sequence"}
641			return
642		}
643		offset += t.length
644		numElements++
645	}
646	ret = reflect.MakeSlice(sliceType, numElements, numElements)
647	params := fieldParameters{}
648	offset := 0
649	for i := 0; i < numElements; i++ {
650		offset, err = parseField(ret.Index(i), bytes, offset, params)
651		if err != nil {
652			return
653		}
654	}
655	return
656}
657
658var (
659	bitStringType        = reflect.TypeFor[BitString]()
660	objectIdentifierType = reflect.TypeFor[ObjectIdentifier]()
661	enumeratedType       = reflect.TypeFor[Enumerated]()
662	flagType             = reflect.TypeFor[Flag]()
663	timeType             = reflect.TypeFor[time.Time]()
664	rawValueType         = reflect.TypeFor[RawValue]()
665	rawContentsType      = reflect.TypeFor[RawContent]()
666	bigIntType           = reflect.TypeFor[*big.Int]()
667)
668
669// invalidLength reports whether offset + length > sliceLength, or if the
670// addition would overflow.
671func invalidLength(offset, length, sliceLength int) bool {
672	return offset+length < offset || offset+length > sliceLength
673}
674
675// parseField is the main parsing function. Given a byte slice and an offset
676// into the array, it will try to parse a suitable ASN.1 value out and store it
677// in the given Value.
678func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParameters) (offset int, err error) {
679	offset = initOffset
680	fieldType := v.Type()
681
682	// If we have run out of data, it may be that there are optional elements at the end.
683	if offset == len(bytes) {
684		if !setDefaultValue(v, params) {
685			err = SyntaxError{"sequence truncated"}
686		}
687		return
688	}
689
690	// Deal with the ANY type.
691	if ifaceType := fieldType; ifaceType.Kind() == reflect.Interface && ifaceType.NumMethod() == 0 {
692		var t tagAndLength
693		t, offset, err = parseTagAndLength(bytes, offset)
694		if err != nil {
695			return
696		}
697		if invalidLength(offset, t.length, len(bytes)) {
698			err = SyntaxError{"data truncated"}
699			return
700		}
701		var result any
702		if !t.isCompound && t.class == ClassUniversal {
703			innerBytes := bytes[offset : offset+t.length]
704			switch t.tag {
705			case TagPrintableString:
706				result, err = parsePrintableString(innerBytes)
707			case TagNumericString:
708				result, err = parseNumericString(innerBytes)
709			case TagIA5String:
710				result, err = parseIA5String(innerBytes)
711			case TagT61String:
712				result, err = parseT61String(innerBytes)
713			case TagUTF8String:
714				result, err = parseUTF8String(innerBytes)
715			case TagInteger:
716				result, err = parseInt64(innerBytes)
717			case TagBitString:
718				result, err = parseBitString(innerBytes)
719			case TagOID:
720				result, err = parseObjectIdentifier(innerBytes)
721			case TagUTCTime:
722				result, err = parseUTCTime(innerBytes)
723			case TagGeneralizedTime:
724				result, err = parseGeneralizedTime(innerBytes)
725			case TagOctetString:
726				result = innerBytes
727			case TagBMPString:
728				result, err = parseBMPString(innerBytes)
729			default:
730				// If we don't know how to handle the type, we just leave Value as nil.
731			}
732		}
733		offset += t.length
734		if err != nil {
735			return
736		}
737		if result != nil {
738			v.Set(reflect.ValueOf(result))
739		}
740		return
741	}
742
743	t, offset, err := parseTagAndLength(bytes, offset)
744	if err != nil {
745		return
746	}
747	if params.explicit {
748		expectedClass := ClassContextSpecific
749		if params.application {
750			expectedClass = ClassApplication
751		}
752		if offset == len(bytes) {
753			err = StructuralError{"explicit tag has no child"}
754			return
755		}
756		if t.class == expectedClass && t.tag == *params.tag && (t.length == 0 || t.isCompound) {
757			if fieldType == rawValueType {
758				// The inner element should not be parsed for RawValues.
759			} else if t.length > 0 {
760				t, offset, err = parseTagAndLength(bytes, offset)
761				if err != nil {
762					return
763				}
764			} else {
765				if fieldType != flagType {
766					err = StructuralError{"zero length explicit tag was not an asn1.Flag"}
767					return
768				}
769				v.SetBool(true)
770				return
771			}
772		} else {
773			// The tags didn't match, it might be an optional element.
774			ok := setDefaultValue(v, params)
775			if ok {
776				offset = initOffset
777			} else {
778				err = StructuralError{"explicitly tagged member didn't match"}
779			}
780			return
781		}
782	}
783
784	matchAny, universalTag, compoundType, ok1 := getUniversalType(fieldType)
785	if !ok1 {
786		err = StructuralError{fmt.Sprintf("unknown Go type: %v", fieldType)}
787		return
788	}
789
790	// Special case for strings: all the ASN.1 string types map to the Go
791	// type string. getUniversalType returns the tag for PrintableString
792	// when it sees a string, so if we see a different string type on the
793	// wire, we change the universal type to match.
794	if universalTag == TagPrintableString {
795		if t.class == ClassUniversal {
796			switch t.tag {
797			case TagIA5String, TagGeneralString, TagT61String, TagUTF8String, TagNumericString, TagBMPString:
798				universalTag = t.tag
799			}
800		} else if params.stringType != 0 {
801			universalTag = params.stringType
802		}
803	}
804
805	// Special case for time: UTCTime and GeneralizedTime both map to the
806	// Go type time.Time.
807	if universalTag == TagUTCTime && t.tag == TagGeneralizedTime && t.class == ClassUniversal {
808		universalTag = TagGeneralizedTime
809	}
810
811	if params.set {
812		universalTag = TagSet
813	}
814
815	matchAnyClassAndTag := matchAny
816	expectedClass := ClassUniversal
817	expectedTag := universalTag
818
819	if !params.explicit && params.tag != nil {
820		expectedClass = ClassContextSpecific
821		expectedTag = *params.tag
822		matchAnyClassAndTag = false
823	}
824
825	if !params.explicit && params.application && params.tag != nil {
826		expectedClass = ClassApplication
827		expectedTag = *params.tag
828		matchAnyClassAndTag = false
829	}
830
831	if !params.explicit && params.private && params.tag != nil {
832		expectedClass = ClassPrivate
833		expectedTag = *params.tag
834		matchAnyClassAndTag = false
835	}
836
837	// We have unwrapped any explicit tagging at this point.
838	if !matchAnyClassAndTag && (t.class != expectedClass || t.tag != expectedTag) ||
839		(!matchAny && t.isCompound != compoundType) {
840		// Tags don't match. Again, it could be an optional element.
841		ok := setDefaultValue(v, params)
842		if ok {
843			offset = initOffset
844		} else {
845			err = StructuralError{fmt.Sprintf("tags don't match (%d vs %+v) %+v %s @%d", expectedTag, t, params, fieldType.Name(), offset)}
846		}
847		return
848	}
849	if invalidLength(offset, t.length, len(bytes)) {
850		err = SyntaxError{"data truncated"}
851		return
852	}
853	innerBytes := bytes[offset : offset+t.length]
854	offset += t.length
855
856	// We deal with the structures defined in this package first.
857	switch v := v.Addr().Interface().(type) {
858	case *RawValue:
859		*v = RawValue{t.class, t.tag, t.isCompound, innerBytes, bytes[initOffset:offset]}
860		return
861	case *ObjectIdentifier:
862		*v, err = parseObjectIdentifier(innerBytes)
863		return
864	case *BitString:
865		*v, err = parseBitString(innerBytes)
866		return
867	case *time.Time:
868		if universalTag == TagUTCTime {
869			*v, err = parseUTCTime(innerBytes)
870			return
871		}
872		*v, err = parseGeneralizedTime(innerBytes)
873		return
874	case *Enumerated:
875		parsedInt, err1 := parseInt32(innerBytes)
876		if err1 == nil {
877			*v = Enumerated(parsedInt)
878		}
879		err = err1
880		return
881	case *Flag:
882		*v = true
883		return
884	case **big.Int:
885		parsedInt, err1 := parseBigInt(innerBytes)
886		if err1 == nil {
887			*v = parsedInt
888		}
889		err = err1
890		return
891	}
892	switch val := v; val.Kind() {
893	case reflect.Bool:
894		parsedBool, err1 := parseBool(innerBytes)
895		if err1 == nil {
896			val.SetBool(parsedBool)
897		}
898		err = err1
899		return
900	case reflect.Int, reflect.Int32, reflect.Int64:
901		if val.Type().Size() == 4 {
902			parsedInt, err1 := parseInt32(innerBytes)
903			if err1 == nil {
904				val.SetInt(int64(parsedInt))
905			}
906			err = err1
907		} else {
908			parsedInt, err1 := parseInt64(innerBytes)
909			if err1 == nil {
910				val.SetInt(parsedInt)
911			}
912			err = err1
913		}
914		return
915	// TODO(dfc) Add support for the remaining integer types
916	case reflect.Struct:
917		structType := fieldType
918
919		for i := 0; i < structType.NumField(); i++ {
920			if !structType.Field(i).IsExported() {
921				err = StructuralError{"struct contains unexported fields"}
922				return
923			}
924		}
925
926		if structType.NumField() > 0 &&
927			structType.Field(0).Type == rawContentsType {
928			bytes := bytes[initOffset:offset]
929			val.Field(0).Set(reflect.ValueOf(RawContent(bytes)))
930		}
931
932		innerOffset := 0
933		for i := 0; i < structType.NumField(); i++ {
934			field := structType.Field(i)
935			if i == 0 && field.Type == rawContentsType {
936				continue
937			}
938			innerOffset, err = parseField(val.Field(i), innerBytes, innerOffset, parseFieldParameters(field.Tag.Get("asn1")))
939			if err != nil {
940				return
941			}
942		}
943		// We allow extra bytes at the end of the SEQUENCE because
944		// adding elements to the end has been used in X.509 as the
945		// version numbers have increased.
946		return
947	case reflect.Slice:
948		sliceType := fieldType
949		if sliceType.Elem().Kind() == reflect.Uint8 {
950			val.Set(reflect.MakeSlice(sliceType, len(innerBytes), len(innerBytes)))
951			reflect.Copy(val, reflect.ValueOf(innerBytes))
952			return
953		}
954		newSlice, err1 := parseSequenceOf(innerBytes, sliceType, sliceType.Elem())
955		if err1 == nil {
956			val.Set(newSlice)
957		}
958		err = err1
959		return
960	case reflect.String:
961		var v string
962		switch universalTag {
963		case TagPrintableString:
964			v, err = parsePrintableString(innerBytes)
965		case TagNumericString:
966			v, err = parseNumericString(innerBytes)
967		case TagIA5String:
968			v, err = parseIA5String(innerBytes)
969		case TagT61String:
970			v, err = parseT61String(innerBytes)
971		case TagUTF8String:
972			v, err = parseUTF8String(innerBytes)
973		case TagGeneralString:
974			// GeneralString is specified in ISO-2022/ECMA-35,
975			// A brief review suggests that it includes structures
976			// that allow the encoding to change midstring and
977			// such. We give up and pass it as an 8-bit string.
978			v, err = parseT61String(innerBytes)
979		case TagBMPString:
980			v, err = parseBMPString(innerBytes)
981
982		default:
983			err = SyntaxError{fmt.Sprintf("internal error: unknown string type %d", universalTag)}
984		}
985		if err == nil {
986			val.SetString(v)
987		}
988		return
989	}
990	err = StructuralError{"unsupported: " + v.Type().String()}
991	return
992}
993
994// canHaveDefaultValue reports whether k is a Kind that we will set a default
995// value for. (A signed integer, essentially.)
996func canHaveDefaultValue(k reflect.Kind) bool {
997	switch k {
998	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
999		return true
1000	}
1001
1002	return false
1003}
1004
1005// setDefaultValue is used to install a default value, from a tag string, into
1006// a Value. It is successful if the field was optional, even if a default value
1007// wasn't provided or it failed to install it into the Value.
1008func setDefaultValue(v reflect.Value, params fieldParameters) (ok bool) {
1009	if !params.optional {
1010		return
1011	}
1012	ok = true
1013	if params.defaultValue == nil {
1014		return
1015	}
1016	if canHaveDefaultValue(v.Kind()) {
1017		v.SetInt(*params.defaultValue)
1018	}
1019	return
1020}
1021
1022// Unmarshal parses the DER-encoded ASN.1 data structure b
1023// and uses the reflect package to fill in an arbitrary value pointed at by val.
1024// Because Unmarshal uses the reflect package, the structs
1025// being written to must use upper case field names. If val
1026// is nil or not a pointer, Unmarshal returns an error.
1027//
1028// After parsing b, any bytes that were leftover and not used to fill
1029// val will be returned in rest. When parsing a SEQUENCE into a struct,
1030// any trailing elements of the SEQUENCE that do not have matching
1031// fields in val will not be included in rest, as these are considered
1032// valid elements of the SEQUENCE and not trailing data.
1033//
1034//   - An ASN.1 INTEGER can be written to an int, int32, int64,
1035//     or *[big.Int].
1036//     If the encoded value does not fit in the Go type,
1037//     Unmarshal returns a parse error.
1038//
1039//   - An ASN.1 BIT STRING can be written to a [BitString].
1040//
1041//   - An ASN.1 OCTET STRING can be written to a []byte.
1042//
1043//   - An ASN.1 OBJECT IDENTIFIER can be written to an [ObjectIdentifier].
1044//
1045//   - An ASN.1 ENUMERATED can be written to an [Enumerated].
1046//
1047//   - An ASN.1 UTCTIME or GENERALIZEDTIME can be written to a [time.Time].
1048//
1049//   - An ASN.1 PrintableString, IA5String, or NumericString can be written to a string.
1050//
1051//   - Any of the above ASN.1 values can be written to an interface{}.
1052//     The value stored in the interface has the corresponding Go type.
1053//     For integers, that type is int64.
1054//
1055//   - An ASN.1 SEQUENCE OF x or SET OF x can be written
1056//     to a slice if an x can be written to the slice's element type.
1057//
1058//   - An ASN.1 SEQUENCE or SET can be written to a struct
1059//     if each of the elements in the sequence can be
1060//     written to the corresponding element in the struct.
1061//
1062// The following tags on struct fields have special meaning to Unmarshal:
1063//
1064//	application specifies that an APPLICATION tag is used
1065//	private     specifies that a PRIVATE tag is used
1066//	default:x   sets the default value for optional integer fields (only used if optional is also present)
1067//	explicit    specifies that an additional, explicit tag wraps the implicit one
1068//	optional    marks the field as ASN.1 OPTIONAL
1069//	set         causes a SET, rather than a SEQUENCE type to be expected
1070//	tag:x       specifies the ASN.1 tag number; implies ASN.1 CONTEXT SPECIFIC
1071//
1072// When decoding an ASN.1 value with an IMPLICIT tag into a string field,
1073// Unmarshal will default to a PrintableString, which doesn't support
1074// characters such as '@' and '&'. To force other encodings, use the following
1075// tags:
1076//
1077//	ia5     causes strings to be unmarshaled as ASN.1 IA5String values
1078//	numeric causes strings to be unmarshaled as ASN.1 NumericString values
1079//	utf8    causes strings to be unmarshaled as ASN.1 UTF8String values
1080//
1081// If the type of the first field of a structure is RawContent then the raw
1082// ASN1 contents of the struct will be stored in it.
1083//
1084// If the name of a slice type ends with "SET" then it's treated as if
1085// the "set" tag was set on it. This results in interpreting the type as a
1086// SET OF x rather than a SEQUENCE OF x. This can be used with nested slices
1087// where a struct tag cannot be given.
1088//
1089// Other ASN.1 types are not supported; if it encounters them,
1090// Unmarshal returns a parse error.
1091func Unmarshal(b []byte, val any) (rest []byte, err error) {
1092	return UnmarshalWithParams(b, val, "")
1093}
1094
1095// An invalidUnmarshalError describes an invalid argument passed to Unmarshal.
1096// (The argument to Unmarshal must be a non-nil pointer.)
1097type invalidUnmarshalError struct {
1098	Type reflect.Type
1099}
1100
1101func (e *invalidUnmarshalError) Error() string {
1102	if e.Type == nil {
1103		return "asn1: Unmarshal recipient value is nil"
1104	}
1105
1106	if e.Type.Kind() != reflect.Pointer {
1107		return "asn1: Unmarshal recipient value is non-pointer " + e.Type.String()
1108	}
1109	return "asn1: Unmarshal recipient value is nil " + e.Type.String()
1110}
1111
1112// UnmarshalWithParams allows field parameters to be specified for the
1113// top-level element. The form of the params is the same as the field tags.
1114func UnmarshalWithParams(b []byte, val any, params string) (rest []byte, err error) {
1115	v := reflect.ValueOf(val)
1116	if v.Kind() != reflect.Pointer || v.IsNil() {
1117		return nil, &invalidUnmarshalError{reflect.TypeOf(val)}
1118	}
1119	offset, err := parseField(v.Elem(), b, 0, parseFieldParameters(params))
1120	if err != nil {
1121		return nil, err
1122	}
1123	return b[offset:], nil
1124}
1125