krypteia-arcana 0.1.0

Pure-Rust classical cryptographic primitives: RSA (PKCS#1 v1.5, OAEP), ECC (NIST P-256/384/521, secp256k1), ECDSA, EdDSA (Ed25519), X25519, AES (128/192/256, GCM/CBC), DES/3DES, SHA-1/2/3, HMAC. Side-channel-aware (Montgomery ladder, branchless point_add_ct). Targets embedded (no_std), STM32 M0/M4/M33, ESP32-C3 RISC-V. Zero runtime dependencies.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436

//! Minimal ASN.1 DER encoder/decoder.
//!
//! Supports only the tags needed by PKCS#1, PKCS#8, SEC1 and SPKI:
//! SEQUENCE, INTEGER, OCTET STRING, BIT STRING, OID, context-tagged
//! (explicit), and NULL.

// ====================================================================
// Tag constants
// ====================================================================

/// ASN.1 tag bytes.
pub const TAG_INTEGER: u8 = 0x02;
/// BIT STRING tag.
pub const TAG_BIT_STRING: u8 = 0x03;
/// OCTET STRING tag.
pub const TAG_OCTET_STRING: u8 = 0x04;
/// NULL tag.
pub const TAG_NULL: u8 = 0x05;
/// OBJECT IDENTIFIER tag.
pub const TAG_OID: u8 = 0x06;
/// SEQUENCE (constructed) tag.
pub const TAG_SEQUENCE: u8 = 0x30;

// ====================================================================
// Encoder
// ====================================================================

/// DER encoder: builds a byte vector by appending TLV items.
pub struct DerEncoder {
    buf: Vec<u8>,
}

impl DerEncoder {
    /// Create a new empty encoder.
    pub fn new() -> Self {
        Self { buf: Vec::new() }
    }

    /// Return the encoded bytes.
    pub fn finish(self) -> Vec<u8> {
        self.buf
    }

    /// Append a raw DER length.
    pub fn write_length(&mut self, len: usize) {
        if len < 0x80 {
            self.buf.push(len as u8);
        } else if len < 0x100 {
            self.buf.push(0x81);
            self.buf.push(len as u8);
        } else if len < 0x10000 {
            self.buf.push(0x82);
            self.buf.push((len >> 8) as u8);
            self.buf.push((len & 0xFF) as u8);
        } else {
            self.buf.push(0x83);
            self.buf.push((len >> 16) as u8);
            self.buf.push(((len >> 8) & 0xFF) as u8);
            self.buf.push((len & 0xFF) as u8);
        }
    }

    /// Append a SEQUENCE wrapping the given content.
    pub fn sequence(&mut self, content: &[u8]) {
        self.buf.push(TAG_SEQUENCE);
        self.write_length(content.len());
        self.buf.extend_from_slice(content);
    }

    /// Append an INTEGER from big-endian unsigned bytes.
    /// Adds a leading 0x00 if the MSB is set (to keep it positive).
    pub fn integer(&mut self, value: &[u8]) {
        // Strip leading zeros but keep at least one byte.
        let mut start = 0;
        while start < value.len() - 1 && value[start] == 0 {
            start += 1;
        }
        let val = &value[start..];
        let needs_pad = val[0] & 0x80 != 0;
        let total = val.len() + if needs_pad { 1 } else { 0 };

        self.buf.push(TAG_INTEGER);
        self.write_length(total);
        if needs_pad {
            self.buf.push(0x00);
        }
        self.buf.extend_from_slice(val);
    }

    /// Append a small non-negative INTEGER from a u64 (for version fields).
    pub fn integer_u64(&mut self, v: u64) {
        if v == 0 {
            self.buf.extend_from_slice(&[TAG_INTEGER, 1, 0]);
            return;
        }
        let be = v.to_be_bytes();
        let start = be.iter().position(|&b| b != 0).unwrap_or(7);
        self.integer(&be[start..]);
    }

    /// Append an OCTET STRING.
    pub fn octet_string(&mut self, data: &[u8]) {
        self.buf.push(TAG_OCTET_STRING);
        self.write_length(data.len());
        self.buf.extend_from_slice(data);
    }

    /// Append a BIT STRING (with zero unused-bits prefix).
    pub fn bit_string(&mut self, data: &[u8]) {
        self.buf.push(TAG_BIT_STRING);
        self.write_length(data.len() + 1);
        self.buf.push(0x00); // unused bits
        self.buf.extend_from_slice(data);
    }

    /// Append an OBJECT IDENTIFIER from its encoded byte form.
    pub fn oid(&mut self, encoded: &[u8]) {
        self.buf.push(TAG_OID);
        self.write_length(encoded.len());
        self.buf.extend_from_slice(encoded);
    }

    /// Append a NULL.
    pub fn null(&mut self) {
        self.buf.extend_from_slice(&[TAG_NULL, 0x00]);
    }

    /// Append an explicit context-tagged \[N\] CONSTRUCTED wrapping.
    pub fn context_explicit(&mut self, tag_num: u8, content: &[u8]) {
        self.buf.push(0xA0 | tag_num);
        self.write_length(content.len());
        self.buf.extend_from_slice(content);
    }

    /// Append raw bytes (for building inner content).
    pub fn raw(&mut self, data: &[u8]) {
        self.buf.extend_from_slice(data);
    }
}

// ====================================================================
// Decoder
// ====================================================================

/// DER decoder: reads TLV items from a byte slice.
pub struct DerDecoder<'a> {
    data: &'a [u8],
    pos: usize,
}

impl<'a> DerDecoder<'a> {
    /// Create a decoder over a byte slice.
    pub fn new(data: &'a [u8]) -> Self {
        Self { data, pos: 0 }
    }

    /// Bytes remaining.
    pub fn remaining(&self) -> usize {
        self.data.len() - self.pos
    }

    /// True if all bytes consumed.
    pub fn is_empty(&self) -> bool {
        self.pos >= self.data.len()
    }

    /// Peek at the next tag byte without advancing.
    pub fn peek_tag(&self) -> Option<u8> {
        self.data.get(self.pos).copied()
    }

    /// Read tag + length, return (tag, content_slice).
    pub fn read_tlv(&mut self) -> Option<(u8, &'a [u8])> {
        let tag = *self.data.get(self.pos)?;
        self.pos += 1;
        let len = self.read_length()?;
        if self.pos + len > self.data.len() {
            return None;
        }
        let content = &self.data[self.pos..self.pos + len];
        self.pos += len;
        Some((tag, content))
    }

    fn read_length(&mut self) -> Option<usize> {
        let first = *self.data.get(self.pos)?;
        self.pos += 1;
        if first < 0x80 {
            Some(first as usize)
        } else if first == 0x81 {
            let b = *self.data.get(self.pos)? as usize;
            self.pos += 1;
            Some(b)
        } else if first == 0x82 {
            let hi = *self.data.get(self.pos)? as usize;
            let lo = *self.data.get(self.pos + 1)? as usize;
            self.pos += 2;
            Some((hi << 8) | lo)
        } else if first == 0x83 {
            let a = *self.data.get(self.pos)? as usize;
            let b = *self.data.get(self.pos + 1)? as usize;
            let c = *self.data.get(self.pos + 2)? as usize;
            self.pos += 3;
            Some((a << 16) | (b << 8) | c)
        } else {
            None
        }
    }

    /// Read a SEQUENCE, return a sub-decoder over its content.
    pub fn read_sequence(&mut self) -> Option<DerDecoder<'a>> {
        let (tag, content) = self.read_tlv()?;
        if tag != TAG_SEQUENCE {
            return None;
        }
        Some(DerDecoder::new(content))
    }

    /// Read an INTEGER, return the big-endian unsigned bytes
    /// (leading zero stripped).
    pub fn read_integer(&mut self) -> Option<&'a [u8]> {
        let (tag, content) = self.read_tlv()?;
        if tag != TAG_INTEGER || content.is_empty() {
            return None;
        }
        // Strip leading zero used for sign padding.
        if content[0] == 0x00 && content.len() > 1 {
            Some(&content[1..])
        } else {
            Some(content)
        }
    }

    /// Read an INTEGER as u64 (small values like version fields).
    pub fn read_integer_u64(&mut self) -> Option<u64> {
        let bytes = self.read_integer()?;
        let mut v = 0u64;
        for &b in bytes {
            v = (v << 8) | b as u64;
        }
        Some(v)
    }

    /// Read an OCTET STRING.
    pub fn read_octet_string(&mut self) -> Option<&'a [u8]> {
        let (tag, content) = self.read_tlv()?;
        if tag != TAG_OCTET_STRING {
            return None;
        }
        Some(content)
    }

    /// Read a BIT STRING, return the data bytes (skip unused-bits byte).
    pub fn read_bit_string(&mut self) -> Option<&'a [u8]> {
        let (tag, content) = self.read_tlv()?;
        if tag != TAG_BIT_STRING || content.is_empty() {
            return None;
        }
        // First byte = number of unused bits in the last byte.
        Some(&content[1..])
    }

    /// Read an OID, return the encoded bytes.
    pub fn read_oid(&mut self) -> Option<&'a [u8]> {
        let (tag, content) = self.read_tlv()?;
        if tag != TAG_OID {
            return None;
        }
        Some(content)
    }

    /// Read a NULL.
    pub fn read_null(&mut self) -> Option<()> {
        let (tag, content) = self.read_tlv()?;
        if tag != TAG_NULL || !content.is_empty() {
            return None;
        }
        Some(())
    }

    /// Read an explicit context-tagged \[N\] CONSTRUCTED, return a
    /// sub-decoder over its content. Returns None if the tag number
    /// doesn't match or the tag is absent.
    pub fn read_context_explicit(&mut self, tag_num: u8) -> Option<DerDecoder<'a>> {
        let expected = 0xA0 | tag_num;
        if self.peek_tag() != Some(expected) {
            return None;
        }
        let (_, content) = self.read_tlv()?;
        Some(DerDecoder::new(content))
    }

    /// Skip the next TLV element (any tag).
    pub fn skip(&mut self) -> Option<()> {
        self.read_tlv().map(|_| ())
    }
}

// ====================================================================
// Well-known OIDs (encoded form, without tag+length)
// ====================================================================

/// rsaEncryption (1.2.840.113549.1.1.1)
pub const OID_RSA: &[u8] = &[0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01];

/// id-ecPublicKey (1.2.840.10045.2.1)
pub const OID_EC_PUBLIC_KEY: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x02, 0x01];

/// secp256r1 / P-256 (1.2.840.10045.3.1.7)
pub const OID_SECP256R1: &[u8] = &[0x2A, 0x86, 0x48, 0xCE, 0x3D, 0x03, 0x01, 0x07];

/// secp384r1 / P-384 (1.3.132.0.34)
pub const OID_SECP384R1: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x22];

/// secp521r1 / P-521 (1.3.132.0.35)
pub const OID_SECP521R1: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x23];

/// secp256k1 (1.3.132.0.10)
pub const OID_SECP256K1: &[u8] = &[0x2B, 0x81, 0x04, 0x00, 0x0A];

/// brainpoolP256r1 (1.3.36.3.3.2.8.1.1.7)
pub const OID_BRAINPOOL_P256R1: &[u8] = &[0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x07];

/// brainpoolP384r1 (1.3.36.3.3.2.8.1.1.11)
pub const OID_BRAINPOOL_P384R1: &[u8] = &[0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0B];

/// brainpoolP512r1 (1.3.36.3.3.2.8.1.1.13)
pub const OID_BRAINPOOL_P512R1: &[u8] = &[0x2B, 0x24, 0x03, 0x03, 0x02, 0x08, 0x01, 0x01, 0x0D];

/// id-Ed25519 (1.3.101.112)
pub const OID_ED25519: &[u8] = &[0x2B, 0x65, 0x70];

/// id-X25519 (1.3.101.110)
pub const OID_X25519: &[u8] = &[0x2B, 0x65, 0x6E];

/// id-X448 (1.3.101.111)
pub const OID_X448: &[u8] = &[0x2B, 0x65, 0x6F];

// ====================================================================
// Tests
// ====================================================================

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn roundtrip_integer() {
        let val = [0x00, 0x80, 0xFF]; // needs leading-zero strip then pad
        let mut enc = DerEncoder::new();
        enc.integer(&val);
        let der = enc.finish();
        let mut dec = DerDecoder::new(&der);
        let got = dec.read_integer().unwrap();
        assert_eq!(got, &[0x80, 0xFF]);
    }

    #[test]
    fn roundtrip_integer_u64() {
        for v in [0u64, 1, 127, 128, 255, 256, 65535, 0xDEADBEEF] {
            let mut enc = DerEncoder::new();
            enc.integer_u64(v);
            let der = enc.finish();
            let mut dec = DerDecoder::new(&der);
            assert_eq!(dec.read_integer_u64().unwrap(), v, "v={}", v);
        }
    }

    #[test]
    fn roundtrip_sequence() {
        let mut inner = DerEncoder::new();
        inner.integer_u64(42);
        inner.octet_string(b"hello");
        let content = inner.finish();

        let mut outer = DerEncoder::new();
        outer.sequence(&content);
        let der = outer.finish();

        let mut dec = DerDecoder::new(&der);
        let mut seq = dec.read_sequence().unwrap();
        assert_eq!(seq.read_integer_u64().unwrap(), 42);
        assert_eq!(seq.read_octet_string().unwrap(), b"hello");
        assert!(seq.is_empty());
    }

    #[test]
    fn roundtrip_bit_string() {
        let data = [0x04, 0x01, 0x02]; // uncompressed EC point prefix
        let mut enc = DerEncoder::new();
        enc.bit_string(&data);
        let der = enc.finish();

        let mut dec = DerDecoder::new(&der);
        let got = dec.read_bit_string().unwrap();
        assert_eq!(got, &data);
    }

    #[test]
    fn roundtrip_oid() {
        let mut enc = DerEncoder::new();
        enc.oid(OID_RSA);
        let der = enc.finish();

        let mut dec = DerDecoder::new(&der);
        assert_eq!(dec.read_oid().unwrap(), OID_RSA);
    }

    #[test]
    fn context_explicit_tag() {
        let mut inner = DerEncoder::new();
        inner.integer_u64(1);
        let content = inner.finish();

        let mut enc = DerEncoder::new();
        enc.context_explicit(0, &content);
        let der = enc.finish();

        let mut dec = DerDecoder::new(&der);
        let mut ctx = dec.read_context_explicit(0).unwrap();
        assert_eq!(ctx.read_integer_u64().unwrap(), 1);
    }

    #[test]
    fn large_length_encoding() {
        // 256 bytes → 0x82 0x01 0x00 encoding
        let data = vec![0xABu8; 256];
        let mut enc = DerEncoder::new();
        enc.octet_string(&data);
        let der = enc.finish();

        let mut dec = DerDecoder::new(&der);
        let got = dec.read_octet_string().unwrap();
        assert_eq!(got, &data[..]);
    }
}