Cleanup ASN1 decoding routines

leshi · leshi · commit cdb1b2dfd033 · 2016-02-03T14:16:41.000-08:00
diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/U2FServerReferenceImpl.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/U2FServerReferenceImpl.java
@@ -46,6 +46,7 @@
 import com.google.u2f.server.data.SecurityKeyData;
 import com.google.u2f.server.data.SecurityKeyData.Transports;
 import com.google.u2f.server.data.SignSessionData;
+import com.google.u2f.server.impl.attestation.X509ExtentionParsingUtil;
 import com.google.u2f.server.messages.RegisteredKey;
 import com.google.u2f.server.messages.RegistrationRequest;
 import com.google.u2f.server.messages.RegistrationResponse;
@@ -325,36 +326,12 @@ public SecurityKeyData processSignResponse(SignResponse signResponse) throws U2F
    */
   public static List<Transports> parseTransportsExtension(X509Certificate cert)
       throws CertificateParsingException{
-    byte[] extValue = cert.getExtensionValue(TRANSPORT_EXTENSION_OID);
     LinkedList<Transports> transportsList = new LinkedList<Transports>();
-    if (extValue == null) {
-      // No transports extension found.
-      return null;
-    }
-
-    ASN1InputStream ais = new ASN1InputStream(extValue);
-    ASN1Object asn1Object;
-    // Read out the OctetString
-    try {
-      asn1Object = ais.readObject();
-      ais.close();
-    } catch (IOException e) {
-      throw new CertificateParsingException("Not able to read object in transports extenion", e);
-    }
-
-    if (asn1Object == null || !(asn1Object instanceof DEROctetString)) {
-      throw new CertificateParsingException("No Octet String found in transports extension");
-    }
-    DEROctetString octet = (DEROctetString) asn1Object;
+    DEROctetString extValue =
+        X509ExtentionParsingUtil.extractExtensionValue(cert, TRANSPORT_EXTENSION_OID);
 
     // Read out the BitString
-    ais = new  ASN1InputStream(octet.getOctets());
-    try {
-      asn1Object = ais.readObject();
-      ais.close();
-    } catch (IOException e) {
-      throw new CertificateParsingException("Not able to read object in transports extension", e);
-    }
+    ASN1Object asn1Object = X509ExtentionParsingUtil.getAsn1Object(extValue.getOctets());
     if (asn1Object == null || !(asn1Object instanceof DERBitString)) {
       throw new CertificateParsingException("No BitString found in transports extension");
     }
diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/X509ExtentionParsingUtil.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/X509ExtentionParsingUtil.java
@@ -0,0 +1,46 @@
+package com.google.u2f.server.impl.attestation;
+
+import org.bouncycastle.asn1.ASN1InputStream;
+import org.bouncycastle.asn1.ASN1Object;
+import org.bouncycastle.asn1.DEROctetString;
+
+import java.io.IOException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+
+/**
+ * A set of utilities for parsing X509 Extensions
+ */
+public class X509ExtentionParsingUtil {
+  public static DEROctetString extractExtensionValue(X509Certificate cert, String Oid)
+      throws CertificateParsingException {
+    byte[] extensionValue = cert.getExtensionValue(Oid);
+
+    if (extensionValue == null || extensionValue.length == 0) {
+      throw new CertificateParsingException("Did not find extension with OID " + Oid);
+    }
+
+    ASN1Object asn1Object  = getAsn1Object(extensionValue);
+    if (asn1Object == null || !(asn1Object instanceof DEROctetString)) {
+      throw new CertificateParsingException("Expected DEROctetString.");
+    }
+    
+    return (DEROctetString) asn1Object;
+  }
+  
+  public static ASN1Object getAsn1Object(byte[] octets) throws CertificateParsingException {
+    ASN1InputStream ais = new ASN1InputStream(octets);
+    // Read the key description octet string
+    try {
+      return ais.readObject();
+    } catch (IOException e) {
+      throw new CertificateParsingException("Not able to read ASN.1 object", e);
+    } finally {
+      try {
+        ais.close();
+      } catch (IOException e) {
+        throw new CertificateParsingException("Not able to close ASN.1 stream", e);  
+      }
+    }
+  }
+}
diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/Algorithm.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/Algorithm.java
@@ -1,4 +1,4 @@
-package com.google.u2f.server.impl.androidattestation;
+package com.google.u2f.server.impl.attestation.android;
 
 import java.security.cert.CertificateParsingException;
 
diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/AndroidKeyStoreAttestation.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/AndroidKeyStoreAttestation.java
@@ -1,17 +1,16 @@
-package com.google.u2f.server.impl.androidattestation;
+package com.google.u2f.server.impl.attestation.android;
+
+import com.google.u2f.server.impl.attestation.X509ExtentionParsingUtil;
 
 import org.bouncycastle.asn1.ASN1Encodable;
-import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.ASN1Integer;
 import org.bouncycastle.asn1.ASN1Object;
 import org.bouncycastle.asn1.ASN1Primitive;
-import org.bouncycastle.asn1.ASN1Sequence;
 import org.bouncycastle.asn1.DEROctetString;
 import org.bouncycastle.asn1.DERSet;
 import org.bouncycastle.asn1.DERTaggedObject;
 import org.bouncycastle.asn1.DLSequence;
 
-import java.io.IOException;
 import java.math.BigInteger;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.X509Certificate;
@@ -136,7 +135,8 @@ private AndroidKeyStoreAttestation(Integer keymasterVersion, byte[] attestationC
   public static AndroidKeyStoreAttestation Parse(X509Certificate cert)
       throws CertificateParsingException {
     // Extract the extension from the certificate
-    byte[] extensionValue = extractExtensionValue(cert);
+    DEROctetString extensionValue =
+        X509ExtentionParsingUtil.extractExtensionValue(cert, KEY_DESCRIPTION_OID);
 
     // Get the KeyDescription sequence
     DLSequence keyDescriptionSequence = getKeyDescriptionSequence(extensionValue);
@@ -151,8 +151,8 @@ public static AndroidKeyStoreAttestation Parse(X509Certificate cert)
     DLSequence softwareEnforcedSequence = getSoftwareEncodedSequence(keyDescriptionSequence);
     AuthorizationList softwareAuthorizationList =
         extractAuthorizationList(softwareEnforcedSequence);
-    
-    // TODO(aczeskis) Extract the tee authorization list 
+
+    // TODO(aczeskis) Extract the TEE authorization list
 
     return new AndroidKeyStoreAttestation(keymasterVersion, challenge, softwareAuthorizationList);
   }
@@ -178,43 +178,10 @@ public byte[] getAttestationChallenge() {
     return attestationChallenge;
   }
 
-  private static byte[] extractExtensionValue(X509Certificate cert)
-      throws CertificateParsingException {
-    byte[] extensionValue = cert.getExtensionValue(KEY_DESCRIPTION_OID);
-
-    if (extensionValue == null || extensionValue.length == 0) {
-      throw new CertificateParsingException(
-          "Did not find KeyDescription extension with OID " + KEY_DESCRIPTION_OID);
-    }
-
-    return extensionValue;
-  }
-
-  private static DLSequence getKeyDescriptionSequence(byte[] extensionValue)
+  private static DLSequence getKeyDescriptionSequence(DEROctetString octet)
       throws CertificateParsingException {
-    ASN1InputStream ais = new ASN1InputStream(extensionValue);
-    ASN1Object asn1Object;
-
-    // Read the key description octet string
-    try {
-      asn1Object = ais.readObject();
-      ais.close();
-    } catch (IOException e) {
-      throw new CertificateParsingException("Not able to read KeyDescription ASN.1 object", e);
-    }
-    if (asn1Object == null || !(asn1Object instanceof DEROctetString)) {
-      throw new CertificateParsingException("Expected KeyDescription Octet String.");
-    }
-    DEROctetString octet = (DEROctetString) asn1Object;
-
     // Read out the Sequence
-    ais = new ASN1InputStream(octet.getOctets());
-    try {
-      asn1Object = ais.readObject();
-      ais.close();
-    } catch (IOException e) {
-      throw new CertificateParsingException("Not able to read KeyDescription Octet String.", e);
-    }
+    ASN1Object asn1Object = X509ExtentionParsingUtil.getAsn1Object(octet.getOctets());
     if (asn1Object == null || !(asn1Object instanceof DLSequence)) {
       throw new CertificateParsingException("Expected KeyDescription Sequence.");
     }
diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/AuthorizationList.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/AuthorizationList.java
@@ -1,4 +1,4 @@
-package com.google.u2f.server.impl.androidattestation;
+package com.google.u2f.server.impl.attestation.android;
 
 import java.util.List;
 
diff --git a/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/Purpose.java b/u2f-ref-code/java/src/com/google/u2f/server/impl/attestation/android/Purpose.java
@@ -1,4 +1,4 @@
-package com.google.u2f.server.impl.androidattestation;
+package com.google.u2f.server.impl.attestation.android;
 
 import java.security.cert.CertificateParsingException;
 
diff --git a/u2f-ref-code/java/tests/com/google/u2f/server/impl/attestation/android/AndroidKeyStoreAttestationTest.java b/u2f-ref-code/java/tests/com/google/u2f/server/impl/attestation/android/AndroidKeyStoreAttestationTest.java
@@ -1,4 +1,4 @@
-package com.google.u2f.server.impl.androidattestation;
+package com.google.u2f.server.impl.attestation.android;
 
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package com.google.u2f.server.impl.androidattestation;`
	`1`	`+package com.google.u2f.server.impl.attestation.android;`
`2`	`2`
`3`	`3`	`import java.security.cert.CertificateParsingException;`
`4`	`4`