img4-dump 1.1.0

Extracts payloads and metadata from IMG4/IM4P/IM4M; decrypts with user-supplied IV+Key; optional LZFSE/LZSS decompress.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717

use anyhow::{anyhow, bail, Result};
use der_parser::der::{parse_der, Class, DerObject};
use serde::Serialize;
use log::{debug, warn};

/// Top-level kind detected
#[derive(Copy, Clone, Debug, Serialize)]
pub enum ContainerKind {
    Img4,
    Im4pStandalone,
    Im4mStandalone,
}

/// Fully-owned parse result (no lifetime ties to local parser temps)
#[derive(Debug)]
pub struct Parsed {
    pub kind: ContainerKind,
    pub im4p: Option<Im4p>,
    pub im4m: Option<Im4m>,
    pub im4r: Option<Vec<u8>>,
}

#[derive(Debug, Clone, Serialize)]
pub struct KbagEntry {
    pub kclass: u64,   // 1=prod, 2=dev
    pub iv: Vec<u8>,   // 16 bytes
    pub key: Vec<u8>,  // 16/24/32 bytes
}

#[derive(Debug)]
pub struct Im4p {
    pub r#type: String,
    pub description: String,
    pub data: Vec<u8>,
    pub kbag_der: Option<Vec<u8>>,
    pub kbag_summary: Option<Vec<KbagEntry>>,
}

#[derive(Debug)]
pub struct Im4m {
    /// Raw DER bytes of the IM4M sequence (owned).
    pub raw: Vec<u8>,
}

#[derive(Debug, Clone, Serialize)]
#[serde(tag = "type", content = "value")]
pub enum Im4mValue {
    Integer(u128),                     // DER INTEGER (non-negative, as commonly used in IM4M)
    Boolean(bool),                     // DER BOOLEAN
    Ia5String(String),                 // DER IA5String
    OctetString(String),               // hex
    BitString(String),                 // hex (unused bits not modeled)
    Null,                              // DER NULL
    SequenceLen(usize),                // for unexpected SEQUENCE payloads
    SetLen(usize),                     // for unexpected SET payloads
    Unknown { class_id: u8, tag: u32, len: usize },
}

#[derive(Debug, Clone, Serialize)]
pub struct Im4mProperty {
    pub key: String,   // 4-char IA5 tag (e.g., "DGST","CEPO")
    pub value: Im4mValue,
}

#[derive(Debug, Clone, Serialize)]
pub struct Im4mImageManifest {
    pub fourcc: String,  // e.g. "krnl", "bstc"
    pub properties: Vec<Im4mProperty>,
}

#[derive(Debug, Clone, Serialize)]
pub struct Im4pInfo {
    pub r#type: String,
    pub description: String,
    pub data_len: usize,
    pub kbag: Option<Vec<KbagEntry>>,
}

#[derive(Debug, Clone, Serialize)]
pub struct Im4mInfoSummary {
    pub version: Option<u64>,
    pub manifest_property_tags: Vec<String>,
    pub images_present: Vec<String>,
    pub cert_chain_len: Option<usize>,
    pub signature_len: Option<usize>,
}

pub fn parse_img4_like(bytes: &[u8]) -> Result<Parsed> {
    debug!("parse_img4_like: starting, input length {}", bytes.len());
    let (_, obj) = parse_der(bytes).map_err(|e| anyhow!("DER: {}", e))?;
    let seq = obj.as_sequence().map_err(|_| anyhow!("top-level not SEQUENCE"))?;

    let label_str = seq
        .get(0)
        .and_then(ia5str)
        .ok_or_else(|| anyhow!("missing label"))?;
    debug!("top-level label: {}", label_str);

    if label_str == "IMG4" {
        // IMG4: ["IMG4", IM4P, [0] IM4M?, [1] IM4R?]
        debug!("Detected IMG4 container");
        let im4p = parse_im4p_from_der_obj(
            seq.get(1)
                .ok_or_else(|| anyhow!("IMG4 missing IM4P"))?,
        )?;
        debug!("Parsed IM4P successfully");

        let mut im4m = None;
        let mut im4r = None;

        for child in &seq[2..] {
            let hdr = child.header.clone();
            if hdr.class() == Class::ContextSpecific {
                let t = hdr.tag().0;
                if t == 0 {
                    debug!("Found context-specific [0] (IM4M)");
                    // [0] contains the complete DER of IM4M: keep raw bytes, validate label
                    if let Ok(inner_der) = child.as_slice() {
                        im4m = Some(im4m_from_bytes(inner_der)?);
                        debug!("Parsed IM4M from context-specific tag");
                    }
                } else if t == 1 {
                    debug!("Found context-specific [1] (IM4R)");
                    // [1] IM4R opaque
                    if let Ok(bytes) = child.as_slice() {
                        im4r = Some(bytes.to_vec());
                        debug!("Captured IM4R payload, {} bytes", bytes.len());
                    }
                }
            }
        }

        Ok(Parsed {
            kind: ContainerKind::Img4,
            im4p: Some(im4p),
            im4m,
            im4r,
        })
    } else if label_str == "IM4P" {
        debug!("Detected standalone IM4P");
        let im4p = parse_im4p_from_der_obj(&obj)?;
        Ok(Parsed {
            kind: ContainerKind::Im4pStandalone,
            im4p: Some(im4p),
            im4m: None,
            im4r: None,
        })
    } else if label_str == "IM4M" {
        debug!("Detected standalone IM4M");
        // Standalone IM4M: use the entire input as raw DER, validate label
        let im4m = im4m_from_bytes(bytes)?;
        Ok(Parsed {
            kind: ContainerKind::Im4mStandalone,
            im4p: None,
            im4m: Some(im4m),
            im4r: None,
        })
    } else {
        warn!("Unknown top-level label: {}", label_str);
        bail!("unknown top-level label: {label_str}");
    }
}

fn parse_im4p_from_der_obj(obj: &DerObject) -> Result<Im4p> {
    debug!("parse_im4p_from_der_obj: entering");
    let seq = obj.as_sequence().map_err(|_| anyhow!("IM4P not SEQUENCE"))?;

    // 0: "IM4P"
    let s0 = seq
        .get(0)
        .and_then(ia5str)
        .ok_or_else(|| anyhow!("IM4P label missing"))?;
    if s0 != "IM4P" {
        bail!("IM4P[0] != \"IM4P\"");
    }
    debug!("IM4P label confirmed");

    // 1: type (4 ASCII)
    let ty = seq
        .get(1)
        .and_then(ia5str)
        .ok_or_else(|| anyhow!("IM4P type missing"))?
        .to_string();
    debug!("IM4P type: {}", ty);

    // 2: description
    let desc = seq
        .get(2)
        .and_then(ia5str)
        .ok_or_else(|| anyhow!("IM4P description missing"))?
        .to_string();
    debug!("IM4P description length: {}", desc.len());

    // 3: payload data
    let data = seq
        .get(3)
        .and_then(as_bytes)
        .ok_or_else(|| anyhow!("IM4P data missing"))?
        .to_vec();
    debug!("IM4P payload size: {} bytes", data.len());

    // 4: optional KBAG (OCTET STRING containing DER)
    let kbag_der_vec = seq.get(4).and_then(as_bytes).map(|b| b.to_vec());
    if kbag_der_vec.is_some() {
        debug!("IM4P contains KBAG");
    } else {
        debug!("IM4P does not contain KBAG");
    }

    let kbag_summary = if let Some(ref kraw) = kbag_der_vec {
        match parse_kbag_summary(kraw) {
            Ok(summary) => {
                debug!("Parsed KBAG with {} entries", summary.len());
                Some(summary)
            }
            Err(e) => {
                warn!("Failed to parse KBAG: {}", e);
                None
            }
        }
    } else {
        None
    };

    Ok(Im4p {
        r#type: ty,
        description: desc,
        data,
        kbag_der: kbag_der_vec,
        kbag_summary,
    })
}

fn parse_kbag_summary(kbag_der: &[u8]) -> Result<Vec<KbagEntry>> {
    debug!(
        "parse_kbag_summary: entering, KBAG DER size {} bytes",
        kbag_der.len()
    );
    let (_, obj) = parse_der(kbag_der).map_err(|e| anyhow!("KBAG DER: {e}"))?;
    let seq = obj.as_sequence().map_err(|_| anyhow!("KBAG not SEQUENCE"))?;

    let mut out = Vec::new();
    for (idx, entry) in seq.iter().enumerate() {
        let es = entry
            .as_sequence()
            .map_err(|_| anyhow!("KBAG entry not SEQUENCE"))?;
        if es.len() != 3 {
            bail!("KBAG entry malformed");
        }
        let kclass = es[0].as_u64().map_err(|_| anyhow!("KBAG class not INTEGER"))?;
        let iv = es[1].as_slice().map_err(|_| anyhow!("KBAG iv not OCTET STRING"))?.to_vec();
        let key = es[2].as_slice().map_err(|_| anyhow!("KBAG key not OCTET STRING"))?.to_vec();
        debug!(
            "KBAG entry {}: class={}, iv_len={}, key_len={}",
            idx,
            kclass,
            iv.len(),
            key.len()
        );
        out.push(KbagEntry { kclass, iv, key });
    }
    debug!("parse_kbag_summary: finished, total {} entries", out.len());
    Ok(out)
}

/// Build an Im4m by **owning the exact raw DER bytes** and validating the label.
fn im4m_from_bytes(bytes: &[u8]) -> Result<Im4m> {
    debug!(
        "im4m_from_bytes: entering, candidate DER size {} bytes",
        bytes.len()
    );
    let (_, obj) = parse_der(bytes).map_err(|e| anyhow!("IM4M DER: {e}"))?;
    let seq = obj.as_sequence().map_err(|_| anyhow!("IM4M not SEQUENCE"))?;
    let lbl = seq
        .get(0)
        .and_then(ia5str)
        .ok_or_else(|| anyhow!("IM4M label missing"))?;
    if lbl != "IM4M" {
        bail!("label != IM4M");
    }
    debug!("IM4M label confirmed");
    Ok(Im4m { raw: bytes.to_vec() })
}

pub fn summarize_im4m(im4m: &Im4m) -> Result<Im4mInfoSummary> {
    debug!(
        "summarize_im4m: start, raw DER size {} bytes",
        im4m.raw.len()
    );
    // Decode top-level to extract version, signature, cert chain lengths (as before)
    let (_, obj) = parse_der(&im4m.raw).map_err(|e| anyhow!("IM4M DER: {e}"))?;
    let seq = obj.as_sequence().map_err(|_| anyhow!("IM4M not SEQUENCE"))?;

    let lbl = seq
        .get(0)
        .and_then(ia5str)
        .ok_or_else(|| anyhow!("IM4M label missing"))?;
    if lbl != "IM4M" {
        bail!("label != IM4M");
    }
    debug!("IM4M label validated");

    let version = seq.get(1).and_then(|o| o.as_u64().ok());
    debug!("IM4M version: {:?}", version);

    let signature_len = seq
        .get(3)
        .and_then(|o| o.as_slice().ok())
        .map(|b| b.len());
    debug!("IM4M signature length: {:?}", signature_len);

    let cert_chain_len = seq
        .get(4)
        .and_then(|o| o.as_sequence().ok())
        .map(|s| s.len());
    debug!("IM4M cert chain length: {:?}", cert_chain_len);

    // NEW: collect all IA5 strings (4-char) anywhere inside IM4M (including under private/context-specific)
    let mut tokens = Vec::<String>::new();
    scan_der_collect_ia5_fourccs(&im4m.raw, &mut tokens)?;
    debug!("Collected {} IA5 tokens before dedup", tokens.len());
    dedup_stable(&mut tokens);
    debug!("Token count after dedup: {}", tokens.len());

    // Populate fields
    let manifest_property_tags = tokens
        .iter()
        .filter(|s| s.as_str() == "MANB" || s.as_str() == "MANP")
        .cloned()
        .collect::<Vec<_>>();
    debug!(
        "Manifest property tags identified: {:?}",
        manifest_property_tags
    );

    // Heuristic: image 4CCs are commonly lowercase (e.g., "krnl","sepi"), but avoid false positives
    // We exclude well-known property keys that are 4-char IA5.
    const NON_IMAGE_KEYS: &[&str] = &[
        "IM4M", "MANB", "MANP", "DGST", "CEPO", "CPRO", "SDOM", "augs", "clas", "fchp", "pave", "srvn",
        "styp", "type", "upcl", "vnum", "gdmg", "ginc", "ginf", "gtcd", "gtgv",
    ];
    let images_present = tokens
        .iter()
        .filter(|s| {
            s.len() == 4
                && !NON_IMAGE_KEYS.contains(&s.as_str())
                && s.chars().all(|c| c.is_ascii_lowercase())
        })
        .cloned()
        .collect::<Vec<_>>();
    debug!("Images present identified: {:?}", images_present);

    Ok(Im4mInfoSummary {
        version,
        manifest_property_tags,
        images_present,
        cert_chain_len,
        signature_len,
    })
}

/// Extract certificate chain from IM4M.
/// Returns a Vec of DER-encoded X.509 certificates (owned).
pub fn extract_im4m_cert_chain(raw: &[u8]) -> anyhow::Result<Vec<Vec<u8>>> {
    // Manually parse to extract raw DER bytes including headers
    let mut out: Vec<Vec<u8>> = Vec::new();
    
    // Parse top-level IM4M SEQUENCE to find chain at index 4
    let mut pos = 0usize;
    let (tag_len, _, _, _) = der_read_tag(&raw[pos..]).map_err(|e| anyhow::anyhow!("IM4M tag: {e}"))?;
    pos += tag_len;
    let (len_len, _) = der_read_len(&raw[pos..]).map_err(|e| anyhow::anyhow!("IM4M len: {e}"))?;
    pos += len_len;
    
    // Skip to index 4 by parsing elements 0..4
    for idx in 0..5 {
        let elem_start = pos;
        let (tag_len, class, constructed, tag_no) = der_read_tag(&raw[pos..])
            .map_err(|e| anyhow::anyhow!("elem[{idx}] tag: {e}"))?;
        pos += tag_len;
        let (len_len, elem_len) = der_read_len(&raw[pos..])
            .map_err(|e| anyhow::anyhow!("elem[{idx}] len: {e}"))?;
        pos += len_len;
        
        if idx == 4 {
            // This is the cert chain container (should be SEQUENCE)
            if class != 0 || tag_no != 16 {
                return Ok(Vec::new()); // Not a SEQUENCE, no certs
            }
            
            // Parse inner SEQUENCE of certificates
            let chain_end = pos + elem_len;
            while pos < chain_end {
                let cert_start = pos;
                let (cert_tag_len, cert_class, cert_constructed, cert_tag) = der_read_tag(&raw[pos..])
                    .map_err(|e| anyhow::anyhow!("cert tag: {e}"))?;
                pos += cert_tag_len;
                let (cert_len_len, cert_len) = der_read_len(&raw[pos..])
                    .map_err(|e| anyhow::anyhow!("cert len: {e}"))?;
                pos += cert_len_len;
                let cert_full_len = cert_tag_len + cert_len_len + cert_len;
                
                debug!("cert[{}]: @{:04x} class={}, tag={}, len={}", out.len(), cert_start, cert_class, cert_tag, cert_len);
                
                // Extract certificate based on encoding
                match (cert_class, cert_tag) {
                    (0, 4) => {
                        // OCTET STRING: content is the DER cert
                        out.push(raw[pos..pos + cert_len].to_vec());
                    }
                    (0, 16) => {
                        // SEQUENCE: full TLV is the DER cert
                        out.push(raw[cert_start..cert_start + cert_full_len].to_vec());
                    }
                    _ => {
                        // Unknown: try to handle gracefully
                        let content = &raw[pos..pos + cert_len];
                        if !content.is_empty() && content[0] == 0x30 {
                            out.push(content.to_vec());
                        } else {
                            out.push(encode_der_sequence(content));
                        }
                    }
                }
                
                pos += cert_len;
            }
            break;
        } else {
            // Skip this element
            pos += elem_len;
        }
    }
    
    Ok(out)
}

/// Build a valid DER SEQUENCE (0x30) around `content`.
fn encode_der_sequence(content: &[u8]) -> Vec<u8> {
    let mut v = Vec::with_capacity(1 + der_len_encoded_bytes(content.len()) + content.len());
    v.push(0x30); // UNIVERSAL SEQUENCE (constructed)
    write_der_len(&mut v, content.len());
    v.extend_from_slice(content);
    v
}

fn der_len_encoded_bytes(len: usize) -> usize {
    if len < 128 { 1 } else {
        let mut n = 0usize;
        let mut tmp = len;
        while tmp > 0 { n += 1; tmp >>= 8; }
        1 + n
    }
}

fn write_der_len(buf: &mut Vec<u8>, len: usize) {
    if len < 128 {
        buf.push(len as u8);
    } else {
        // Long-form definite length per DER
        let mut bytes = [0u8; 8]; // enough for usize on 64-bit
        let mut n = 0usize;
        let mut tmp = len;
        while tmp > 0 {
            bytes[7 - n] = (tmp & 0xFF) as u8;
            tmp >>= 8;
            n += 1;
        }
        buf.push(0x80 | (n as u8));
        buf.extend_from_slice(&bytes[8 - n..]);
    }
}

/// Extracts all properties of the form SEQUENCE { IA5String(4CC), ANY } found anywhere in the IM4M.
pub fn extract_im4m_properties(raw: &[u8]) -> Result<Vec<Im4mProperty>> {
    let (_, obj) = parse_der(raw).map_err(|e| anyhow!("IM4M DER: {e}"))?;
    let mut out = Vec::<Im4mProperty>::new();
    collect_props_from_obj(&obj, &mut out)?;
    Ok(out)
}

fn collect_props_from_obj(o: &DerObject, out: &mut Vec<Im4mProperty>) -> Result<()> {
    // If this is a SEQUENCE, check for the { IA5String(4CC), ANY } pattern
    if let Ok(seq) = o.as_sequence() {
        if seq.len() >= 2 {
            if let Some(k) = ia5str(&seq[0]) {
                if k.len() == 4 && k.chars().all(|c| c.is_ascii_graphic()) {
                    let v = decode_any_value(&seq[1])?;
                    out.push(Im4mProperty { key: k.to_string(), value: v });
                }
            }
        }
        // Recurse into children regardless, since properties can nest
        for ch in seq {
            collect_props_from_obj(ch, out)?;
        }
        return Ok(());
    }

    // If this is a SET, also recurse
    if let Ok(set) = o.as_set() {
        for ch in set {
            collect_props_from_obj(ch, out)?;
        }
        return Ok(());
    }

    // For any constructed object (context/private/application), parse its content as DER and recurse
    let h = &o.header;
    if h.is_constructed() {
        if let Ok(bytes) = o.as_slice() {
            let mut off = 0usize;
            while off < bytes.len() {
                let (rem, child) = parse_der(&bytes[off..]).map_err(|e| anyhow!("inner DER: {e}"))?;
                let consumed = bytes[off..].len() - rem.len();
                collect_props_from_obj(&child, out)?;
                off += consumed;
            }
        }
    }
    Ok(())
}

fn decode_any_value(o: &DerObject) -> Result<Im4mValue> {
    let h = &o.header;
    // Convert the Class enum into its underlying integer representation
    let class_num = h.class() as u8;
    let tag = h.tag().0;
    // UNIVERSAL = 0; tag numbers per X.690
    if class_num == 0 {
        match tag {
            1 => {
                // BOOLEAN
                let b = o.as_bool().map_err(|_| anyhow!("BOOLEAN decode"))?;
                return Ok(Im4mValue::Boolean(b));
            }
            2 => {
                // INTEGER (treat as non-negative big-int; IM4M integers are typically small)
                // If negative occurs, map via two's complement to u128 magnitude.
                if let Ok(u) = o.as_u64() {
                    return Ok(Im4mValue::Integer(u as u128));
                }
                // Fallback: read raw bytes and decode as unsigned magnitude
                if let Ok(bytes) = o.as_slice() {
                    let mut acc: u128 = 0;
                    for &b in bytes {
                        acc = (acc << 8) | (b as u128);
                    }
                    return Ok(Im4mValue::Integer(acc));
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
            3 => {
                // BIT STRING
                if let Ok(bytes) = o.as_slice() {
                    return Ok(Im4mValue::BitString(hex::encode(bytes)));
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
            4 => {
                // OCTET STRING
                if let Ok(bytes) = o.as_slice() {
                    return Ok(Im4mValue::OctetString(hex::encode(bytes)));
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
            5 => return Ok(Im4mValue::Null),
            16 => {
                if let Ok(seq) = o.as_sequence() {
                    return Ok(Im4mValue::SequenceLen(seq.len()));
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
            17 => {
                if let Ok(set) = o.as_set() {
                    return Ok(Im4mValue::SetLen(set.len()));
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
            22 => {
                if let Some(s) = ia5str(o) {
                    return Ok(Im4mValue::Ia5String(s.to_string()));
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
            _ => {
                if let Ok(bytes) = o.as_slice() {
                    return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: bytes.len() });
                }
                return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? });
            }
        }
    } else {
        // Non-universal: leave as Unknown, but include tag class/tag number
        if let Ok(bytes) = o.as_slice() {
            return Ok(Im4mValue::Unknown { class_id: class_num, tag, len: bytes.len() });
        }
        Ok(Im4mValue::Unknown { class_id: class_num, tag, len: o.length().definite()? })
    }
}

// ---------- helpers (append these near existing helpers) ----------

fn dedup_stable(v: &mut Vec<String>) {
    v.sort();
    v.dedup();
}

/// Class-agnostic DER walker that collects IA5String tokens of length 4, recursively.
/// Handles constructed UNIVERSAL/PRIVATE/CONTEXT-SPECIFIC by parsing child DER items inside the value region.
///
/// DER assumptions: definite length (Image4 is DER). Indefinite lengths are rejected.
fn scan_der_collect_ia5_fourccs(input: &[u8], out: &mut Vec<String>) -> Result<()> {
    let mut off = 0usize;
    while off < input.len() {
        let (tag_len, class, constructed, tag_no) = der_read_tag(&input[off..])?;
        let len_off = off + tag_len;
        let (len_len, content_len) = der_read_len(&input[len_off..])?;
        let hdr_len = tag_len + len_len;

        let val_start = off + hdr_len;
        let val_end = val_start
            .checked_add(content_len)
            .ok_or_else(|| anyhow!("overflow"))?;
        if val_end > input.len() {
            bail!("IM4M: element exceeds buffer");
        }

        // Collect IA5String 4CCs (UNIVERSAL class, tag_no == 22)
        if class == 0 && tag_no == 22 {
            let s = &input[val_start..val_end];
            if let Ok(su) = std::str::from_utf8(s) {
                if su.len() == 4 && su.chars().all(|c| c.is_ascii_graphic()) {
                    out.push(su.to_string());
                    debug!("Found IA5 token: {}", su);
                }
            }
        }

        // Recurse into constructed values (any class): their content is a concatenation of DER elements.
        if constructed {
            debug!(
                "Recursing into constructed tag (class={}, tag_no={}) at offset {}",
                class, tag_no, off
            );
            scan_der_collect_ia5_fourccs(&input[val_start..val_end], out)?;
        }

        off = val_end;
    }
    Ok(())
}

/// Parse DER tag header: returns (bytes_consumed, class(0..3), constructed, tag_number)
fn der_read_tag(i: &[u8]) -> Result<(usize, u8, bool, u32)> {
    if i.is_empty() {
        bail!("short tag");
    }
    let b0 = i[0];
    let class = (b0 & 0b1100_0000) >> 6; // 0=universal,1=application,2=context,3=private
    let constructed = (b0 & 0b0010_0000) != 0;
    let mut tag_no = (b0 & 0b0001_1111) as u32;
    let mut idx = 1usize;

    if tag_no == 0b1_1111 {
        // High-tag-number form: base-128 big-endian, MSB=1 continuation, last MSB=0
        tag_no = 0;
        loop {
            if idx >= i.len() {
                bail!("short high-tag-number");
            }
            let b = i[idx];
            idx += 1;
            tag_no = (tag_no << 7) | (b & 0x7F) as u32;
            if (b & 0x80) == 0 {
                break;
            }
            // DER requires shortest form; unlimited loop bounded by buffer size here
        }
    }

    Ok((idx, class, constructed, tag_no))
}

/// Parse DER definite length: returns (bytes_consumed, content_length)
fn der_read_len(i: &[u8]) -> Result<(usize, usize)> {
    if i.is_empty() {
        bail!("short length");
    }
    let b0 = i[0];
    if (b0 & 0x80) == 0 {
        // short form
        Ok((1, (b0 & 0x7F) as usize))
    } else {
        let n = (b0 & 0x7F) as usize;
        if n == 0 {
            bail!("indefinite length not allowed in DER");
        }
        if i.len() < 1 + n {
            bail!("short long-form length");
        }
        let mut len: usize = 0;
        for &b in &i[1..=n] {
            len = (len << 8) | (b as usize);
        }
        Ok((1 + n, len))
    }
}

/* ---------- helpers ---------- */

fn as_bytes<'a>(o: &'a DerObject<'a>) -> Option<&'a [u8]> {
    o.as_slice().ok()
}
fn ia5str<'a>(o: &'a DerObject<'a>) -> Option<&'a str> {
    o.as_slice().ok().and_then(|s| std::str::from_utf8(s).ok())
}