1// Copyright 2017 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package cryptobyte
6
7import (
8	encoding_asn1 "encoding/asn1"
9	"fmt"
10	"math/big"
11	"reflect"
12	"time"
13
14	"golang.org/x/crypto/cryptobyte/asn1"
15)
16
17// This file contains ASN.1-related methods for String and Builder.
18
19// Builder
20
21// AddASN1Int64 appends a DER-encoded ASN.1 INTEGER.
22func (b *Builder) AddASN1Int64(v int64) {
23	b.addASN1Signed(asn1.INTEGER, v)
24}
25
26// AddASN1Int64WithTag appends a DER-encoded ASN.1 INTEGER with the
27// given tag.
28func (b *Builder) AddASN1Int64WithTag(v int64, tag asn1.Tag) {
29	b.addASN1Signed(tag, v)
30}
31
32// AddASN1Enum appends a DER-encoded ASN.1 ENUMERATION.
33func (b *Builder) AddASN1Enum(v int64) {
34	b.addASN1Signed(asn1.ENUM, v)
35}
36
37func (b *Builder) addASN1Signed(tag asn1.Tag, v int64) {
38	b.AddASN1(tag, func(c *Builder) {
39		length := 1
40		for i := v; i >= 0x80 || i < -0x80; i >>= 8 {
41			length++
42		}
43
44		for ; length > 0; length-- {
45			i := v >> uint((length-1)*8) & 0xff
46			c.AddUint8(uint8(i))
47		}
48	})
49}
50
51// AddASN1Uint64 appends a DER-encoded ASN.1 INTEGER.
52func (b *Builder) AddASN1Uint64(v uint64) {
53	b.AddASN1(asn1.INTEGER, func(c *Builder) {
54		length := 1
55		for i := v; i >= 0x80; i >>= 8 {
56			length++
57		}
58
59		for ; length > 0; length-- {
60			i := v >> uint((length-1)*8) & 0xff
61			c.AddUint8(uint8(i))
62		}
63	})
64}
65
66// AddASN1BigInt appends a DER-encoded ASN.1 INTEGER.
67func (b *Builder) AddASN1BigInt(n *big.Int) {
68	if b.err != nil {
69		return
70	}
71
72	b.AddASN1(asn1.INTEGER, func(c *Builder) {
73		if n.Sign() < 0 {
74			// A negative number has to be converted to two's-complement form. So we
75			// invert and subtract 1. If the most-significant-bit isn't set then
76			// we'll need to pad the beginning with 0xff in order to keep the number
77			// negative.
78			nMinus1 := new(big.Int).Neg(n)
79			nMinus1.Sub(nMinus1, bigOne)
80			bytes := nMinus1.Bytes()
81			for i := range bytes {
82				bytes[i] ^= 0xff
83			}
84			if len(bytes) == 0 || bytes[0]&0x80 == 0 {
85				c.add(0xff)
86			}
87			c.add(bytes...)
88		} else if n.Sign() == 0 {
89			c.add(0)
90		} else {
91			bytes := n.Bytes()
92			if bytes[0]&0x80 != 0 {
93				c.add(0)
94			}
95			c.add(bytes...)
96		}
97	})
98}
99
100// AddASN1OctetString appends a DER-encoded ASN.1 OCTET STRING.
101func (b *Builder) AddASN1OctetString(bytes []byte) {
102	b.AddASN1(asn1.OCTET_STRING, func(c *Builder) {
103		c.AddBytes(bytes)
104	})
105}
106
107const generalizedTimeFormatStr = "20060102150405Z0700"
108
109// AddASN1GeneralizedTime appends a DER-encoded ASN.1 GENERALIZEDTIME.
110func (b *Builder) AddASN1GeneralizedTime(t time.Time) {
111	if t.Year() < 0 || t.Year() > 9999 {
112		b.err = fmt.Errorf("cryptobyte: cannot represent %v as a GeneralizedTime", t)
113		return
114	}
115	b.AddASN1(asn1.GeneralizedTime, func(c *Builder) {
116		c.AddBytes([]byte(t.Format(generalizedTimeFormatStr)))
117	})
118}
119
120// AddASN1BitString appends a DER-encoded ASN.1 BIT STRING. This does not
121// support BIT STRINGs that are not a whole number of bytes.
122func (b *Builder) AddASN1BitString(data []byte) {
123	b.AddASN1(asn1.BIT_STRING, func(b *Builder) {
124		b.AddUint8(0)
125		b.AddBytes(data)
126	})
127}
128
129func (b *Builder) addBase128Int(n int64) {
130	var length int
131	if n == 0 {
132		length = 1
133	} else {
134		for i := n; i > 0; i >>= 7 {
135			length++
136		}
137	}
138
139	for i := length - 1; i >= 0; i-- {
140		o := byte(n >> uint(i*7))
141		o &= 0x7f
142		if i != 0 {
143			o |= 0x80
144		}
145
146		b.add(o)
147	}
148}
149
150func isValidOID(oid encoding_asn1.ObjectIdentifier) bool {
151	if len(oid) < 2 {
152		return false
153	}
154
155	if oid[0] > 2 || (oid[0] <= 1 && oid[1] >= 40) {
156		return false
157	}
158
159	for _, v := range oid {
160		if v < 0 {
161			return false
162		}
163	}
164
165	return true
166}
167
168func (b *Builder) AddASN1ObjectIdentifier(oid encoding_asn1.ObjectIdentifier) {
169	b.AddASN1(asn1.OBJECT_IDENTIFIER, func(b *Builder) {
170		if !isValidOID(oid) {
171			b.err = fmt.Errorf("cryptobyte: invalid OID: %v", oid)
172			return
173		}
174
175		b.addBase128Int(int64(oid[0])*40 + int64(oid[1]))
176		for _, v := range oid[2:] {
177			b.addBase128Int(int64(v))
178		}
179	})
180}
181
182func (b *Builder) AddASN1Boolean(v bool) {
183	b.AddASN1(asn1.BOOLEAN, func(b *Builder) {
184		if v {
185			b.AddUint8(0xff)
186		} else {
187			b.AddUint8(0)
188		}
189	})
190}
191
192func (b *Builder) AddASN1NULL() {
193	b.add(uint8(asn1.NULL), 0)
194}
195
196// MarshalASN1 calls encoding_asn1.Marshal on its input and appends the result if
197// successful or records an error if one occurred.
198func (b *Builder) MarshalASN1(v interface{}) {
199	// NOTE(martinkr): This is somewhat of a hack to allow propagation of
200	// encoding_asn1.Marshal errors into Builder.err. N.B. if you call MarshalASN1 with a
201	// value embedded into a struct, its tag information is lost.
202	if b.err != nil {
203		return
204	}
205	bytes, err := encoding_asn1.Marshal(v)
206	if err != nil {
207		b.err = err
208		return
209	}
210	b.AddBytes(bytes)
211}
212
213// AddASN1 appends an ASN.1 object. The object is prefixed with the given tag.
214// Tags greater than 30 are not supported and result in an error (i.e.
215// low-tag-number form only). The child builder passed to the
216// BuilderContinuation can be used to build the content of the ASN.1 object.
217func (b *Builder) AddASN1(tag asn1.Tag, f BuilderContinuation) {
218	if b.err != nil {
219		return
220	}
221	// Identifiers with the low five bits set indicate high-tag-number format
222	// (two or more octets), which we don't support.
223	if tag&0x1f == 0x1f {
224		b.err = fmt.Errorf("cryptobyte: high-tag number identifier octects not supported: 0x%x", tag)
225		return
226	}
227	b.AddUint8(uint8(tag))
228	b.addLengthPrefixed(1, true, f)
229}
230
231// String
232
233// ReadASN1Boolean decodes an ASN.1 BOOLEAN and converts it to a boolean
234// representation into out and advances. It reports whether the read
235// was successful.
236func (s *String) ReadASN1Boolean(out *bool) bool {
237	var bytes String
238	if !s.ReadASN1(&bytes, asn1.BOOLEAN) || len(bytes) != 1 {
239		return false
240	}
241
242	switch bytes[0] {
243	case 0:
244		*out = false
245	case 0xff:
246		*out = true
247	default:
248		return false
249	}
250
251	return true
252}
253
254var bigIntType = reflect.TypeOf((*big.Int)(nil)).Elem()
255
256// ReadASN1Integer decodes an ASN.1 INTEGER into out and advances. If out does
257// not point to an integer or to a big.Int, it panics. It reports whether the
258// read was successful.
259func (s *String) ReadASN1Integer(out interface{}) bool {
260	if reflect.TypeOf(out).Kind() != reflect.Ptr {
261		panic("out is not a pointer")
262	}
263	switch reflect.ValueOf(out).Elem().Kind() {
264	case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
265		var i int64
266		if !s.readASN1Int64(&i) || reflect.ValueOf(out).Elem().OverflowInt(i) {
267			return false
268		}
269		reflect.ValueOf(out).Elem().SetInt(i)
270		return true
271	case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
272		var u uint64
273		if !s.readASN1Uint64(&u) || reflect.ValueOf(out).Elem().OverflowUint(u) {
274			return false
275		}
276		reflect.ValueOf(out).Elem().SetUint(u)
277		return true
278	case reflect.Struct:
279		if reflect.TypeOf(out).Elem() == bigIntType {
280			return s.readASN1BigInt(out.(*big.Int))
281		}
282	}
283	panic("out does not point to an integer type")
284}
285
286func checkASN1Integer(bytes []byte) bool {
287	if len(bytes) == 0 {
288		// An INTEGER is encoded with at least one octet.
289		return false
290	}
291	if len(bytes) == 1 {
292		return true
293	}
294	if bytes[0] == 0 && bytes[1]&0x80 == 0 || bytes[0] == 0xff && bytes[1]&0x80 == 0x80 {
295		// Value is not minimally encoded.
296		return false
297	}
298	return true
299}
300
301var bigOne = big.NewInt(1)
302
303func (s *String) readASN1BigInt(out *big.Int) bool {
304	var bytes String
305	if !s.ReadASN1(&bytes, asn1.INTEGER) || !checkASN1Integer(bytes) {
306		return false
307	}
308	if bytes[0]&0x80 == 0x80 {
309		// Negative number.
310		neg := make([]byte, len(bytes))
311		for i, b := range bytes {
312			neg[i] = ^b
313		}
314		out.SetBytes(neg)
315		out.Add(out, bigOne)
316		out.Neg(out)
317	} else {
318		out.SetBytes(bytes)
319	}
320	return true
321}
322
323func (s *String) readASN1Int64(out *int64) bool {
324	var bytes String
325	if !s.ReadASN1(&bytes, asn1.INTEGER) || !checkASN1Integer(bytes) || !asn1Signed(out, bytes) {
326		return false
327	}
328	return true
329}
330
331func asn1Signed(out *int64, n []byte) bool {
332	length := len(n)
333	if length > 8 {
334		return false
335	}
336	for i := 0; i < length; i++ {
337		*out <<= 8
338		*out |= int64(n[i])
339	}
340	// Shift up and down in order to sign extend the result.
341	*out <<= 64 - uint8(length)*8
342	*out >>= 64 - uint8(length)*8
343	return true
344}
345
346func (s *String) readASN1Uint64(out *uint64) bool {
347	var bytes String
348	if !s.ReadASN1(&bytes, asn1.INTEGER) || !checkASN1Integer(bytes) || !asn1Unsigned(out, bytes) {
349		return false
350	}
351	return true
352}
353
354func asn1Unsigned(out *uint64, n []byte) bool {
355	length := len(n)
356	if length > 9 || length == 9 && n[0] != 0 {
357		// Too large for uint64.
358		return false
359	}
360	if n[0]&0x80 != 0 {
361		// Negative number.
362		return false
363	}
364	for i := 0; i < length; i++ {
365		*out <<= 8
366		*out |= uint64(n[i])
367	}
368	return true
369}
370
371// ReadASN1Int64WithTag decodes an ASN.1 INTEGER with the given tag into out
372// and advances. It reports whether the read was successful and resulted in a
373// value that can be represented in an int64.
374func (s *String) ReadASN1Int64WithTag(out *int64, tag asn1.Tag) bool {
375	var bytes String
376	return s.ReadASN1(&bytes, tag) && checkASN1Integer(bytes) && asn1Signed(out, bytes)
377}
378
379// ReadASN1Enum decodes an ASN.1 ENUMERATION into out and advances. It reports
380// whether the read was successful.
381func (s *String) ReadASN1Enum(out *int) bool {
382	var bytes String
383	var i int64
384	if !s.ReadASN1(&bytes, asn1.ENUM) || !checkASN1Integer(bytes) || !asn1Signed(&i, bytes) {
385		return false
386	}
387	if int64(int(i)) != i {
388		return false
389	}
390	*out = int(i)
391	return true
392}
393
394func (s *String) readBase128Int(out *int) bool {
395	ret := 0
396	for i := 0; len(*s) > 0; i++ {
397		if i == 4 {
398			return false
399		}
400		ret <<= 7
401		b := s.read(1)[0]
402		ret |= int(b & 0x7f)
403		if b&0x80 == 0 {
404			*out = ret
405			return true
406		}
407	}
408	return false // truncated
409}
410
411// ReadASN1ObjectIdentifier decodes an ASN.1 OBJECT IDENTIFIER into out and
412// advances. It reports whether the read was successful.
413func (s *String) ReadASN1ObjectIdentifier(out *encoding_asn1.ObjectIdentifier) bool {
414	var bytes String
415	if !s.ReadASN1(&bytes, asn1.OBJECT_IDENTIFIER) || len(bytes) == 0 {
416		return false
417	}
418
419	// In the worst case, we get two elements from the first byte (which is
420	// encoded differently) and then every varint is a single byte long.
421	components := make([]int, len(bytes)+1)
422
423	// The first varint is 40*value1 + value2:
424	// According to this packing, value1 can take the values 0, 1 and 2 only.
425	// When value1 = 0 or value1 = 1, then value2 is <= 39. When value1 = 2,
426	// then there are no restrictions on value2.
427	var v int
428	if !bytes.readBase128Int(&v) {
429		return false
430	}
431	if v < 80 {
432		components[0] = v / 40
433		components[1] = v % 40
434	} else {
435		components[0] = 2
436		components[1] = v - 80
437	}
438
439	i := 2
440	for ; len(bytes) > 0; i++ {
441		if !bytes.readBase128Int(&v) {
442			return false
443		}
444		components[i] = v
445	}
446	*out = components[:i]
447	return true
448}
449
450// ReadASN1GeneralizedTime decodes an ASN.1 GENERALIZEDTIME into out and
451// advances. It reports whether the read was successful.
452func (s *String) ReadASN1GeneralizedTime(out *time.Time) bool {
453	var bytes String
454	if !s.ReadASN1(&bytes, asn1.GeneralizedTime) {
455		return false
456	}
457	t := string(bytes)
458	res, err := time.Parse(generalizedTimeFormatStr, t)
459	if err != nil {
460		return false
461	}
462	if serialized := res.Format(generalizedTimeFormatStr); serialized != t {
463		return false
464	}
465	*out = res
466	return true
467}
468
469// ReadASN1BitString decodes an ASN.1 BIT STRING into out and advances.
470// It reports whether the read was successful.
471func (s *String) ReadASN1BitString(out *encoding_asn1.BitString) bool {
472	var bytes String
473	if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 ||
474		len(bytes)*8/8 != len(bytes) {
475		return false
476	}
477
478	paddingBits := uint8(bytes[0])
479	bytes = bytes[1:]
480	if paddingBits > 7 ||
481		len(bytes) == 0 && paddingBits != 0 ||
482		len(bytes) > 0 && bytes[len(bytes)-1]&(1<<paddingBits-1) != 0 {
483		return false
484	}
485
486	out.BitLength = len(bytes)*8 - int(paddingBits)
487	out.Bytes = bytes
488	return true
489}
490
491// ReadASN1BitString decodes an ASN.1 BIT STRING into out and advances. It is
492// an error if the BIT STRING is not a whole number of bytes. It reports
493// whether the read was successful.
494func (s *String) ReadASN1BitStringAsBytes(out *[]byte) bool {
495	var bytes String
496	if !s.ReadASN1(&bytes, asn1.BIT_STRING) || len(bytes) == 0 {
497		return false
498	}
499
500	paddingBits := uint8(bytes[0])
501	if paddingBits != 0 {
502		return false
503	}
504	*out = bytes[1:]
505	return true
506}
507
508// ReadASN1Bytes reads the contents of a DER-encoded ASN.1 element (not including
509// tag and length bytes) into out, and advances. The element must match the
510// given tag. It reports whether the read was successful.
511func (s *String) ReadASN1Bytes(out *[]byte, tag asn1.Tag) bool {
512	return s.ReadASN1((*String)(out), tag)
513}
514
515// ReadASN1 reads the contents of a DER-encoded ASN.1 element (not including
516// tag and length bytes) into out, and advances. The element must match the
517// given tag. It reports whether the read was successful.
518//
519// Tags greater than 30 are not supported (i.e. low-tag-number format only).
520func (s *String) ReadASN1(out *String, tag asn1.Tag) bool {
521	var t asn1.Tag
522	if !s.ReadAnyASN1(out, &t) || t != tag {
523		return false
524	}
525	return true
526}
527
528// ReadASN1Element reads the contents of a DER-encoded ASN.1 element (including
529// tag and length bytes) into out, and advances. The element must match the
530// given tag. It reports whether the read was successful.
531//
532// Tags greater than 30 are not supported (i.e. low-tag-number format only).
533func (s *String) ReadASN1Element(out *String, tag asn1.Tag) bool {
534	var t asn1.Tag
535	if !s.ReadAnyASN1Element(out, &t) || t != tag {
536		return false
537	}
538	return true
539}
540
541// ReadAnyASN1 reads the contents of a DER-encoded ASN.1 element (not including
542// tag and length bytes) into out, sets outTag to its tag, and advances.
543// It reports whether the read was successful.
544//
545// Tags greater than 30 are not supported (i.e. low-tag-number format only).
546func (s *String) ReadAnyASN1(out *String, outTag *asn1.Tag) bool {
547	return s.readASN1(out, outTag, true /* skip header */)
548}
549
550// ReadAnyASN1Element reads the contents of a DER-encoded ASN.1 element
551// (including tag and length bytes) into out, sets outTag to is tag, and
552// advances. It reports whether the read was successful.
553//
554// Tags greater than 30 are not supported (i.e. low-tag-number format only).
555func (s *String) ReadAnyASN1Element(out *String, outTag *asn1.Tag) bool {
556	return s.readASN1(out, outTag, false /* include header */)
557}
558
559// PeekASN1Tag reports whether the next ASN.1 value on the string starts with
560// the given tag.
561func (s String) PeekASN1Tag(tag asn1.Tag) bool {
562	if len(s) == 0 {
563		return false
564	}
565	return asn1.Tag(s[0]) == tag
566}
567
568// SkipASN1 reads and discards an ASN.1 element with the given tag. It
569// reports whether the operation was successful.
570func (s *String) SkipASN1(tag asn1.Tag) bool {
571	var unused String
572	return s.ReadASN1(&unused, tag)
573}
574
575// ReadOptionalASN1 attempts to read the contents of a DER-encoded ASN.1
576// element (not including tag and length bytes) tagged with the given tag into
577// out. It stores whether an element with the tag was found in outPresent,
578// unless outPresent is nil. It reports whether the read was successful.
579func (s *String) ReadOptionalASN1(out *String, outPresent *bool, tag asn1.Tag) bool {
580	present := s.PeekASN1Tag(tag)
581	if outPresent != nil {
582		*outPresent = present
583	}
584	if present && !s.ReadASN1(out, tag) {
585		return false
586	}
587	return true
588}
589
590// SkipOptionalASN1 advances s over an ASN.1 element with the given tag, or
591// else leaves s unchanged. It reports whether the operation was successful.
592func (s *String) SkipOptionalASN1(tag asn1.Tag) bool {
593	if !s.PeekASN1Tag(tag) {
594		return true
595	}
596	var unused String
597	return s.ReadASN1(&unused, tag)
598}
599
600// ReadOptionalASN1Integer attempts to read an optional ASN.1 INTEGER
601// explicitly tagged with tag into out and advances. If no element with a
602// matching tag is present, it writes defaultValue into out instead. If out
603// does not point to an integer or to a big.Int, it panics. It reports
604// whether the read was successful.
605func (s *String) ReadOptionalASN1Integer(out interface{}, tag asn1.Tag, defaultValue interface{}) bool {
606	if reflect.TypeOf(out).Kind() != reflect.Ptr {
607		panic("out is not a pointer")
608	}
609	var present bool
610	var i String
611	if !s.ReadOptionalASN1(&i, &present, tag) {
612		return false
613	}
614	if !present {
615		switch reflect.ValueOf(out).Elem().Kind() {
616		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64,
617			reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
618			reflect.ValueOf(out).Elem().Set(reflect.ValueOf(defaultValue))
619		case reflect.Struct:
620			if reflect.TypeOf(out).Elem() != bigIntType {
621				panic("invalid integer type")
622			}
623			if reflect.TypeOf(defaultValue).Kind() != reflect.Ptr ||
624				reflect.TypeOf(defaultValue).Elem() != bigIntType {
625				panic("out points to big.Int, but defaultValue does not")
626			}
627			out.(*big.Int).Set(defaultValue.(*big.Int))
628		default:
629			panic("invalid integer type")
630		}
631		return true
632	}
633	if !i.ReadASN1Integer(out) || !i.Empty() {
634		return false
635	}
636	return true
637}
638
639// ReadOptionalASN1OctetString attempts to read an optional ASN.1 OCTET STRING
640// explicitly tagged with tag into out and advances. If no element with a
641// matching tag is present, it sets "out" to nil instead. It reports
642// whether the read was successful.
643func (s *String) ReadOptionalASN1OctetString(out *[]byte, outPresent *bool, tag asn1.Tag) bool {
644	var present bool
645	var child String
646	if !s.ReadOptionalASN1(&child, &present, tag) {
647		return false
648	}
649	if outPresent != nil {
650		*outPresent = present
651	}
652	if present {
653		var oct String
654		if !child.ReadASN1(&oct, asn1.OCTET_STRING) || !child.Empty() {
655			return false
656		}
657		*out = oct
658	} else {
659		*out = nil
660	}
661	return true
662}
663
664// ReadOptionalASN1Boolean sets *out to the value of the next ASN.1 BOOLEAN or,
665// if the next bytes are not an ASN.1 BOOLEAN, to the value of defaultValue.
666// It reports whether the operation was successful.
667func (s *String) ReadOptionalASN1Boolean(out *bool, defaultValue bool) bool {
668	var present bool
669	var child String
670	if !s.ReadOptionalASN1(&child, &present, asn1.BOOLEAN) {
671		return false
672	}
673
674	if !present {
675		*out = defaultValue
676		return true
677	}
678
679	return s.ReadASN1Boolean(out)
680}
681
682func (s *String) readASN1(out *String, outTag *asn1.Tag, skipHeader bool) bool {
683	if len(*s) < 2 {
684		return false
685	}
686	tag, lenByte := (*s)[0], (*s)[1]
687
688	if tag&0x1f == 0x1f {
689		// ITU-T X.690 section 8.1.2
690		//
691		// An identifier octet with a tag part of 0x1f indicates a high-tag-number
692		// form identifier with two or more octets. We only support tags less than
693		// 31 (i.e. low-tag-number form, single octet identifier).
694		return false
695	}
696
697	if outTag != nil {
698		*outTag = asn1.Tag(tag)
699	}
700
701	// ITU-T X.690 section 8.1.3
702	//
703	// Bit 8 of the first length byte indicates whether the length is short- or
704	// long-form.
705	var length, headerLen uint32 // length includes headerLen
706	if lenByte&0x80 == 0 {
707		// Short-form length (section 8.1.3.4), encoded in bits 1-7.
708		length = uint32(lenByte) + 2
709		headerLen = 2
710	} else {
711		// Long-form length (section 8.1.3.5). Bits 1-7 encode the number of octets
712		// used to encode the length.
713		lenLen := lenByte & 0x7f
714		var len32 uint32
715
716		if lenLen == 0 || lenLen > 4 || len(*s) < int(2+lenLen) {
717			return false
718		}
719
720		lenBytes := String((*s)[2 : 2+lenLen])
721		if !lenBytes.readUnsigned(&len32, int(lenLen)) {
722			return false
723		}
724
725		// ITU-T X.690 section 10.1 (DER length forms) requires encoding the length
726		// with the minimum number of octets.
727		if len32 < 128 {
728			// Length should have used short-form encoding.
729			return false
730		}
731		if len32>>((lenLen-1)*8) == 0 {
732			// Leading octet is 0. Length should have been at least one byte shorter.
733			return false
734		}
735
736		headerLen = 2 + uint32(lenLen)
737		if headerLen+len32 < len32 {
738			// Overflow.
739			return false
740		}
741		length = headerLen + len32
742	}
743
744	if int(length) < 0 || !s.ReadBytes((*[]byte)(out), int(length)) {
745		return false
746	}
747	if skipHeader && !out.Skip(int(headerLen)) {
748		panic("cryptobyte: internal error")
749	}
750
751	return true
752}
753