ASN.1 updates from bc-java

- Integer cannot have empty contents octets
- Enumerated values can't be negative

4 files changed, 50 insertions, 37 deletions

diff --git a/crypto/src/asn1/Asn1Set.cs b/crypto/src/asn1/Asn1Set.cs
index 07605f5e1..68ede2275 100644
--- a/crypto/src/asn1/Asn1Set.cs
+++ b/crypto/src/asn1/Asn1Set.cs
@@ -16,7 +16,7 @@ namespace Org.BouncyCastle.Asn1
     abstract public class Asn1Set
         : Asn1Object, IEnumerable
     {
-        // NOTE: Only non-readonly to support LazyDerSequence
+        // NOTE: Only non-readonly to support LazyDerSet
         internal Asn1Encodable[] elements;
 
         /**
diff --git a/crypto/src/asn1/DerEnumerated.cs b/crypto/src/asn1/DerEnumerated.cs
index 6690feceb..1344926bd 100644
--- a/crypto/src/asn1/DerEnumerated.cs
+++ b/crypto/src/asn1/DerEnumerated.cs
@@ -49,30 +49,28 @@ namespace Org.BouncyCastle.Asn1
             return FromOctetString(((Asn1OctetString)o).GetOctets());
         }
 
-        public DerEnumerated(
-            int val)
+        public DerEnumerated(int val)
         {
+            if (val < 0)
+                throw new ArgumentException("enumerated must be non-negative", "val");
+
             bytes = BigInteger.ValueOf(val).ToByteArray();
         }
 
-        public DerEnumerated(
-            BigInteger val)
+        public DerEnumerated(BigInteger val)
         {
+            if (val.SignValue < 0)
+                throw new ArgumentException("enumerated must be non-negative", "val");
+
             bytes = val.ToByteArray();
         }
 
-        public DerEnumerated(
-            byte[] bytes)
+        public DerEnumerated(byte[] bytes)
         {
-            if (bytes.Length > 1)
-            {
-                if ((bytes[0] == 0 && (bytes[1] & 0x80) == 0)
-                    || (bytes[0] == (byte)0xff && (bytes[1] & 0x80) != 0))
-                {
-                    if (!DerInteger.AllowUnsafe())
-                        throw new ArgumentException("malformed enumerated");
-                }
-            }
+            if (DerInteger.IsMalformed(bytes))
+                throw new ArgumentException("malformed enumerated", "bytes");
+            if (0 != (bytes[0] & 0x80))
+                throw new ArgumentException("enumerated must be non-negative", "bytes");
 
             this.bytes = Arrays.Clone(bytes);
         }
diff --git a/crypto/src/asn1/DerInteger.cs b/crypto/src/asn1/DerInteger.cs
index ae14d2a9f..fec7b9420 100644
--- a/crypto/src/asn1/DerInteger.cs
+++ b/crypto/src/asn1/DerInteger.cs
@@ -60,14 +60,12 @@ namespace Org.BouncyCastle.Asn1
 			return new DerInteger(Asn1OctetString.GetInstance(o).GetOctets());
         }
 
-		public DerInteger(
-            int value)
+		public DerInteger(int value)
         {
             bytes = BigInteger.ValueOf(value).ToByteArray();
         }
 
-		public DerInteger(
-            BigInteger value)
+		public DerInteger(BigInteger value)
         {
             if (value == null)
                 throw new ArgumentNullException("value");
@@ -75,27 +73,20 @@ namespace Org.BouncyCastle.Asn1
 			bytes = value.ToByteArray();
         }
 
-		public DerInteger(
-            byte[] bytes)
+        public DerInteger(byte[] bytes)
+            : this(bytes, true)
         {
-            if (bytes.Length > 1)
-            {
-                if ((bytes[0] == 0 && (bytes[1] & 0x80) == 0)
-                    || (bytes[0] == (byte)0xff && (bytes[1] & 0x80) != 0))
-                {
-                    if (!AllowUnsafe())
-                        throw new ArgumentException("malformed integer");
-                }
-            }
-            this.bytes = Arrays.Clone(bytes);
         }
 
-		public BigInteger Value
+        internal DerInteger(byte[] bytes, bool clone)
         {
-            get { return new BigInteger(bytes); }
+            if (IsMalformed(bytes))
+                throw new ArgumentException("malformed integer", "bytes");
+
+            this.bytes = clone ? Arrays.Clone(bytes) : bytes;
         }
 
-		/**
+        /**
          * in some cases positive values Get crammed into a space,
          * that's not quite big enough...
          */
@@ -104,6 +95,11 @@ namespace Org.BouncyCastle.Asn1
             get { return new BigInteger(1, bytes); }
         }
 
+        public BigInteger Value
+        {
+            get { return new BigInteger(bytes); }
+        }
+
         internal override void Encode(
             DerOutputStream derOut)
         {
@@ -130,5 +126,24 @@ namespace Org.BouncyCastle.Asn1
 		{
 			return Value.ToString();
 		}
-	}
+
+        /**
+         * Apply the correct validation for an INTEGER primitive following the BER rules.
+         *
+         * @param bytes The raw encoding of the integer.
+         * @return true if the (in)put fails this validation.
+         */
+        internal static bool IsMalformed(byte[] bytes)
+        {
+            switch (bytes.Length)
+            {
+            case 0:
+                return true;
+            case 1:
+                return false;
+            default:
+                return (sbyte)bytes[0] == ((sbyte)bytes[1] >> 7) && !AllowUnsafe();
+            }
+        }
+    }
 }
diff --git a/crypto/src/asn1/pkcs/CertBag.cs b/crypto/src/asn1/pkcs/CertBag.cs
index b6f4c8a30..e561fb890 100644
--- a/crypto/src/asn1/pkcs/CertBag.cs
+++ b/crypto/src/asn1/pkcs/CertBag.cs
@@ -17,7 +17,7 @@ namespace Org.BouncyCastle.Asn1.Pkcs
 
 //			this.seq = seq;
             this.certID = DerObjectIdentifier.GetInstance(seq[0]);
-            this.certValue = DerTaggedObject.GetInstance(seq[1]).GetObject();
+            this.certValue = Asn1TaggedObject.GetInstance(seq[1]).GetObject();
         }
 
 		public CertBag(