winreg-format 0.1.0

Windows Registry (REGF) binary format definitions
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732

//! Cell types and the `CellOffset` newtype.

use crate::flags::{KeyFlags, ValueFlags, ValueType};
use binrw::BinRead;

/// Offset to a cell within hive bins data.
///
/// All cell offsets in the REGF format are relative to the start of the hive
/// bins data area (which begins at file offset 4096). This newtype prevents
/// accidentally mixing cell offsets with file offsets.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, BinRead)]
#[br(little)]
pub struct CellOffset(pub u32);

impl CellOffset {
    /// Null/empty sentinel value (0xFFFFFFFF).
    pub const NULL: Self = Self(0xFFFF_FFFF);

    /// Convert a cell offset to an absolute file offset.
    ///
    /// `file_offset = 4096 + cell_offset`
    pub fn file_offset(self) -> u64 {
        4096 + u64::from(self.0)
    }

    /// Check if this is a null/empty reference.
    pub fn is_null(self) -> bool {
        self.0 == 0xFFFF_FFFF
    }
}

impl std::fmt::Display for CellOffset {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        if self.is_null() {
            write!(f, "NULL")
        } else {
            write!(f, "0x{:08X}", self.0)
        }
    }
}

/// Raw cell header — the first 4 bytes of every cell.
///
/// Cell size is a signed i32:
/// - **Negative** = allocated cell (use absolute value for size)
/// - **Positive** = free/unallocated cell
///
/// All cell sizes are 8-byte aligned.
#[derive(Debug, Clone, Copy)]
pub struct CellHeader {
    /// Raw size field (negative = allocated, positive = free).
    pub raw_size: i32,
}

impl CellHeader {
    /// Parse cell header from 4 bytes.
    pub fn from_bytes(bytes: &[u8; 4]) -> Self {
        Self {
            raw_size: i32::from_le_bytes(*bytes),
        }
    }

    /// Whether this cell is allocated.
    pub fn is_allocated(&self) -> bool {
        self.raw_size < 0
    }

    /// Absolute cell size in bytes (including the 4-byte size field).
    pub fn size(&self) -> u32 {
        self.raw_size.unsigned_abs()
    }
}

/// Two-byte cell signature identifying the cell type.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CellSignature {
    /// `nk` — Key Node
    KeyNode,
    /// `vk` — Key Value
    KeyValue,
    /// `sk` — Security Key
    SecurityKey,
    /// `lf` — Fast Leaf (subkey index with name hints)
    FastLeaf,
    /// `lh` — Hash Leaf (subkey index with name hashes)
    HashLeaf,
    /// `li` — Index Leaf (simple subkey index)
    IndexLeaf,
    /// `ri` — Root Index (index of subkey indices)
    RootIndex,
    /// `db` — Big Data
    BigData,
}

impl CellSignature {
    /// Parse a 2-byte signature.
    pub fn from_bytes(bytes: &[u8; 2]) -> Option<Self> {
        match bytes {
            b"nk" => Some(Self::KeyNode),
            b"vk" => Some(Self::KeyValue),
            b"sk" => Some(Self::SecurityKey),
            b"lf" => Some(Self::FastLeaf),
            b"lh" => Some(Self::HashLeaf),
            b"li" => Some(Self::IndexLeaf),
            b"ri" => Some(Self::RootIndex),
            b"db" => Some(Self::BigData),
            _ => None,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn cell_offset_file_conversion() {
        let offset = CellOffset(0x20);
        assert_eq!(offset.file_offset(), 4096 + 0x20);
    }

    #[test]
    fn cell_offset_null() {
        assert!(CellOffset::NULL.is_null());
        assert!(!CellOffset(0).is_null());
    }

    #[test]
    fn cell_offset_display() {
        assert_eq!(format!("{}", CellOffset::NULL), "NULL");
        assert_eq!(format!("{}", CellOffset(0x20)), "0x00000020");
    }

    #[test]
    fn cell_header_allocated() {
        let bytes = (-128i32).to_le_bytes();
        let header = CellHeader::from_bytes(&bytes);
        assert!(header.is_allocated());
        assert_eq!(header.size(), 128);
    }

    #[test]
    fn cell_header_free() {
        let bytes = 64i32.to_le_bytes();
        let header = CellHeader::from_bytes(&bytes);
        assert!(!header.is_allocated());
        assert_eq!(header.size(), 64);
    }

    #[test]
    fn cell_signatures() {
        assert_eq!(
            CellSignature::from_bytes(b"nk"),
            Some(CellSignature::KeyNode)
        );
        assert_eq!(
            CellSignature::from_bytes(b"vk"),
            Some(CellSignature::KeyValue)
        );
        assert_eq!(
            CellSignature::from_bytes(b"sk"),
            Some(CellSignature::SecurityKey)
        );
        assert_eq!(
            CellSignature::from_bytes(b"lf"),
            Some(CellSignature::FastLeaf)
        );
        assert_eq!(
            CellSignature::from_bytes(b"lh"),
            Some(CellSignature::HashLeaf)
        );
        assert_eq!(
            CellSignature::from_bytes(b"li"),
            Some(CellSignature::IndexLeaf)
        );
        assert_eq!(
            CellSignature::from_bytes(b"ri"),
            Some(CellSignature::RootIndex)
        );
        assert_eq!(
            CellSignature::from_bytes(b"db"),
            Some(CellSignature::BigData)
        );
        assert_eq!(CellSignature::from_bytes(b"xx"), None);
    }
}

/// Raw NK (Key Node) cell data — parsed from bytes after the cell size field.
///
/// Fixed header: 76 bytes (0x4C) + variable-length key name.
#[derive(Debug, Clone)]
pub struct RawKeyNode {
    pub flags: KeyFlags,
    pub last_written: u64,
    pub access_bits: u32,
    pub parent: CellOffset,
    pub subkey_count: u32,
    pub volatile_subkey_count: u32,
    pub subkeys_list_offset: CellOffset,
    pub volatile_subkeys_list_offset: CellOffset,
    pub value_count: u32,
    pub values_list_offset: CellOffset,
    pub security_offset: CellOffset,
    pub class_name_offset: CellOffset,
    pub max_subkey_name_compound: u32,
    pub max_subkey_class_len: u32,
    pub max_value_name_len: u32,
    pub max_value_data_size: u32,
    pub work_var: u32,
    pub key_name_len: u16,
    pub class_name_len: u16,
    pub key_name_raw: Vec<u8>,
}

impl RawKeyNode {
    pub const HEADER_SIZE: usize = 0x4C;

    /// Parse an NK cell from a byte slice (starting after the 2-byte "nk" signature).
    pub fn parse(data: &[u8]) -> Option<Self> {
        if data.len() < Self::HEADER_SIZE - 2 {
            return None;
        }
        let flags = KeyFlags::from_bits_truncate(u16::from_le_bytes([data[0], data[1]]));
        let last_written = u64::from_le_bytes(data[2..10].try_into().ok()?);
        let access_bits = u32::from_le_bytes(data[10..14].try_into().ok()?);
        let parent = CellOffset(u32::from_le_bytes(data[14..18].try_into().ok()?));
        let subkey_count = u32::from_le_bytes(data[18..22].try_into().ok()?);
        let volatile_subkey_count = u32::from_le_bytes(data[22..26].try_into().ok()?);
        let subkeys_list_offset = CellOffset(u32::from_le_bytes(data[26..30].try_into().ok()?));
        let volatile_subkeys_list_offset =
            CellOffset(u32::from_le_bytes(data[30..34].try_into().ok()?));
        let value_count = u32::from_le_bytes(data[34..38].try_into().ok()?);
        let values_list_offset = CellOffset(u32::from_le_bytes(data[38..42].try_into().ok()?));
        let security_offset = CellOffset(u32::from_le_bytes(data[42..46].try_into().ok()?));
        let class_name_offset = CellOffset(u32::from_le_bytes(data[46..50].try_into().ok()?));
        let max_subkey_name_compound = u32::from_le_bytes(data[50..54].try_into().ok()?);
        let max_subkey_class_len = u32::from_le_bytes(data[54..58].try_into().ok()?);
        let max_value_name_len = u32::from_le_bytes(data[58..62].try_into().ok()?);
        let max_value_data_size = u32::from_le_bytes(data[62..66].try_into().ok()?);
        let work_var = u32::from_le_bytes(data[66..70].try_into().ok()?);
        let key_name_len = u16::from_le_bytes([data[70], data[71]]);
        let class_name_len = u16::from_le_bytes([data[72], data[73]]);

        let name_start = 74;
        let name_end = name_start + usize::from(key_name_len);
        if data.len() < name_end {
            return None;
        }
        let key_name_raw = data[name_start..name_end].to_vec();

        Some(Self {
            flags,
            last_written,
            access_bits,
            parent,
            subkey_count,
            volatile_subkey_count,
            subkeys_list_offset,
            volatile_subkeys_list_offset,
            value_count,
            values_list_offset,
            security_offset,
            class_name_offset,
            max_subkey_name_compound,
            max_subkey_class_len,
            max_value_name_len,
            max_value_data_size,
            work_var,
            key_name_len,
            class_name_len,
            key_name_raw,
        })
    }

    pub fn key_name(&self) -> String {
        if self.flags.contains(KeyFlags::COMP_NAME) {
            self.key_name_raw.iter().map(|&b| b as char).collect()
        } else {
            let u16s: Vec<u16> = self
                .key_name_raw
                .chunks_exact(2)
                .map(|c| u16::from_le_bytes([c[0], c[1]]))
                .collect();
            String::from_utf16_lossy(&u16s)
        }
    }

    pub fn is_root(&self) -> bool {
        self.flags.contains(KeyFlags::HIVE_ENTRY)
    }
}

/// Raw VK (Key Value) cell data — parsed from bytes after the cell size field.
///
/// Fixed header: 20 bytes (0x14) + variable-length value name.
#[derive(Debug, Clone)]
pub struct RawKeyValue {
    pub name_len: u16,
    pub data_size_raw: u32,
    pub data_offset_raw: u32,
    pub data_type: ValueType,
    pub flags: ValueFlags,
    pub name_raw: Vec<u8>,
}

impl RawKeyValue {
    pub const HEADER_SIZE: usize = 0x14;

    pub fn parse(data: &[u8]) -> Option<Self> {
        if data.len() < Self::HEADER_SIZE - 2 {
            return None;
        }
        let name_len = u16::from_le_bytes([data[0], data[1]]);
        let data_size_raw = u32::from_le_bytes(data[2..6].try_into().ok()?);
        let data_offset_raw = u32::from_le_bytes(data[6..10].try_into().ok()?);
        let data_type = ValueType::from_raw(u32::from_le_bytes(data[10..14].try_into().ok()?));
        let flags = ValueFlags::from_bits_truncate(u16::from_le_bytes([data[14], data[15]]));

        let name_start = 18;
        let name_end = name_start + usize::from(name_len);
        if data.len() < name_end {
            return None;
        }
        let name_raw = data[name_start..name_end].to_vec();

        Some(Self {
            name_len,
            data_size_raw,
            data_offset_raw,
            data_type,
            flags,
            name_raw,
        })
    }

    pub fn is_resident(&self) -> bool {
        self.data_size_raw & 0x8000_0000 != 0
    }

    pub fn data_size(&self) -> u32 {
        self.data_size_raw & 0x7FFF_FFFF
    }

    pub fn data_offset(&self) -> CellOffset {
        CellOffset(self.data_offset_raw)
    }

    pub fn inline_data(&self) -> Vec<u8> {
        let size = self.data_size() as usize;
        let bytes = self.data_offset_raw.to_le_bytes();
        bytes[..size.min(4)].to_vec()
    }

    pub fn value_name(&self) -> String {
        if self.name_len == 0 {
            return String::new();
        }
        if self.flags.contains(ValueFlags::COMP_NAME) {
            self.name_raw.iter().map(|&b| b as char).collect()
        } else {
            let u16s: Vec<u16> = self
                .name_raw
                .chunks_exact(2)
                .map(|c| u16::from_le_bytes([c[0], c[1]]))
                .collect();
            String::from_utf16_lossy(&u16s)
        }
    }
}

#[cfg(test)]
mod nk_vk_tests {
    use super::*;
    use crate::flags::KeyFlags;

    fn build_nk_bytes(name: &str, flags: KeyFlags, subkey_count: u32, value_count: u32) -> Vec<u8> {
        let name_bytes = name.as_bytes();
        let mut buf = vec![0u8; 74 + name_bytes.len()];
        buf[0..2].copy_from_slice(&flags.bits().to_le_bytes());
        buf[2..10].copy_from_slice(&1000u64.to_le_bytes());
        buf[14..18].copy_from_slice(&0x20u32.to_le_bytes());
        buf[18..22].copy_from_slice(&subkey_count.to_le_bytes());
        let sk_offset = if subkey_count > 0 {
            0x100u32
        } else {
            0xFFFF_FFFFu32
        };
        buf[26..30].copy_from_slice(&sk_offset.to_le_bytes());
        buf[34..38].copy_from_slice(&value_count.to_le_bytes());
        let vl_offset = if value_count > 0 {
            0x200u32
        } else {
            0xFFFF_FFFFu32
        };
        buf[38..42].copy_from_slice(&vl_offset.to_le_bytes());
        buf[42..46].copy_from_slice(&0x300u32.to_le_bytes());
        buf[46..50].copy_from_slice(&0xFFFF_FFFFu32.to_le_bytes());
        buf[70..72].copy_from_slice(&(name_bytes.len() as u16).to_le_bytes());
        buf[74..74 + name_bytes.len()].copy_from_slice(name_bytes);
        buf
    }

    #[test]
    fn parse_nk_root_key() {
        let data = build_nk_bytes(
            "CMI-CreateHive{2A7FB991}",
            KeyFlags::HIVE_ENTRY | KeyFlags::COMP_NAME,
            3,
            0,
        );
        let nk = RawKeyNode::parse(&data).unwrap();
        assert!(nk.is_root());
        assert_eq!(nk.key_name(), "CMI-CreateHive{2A7FB991}");
        assert_eq!(nk.subkey_count, 3);
        assert_eq!(nk.value_count, 0);
        assert!(nk.flags.contains(KeyFlags::COMP_NAME));
    }

    #[test]
    fn parse_nk_child_key() {
        let data = build_nk_bytes("Software", KeyFlags::COMP_NAME, 0, 2);
        let nk = RawKeyNode::parse(&data).unwrap();
        assert!(!nk.is_root());
        assert_eq!(nk.key_name(), "Software");
        assert_eq!(nk.value_count, 2);
    }

    #[test]
    fn nk_rejects_truncated_data() {
        let data = vec![0u8; 10];
        assert!(RawKeyNode::parse(&data).is_none());
    }

    fn build_vk_bytes(name: &str, data_type: u32, data_size: u32, data_offset: u32) -> Vec<u8> {
        let name_bytes = name.as_bytes();
        let comp_flag: u16 = if name.is_empty() { 0 } else { 0x0001 };
        let mut buf = vec![0u8; 18 + name_bytes.len()];
        buf[0..2].copy_from_slice(&(name_bytes.len() as u16).to_le_bytes());
        buf[2..6].copy_from_slice(&data_size.to_le_bytes());
        buf[6..10].copy_from_slice(&data_offset.to_le_bytes());
        buf[10..14].copy_from_slice(&data_type.to_le_bytes());
        buf[14..16].copy_from_slice(&comp_flag.to_le_bytes());
        buf[18..18 + name_bytes.len()].copy_from_slice(name_bytes);
        buf
    }

    #[test]
    fn parse_vk_dword_resident() {
        let data = build_vk_bytes("Start", 4, 0x8000_0004, 0x0000_0003);
        let vk = RawKeyValue::parse(&data).unwrap();
        assert_eq!(vk.value_name(), "Start");
        assert!(matches!(vk.data_type, ValueType::Dword));
        assert!(vk.is_resident());
        assert_eq!(vk.data_size(), 4);
        assert_eq!(vk.inline_data(), vec![3, 0, 0, 0]);
    }

    #[test]
    fn parse_vk_string_non_resident() {
        let data = build_vk_bytes("ImagePath", 1, 42, 0x500);
        let vk = RawKeyValue::parse(&data).unwrap();
        assert_eq!(vk.value_name(), "ImagePath");
        assert!(matches!(vk.data_type, ValueType::Sz));
        assert!(!vk.is_resident());
        assert_eq!(vk.data_size(), 42);
        assert_eq!(vk.data_offset(), CellOffset(0x500));
    }

    #[test]
    fn parse_vk_unnamed_default_value() {
        let data = build_vk_bytes("", 1, 10, 0x600);
        let vk = RawKeyValue::parse(&data).unwrap();
        assert_eq!(vk.value_name(), "");
        assert_eq!(vk.name_len, 0);
    }

    #[test]
    fn vk_rejects_truncated_data() {
        let data = vec![0u8; 5];
        assert!(RawKeyValue::parse(&data).is_none());
    }
}

/// LF (Fast Leaf) element: key node offset + 4-byte name hint.
#[derive(Debug, Clone, Copy)]
pub struct LfElement {
    pub key_offset: CellOffset,
    /// First 4 ASCII characters of key name (uppercase).
    pub name_hint: [u8; 4],
}

/// LH (Hash Leaf) element: key node offset + 32-bit name hash.
#[derive(Debug, Clone, Copy)]
pub struct LhElement {
    pub key_offset: CellOffset,
    /// Hash: H = 37*H + C[i] over uppercase key name.
    pub name_hash: u32,
}

/// Parsed subkey index — dispatches across LF, LH, LI, RI.
#[derive(Debug, Clone)]
pub enum SubkeyIndex {
    FastLeaf(Vec<LfElement>),
    HashLeaf(Vec<LhElement>),
    IndexLeaf(Vec<CellOffset>),
    RootIndex(Vec<CellOffset>),
}

impl SubkeyIndex {
    pub fn parse_lf(data: &[u8]) -> Option<Self> {
        if data.len() < 2 {
            return None;
        }
        let count = u16::from_le_bytes([data[0], data[1]]) as usize;
        let elements_data = &data[2..];
        if elements_data.len() < count * 8 {
            return None;
        }
        let elements = (0..count)
            .map(|i| {
                let base = i * 8;
                LfElement {
                    key_offset: CellOffset(crate::bytes::le_u32(elements_data, base)),
                    name_hint: crate::bytes::read4(elements_data, base + 4),
                }
            })
            .collect();
        Some(Self::FastLeaf(elements))
    }

    pub fn parse_lh(data: &[u8]) -> Option<Self> {
        if data.len() < 2 {
            return None;
        }
        let count = u16::from_le_bytes([data[0], data[1]]) as usize;
        let elements_data = &data[2..];
        if elements_data.len() < count * 8 {
            return None;
        }
        let elements = (0..count)
            .map(|i| {
                let base = i * 8;
                LhElement {
                    key_offset: CellOffset(crate::bytes::le_u32(elements_data, base)),
                    name_hash: crate::bytes::le_u32(elements_data, base + 4),
                }
            })
            .collect();
        Some(Self::HashLeaf(elements))
    }

    pub fn parse_li(data: &[u8]) -> Option<Self> {
        if data.len() < 2 {
            return None;
        }
        let count = u16::from_le_bytes([data[0], data[1]]) as usize;
        let elements_data = &data[2..];
        if elements_data.len() < count * 4 {
            return None;
        }
        let offsets = (0..count)
            .map(|i| {
                let base = i * 4;
                CellOffset(crate::bytes::le_u32(elements_data, base))
            })
            .collect();
        Some(Self::IndexLeaf(offsets))
    }

    pub fn parse_ri(data: &[u8]) -> Option<Self> {
        if data.len() < 2 {
            return None;
        }
        let count = u16::from_le_bytes([data[0], data[1]]) as usize;
        let elements_data = &data[2..];
        if elements_data.len() < count * 4 {
            return None;
        }
        let offsets = (0..count)
            .map(|i| {
                let base = i * 4;
                CellOffset(crate::bytes::le_u32(elements_data, base))
            })
            .collect();
        Some(Self::RootIndex(offsets))
    }
}

/// Compute LH name hash: H = 37*H + C[i] over uppercase name.
pub fn lh_hash(name: &str) -> u32 {
    let mut h: u32 = 0;
    for c in name.to_ascii_uppercase().bytes() {
        h = h.wrapping_mul(37).wrapping_add(u32::from(c));
    }
    h
}

/// Raw SK (Security Key) cell data.
#[derive(Debug, Clone)]
pub struct RawSecurityKey {
    pub flink: CellOffset,
    pub blink: CellOffset,
    pub reference_count: u32,
    pub descriptor_size: u32,
    pub descriptor: Vec<u8>,
}

impl RawSecurityKey {
    pub fn parse(data: &[u8]) -> Option<Self> {
        if data.len() < 18 {
            return None;
        }
        let flink = CellOffset(u32::from_le_bytes(data[2..6].try_into().ok()?));
        let blink = CellOffset(u32::from_le_bytes(data[6..10].try_into().ok()?));
        let reference_count = u32::from_le_bytes(data[10..14].try_into().ok()?);
        let descriptor_size = u32::from_le_bytes(data[14..18].try_into().ok()?);
        let desc_end = 18 + descriptor_size as usize;
        if data.len() < desc_end {
            return None;
        }
        let descriptor = data[18..desc_end].to_vec();
        Some(Self {
            flink,
            blink,
            reference_count,
            descriptor_size,
            descriptor,
        })
    }
}

/// Raw DB (Big Data) cell.
#[derive(Debug, Clone)]
pub struct RawBigData {
    pub segment_count: u16,
    pub segment_list_offset: CellOffset,
}

impl RawBigData {
    pub fn parse(data: &[u8]) -> Option<Self> {
        if data.len() < 6 {
            return None;
        }
        let segment_count = u16::from_le_bytes([data[0], data[1]]);
        let segment_list_offset = CellOffset(u32::from_le_bytes(data[2..6].try_into().ok()?));
        Some(Self {
            segment_count,
            segment_list_offset,
        })
    }
}

#[cfg(test)]
mod index_tests {
    use super::*;

    #[test]
    fn parse_lh_with_two_elements() {
        let mut data = vec![0u8; 2 + 2 * 8];
        data[0..2].copy_from_slice(&2u16.to_le_bytes());
        data[2..6].copy_from_slice(&0x100u32.to_le_bytes());
        data[6..10].copy_from_slice(&0xABCDu32.to_le_bytes());
        data[10..14].copy_from_slice(&0x200u32.to_le_bytes());
        data[14..18].copy_from_slice(&0x1234u32.to_le_bytes());
        let index = SubkeyIndex::parse_lh(&data).unwrap();
        if let SubkeyIndex::HashLeaf(elements) = index {
            assert_eq!(elements.len(), 2);
            assert_eq!(elements[0].key_offset, CellOffset(0x100));
            assert_eq!(elements[0].name_hash, 0xABCD);
            assert_eq!(elements[1].key_offset, CellOffset(0x200));
        } else {
            panic!("expected HashLeaf");
        }
    }

    #[test]
    fn parse_li_with_three_offsets() {
        let mut data = vec![0u8; 2 + 3 * 4];
        data[0..2].copy_from_slice(&3u16.to_le_bytes());
        data[2..6].copy_from_slice(&0x100u32.to_le_bytes());
        data[6..10].copy_from_slice(&0x200u32.to_le_bytes());
        data[10..14].copy_from_slice(&0x300u32.to_le_bytes());
        let index = SubkeyIndex::parse_li(&data).unwrap();
        if let SubkeyIndex::IndexLeaf(offsets) = index {
            assert_eq!(offsets.len(), 3);
            assert_eq!(offsets[0], CellOffset(0x100));
        } else {
            panic!("expected IndexLeaf");
        }
    }

    #[test]
    fn lh_hash_algorithm() {
        let hash = lh_hash("SOFTWARE");
        assert_eq!(hash, lh_hash("software")); // case-insensitive
    }

    #[test]
    fn parse_sk_cell() {
        let mut data = vec![0u8; 18 + 20];
        data[2..6].copy_from_slice(&0x100u32.to_le_bytes());
        data[6..10].copy_from_slice(&0x200u32.to_le_bytes());
        data[10..14].copy_from_slice(&3u32.to_le_bytes());
        data[14..18].copy_from_slice(&20u32.to_le_bytes());
        data[18..38].fill(0xAA);
        let sk = RawSecurityKey::parse(&data).unwrap();
        assert_eq!(sk.flink, CellOffset(0x100));
        assert_eq!(sk.reference_count, 3);
        assert_eq!(sk.descriptor.len(), 20);
    }

    #[test]
    fn parse_db_cell() {
        let mut data = vec![0u8; 6];
        data[0..2].copy_from_slice(&3u16.to_le_bytes());
        data[2..6].copy_from_slice(&0x500u32.to_le_bytes());
        let db = RawBigData::parse(&data).unwrap();
        assert_eq!(db.segment_count, 3);
        assert_eq!(db.segment_list_offset, CellOffset(0x500));
    }

    #[test]
    fn empty_index_parses() {
        let data = vec![0u8; 2];
        let index = SubkeyIndex::parse_lh(&data).unwrap();
        if let SubkeyIndex::HashLeaf(elements) = index {
            assert!(elements.is_empty());
        } else {
            panic!("expected empty HashLeaf");
        }
    }
}