tsumiki_der/

lib.rs

//! # tsumiki-der
//!
//! DER (Distinguished Encoding Rules) parsing and encoding.
//!
//! This crate implements DER encoding as defined in
//! [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690).
//!
//! ## What is DER?
//!
//! DER is a binary encoding format for ASN.1 data structures. It uses a
//! Tag-Length-Value (TLV) structure where:
//! - **Tag**: Identifies the data type (INTEGER, SEQUENCE, etc.)
//! - **Length**: The size of the value in bytes
//! - **Value**: The actual data
//!
//! ## Example
//!
//! ```
//! use tsumiki::decoder::Decoder;
//! use tsumiki_der::Der;
//!
//! // DER-encoded SEQUENCE with one INTEGER (value 42)
//! let bytes = vec![0x30, 0x03, 0x02, 0x01, 0x2a];
//!
//! // Parse DER
//! let der: Der = bytes.decode()?;
//!
//! assert_eq!(der.elements().len(), 1);
//! # Ok::<(), Box<dyn std::error::Error>>(())
//! ```
//!
//! ## Encoding
//!
//! ```
//! use tsumiki::encoder::Encoder;
//! use tsumiki_der::{Der, Tlv, Tag, PrimitiveTag};
//!
//! // Create DER structure
//! let tlv = Tlv::new_primitive(Tag::Primitive(PrimitiveTag::Integer, 0x02), vec![0x2a]);
//! let der = Der::new(vec![tlv]);
//!
//! // Encode to bytes
//! let bytes: Vec<u8> = der.encode()?;
//! # Ok::<(), Box<dyn std::error::Error>>(())
//! ```

#![forbid(unsafe_code)]

use error::Error;
use nom::{IResult, Parser};
use tsumiki::decoder::{DecodableFrom, Decoder};
use tsumiki::encoder::{EncodableTo, Encoder};
use tsumiki_pem::Pem;

pub mod error;

/// Represents a DER (Distinguished Encoding Rules) encoded structure.
///
/// A DER structure consists of one or more TLV (Tag-Length-Value) elements.
/// DER is a binary encoding format for ASN.1 data structures, commonly used
/// in cryptographic standards like X.509 certificates and PKCS formats.
///
/// Defined in [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690) Section 8.
///
/// # Example
///
/// ```
/// use tsumiki::decoder::Decoder;
/// use tsumiki_der::Der;
///
/// // DER-encoded INTEGER with value 42
/// let bytes = vec![0x02, 0x01, 0x2a];
/// let der: Der = bytes.decode()?;
/// # Ok::<(), Box<dyn std::error::Error>>(())
/// ```
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Der {
    elements: Vec<Tlv>,
}

impl Der {
    /// Returns a slice of TLV elements in this DER structure.
    pub fn elements(&self) -> &[Tlv] {
        &self.elements
    }

    /// Creates a new DER structure from a vector of TLV elements.
    ///
    /// # Example
    ///
    /// ```
    /// use tsumiki_der::{Der, Tlv, Tag, PrimitiveTag};
    ///
    /// let tlv = Tlv::new_primitive(Tag::Primitive(PrimitiveTag::Integer, 0x02), vec![0x2a]);
    /// let der = Der::new(vec![tlv]);
    /// ```
    pub fn new(elements: Vec<Tlv>) -> Self {
        Der { elements }
    }
}

impl EncodableTo<Der> for Vec<u8> {}

impl Encoder<Der, Vec<u8>> for Der {
    type Error = Error;

    fn encode(&self) -> Result<Vec<u8>, Self::Error> {
        self.elements
            .iter()
            .map(|tlv| tlv.encode())
            .collect::<Result<Vec<_>, _>>()
            .map(|vecs| vecs.into_iter().flatten().collect())
    }
}

impl DecodableFrom<Vec<u8>> for Der {}

impl Decoder<Vec<u8>, Der> for Vec<u8> {
    type Error = Error;

    fn decode(&self) -> Result<Der, Self::Error> {
        let mut tlvs = Vec::new();
        let mut input = self.as_slice();
        while !input.is_empty() {
            let (new_input, tlv) = Tlv::parse(input).map_err(|e| match e {
                nom::Err::Error(e) => Error::Parser(e.code),
                nom::Err::Incomplete(e) => Error::ParserIncomplete(e),
                nom::Err::Failure(e) => Error::Parser(e.code),
            })?;
            input = new_input;
            tlvs.push(tlv);
        }
        Ok(Der { elements: tlvs })
    }
}

impl DecodableFrom<&[u8]> for Der {}

impl Decoder<&[u8], Der> for &[u8] {
    type Error = Error;

    fn decode(&self) -> Result<Der, Self::Error> {
        let mut tlvs = Vec::new();
        let mut input = *self;
        while !input.is_empty() {
            let (new_input, tlv) = Tlv::parse(input).map_err(|e| match e {
                nom::Err::Error(e) => Error::Parser(e.code),
                nom::Err::Incomplete(e) => Error::ParserIncomplete(e),
                nom::Err::Failure(e) => Error::Parser(e.code),
            })?;
            input = new_input;
            tlvs.push(tlv);
        }
        Ok(Der { elements: tlvs })
    }
}

impl DecodableFrom<Pem> for Der {}

impl Decoder<Pem, Der> for Pem {
    type Error = Error;

    fn decode(&self) -> Result<Der, Self::Error> {
        // TODO: consider better syntax
        let data = Decoder::<Pem, Vec<u8>>::decode(self).map_err(Error::Pem)?;
        data.decode()
    }
}

/// Tag byte constructed flag (bit 5).
///
/// This bit is set in the tag byte to indicate that the TLV contains constructed
/// data (i.e., nested TLVs) rather than primitive data.
pub const TAG_CONSTRUCTED: u8 = 0b0010_0000;

/// Represents a DER tag that identifies the type of data in a TLV structure.
///
/// Tags can be either primitive ASN.1 types (INTEGER, SEQUENCE, etc.) or
/// context-specific tags used in structured data like X.509 extensions.
///
/// # Example
///
/// ```
/// use tsumiki_der::{Tag, PrimitiveTag};
///
/// // Primitive tag for INTEGER
/// let int_tag = Tag::Primitive(PrimitiveTag::Integer, 0x02);
///
/// // Context-specific tag [0] EXPLICIT
/// let ctx_tag = Tag::ContextSpecific { slot: 0, constructed: true };
/// ```
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Tag {
    /// Primitive ASN.1 tag with the primitive type and raw tag byte.
    Primitive(PrimitiveTag, u8),
    /// Context-specific tag with slot number and constructed flag.
    ContextSpecific { slot: u8, constructed: bool },
}

impl Tag {
    /// Returns whether this tag represents constructed data.
    ///
    /// Constructed data contains nested TLV structures, while primitive data
    /// contains raw bytes.
    pub(crate) fn is_constructed(&self) -> bool {
        match self {
            Tag::Primitive(_, inner) => (*inner) & TAG_CONSTRUCTED != 0,
            Tag::ContextSpecific { constructed, .. } => *constructed,
        }
    }
}

impl EncodableTo<Tag> for u8 {}

impl Encoder<Tag, u8> for Tag {
    type Error = Error;

    fn encode(&self) -> Result<u8, Self::Error> {
        Ok(match self {
            Tag::Primitive(_, value) => *value,
            Tag::ContextSpecific { slot, constructed } => {
                let base = 0x80; // Context-specific class
                let constructed_bit = if *constructed { TAG_CONSTRUCTED } else { 0 };
                base | constructed_bit | slot
            }
        })
    }
}

impl From<u8> for Tag {
    fn from(value: u8) -> Self {
        let is_context_specific = value & 0b1000_0000 != 0;

        if is_context_specific {
            // Context-specific tag
            // Bit 5 indicates constructed (1) or primitive (0)
            let constructed = value & TAG_CONSTRUCTED != 0;
            let slot_number = value & 0b0001_1111; // Bits 0-4 are the slot number
            Tag::ContextSpecific {
                slot: slot_number,
                constructed,
            }
        } else {
            let primitive = PrimitiveTag::from(value & 0b0001_1111);
            Tag::Primitive(primitive, value)
        }
    }
}

/// Primitive ASN.1 tag types.
///
/// These tags identify the data type in ASN.1 structures. The numeric values
/// correspond to the standard ASN.1 universal tag numbers defined in
/// [ITU-T X.680](https://www.itu.int/rec/T-REC-X.680) and encoded according to
/// [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690).
///
/// # Example
///
/// ```
/// use tsumiki_der::PrimitiveTag;
///
/// let tag = PrimitiveTag::Integer;
/// assert_eq!(u8::from(&tag), 0x02);
/// ```
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
#[repr(u8)]
pub enum PrimitiveTag {
    /// BOOLEAN type (tag 0x01).
    Boolean = 0x01,
    /// INTEGER type (tag 0x02).
    Integer = 0x02,
    /// BIT STRING type (tag 0x03).
    BitString = 0x03,
    /// OCTET STRING type (tag 0x04).
    OctetString = 0x04,
    /// NULL type (tag 0x05).
    Null = 0x05,
    /// OBJECT IDENTIFIER type (tag 0x06).
    ObjectIdentifier = 0x06,
    /// UTF8String type (tag 0x0c).
    UTF8String = 0x0c,
    /// SEQUENCE and SEQUENCE OF type (tag 0x10).
    Sequence = 0x10,
    /// SET and SET OF type (tag 0x11).
    Set = 0x11,
    /// PrintableString type (tag 0x13).
    PrintableString = 0x13,
    /// IA5String type (tag 0x16).
    IA5String = 0x16,
    /// UTCTime type (tag 0x17).
    UTCTime = 0x17,
    /// GeneralizedTime type (tag 0x18).
    GeneralizedTime = 0x18,
    /// BMPString type (tag 0x1e).
    BMPString = 0x1e,
    /// Unimplemented or unknown tag type.
    Unimplemented(u8),
}

impl From<u8> for PrimitiveTag {
    fn from(value: u8) -> Self {
        match value {
            0x01 => Self::Boolean,
            0x02 => Self::Integer,
            0x03 => Self::BitString,
            0x04 => Self::OctetString,
            0x05 => Self::Null,
            0x06 => Self::ObjectIdentifier,
            0x0c => Self::UTF8String,
            0x10 => Self::Sequence,
            0x11 => Self::Set,
            0x13 => Self::PrintableString,
            0x16 => Self::IA5String,
            0x17 => Self::UTCTime,
            0x18 => Self::GeneralizedTime,
            0x1e => Self::BMPString,
            _ => PrimitiveTag::Unimplemented(value),
        }
    }
}

impl From<&PrimitiveTag> for u8 {
    fn from(value: &PrimitiveTag) -> Self {
        match value {
            PrimitiveTag::Boolean => 0x01,
            PrimitiveTag::Integer => 0x02,
            PrimitiveTag::BitString => 0x03,
            PrimitiveTag::OctetString => 0x04,
            PrimitiveTag::Null => 0x05,
            PrimitiveTag::ObjectIdentifier => 0x06,
            PrimitiveTag::UTF8String => 0x0c,
            PrimitiveTag::Sequence => 0x10,
            PrimitiveTag::Set => 0x11,
            PrimitiveTag::PrintableString => 0x13,
            PrimitiveTag::IA5String => 0x16,
            PrimitiveTag::UTCTime => 0x17,
            PrimitiveTag::GeneralizedTime => 0x18,
            PrimitiveTag::BMPString => 0x1e,
            PrimitiveTag::Unimplemented(value) => *value,
        }
    }
}

/// Tag-Length-Value structure representing a single DER element.
///
/// TLV is the basic building block of DER encoding. Each TLV consists of:
/// - **Tag**: Identifies the data type
/// - **Length**: Size of the value in bytes
/// - **Value**: The actual data (either primitive bytes or nested TLVs)
///
/// Defined in [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690) Section 8.1.1.
///
/// # Example
///
/// ```
/// use tsumiki_der::{Tlv, Tag, PrimitiveTag};
///
/// // Create a primitive TLV for INTEGER with value 42
/// let tlv = Tlv::new_primitive(Tag::Primitive(PrimitiveTag::Integer, 0x02), vec![0x2a]);
/// assert_eq!(tlv.data(), Some(&[0x2a][..]));
/// ```
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Tlv {
    tag: Tag,
    // length: u64,
    value: Value,
}

#[derive(Debug, Clone, PartialEq, Eq)]
enum Value {
    Tlv(Vec<Tlv>),
    Data(Vec<u8>),
}

impl Tlv {
    /// Returns the tag identifying the type of this TLV element.
    pub fn tag(&self) -> &Tag {
        &self.tag
    }

    /// Creates a new primitive TLV with raw byte data.
    ///
    /// Use this for primitive types like INTEGER, OCTET STRING, etc.
    ///
    /// # Example
    ///
    /// ```
    /// use tsumiki_der::{Tlv, Tag, PrimitiveTag};
    ///
    /// let tlv = Tlv::new_primitive(Tag::Primitive(PrimitiveTag::Integer, 0x02), vec![0x2a]);
    /// ```
    pub fn new_primitive(tag: Tag, data: Vec<u8>) -> Self {
        Tlv {
            tag,
            value: Value::Data(data),
        }
    }

    /// Creates a new constructed TLV containing nested TLV elements.
    ///
    /// Use this for structured types like SEQUENCE or SET.
    ///
    /// # Example
    ///
    /// ```
    /// use tsumiki_der::{Tlv, Tag, PrimitiveTag};
    ///
    /// let inner = Tlv::new_primitive(Tag::Primitive(PrimitiveTag::Integer, 0x02), vec![0x2a]);
    /// let sequence = Tlv::new_constructed(Tag::Primitive(PrimitiveTag::Sequence, 0x30), vec![inner]);
    /// ```
    pub fn new_constructed(tag: Tag, tlvs: Vec<Tlv>) -> Self {
        Tlv {
            tag,
            value: Value::Tlv(tlvs),
        }
    }

    /// Returns the primitive data if this is a primitive TLV.
    ///
    /// Returns `None` if this is a constructed TLV containing nested elements.
    pub fn data(&self) -> Option<&[u8]> {
        match &self.value {
            Value::Data(data) => Some(data),
            Value::Tlv(_) => None,
        }
    }

    /// Returns the nested TLV elements if this is a constructed TLV.
    ///
    /// Returns `None` if this is a primitive TLV containing raw data.
    pub fn tlvs(&self) -> Option<&[Tlv]> {
        match &self.value {
            Value::Tlv(tlvs) => Some(tlvs),
            Value::Data(_) => None,
        }
    }

    /// Parses a TLV structure from DER-encoded bytes.
    ///
    /// This is an internal parsing function used by the decoder implementation.
    pub(crate) fn parse(input: &[u8]) -> IResult<&[u8], Tlv> {
        let (input, tag) = parse_tag(input)?;
        let (input, length) = parse_length(input)?;
        let (input, data) = nom::bytes::complete::take(length).parse(input)?;

        if tag.is_constructed() {
            // parse TLV recursively.
            let mut tlvs = Vec::new();
            let mut data = data;
            while !data.is_empty() {
                let (new_input, v) = Self::parse(data)?;
                data = new_input;
                tlvs.push(v);
            }

            return Ok((
                input,
                Tlv {
                    tag,
                    value: Value::Tlv(tlvs),
                },
            ));
        }

        Ok((
            input,
            Tlv {
                tag,
                value: Value::Data(data.to_vec()),
            },
        ))
    }
}

impl EncodableTo<Tlv> for Vec<u8> {}

impl Encoder<Tlv, Vec<u8>> for Tlv {
    type Error = Error;

    fn encode(&self) -> Result<Vec<u8>, Self::Error> {
        // Get content bytes
        let content = match &self.value {
            Value::Data(data) => data.clone(),
            Value::Tlv(tlvs) => tlvs
                .iter()
                .map(|tlv| tlv.encode())
                .collect::<Result<Vec<_>, _>>()?
                .into_iter()
                .flatten()
                .collect(),
        };

        // Build result: tag + length + content
        let tag = self.tag.encode()?;
        let length = encode_length(content.len());

        Ok([tag].into_iter().chain(length).chain(content).collect())
    }
}

/// Encodes a length value in DER format.
///
/// Uses short form (single byte) for lengths 0-127, and long form for larger lengths.
/// Defined in [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690) Section 8.1.3.
pub(crate) fn encode_length(length: usize) -> Vec<u8> {
    if length < 0x80 {
        // Short form: length fits in 7 bits (0-127)
        vec![length as u8]
    } else {
        // Long form: first byte = 0x80 | number_of_length_bytes, followed by length bytes
        let length_bytes: Vec<u8> = length
            .to_be_bytes()
            .into_iter()
            .skip_while(|&b| b == 0) // Skip leading zero bytes
            .collect();

        [0x80 | length_bytes.len() as u8]
            .into_iter()
            .chain(length_bytes)
            .collect()
    }
}

/// Parses a tag byte from DER-encoded input.
pub(crate) fn parse_tag(input: &[u8]) -> IResult<&[u8], Tag> {
    let (input, n) = nom::number::be_u8().parse(input)?;
    Ok((input, Tag::from(n)))
}

/// Parses a length field from DER-encoded input.
///
/// Supports both short form (0-127) and long form (128+) length encodings.
/// Defined in [ITU-T X.690](https://www.itu.int/rec/T-REC-X.690) Section 8.1.3.
pub(crate) fn parse_length(input: &[u8]) -> IResult<&[u8], u64> {
    let (input, n) = nom::number::be_u8().parse(input)?;
    if n & 0x80 == 0x80 {
        // long form
        // First 1 bit is a marker for long form.
        // Other bits represent bytes length of the length field.
        let length = n & 0x7f;

        // Sanity check: length field should not exceed 8 bytes for u64
        if length > 8 {
            return Err(nom::Err::Failure(nom::error::Error::new(
                input,
                nom::error::ErrorKind::TooLarge,
            )));
        }

        let (input, bs) = nom::bytes::complete::take(length).parse(input)?;
        let n = bs
            .iter()
            .enumerate()
            .try_fold(0u64, |n, (i, &b)| {
                let exp = (bs.len() - i - 1) as u32;
                let base = 256_u64.checked_pow(exp)?;
                let term = base.checked_mul(b as u64)?;
                n.checked_add(term)
            })
            .ok_or_else(|| {
                nom::Err::Failure(nom::error::Error::new(
                    input,
                    nom::error::ErrorKind::TooLarge,
                ))
            })?;
        return Ok((input, n));
    }
    // short form: 0-127
    Ok((input, n as u64))
}

#[cfg(test)]
mod tests {
    use rstest::rstest;

    use crate::{Der, PrimitiveTag, Tag, Tlv, Value, parse_length};
    use tsumiki::decoder::Decoder;
    use tsumiki::encoder::Encoder;
    use tsumiki_pem::Pem;

    #[rstest(
        input,
        expected,
        case(vec![0x02], Tag::Primitive(PrimitiveTag::Integer, 0x02)),
        case(vec![0x02, 0x01], Tag::Primitive(PrimitiveTag::Integer, 0x02)),
        case(vec![0x30, 0x01], Tag::Primitive(PrimitiveTag::Sequence, 0x30)),
        case(vec![0x0a, 0x02, 0x10], Tag::Primitive(PrimitiveTag::Unimplemented(0x0a), 0x0a)),
        // 0xA0 = 10100000 = context-specific [0] constructed
        case(vec![0xa0], Tag::ContextSpecific { slot: 0x00, constructed: true }),
        case(vec![0xa3], Tag::ContextSpecific { slot: 0x03, constructed: true }),
        // 0x80 = 10000000 = context-specific [0] primitive
        case(vec![0x80], Tag::ContextSpecific { slot: 0x00, constructed: false }),
        case(vec![0x82], Tag::ContextSpecific { slot: 0x02, constructed: false }),
    )]
    fn test_parse_tag(input: Vec<u8>, expected: Tag) {
        use crate::parse_tag;

        let actual = parse_tag(&input).unwrap();

        assert_eq!(expected, actual.1);
    }

    #[rstest(input, expected,
        case(vec![0x02], 0x02),
        case(vec![0x02, 0x01], 0x02),
        case(vec![0x30, 0x01], 0x30),
        case(vec![0x82, 0x02, 0x10], 256 * 0x02 + 0x10),
        case(vec![0x83, 0x01, 0x00, 0x00], 256 * 256),
        case(vec![0x82, 0xff, 0xff], 256 * 0xff + 0xff),
    )]
    fn test_parse_length(input: Vec<u8>, expected: u64) {
        let actual = parse_length(&input).unwrap();

        assert_eq!(expected, actual.1);
    }

    #[rstest(input, expected,
        case(
            vec![0x02, 0x01, 0x01],
            Tlv{
                tag: Tag::Primitive(PrimitiveTag::Integer, 0x02) ,
                value: Value::Data(vec![0x01])
            }
        ),
        case(
            vec![0x02, 0x09, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01],
            Tlv {
                tag: Tag::Primitive(PrimitiveTag::Integer, 0x02),
                value: Value::Data(vec![0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01])
            }
        ),
        case(
            vec![0x13, 0x02, 0x68, 0x69],
            Tlv{
                tag: Tag::Primitive(PrimitiveTag::PrintableString, 0x13),
                value: Value::Data(vec![0x68, 0x69])
            }
        ),
        case(
            vec![0x16, 0x02, 0x68, 0x69],
            Tlv{
                tag: Tag::Primitive(PrimitiveTag::IA5String, 0x16),
                value: Value::Data(vec![0x68, 0x69])
            }
        ),
        case(
            vec![0x0c, 0x04, 0xf0, 0x9f, 0x98, 0x8e],
            Tlv{
                tag: Tag::Primitive(PrimitiveTag::UTF8String, 0x0c),
                value: Value::Data(vec![0xf0, 0x9f, 0x98, 0x8e])
            }
        ),
        case(
            vec![0x17, 0x11, 0x31, 0x39, 0x31, 0x32, 0x31, 0x35, 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x2d, 0x30, 0x38, 0x30, 0x30],
            Tlv {
            tag: Tag::Primitive(PrimitiveTag::UTCTime, 0x17),
            value: Value::Data(vec![
                0x31, 0x39, 0x31, 0x32, 0x31, 0x35, 0x31, 0x39, 0x30, 0x32, 0x31, 0x30, 0x2d, 0x30,
                0x38, 0x30, 0x30,
        ])}),
        case(
            vec![0x18, 0x0d, 0x31, 0x39, 0x31, 0x32, 0x31, 0x36, 0x30, 0x33, 0x30, 0x32, 0x31, 0x30, 0x5a],
            Tlv{
                tag: Tag::Primitive(PrimitiveTag::GeneralizedTime, 0x18),
                value: Value::Data(vec![0x31, 0x39, 0x31, 0x32, 0x31, 0x36, 0x30, 0x33, 0x30, 0x32, 0x31, 0x30, 0x5a])
            }
        ),
        case(
            vec![0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b],
            Tlv {
                tag: Tag::Primitive(PrimitiveTag::ObjectIdentifier, 0x06),
                 value: Value::Data(vec![0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b])
            }
        ),
        case(
            vec![0x05, 0x00],
            Tlv {
                tag: Tag::Primitive(PrimitiveTag::Null, 0x05),
                value: Value::Data(vec![])
            }
        ),
        case(
            vec![0x04, 0x04, 0x03, 0x02, 0x06, 0xa0],
            Tlv {
                tag: Tag::Primitive(PrimitiveTag::OctetString, 0x04),
                value: Value::Data(vec![0x03, 0x02, 0x06, 0xa0])
            }
        ),
        case(
            vec![0x03, 0x04, 0x06, 0x6e, 0x5d, 0xc0],
            Tlv {
                tag: Tag::Primitive(PrimitiveTag::BitString, 0x03),
                value: Value::Data(vec![0x06, 0x6e, 0x5d, 0xc0])
            }
        )
    )]
    fn test_tlv_parse_primitive(input: Vec<u8>, expected: Tlv) {
        let (_, actual) = Tlv::parse(&input).unwrap();
        compare_primitive_tlv(&expected, &actual);
    }

    #[rstest(input, expected,
        case(
            vec![0x30, 0x09, 0x02, 0x01, 0x07, 0x02, 0x01, 0x08, 0x02, 0x01, 0x09],
            Tlv {
                tag: Tag::Primitive(PrimitiveTag::Sequence,  0x30),
                value: Value::Tlv(
                    vec![
                        Tlv {
                            tag: Tag::Primitive(PrimitiveTag::Integer, 0x02),
                            value: Value::Data(vec![0x07])
                        },
                        Tlv {
                            tag: Tag::Primitive(PrimitiveTag::Integer, 0x02),
                            value: Value::Data(vec![0x08])
                        },
                        Tlv {
                            tag: Tag::Primitive(PrimitiveTag::Integer, 0x02),
                            value: Value::Data(vec![0x09])
                        }
                    ]
                )
            }
        )
    )]
    fn test_tlv_parse_structured(input: Vec<u8>, expected: Tlv) {
        let (_, actual) = Tlv::parse(&input).unwrap();
        assert_eq!(expected.tag, actual.tag);
        match actual.value {
            Value::Data(_) => panic!("expected: Value::Tlv, but got Value::Data"),
            Value::Tlv(actual_tlvs) => match expected.value {
                Value::Data(_) => panic!("test data is invalid. required Value::Tlv"),
                Value::Tlv(expected_tlvs) => {
                    if actual_tlvs.len() != expected_tlvs.len() {
                        panic!(
                            "expected nested TLV length is {}, but got length is {}",
                            expected_tlvs.len(),
                            actual_tlvs.len()
                        )
                    }
                    for (expected, actual) in expected_tlvs.iter().zip(actual_tlvs.iter()) {
                        compare_primitive_tlv(expected, actual);
                    }
                }
            },
        }
    }

    fn compare_primitive_tlv(v1: &Tlv, v2: &Tlv) {
        assert_eq!(v1.tag, v2.tag);
        match &v2.value {
            Value::Data(v2_data) => match &v1.value {
                Value::Data(v1_data) => assert_eq!(v2_data, v1_data),
                Value::Tlv(_) => panic!("test data is invalid. required Value::Data"),
            },
            Value::Tlv(tlvs) => {
                panic!("v1: Value::Data, but got Value::Tlv({:?})", tlvs)
            }
        }
    }

    const TEST_PEM_CERT1: &str = r"-----BEGIN CERTIFICATE-----
MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G
A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y
aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0
ZSBhdXRob3JpdHkwHhcNMTEwNTIzMjAzODIxWhcNMTIxMjIyMDc0MTUxWjB9MQsw
CQYDVQQGEwJCRTEPMA0GA1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2Vy
dGlmaWNhdGUgYXV0aG9yaXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdu
dVRMUyBjZXJ0aWZpY2F0ZSBhdXRob3JpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAARS2I0jiuNn14Y2sSALCX3IybqiIJUvxUpj+oNfzngvj/Niyv2394BWnW4X
uQ4RTEiywK87WRcWMGgJB5kX/t2no0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud
DwEB/wQFAwMHBgAwHQYDVR0OBBYEFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqG
SM49BAMCA0gAMEUCIDGuwD1KPyG+hRf88MeyMQcqOFZD0TbVleF+UsAGQ4enAiEA
l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo=
-----END CERTIFICATE-----";

    /*
    * Generated by
    $ openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout test_key.pem \
        -out test_cert.pem \
        -days 365 \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=Test Org/OU=Test Unit/CN=localhost"
    */
    const TEST_PEM_CERT2: &str = r"-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIUaFA0CT8XkKbEtG6JefcmPZp6ThowDQYJKoZIhvcNAQEL
BQAwajELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRAwDgYDVQQHDAdDaGl5
b2RhMREwDwYDVQQKDAhUZXN0IE9yZzESMBAGA1UECwwJVGVzdCBVbml0MRIwEAYD
VQQDDAlsb2NhbGhvc3QwHhcNMjUwNTIzMDkxMDQ3WhcNMjYwNTIzMDkxMDQ3WjBq
MQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xEDAOBgNVBAcMB0NoaXlvZGEx
ETAPBgNVBAoMCFRlc3QgT3JnMRIwEAYDVQQLDAlUZXN0IFVuaXQxEjAQBgNVBAMM
CWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZBodqN
qwafTo+pEyxjMfxHdGPsMLzdHAyHbnfIoaegpaSNG+Gj3XYg8om/F4IPwe73L9wf
2QXjrA86fW4eSumwff+AlIc70wMUOHcJTRdRLNfF3O7BHgtS1Am9P3cANsw1IVec
0DBYB8SZG0v7kt6EZ24ygznz1ptl0noKkVp6ocEUYC8B+Kr5qsm7qz2vef9QPlli
IEm9Za0UFs/r1jjcxfz3GwYQkburRU+bdIO61SCiFyTsqp166XRNSN5ECINwjkxC
CB/9QjeiKjNkyHfC6u1N8Is8fJVA6kUKFyTsPlvs9dzAi3AtNlQsN8p3uRKxZ7Ks
E2hTchypMWozHCkCAwEAAaNTMFEwHQYDVR0OBBYEFPwPDgsW4wRdDj25yLSUYFzB
YX8LMB8GA1UdIwQYMBaAFPwPDgsW4wRdDj25yLSUYFzBYX8LMA8GA1UdEwEB/wQF
MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAJOMSkpB5GWZRw4grEmDKmT8CODNvDBT
S/btPF+unH0fssiqjdQ/qm/Q23Ry1y8paIvXT9IaCRDF5vYhM5A1S9+ryylIM+G4
bAvsEgXUDmLB7LHzETg+7HSYe32iyh0p3EA/LAKdr3zh12bOAdQhRXooQdVjffhc
AKftLxa4Xx7P+w/oPqOdt/f1BQyqsSdQ9iTCnvCbuZ2q3qzFf0ehZXiebXbU5zDc
gqAQgXRgYgyMebhkGdi+V+G75ZSYgOD0zfcoL/p1fW9hr5PPqX7SXcyh8f8Q/ZIL
fgx5sjr+fC3fvET/buw4EnKBhR+sSxn1T70hwP3aXd6wHN0vkMgaJPM=
-----END CERTIFICATE-----";

    const TEST_PEM_PRIV_KEY1: &str = r"-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC2QaHajasGn06P
qRMsYzH8R3Rj7DC83RwMh253yKGnoKWkjRvho912IPKJvxeCD8Hu9y/cH9kF46wP
On1uHkrpsH3/gJSHO9MDFDh3CU0XUSzXxdzuwR4LUtQJvT93ADbMNSFXnNAwWAfE
mRtL+5LehGduMoM589abZdJ6CpFaeqHBFGAvAfiq+arJu6s9r3n/UD5ZYiBJvWWt
FBbP69Y43MX89xsGEJG7q0VPm3SDutUgohck7Kqdeul0TUjeRAiDcI5MQggf/UI3
oiozZMh3wurtTfCLPHyVQOpFChck7D5b7PXcwItwLTZULDfKd7kSsWeyrBNoU3Ic
qTFqMxwpAgMBAAECggEABSbYyOE9Rtwk79mjIZuSM6Pfbd2kyQnk+5OuczNYInFf
jUWx1pB3t5mZ0Xv10abZYARbtXiu/UQgvnN0TTMNAgsLnLfJOwNdZRZivDaml7Sj
NFwy8QrDayWFudrAGwCGDAKqdRwJJHywh4WeaGjtj12lwM8rt20lkVHw/6Mh1bFa
Yo2mprDvq/xxqtmqL3I9iqbWPHRg4uGbq2lRD3UAE+Ig1nlY9TmdekNOvQxDLQGV
0yGLVEE3Yjn9QYE+zs21iyYgV7NjEDw+FLzJ3yWb4UBtSiwAzd0XeOUgWx3IYEXF
J/pSEFgBZdRm0JviQ2+qYH/4zKaWnhjwERa4D/H/UwKBgQD3wjoHG7bVCW7BMOWw
mSFM7wZZ6nZItuaobPZbKXQxmXlbPEWJatW6bPcb9YAaw+VUWLXJyvD52N8M9r4E
hUvUermCLrWU0rqD+0q1+j2iLqfzAg8X0jKYAJMR2ESBmDC8p/40xNOtFxG6uhST
cUnykNbl0SYlDbWtYTSdkf5EowKBgQC8UZ/vCPx1PnF2ycdlGqZ/2valuR1EgHXK
ce+mZmg62l4imkAxI3oJJHJh0r99x75yyzBMRhPJKq5P80x6KpqZfH8DBMfWF4fu
83ark/KQXe4M6RAkH+/MH2jsFWpg9c6WQleizoky8bLaDfBGZyVfHfY+FL0Z/zHj
IXhtDyEcwwKBgQDkjs7NQ+nUedEsc5lQ4tLvkAmB5WOdDO2YLnzN+F3ya6yiV+Wm
MWJdiqwjpMS67EChIP0C3S6UrlaGNRFyRi2AJH8B82kbk5Lwsl9npSQ6e2QAL8QQ
q550zwLdkW8RRn6fazJ9J55GrWNzqLnWksou9SLp+5l+0TjqayQIwGealQKBgGby
rF7tZ63kg/yvVBzWU90jY6C3MOPI4hvY62zpIOPDiqCZ+KukPEuRLCKEJoDpWBjD
MVURHjHj7kTwuYczkS6FG54X1/MXDA259M7ZY0o+vys5ocRN3TaWmTIuhugYmGYW
QHhVNjWuYdrIseia7Jgx9fJ8PeBfXPNQ0de05KInAoGAbbsbgtWqL5E9aWn2d0BN
MYfyU9h1doVwVB/ZdzPtS6BuzrtfZ+Oov86tHqnEvUPs7C8Nvzx8HXbT5mdnSgea
RJi/eAqNhqr/YHf8CvlRjMWHnNLlzqrST9aHKeZwPNr+1o/2PeEZCPShUAHZKmf9
e8ZYGIc4gvs5McdrVUyYGUs=
-----END PRIVATE KEY-----";

    #[rstest(
        input,
        _expected,
        case(TEST_PEM_CERT1, None),
        case(TEST_PEM_CERT2, None),
        case(TEST_PEM_PRIV_KEY1, None)
    )]
    fn test_decode_der_from_pem(input: &str, _expected: Option<()>) {
        let pem = input.decode().unwrap();
        // Assuming not to panic here.
        let der: Der = pem.decode().unwrap();
        println!("{:?}", der);
    }

    #[rstest(cert_pem, case(TEST_PEM_CERT1), case(TEST_PEM_CERT2))]
    fn test_roundtrip_der_encode(cert_pem: &str) {
        // PEM -> Der -> Vec<u8> -> Der
        let pem: Pem = cert_pem.parse().expect("Failed to parse PEM");
        let original_der: Der = pem.decode().expect("Failed to decode PEM to Der");

        let encoded_bytes = original_der
            .encode()
            .expect("Failed to encode Der to Vec<u8>");
        let decoded_der: Der = encoded_bytes
            .decode()
            .expect("Failed to decode Vec<u8> to Der");

        assert_eq!(original_der, decoded_der);
    }
}