Security-55471.14.18.tar.gz

[apple/security.git] / libsecurity_asn1 / lib / secasn1e.c

/*
 * The contents of this file are subject to the Mozilla Public
 * License Version 1.1 (the "License"); you may not use this file
 * except in compliance with the License. You may obtain a copy of
 * the License at http://www.mozilla.org/MPL/
 * 
 * Software distributed under the License is distributed on an "AS
 * IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * rights and limitations under the License.
 * 
 * The Original Code is the Netscape security libraries.
 * 
 * The Initial Developer of the Original Code is Netscape
 * Communications Corporation.  Portions created by Netscape are 
 * Copyright (C) 1994-2000 Netscape Communications Corporation.  All
 * Rights Reserved.
 * 
 * Contributor(s):
 * 
 * Alternatively, the contents of this file may be used under the
 * terms of the GNU General Public License Version 2 or later (the
 * "GPL"), in which case the provisions of the GPL are applicable 
 * instead of those above.  If you wish to allow use of your 
 * version of this file only under the terms of the GPL and not to
 * allow others to use your version of this file under the MPL,
 * indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by
 * the GPL.  If you do not delete the provisions above, a recipient
 * may use your version of this file under either the MPL or the
 * GPL.
 */

/*
 * Support for ENcoding ASN.1 data based on BER/DER (Basic/Distinguished
 * Encoding Rules).
 *
 * $Id: secasn1e.c,v 1.7 2004/05/13 15:29:13 dmitch Exp $
 */

#include "secasn1.h"

typedef enum {
    beforeHeader,
    duringContents,
    duringGroup,
    duringSequence,
    afterContents,
    afterImplicit,
    afterInline,
    afterPointer,
    afterChoice,
    notInUse
} sec_asn1e_parse_place;

typedef enum {
    allDone,
    encodeError,
    keepGoing,
    needBytes
} sec_asn1e_parse_status;

typedef struct sec_asn1e_state_struct {
    SEC_ASN1EncoderContext *top;
    const SecAsn1Template *theTemplate;
    void *src;

    struct sec_asn1e_state_struct *parent;	/* aka prev */
    struct sec_asn1e_state_struct *child;	/* aka next */

    sec_asn1e_parse_place place;	/* where we are in encoding process */

    /*
     * XXX explain the next fields as clearly as possible...
     */
    unsigned char tag_modifiers;
    unsigned char tag_number;
    unsigned long underlying_kind;

    int depth;

    PRBool explicit,		/* we are handling an explicit header */
	   indefinite,		/* need end-of-contents */
	   is_string,		/* encoding a simple string or an ANY */
	   may_stream,		/* when streaming, do indefinite encoding */
	   optional,		/* omit field if it has no contents */
	   ignore_stream	/* ignore streaming value of sub-template */	
		#ifdef	__APPLE__
		,
		signedInt	/* signed alternate to SEC_ASN1_INTEGER */
		#endif
		;
} sec_asn1e_state;

/*
 * An "outsider" will have an opaque pointer to this, created by calling
 * SEC_ASN1EncoderStart().  It will be passed back in to all subsequent
 * calls to SEC_ASN1EncoderUpdate() and related routines, and when done
 * it is passed to SEC_ASN1EncoderFinish().
 */
struct sec_EncoderContext_struct {
    PRArenaPool *our_pool;		/* for our internal allocs */

    sec_asn1e_state *current;
    sec_asn1e_parse_status status;

    PRBool streaming;
    PRBool from_buf;

    SEC_ASN1NotifyProc notify_proc;	/* call before/after handling field */
    void *notify_arg;			/* argument to notify_proc */
    PRBool during_notify;		/* true during call to notify_proc */

    SEC_ASN1WriteProc output_proc;	/* pass encoded bytes to this  */
    void *output_arg;			/* argument to that function */
};


static sec_asn1e_state *
sec_asn1e_push_state (SEC_ASN1EncoderContext *cx,
		      const SecAsn1Template *theTemplate,
		      const void *src, PRBool new_depth)
{
    sec_asn1e_state *state, *new_state;

    state = cx->current;

    new_state = (sec_asn1e_state*)PORT_ArenaZAlloc (cx->our_pool, 
						    sizeof(*new_state));
    if (new_state == NULL) {
	cx->status = encodeError;
	return NULL;
    }

    new_state->top = cx;
    new_state->parent = state;
    new_state->theTemplate = theTemplate;
    new_state->place = notInUse;
    if (src != NULL)
	new_state->src = (char *)src + theTemplate->offset;

    if (state != NULL) {
	new_state->depth = state->depth;
	if (new_depth)
	    new_state->depth++;
	state->child = new_state;
    }

    cx->current = new_state;
    return new_state;
}


static void
sec_asn1e_scrub_state (sec_asn1e_state *state)
{
    /*
     * Some default "scrubbing".
     * XXX right set of initializations?
     */
    state->place = beforeHeader;
    state->indefinite = PR_FALSE;
}


static void
sec_asn1e_notify_before (SEC_ASN1EncoderContext *cx, void *src, int depth)
{
    if (cx->notify_proc == NULL)
	return;

    cx->during_notify = PR_TRUE;
    (* cx->notify_proc) (cx->notify_arg, PR_TRUE, src, depth);
    cx->during_notify = PR_FALSE;
}


static void
sec_asn1e_notify_after (SEC_ASN1EncoderContext *cx, void *src, int depth)
{
    if (cx->notify_proc == NULL)
	return;

    cx->during_notify = PR_TRUE;
    (* cx->notify_proc) (cx->notify_arg, PR_FALSE, src, depth);
    cx->during_notify = PR_FALSE;
}


static sec_asn1e_state *
sec_asn1e_init_state_based_on_template (sec_asn1e_state *state)
{
    PRBool explicit, is_string, may_stream, optional, universal, ignore_stream;
    unsigned char tag_modifiers;
    unsigned long encode_kind, under_kind;
    unsigned long tag_number;
	#ifdef	__APPLE__
	PRBool signedInt, dynamic;
	#endif

    encode_kind = state->theTemplate->kind;

    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
		? PR_TRUE : PR_FALSE;

    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_EXPLICIT;

    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_OPTIONAL;

    PORT_Assert (!(explicit && universal));	/* bad templates */

    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_MAY_STREAM;

    ignore_stream = (encode_kind & SEC_ASN1_NO_STREAM) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_NO_STREAM;

 	#ifdef	__APPLE__
	signedInt = (encode_kind & SEC_ASN1_SIGNED_INT) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_SIGNED_INT;
	#endif

	#ifdef	__APPLE__
	dynamic = (encode_kind & SEC_ASN1_DYNAMIC) ? PR_TRUE : PR_FALSE;
	#endif
    encode_kind &= ~SEC_ASN1_DYNAMIC;

    if( encode_kind & SEC_ASN1_CHOICE ) {
      under_kind = SEC_ASN1_CHOICE;
    } else

    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || (!universal
							      && !explicit)) {
		const SecAsn1Template *subt;
		void *src;
	
		PORT_Assert ((encode_kind & (SEC_ASN1_ANY | SEC_ASN1_SKIP)) == 0);
	
		sec_asn1e_scrub_state (state);
	
		if (encode_kind & SEC_ASN1_POINTER) {
			/*
			* XXX This used to PORT_Assert (encode_kind == SEC_ASN1_POINTER);
			* but that was too restrictive.  This needs to be fixed,
			* probably copying what the decoder now checks for, and
			* adding a big comment here to explain what the checks mean.
			*/
			src = *(void **)state->src;
			state->place = afterPointer;
			if (src == NULL) {
			/*
			* If this is optional, but NULL, then the field does
			* not need to be encoded.  In this case we are done;
			* we do not want to push a subtemplate.
			*/
			if (optional)
				return state;
	
			/*
			* XXX this is an error; need to figure out
			* how to handle this
			*/
			}
		} else {
			src = state->src;
			if (encode_kind & SEC_ASN1_INLINE) {
				/* check that there are no extraneous bits */
				PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
				state->place = afterInline;
			} else {
				/*
				 * Save the tag modifiers and tag number here before moving
				 * on to the next state in case this is a member of a
				 * SEQUENCE OF
				 */
				state->tag_modifiers = (unsigned char)encode_kind & SEC_ASN1_TAG_MASK
							& ~SEC_ASN1_TAGNUM_MASK;
				state->tag_number = (unsigned char)encode_kind & SEC_ASN1_TAGNUM_MASK;
				
				state->place = afterImplicit;
				state->optional = optional;
			}
		}
	
		subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src, PR_TRUE,
			NULL /* __APPLE__ */);
		state = sec_asn1e_push_state (state->top, subt, src, PR_FALSE);
		if (state == NULL)
			return NULL;
	
		if (universal) {
			/*
			* This is a POINTER or INLINE; just init based on that
			* and we are done.
			*/
			return sec_asn1e_init_state_based_on_template (state);
		}
	
		/*
		* This is an implicit, non-universal (meaning, application-private
		* or context-specific) field.  This results in a "magic" tag but
		* encoding based on the underlying type.  We pushed a new state
		* that is based on the subtemplate (the underlying type), but
		* now we will sort of alias it to give it some of our properties
		* (tag, optional status, etc.).
		*/
	
		under_kind = state->theTemplate->kind;
		if (under_kind & SEC_ASN1_MAY_STREAM) {
			if (!ignore_stream)
			may_stream = PR_TRUE;
			under_kind &= ~SEC_ASN1_MAY_STREAM;
		}
    } else {
		under_kind = encode_kind;
    }

    /*
     * Sanity check that there are no unwanted bits marked in under_kind.
     * These bits were either removed above (after we recorded them) or
     * they simply should not be found (signalling a bad/broken template).
     * XXX is this the right set of bits to test here? (i.e. need to add
     * or remove any?)
     */
    PORT_Assert ((under_kind & (/*SEC_ASN1_EXPLICIT | */SEC_ASN1_OPTIONAL
				| SEC_ASN1_SKIP | SEC_ASN1_INNER
				| SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
				| SEC_ASN1_INLINE | SEC_ASN1_POINTER)) == 0);

    if (encode_kind & SEC_ASN1_ANY) {
		PORT_Assert (encode_kind == under_kind);
		tag_modifiers = 0;
		tag_number = 0;
		is_string = PR_TRUE;
    } else {
		tag_modifiers = (unsigned char)encode_kind & SEC_ASN1_TAG_MASK & 
					~SEC_ASN1_TAGNUM_MASK;
		/*
		 * XXX This assumes only single-octet identifiers.  To handle
		 * the HIGH TAG form we would need to do some more work, especially
		 * in how to specify them in the template, because right now we
		 * do not provide a way to specify more *tag* bits in encode_kind.
		 */
		
		#ifdef	__APPLE__
		/*
		 * Apple change: if this is a DYNAMIC template, use the tag number
		 * from the subtemplate's kind
		 */
		if(dynamic) {
			tag_number = state->theTemplate->kind & SEC_ASN1_TAGNUM_MASK;
			explicit = (state->theTemplate->kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
			tag_modifiers |= (state->theTemplate->kind & SEC_ASN1_CONSTRUCTED);
		}
		else 
		#endif	/* __APPLE__ */
		tag_number = encode_kind & SEC_ASN1_TAGNUM_MASK;
	
		is_string = PR_FALSE;
		switch (under_kind & SEC_ASN1_TAGNUM_MASK) {
		case SEC_ASN1_SET:
			/*
			* XXX A plain old SET (as opposed to a SET OF) is not implemented.
			* If it ever is, remove this assert...
			*/
			PORT_Assert ((under_kind & SEC_ASN1_GROUP) != 0);
			/* fallthru */
		case SEC_ASN1_SEQUENCE:
			tag_modifiers |= SEC_ASN1_CONSTRUCTED;
			break;
		case SEC_ASN1_BIT_STRING:
		case SEC_ASN1_BMP_STRING: 
		case SEC_ASN1_GENERALIZED_TIME:
		case SEC_ASN1_IA5_STRING:
		case SEC_ASN1_OCTET_STRING:
		case SEC_ASN1_PRINTABLE_STRING:
		case SEC_ASN1_T61_STRING:
		case SEC_ASN1_UNIVERSAL_STRING: 
		case SEC_ASN1_UTC_TIME:
		case SEC_ASN1_UTF8_STRING:
		case SEC_ASN1_VISIBLE_STRING: 
			/*
			* We do not yet know if we will be constructing the string,
			* so we have to wait to do this final tag modification.
			*/
			is_string = PR_TRUE;
			break;
		}
    }

    state->tag_modifiers = tag_modifiers;
    state->tag_number = (unsigned char)tag_number;
    state->underlying_kind = under_kind;
    state->explicit = explicit;
    state->may_stream = may_stream;
    state->is_string = is_string;
    state->optional = optional;
    state->ignore_stream = ignore_stream;
	#ifdef	__APPLE__
	state->signedInt = signedInt;
	#endif

    sec_asn1e_scrub_state (state);

    return state;
}


static void
sec_asn1e_write_part (sec_asn1e_state *state,
		      const char *buf, size_t len,
		      SEC_ASN1EncodingPart part)
{
    SEC_ASN1EncoderContext *cx;

    cx = state->top;
    (* cx->output_proc) (cx->output_arg, buf, len, state->depth, part);
}


/*
 * XXX This assumes only single-octet identifiers.  To handle
 * the HIGH TAG form we would need to modify this interface and
 * teach it to properly encode the special form.
 */
static void
sec_asn1e_write_identifier_bytes (sec_asn1e_state *state, unsigned char value)
{
    char byte;

    byte = (char) value;
    sec_asn1e_write_part (state, &byte, 1, SEC_ASN1_Identifier);
}

int
SEC_ASN1EncodeLength(unsigned char *buf,unsigned long value) {
    int lenlen;

    lenlen = SEC_ASN1LengthLength (value);
    if (lenlen == 1) {
	buf[0] = value;
    } else {
	int i;

	i = lenlen - 1;
	buf[0] = 0x80 | i;
	while (i) {
	    buf[i--] = value;
	    value >>= 8;
	}
        PORT_Assert (value == 0);
    }
    return lenlen;
}

static void
sec_asn1e_write_length_bytes (sec_asn1e_state *state, unsigned long value,
			      PRBool indefinite)
{
    int lenlen;
    unsigned char buf[sizeof(unsigned long) + 1];

    if (indefinite) {
	PORT_Assert (value == 0);
	buf[0] = 0x80;
	lenlen = 1;
    } else {
	lenlen = SEC_ASN1EncodeLength(buf,value);
    }

    sec_asn1e_write_part (state, (char *) buf, lenlen, SEC_ASN1_Length);
}


static void
sec_asn1e_write_contents_bytes (sec_asn1e_state *state,
				const char *buf, unsigned long len)
{
    sec_asn1e_write_part (state, buf, len, SEC_ASN1_Contents);
}


static void
sec_asn1e_write_end_of_contents_bytes (sec_asn1e_state *state)
{
    const char eoc[2] = {0, 0};

    sec_asn1e_write_part (state, eoc, 2, SEC_ASN1_EndOfContents);
}

static int
sec_asn1e_which_choice
(
  void *src,
  const SecAsn1Template *theTemplate
)
{
  int rv;
  unsigned int which = *(unsigned int *)src;

  for( rv = 1, theTemplate++; theTemplate->kind != 0; rv++, theTemplate++ ) {
    if( which == theTemplate->size ) {
      return rv;
    }
  }

  return 0;
}

static unsigned long
sec_asn1e_contents_length (const SecAsn1Template *theTemplate, void *src,
			   PRBool ignoresubstream, PRBool *noheaderp)
{
    unsigned long encode_kind, underlying_kind;
    PRBool explicit, optional, universal, may_stream;
    unsigned long len;
	#ifdef	__APPLE__
	PRBool signedInt;
	#endif
	
    /*
     * This function currently calculates the length in all cases
     * except the following: when writing out the contents of a 
     * template that belongs to a state where it was a sub-template
     * with the SEC_ASN1_MAY_STREAM bit set and it's parent had the
     * optional bit set.  The information that the parent is optional
     * and that we should return the length of 0 when that length is 
     * present since that means the optional field is no longer present.
     * So we add the ignoresubstream flag which is passed in when
     * writing the contents, but for all recursive calls to 
     * sec_asn1e_contents_length, we pass PR_FALSE, because this
     * function correctly calculates the length for children templates
     * from that point on.  Confused yet?  At least you didn't have
     * to figure it out.  ;)  -javi
     */
    encode_kind = theTemplate->kind;

    universal = ((encode_kind & SEC_ASN1_CLASS_MASK) == SEC_ASN1_UNIVERSAL)
		? PR_TRUE : PR_FALSE;

    explicit = (encode_kind & SEC_ASN1_EXPLICIT) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_EXPLICIT;

    optional = (encode_kind & SEC_ASN1_OPTIONAL) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_OPTIONAL;

    PORT_Assert (!(explicit && universal));	/* bad templates */

    may_stream = (encode_kind & SEC_ASN1_MAY_STREAM) ? PR_TRUE : PR_FALSE;
    encode_kind &= ~SEC_ASN1_MAY_STREAM;

    /* Just clear this to get it out of the way; we do not need it here */
    encode_kind &= ~SEC_ASN1_DYNAMIC;
    encode_kind &= ~SEC_ASN1_NO_STREAM;

    if( encode_kind & SEC_ASN1_CHOICE ) {
      void *src2;
      int indx = sec_asn1e_which_choice(src, theTemplate);
      if( 0 == indx ) {
        /* XXX set an error? "choice not found" */
        /* state->top->status = encodeError; */
        return 0;
      }

      src2 = (void *)((char *)src - theTemplate->offset + theTemplate[indx].offset);

      return sec_asn1e_contents_length(&theTemplate[indx], src2, 
                                       PR_FALSE, noheaderp);
    }

    if ((encode_kind & (SEC_ASN1_POINTER | SEC_ASN1_INLINE)) || !universal) {

	/* XXX any bits we want to disallow (PORT_Assert against) here? */

	theTemplate = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE,
		NULL /* __APPLE__ */);

	if (encode_kind & SEC_ASN1_POINTER) {
	    /*
	     * XXX This used to PORT_Assert (encode_kind == SEC_ASN1_POINTER);
	     * but that was too restrictive.  This needs to be fixed,
	     * probably copying what the decoder now checks for, and
	     * adding a big comment here to explain what the checks mean.
	     * Alternatively, the check here could be omitted altogether
	     * just letting sec_asn1e_init_state_based_on_template
	     * do it, since that routine can do better error handling, too.
	     */
	    src = *(void **)src;
	    if (src == NULL) {
		if (optional)
		    *noheaderp = PR_TRUE;
		else 
		    *noheaderp = PR_FALSE;
		return 0;
	    }
	} else if (encode_kind & SEC_ASN1_INLINE) {
	    /* check that there are no extraneous bits */
	    PORT_Assert (encode_kind == SEC_ASN1_INLINE && !optional);
	}

	src = (char *)src + theTemplate->offset;

	if (explicit) {
	    len = sec_asn1e_contents_length (theTemplate, src, PR_FALSE,
                                             noheaderp);
	    if (len == 0 && optional) {
		*noheaderp = PR_TRUE;
	    } else if (*noheaderp) {
		/* Okay, *we* do not want to add in a header, but our caller still does. */
		*noheaderp = PR_FALSE;
	    } else {
		/* if the inner content exists, our length is
		 * len(identifier) + len(length) + len(innercontent)
		 * XXX we currently assume len(identifier) == 1;
		 * to support a high-tag-number this would need to be smarter.
		 */
		len += 1 + SEC_ASN1LengthLength (len);
	    }
	    return len;
	}

	underlying_kind = theTemplate->kind;
	underlying_kind &= ~SEC_ASN1_MAY_STREAM;
	/* XXX Should we recurse here? */
    } else {
	underlying_kind = encode_kind;
    }

	#ifdef	__APPLE__
	signedInt = (underlying_kind & SEC_ASN1_SIGNED_INT) ? 
		PR_TRUE : PR_FALSE;
	#endif
	
    /* This is only used in decoding; it plays no part in encoding.  */
    if (underlying_kind & SEC_ASN1_SAVE) {
	/* check that there are no extraneous bits */
	PORT_Assert (underlying_kind == SEC_ASN1_SAVE);
	*noheaderp = PR_TRUE;
	return 0;
    }

    /* Having any of these bits is not expected here...  */
    PORT_Assert ((underlying_kind & (SEC_ASN1_EXPLICIT | SEC_ASN1_OPTIONAL
				     | SEC_ASN1_INLINE | SEC_ASN1_POINTER
				     | SEC_ASN1_DYNAMIC | SEC_ASN1_MAY_STREAM
				     | SEC_ASN1_SAVE | SEC_ASN1_SKIP)) == 0);

    if( underlying_kind & SEC_ASN1_CHOICE ) {
      void *src2;
      int indx = sec_asn1e_which_choice(src, theTemplate);
      if( 0 == indx ) {
        /* XXX set an error? "choice not found" */
        /* state->top->status = encodeError; */
        return 0;
      }

      src2 = (void *)((char *)src - theTemplate->offset + theTemplate[indx].offset);
      len = sec_asn1e_contents_length(&theTemplate[indx], src2, PR_FALSE,
                                      noheaderp);
    } else

    switch (underlying_kind) {
      case SEC_ASN1_SEQUENCE_OF:
      case SEC_ASN1_SET_OF:
	{
	    const SecAsn1Template *tmpt;
	    void *sub_src;
	    unsigned long sub_len;
	    void **group;

	    len = 0;

	    group = *(void ***)src;
	    if (group == NULL)
		break;

	    tmpt = SEC_ASN1GetSubtemplate (theTemplate, src, PR_TRUE,
			NULL /* __APPLE__ */);

	    for (; *group != NULL; group++) {
			sub_src = (char *)(*group) + tmpt->offset;
			sub_len = sec_asn1e_contents_length (tmpt, sub_src, PR_FALSE,
														noheaderp);
			len += sub_len;
			/*
			* XXX The 1 below is the presumed length of the identifier;
			* to support a high-tag-number this would need to be smarter.
			*/
			if (!*noheaderp)
				len += 1 + SEC_ASN1LengthLength (sub_len);
	    }
	}
	break;

      case SEC_ASN1_SEQUENCE:
      case SEC_ASN1_SET:
	{
	    const SecAsn1Template *tmpt;
	    void *sub_src;
	    unsigned long sub_len;

	    len = 0;
	    for (tmpt = theTemplate + 1; tmpt->kind; tmpt++) {
		sub_src = (char *)src + tmpt->offset;
		sub_len = sec_asn1e_contents_length (tmpt, sub_src, PR_FALSE,
                                                     noheaderp);
		len += sub_len;
		/*
		 * XXX The 1 below is the presumed length of the identifier;
		 * to support a high-tag-number this would need to be smarter.
		 */
		if (!*noheaderp)
		    len += 1 + SEC_ASN1LengthLength (sub_len);
	    }
	}
	break;

      case SEC_ASN1_BIT_STRING:
	/* convert bit length to byte */
	len = (((SecAsn1Item *)src)->Length + 7) >> 3;
	/* bit string contents involve an extra octet */
	if (len)
	    len++;
	break;

      case SEC_ASN1_INTEGER:
	/* ASN.1 INTEGERs are signed.
	 * If the source is an unsigned integer, the encoder will need 
	 * to handle the conversion here.
	 */
	{
	    unsigned char *buf = ((SecAsn1Item *)src)->Data;
		#ifndef	__APPLE__
	    SecAsn1ItemType integerType = ((SecAsn1Item *)src)->type;
		#endif
	    len = ((SecAsn1Item *)src)->Length;
	    while (len > 0) {
		if (*buf != 0) {
			#ifdef	__APPLE__
		    if (*buf & 0x80 && !signedInt) {
			#else
		    if (*buf & 0x80 && integerType == siUnsignedInteger) {
            #endif	// __APPLE__
			len++; /* leading zero needed to make number signed */
		    }
		    break; /* reached beginning of number */
		}
		if (len == 1) {
		    break; /* the number 0 */
		}
		if (buf[1] & 0x80) {
		    break; /* leading zero already present */
		} 
		/* extraneous leading zero, keep going */
		buf++;
		len--;
	    }
	}
	break;

      default:
	len = ((SecAsn1Item *)src)->Length;
	if (may_stream && len == 0 && !ignoresubstream)
	    len = 1;	/* if we're streaming, we may have a secitem w/len 0 as placeholder */
	break;
    }

    if ((len == 0 && optional) || underlying_kind == SEC_ASN1_ANY)
	*noheaderp = PR_TRUE;
    else 
	*noheaderp = PR_FALSE;

    return len;
}


static void
sec_asn1e_write_header (sec_asn1e_state *state)
{
    unsigned long contents_length;
    unsigned char tag_number, tag_modifiers;
    PRBool noheader;

    PORT_Assert (state->place == beforeHeader);

    tag_number = state->tag_number;
    tag_modifiers = state->tag_modifiers;

    if (state->underlying_kind == SEC_ASN1_ANY) {
	state->place = duringContents;
	return;
    }

    if( state->underlying_kind & SEC_ASN1_CHOICE ) {
      int indx = sec_asn1e_which_choice(state->src, state->theTemplate);
      if( 0 == indx ) {
        /* XXX set an error? "choice not found" */
        state->top->status = encodeError;
        return;
      }

      state->place = afterChoice;
      state = sec_asn1e_push_state(state->top, &state->theTemplate[indx],
                                   (char *)state->src - state->theTemplate->offset, 
                                   PR_TRUE);

      if( (sec_asn1e_state *)NULL != state ) {
        /*
         * Do the "before" field notification.
         */
        sec_asn1e_notify_before (state->top, state->src, state->depth);
        state = sec_asn1e_init_state_based_on_template (state);
      }
      
      return;
    }

    /*
     * We are doing a definite-length encoding.  First we have to
     * walk the data structure to calculate the entire contents length.
     */
    contents_length = sec_asn1e_contents_length (state->theTemplate,
						 state->src, 
                                                 state->ignore_stream,
                                                 &noheader);
    /*
     * We might be told explicitly not to put out a header.
     * But it can also be the case, via a pushed subtemplate, that
     * sec_asn1e_contents_length could not know that this field is
     * really optional.  So check for that explicitly, too.
     */
    if (noheader || (contents_length == 0 && state->optional)) {
	state->place = afterContents;
	if (state->top->streaming && state->may_stream && state->top->from_buf)
	    /* we did not find an optional indefinite string, so we don't encode it.
	     * However, if TakeFromBuf is on, we stop here anyway to give our caller
	     * a chance to intercept at the same point where we would stop if the
	     * field were present. */
	    state->top->status = needBytes;
	return;
    }

    if (state->top->streaming && state->may_stream
			      && (state->top->from_buf || !state->is_string)) {
	/*
	 * We need to put out an indefinite-length encoding.
	 */
	state->indefinite = PR_TRUE;
	/*
	 * The only universal types that can be constructed are SETs,
	 * SEQUENCEs, and strings; so check that it is one of those,
	 * or that it is not universal (e.g. context-specific).
	 */
	PORT_Assert ((tag_number == SEC_ASN1_SET)
		     || (tag_number == SEC_ASN1_SEQUENCE)
		     || ((tag_modifiers & SEC_ASN1_CLASS_MASK) != 0)
		     || state->is_string);
	tag_modifiers |= SEC_ASN1_CONSTRUCTED;
	contents_length = 0;
    }

    sec_asn1e_write_identifier_bytes (state, (unsigned char)(tag_number | tag_modifiers));
    sec_asn1e_write_length_bytes (state, contents_length, state->indefinite);

    if (contents_length == 0 && !state->indefinite) {
	/*
	 * If no real contents to encode, then we are done with this field.
	 */
	state->place = afterContents;
	return;
    }

    /*
     * An EXPLICIT is nothing but an outer header, which we have already
     * written.  Now we need to do the inner header and contents.
     */
    if (state->explicit) {
	state->place = afterContents;
	state = sec_asn1e_push_state (state->top,
				      SEC_ASN1GetSubtemplate(state->theTemplate,
							     state->src,
							     PR_TRUE,
								 NULL /* __APPLE__ */),
				      state->src, PR_TRUE);
	if (state != NULL)
	    state = sec_asn1e_init_state_based_on_template (state);
	return;
    }

    switch (state->underlying_kind) {
      case SEC_ASN1_SET_OF:
      case SEC_ASN1_SEQUENCE_OF:
	/*
	 * We need to push a child to handle each member.
	 */
	{
	    void **group;
	    const SecAsn1Template *subt;

	    group = *(void ***)state->src;
	    if (group == NULL || *group == NULL) {
		/*
		 * Group is empty; we are done.
		 */
		state->place = afterContents;
		return;
	    }
	    state->place = duringGroup;
	    subt = SEC_ASN1GetSubtemplate (state->theTemplate, state->src,
					   PR_TRUE, NULL /* __APPLE__ */);
	    state = sec_asn1e_push_state (state->top, subt, *group, PR_TRUE);
	    if (state != NULL)
		state = sec_asn1e_init_state_based_on_template (state);
	}
	break;

      case SEC_ASN1_SEQUENCE:
      case SEC_ASN1_SET:
	/*
	 * We need to push a child to handle the individual fields.
	 */
	state->place = duringSequence;
	state = sec_asn1e_push_state (state->top, state->theTemplate + 1,
				      state->src, PR_TRUE);
	if (state != NULL) {
	    /*
	     * Do the "before" field notification.
	     */
	    sec_asn1e_notify_before (state->top, state->src, state->depth);
	    state = sec_asn1e_init_state_based_on_template (state);
	}
	break;

      default:
	/*
	 * I think we do not need to do anything else.
	 * XXX Correct?
	 */
	state->place = duringContents;
	break;
    }
}


static void
sec_asn1e_write_contents (sec_asn1e_state *state,
			  const char *buf, unsigned long len)
{
    PORT_Assert (state->place == duringContents);

    if (state->top->from_buf) {
	/*
	 * Probably they just turned on "take from buf", but have not
	 * yet given us any bytes.  If there is nothing in the buffer
	 * then we have nothing to do but return and wait.
	 */
	if (buf == NULL || len == 0) {
	    state->top->status = needBytes;
	    return;
	}
	/*
	 * We are streaming, reading from a passed-in buffer.
	 * This means we are encoding a simple string or an ANY.
	 * For the former, we need to put out a substring, with its
	 * own identifier and length.  For an ANY, we just write it
	 * out as is (our caller is required to ensure that it
	 * is a properly encoded entity).
	 */
	PORT_Assert (state->is_string);		/* includes ANY */
	if (state->underlying_kind != SEC_ASN1_ANY) {
	    unsigned char identifier;

	    /*
	     * Create the identifier based on underlying_kind.  We cannot
	     * use tag_number and tag_modifiers because this can be an
	     * implicitly encoded field.  In that case, the underlying
	     * substrings *are* encoded with their real tag.
	     */
	    identifier = (unsigned char)state->underlying_kind & SEC_ASN1_TAG_MASK;
	    /*
	     * The underlying kind should just be a simple string; there
	     * should be no bits like CONTEXT_SPECIFIC or CONSTRUCTED set.
	     */
	    PORT_Assert ((identifier & SEC_ASN1_TAGNUM_MASK) == identifier);
	    /*
	     * Write out the tag and length for the substring.
	     */
	    sec_asn1e_write_identifier_bytes (state, identifier);
	    if (state->underlying_kind == SEC_ASN1_BIT_STRING) {
		char byte;
		/*
		 * Assume we have a length in bytes but we need to output
		 * a proper bit string.  This interface only works for bit
		 * strings that are full multiples of 8.  If support for
		 * real, variable length bit strings is needed then the
		 * caller will have to know to pass in a bit length instead
		 * of a byte length and then this code will have to
		 * perform the encoding necessary (length written is length
		 * in bytes plus 1, and the first octet of string is the
		 * number of bits remaining between the end of the bit
		 * string and the next byte boundary).
		 */
		sec_asn1e_write_length_bytes (state, len + 1, PR_FALSE);
		byte = 0;
		sec_asn1e_write_contents_bytes (state, &byte, 1);
	    } else {
		sec_asn1e_write_length_bytes (state, len, PR_FALSE);
	    }
	}
	sec_asn1e_write_contents_bytes (state, buf, len);
	state->top->status = needBytes;
    } else {
	switch (state->underlying_kind) {
	  case SEC_ASN1_SET:
	  case SEC_ASN1_SEQUENCE:
	    PORT_Assert (0);
	    break;

	  case SEC_ASN1_BIT_STRING:
	    {
		SecAsn1Item *item;
		char rem;

		item = (SecAsn1Item *)state->src;
		len = (item->Length + 7) >> 3;
		rem = (unsigned char)((len << 3) - item->Length);	/* remaining bits */
		sec_asn1e_write_contents_bytes (state, &rem, 1);
		sec_asn1e_write_contents_bytes (state, (char *) item->Data,
						len);
	    }
	    break;

	  case SEC_ASN1_BMP_STRING:
	    /* The number of bytes must be divisable by 2 */
	    if ((((SecAsn1Item *)state->src)->Length) % 2) {
		SEC_ASN1EncoderContext *cx;

		cx = state->top;
		cx->status = encodeError;
		break;
	    }
	    /* otherwise, fall through to write the content */
	    goto process_string;

	  case SEC_ASN1_UNIVERSAL_STRING:
	    /* The number of bytes must be divisable by 4 */
	    if ((((SecAsn1Item *)state->src)->Length) % 4) {
		SEC_ASN1EncoderContext *cx;

		cx = state->top;
		cx->status = encodeError;
		break;
	    }
	    /* otherwise, fall through to write the content */
	    goto process_string;

	  case SEC_ASN1_INTEGER:
	   /* ASN.1 INTEGERs are signed.  If the source is an unsigned
	    * integer, the encoder will need to handle the conversion here.
	    */
	    {
		size_t blen;
		unsigned char *intbuf;
		#ifdef	__APPLE__
		PRBool signedInt = state->signedInt;
		#else
		SECItemType integerType = ((SecAsn1Item *)state->src)->type;
		#endif 
		blen = ((SecAsn1Item *)state->src)->Length;
		intbuf = ((SecAsn1Item *)state->src)->Data;
		while (blen > 0) {
			#ifdef	__APPLE__
		    if (*intbuf & 0x80 && !signedInt) {
			#else
		    if (*intbuf & 0x80 && integerType == siUnsignedInteger) {
			#endif
				char zero = 0; /* write a leading 0 */
				sec_asn1e_write_contents_bytes(state, &zero, 1);
				/* and then the remaining buffer */
				sec_asn1e_write_contents_bytes(state, 
											(char *)intbuf, blen); 
				break;
		    } 
		    /* Check three possibilities:
		     * 1.  No leading zeros, msb of MSB is not 1;
		     * 2.  The number is zero itself;
		     * 3.  Encoding a signed integer with a leading zero,
		     *     keep the zero so that the number is positive.
		     */
		    if (*intbuf != 0 || 
		         blen == 1 || 
				 #ifdef	__APPLE__
		         (intbuf[1] & 0x80 && signedInt) ) 
				 #else
		         (intbuf[1] & 0x80 && integerType != siUnsignedInteger) ) 
				 #endif
		    {
				sec_asn1e_write_contents_bytes(state, 
											(char *)intbuf, blen); 
				break;
		    }
		    /* byte is 0, continue */
		    intbuf++;
		    blen--;
		}
	    }
	    /* done with this content */
	    break;
			
process_string:			
	  default:
	    {
		SecAsn1Item *item;

		item = (SecAsn1Item *)state->src;
		sec_asn1e_write_contents_bytes (state, (char *) item->Data,
						item->Length);
	    }
	    break;
	}
	state->place = afterContents;
    }
}


/*
 * We are doing a SET OF or SEQUENCE OF, and have just finished an item.
 */
static void
sec_asn1e_next_in_group (sec_asn1e_state *state)
{
    sec_asn1e_state *child;
    void **group;
    void *member;

    PORT_Assert (state->place == duringGroup);
    PORT_Assert (state->child != NULL);

    child = state->child;

    group = *(void ***)state->src;

    /*
     * Find placement of current item.
     */
    member = (char *)(state->child->src) - child->theTemplate->offset;
    while (*group != member)
	group++;

    /*
     * Move forward to next item.
     */
    group++;
    if (*group == NULL) {
	/*
	 * That was our last one; we are done now.
	 */
	child->place = notInUse;
	state->place = afterContents;
	return;
    }
    child->src = (char *)(*group) + child->theTemplate->offset;

    /*
     * Re-"push" child.
     */
    sec_asn1e_scrub_state (child);
    state->top->current = child;
}


/*
 * We are moving along through a sequence; move forward by one,
 * (detecting end-of-sequence when it happens).
 */
static void
sec_asn1e_next_in_sequence (sec_asn1e_state *state)
{
    sec_asn1e_state *child;

    PORT_Assert (state->place == duringSequence);
    PORT_Assert (state->child != NULL);

    child = state->child;

    /*
     * Do the "after" field notification.
     */
    sec_asn1e_notify_after (state->top, child->src, child->depth);

    /*
     * Move forward.
     */
    child->theTemplate++;
    if (child->theTemplate->kind == 0) {
	/*
	 * We are done with this sequence.
	 */
	child->place = notInUse;
	state->place = afterContents;
	return;
    }

    /*
     * Reset state and push.
     */

    child->src = (char *)state->src + child->theTemplate->offset;

    /*
     * Do the "before" field notification.
     */
    sec_asn1e_notify_before (state->top, child->src, child->depth);

    state->top->current = child;
    (void) sec_asn1e_init_state_based_on_template (child);
}


static void
sec_asn1e_after_contents (sec_asn1e_state *state)
{
    PORT_Assert (state->place == afterContents);

    if (state->indefinite)
	sec_asn1e_write_end_of_contents_bytes (state);

    /*
     * Just make my parent be the current state.  It will then clean
     * up after me and free me (or reuse me).
     */
    state->top->current = state->parent;
}


/*
 * This function is called whether or not we are streaming; if we
 * *are* streaming, our caller can also instruct us to take bytes
 * from the passed-in buffer (at buf, for length len, which is likely
 * bytes but could even mean bits if the current field is a bit string).
 * If we have been so instructed, we will gobble up bytes from there
 * (rather than from our src structure) and output them, and then
 * we will just return, expecting to be called again -- either with
 * more bytes or after our caller has instructed us that we are done
 * (for now) with the buffer.
 */
SECStatus
SEC_ASN1EncoderUpdate (SEC_ASN1EncoderContext *cx,
		       const char *buf, unsigned long len)
{
    sec_asn1e_state *state;

    if (cx->status == needBytes) {
	PORT_Assert (buf != NULL && len != 0);
	cx->status = keepGoing;
    }

    while (cx->status == keepGoing) {
	state = cx->current;
	switch (state->place) {
	  case beforeHeader:
	    sec_asn1e_write_header (state);
	    break;
	  case duringContents:
	    sec_asn1e_write_contents (state, buf, len);
	    break;
	  case duringGroup:
	    sec_asn1e_next_in_group (state);
	    break;
	  case duringSequence:
	    sec_asn1e_next_in_sequence (state);
	    break;
	  case afterContents:
	    sec_asn1e_after_contents (state);
	    break;
	  case afterImplicit:
	  case afterInline:
	  case afterPointer:
	  case afterChoice:
	    /*
	     * These states are more documentation than anything.
	     * They just need to force a pop.
	     */
	    PORT_Assert (!state->indefinite);
	    state->place = afterContents;
	    break;
	  case notInUse:
	  default:
	    /* This is not an error, but rather a plain old BUG! */
	    PORT_Assert (0);
	    cx->status = encodeError;
	    break;
	}

	if (cx->status == encodeError)
	    break;

	/* It might have changed, so we have to update our local copy.  */
	state = cx->current;

	/* If it is NULL, we have popped all the way to the top.  */
	if (state == NULL) {
	    cx->status = allDone;
	    break;
	}
    }

    if (cx->status == encodeError) {
	return SECFailure;
    }

    return SECSuccess;
}


void
SEC_ASN1EncoderFinish (SEC_ASN1EncoderContext *cx)
{
    /*
     * XXX anything else that needs to be finished?
     */

    PORT_FreeArena (cx->our_pool, PR_FALSE);
}


SEC_ASN1EncoderContext *
SEC_ASN1EncoderStart (const void *src, const SecAsn1Template *theTemplate,
		      SEC_ASN1WriteProc output_proc, void *output_arg)
{
    PRArenaPool *our_pool;
    SEC_ASN1EncoderContext *cx;

    our_pool = PORT_NewArena (SEC_ASN1_DEFAULT_ARENA_SIZE);
    if (our_pool == NULL)
	return NULL;

    cx = (SEC_ASN1EncoderContext*)PORT_ArenaZAlloc (our_pool, sizeof(*cx));
    if (cx == NULL) {
	PORT_FreeArena (our_pool, PR_FALSE);
	return NULL;
    }

    cx->our_pool = our_pool;
    cx->output_proc = output_proc;
    cx->output_arg = output_arg;

    cx->status = keepGoing;

    if (sec_asn1e_push_state(cx, theTemplate, src, PR_FALSE) == NULL
	|| sec_asn1e_init_state_based_on_template (cx->current) == NULL) {
	/*
	 * Trouble initializing (probably due to failed allocations)
	 * requires that we just give up.
	 */
	PORT_FreeArena (our_pool, PR_FALSE);
	return NULL;
    }

    return cx;
}


/*
 * XXX Do we need a FilterProc, too?
 */


void
SEC_ASN1EncoderSetNotifyProc (SEC_ASN1EncoderContext *cx,
			      SEC_ASN1NotifyProc fn, void *arg)
{
    cx->notify_proc = fn;
    cx->notify_arg = arg;
}


void
SEC_ASN1EncoderClearNotifyProc (SEC_ASN1EncoderContext *cx)
{
    cx->notify_proc = NULL;
    cx->notify_arg = NULL;	/* not necessary; just being clean */
}


void
SEC_ASN1EncoderAbort(SEC_ASN1EncoderContext *cx, int error)
{
    PORT_Assert(cx);
    PORT_SetError(error);
    cx->status = encodeError;
}


void
SEC_ASN1EncoderSetStreaming (SEC_ASN1EncoderContext *cx)
{
    /* XXX is there a way to check that we are "between" fields here? */

    cx->streaming = PR_TRUE;
}


void
SEC_ASN1EncoderClearStreaming (SEC_ASN1EncoderContext *cx)
{
    /* XXX is there a way to check that we are "between" fields here? */

    cx->streaming = PR_FALSE;
}


void
SEC_ASN1EncoderSetTakeFromBuf (SEC_ASN1EncoderContext *cx)
{
    /* 
     * XXX is there a way to check that we are "between" fields here?  this
     * needs to include a check for being in between groups of items in
     * a SET_OF or SEQUENCE_OF.
     */
    PORT_Assert (cx->streaming);

    cx->from_buf = PR_TRUE;
}


void
SEC_ASN1EncoderClearTakeFromBuf (SEC_ASN1EncoderContext *cx)
{
    /* we should actually be taking from buf *now* */
    PORT_Assert (cx->from_buf);
    if (! cx->from_buf)		/* if not, just do nothing */
	return;

    cx->from_buf = PR_FALSE;

    if (cx->status == needBytes) {
	cx->status = keepGoing;
	cx->current->place = afterContents;
    }
}


SECStatus
SEC_ASN1Encode (const void *src, const SecAsn1Template *theTemplate,
		SEC_ASN1WriteProc output_proc, void *output_arg)
{
    SEC_ASN1EncoderContext *ecx;
    SECStatus rv;

    ecx = SEC_ASN1EncoderStart (src, theTemplate, output_proc, output_arg);
    if (ecx == NULL)
	return SECFailure;

    rv = SEC_ASN1EncoderUpdate (ecx, NULL, 0);

    SEC_ASN1EncoderFinish (ecx);
    return rv;
}


/*
 * XXX depth and data_kind are unused; is there a PC way to silence warnings?
 * (I mean "politically correct", not anything to do with intel/win platform) 
 */
void
sec_asn1e_encode_item_count (void *arg, const char *buf, size_t len,
			     int depth, SEC_ASN1EncodingPart data_kind)
{
    size_t *count;

    count = (unsigned long*)arg;
    PORT_Assert (count != NULL);

    *count += len;
}


/* XXX depth and data_kind are unused; is there a PC way to silence warnings? */
void
sec_asn1e_encode_item_store (void *arg, const char *buf, size_t len,
			     int depth, SEC_ASN1EncodingPart data_kind)
{
    SecAsn1Item *dest;

    dest = (SecAsn1Item*)arg;
    PORT_Assert (dest != NULL);

    PORT_Memcpy (dest->Data + dest->Length, buf, len);
    dest->Length += len;
}


/*
 * Allocate an entire SecAsn1Item, or just the data part of it, to hold
 * "len" bytes of stuff.  Allocate from the given pool, if specified,
 * otherwise just do a vanilla PORT_Alloc.
 *
 * XXX This seems like a reasonable general-purpose function (for SECITEM_)?
 */
SecAsn1Item *
sec_asn1e_allocate_item (PRArenaPool *poolp, SecAsn1Item *dest, unsigned long len)
{
    if (poolp != NULL) {
	void *release;

	release = PORT_ArenaMark (poolp);
	if (dest == NULL)
	    dest = (SecAsn1Item*)PORT_ArenaAlloc (poolp, sizeof(SecAsn1Item));
	if (dest != NULL) {
	    dest->Data = (unsigned char*)PORT_ArenaAlloc (poolp, len);
	    if (dest->Data == NULL) {
		dest = NULL;
	    }
	}
	if (dest == NULL) {
	    /* one or both allocations failed; release everything */
	    PORT_ArenaRelease (poolp, release);
	} else {
	    /* everything okay; unmark the arena */
	    PORT_ArenaUnmark (poolp, release);
	}
    } else {
	SecAsn1Item *indest;

	indest = dest;
	if (dest == NULL)
	    dest = (SecAsn1Item*)PORT_Alloc (sizeof(SecAsn1Item));
	if (dest != NULL) {
		#ifndef	__APPLE__
	    dest->type = siBuffer;
		#endif
	    dest->Data = (unsigned char*)PORT_Alloc (len);
	    if (dest->Data == NULL) {
		if (indest == NULL)
		    PORT_Free (dest);
		dest = NULL;
	    }
	}
    }

    return dest;
}


SecAsn1Item *
SEC_ASN1EncodeItem (PRArenaPool *poolp, SecAsn1Item *dest, const void *src,
		    const SecAsn1Template *theTemplate)
{
    unsigned long encoding_length;
    SECStatus rv;

    PORT_Assert (dest == NULL || dest->Data == NULL);

    encoding_length = 0;
    rv = SEC_ASN1Encode (src, theTemplate,
			 sec_asn1e_encode_item_count, &encoding_length);
    if (rv != SECSuccess)
	return NULL;

    dest = sec_asn1e_allocate_item (poolp, dest, encoding_length);
    if (dest == NULL)
	return NULL;

    /* XXX necessary?  This really just checks for a bug in the allocate fn */
    PORT_Assert (dest->Data != NULL);
    if (dest->Data == NULL)
	return NULL;

    dest->Length = 0;
    (void) SEC_ASN1Encode (src, theTemplate, sec_asn1e_encode_item_store, dest);

    PORT_Assert (encoding_length == dest->Length);
    return dest;
}


static SecAsn1Item *
sec_asn1e_integer(PRArenaPool *poolp, SecAsn1Item *dest, unsigned long value,
		  PRBool make_unsigned)
{
    unsigned long copy;
    unsigned char sign;
    int len = 0;

    /*
     * Determine the length of the encoded value (minimum of 1).
     */
    copy = value;
    do {
	len++;
	sign = (unsigned char)(copy & 0x80);
	copy >>= 8;
    } while (copy);

    /*
     * If this is an unsigned encoding, and the high bit of the last
     * byte we counted was set, we need to add one to the length so
     * we put a high-order zero byte in the encoding.
     */
    if (sign && make_unsigned)
	len++;

    /*
     * Allocate the item (if necessary) and the data pointer within.
     */
    dest = sec_asn1e_allocate_item (poolp, dest, len);
    if (dest == NULL)
	return NULL;

    /*
     * Store the value, byte by byte, in the item.
     */
    dest->Length = len;
    while (len) {
	dest->Data[--len] = (unsigned char)value;
	value >>= 8;
    }
    PORT_Assert (value == 0);

    return dest;
}


SecAsn1Item *
SEC_ASN1EncodeInteger(PRArenaPool *poolp, SecAsn1Item *dest, long value)
{
    return sec_asn1e_integer (poolp, dest, (unsigned long) value, PR_FALSE);
}


extern SecAsn1Item *
SEC_ASN1EncodeUnsignedInteger(PRArenaPool *poolp,
			      SecAsn1Item *dest, unsigned long value)
{
    return sec_asn1e_integer (poolp, dest, value, PR_TRUE);
}