Difference between revisions of "DER"

From OpenSSLWiki
Jump to navigationJump to search
m (Typo and grammatical fixes)
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
DER is a binary format for data structures described by ASN.1.
 
DER is a binary format for data structures described by ASN.1.
  
by example x509 is described in ASN1 and encoded in DER. It exists other encoding formats for ASN.1 but DER is the one choose for security since ther is only one possible encoding given a ASN.1. encoding ( what is not the case for BER used in ldap by example ).
+
For example, x509 is described in ASN1 and encoded in DER. It exists other encoding formats for ASN.1 but DER is the one chosen for security since there is only one possible encoding given a ASN.1. encoding (which is not the case for BER used in ldap, for example).
  
  
== command ==
+
== Command ==
  
openssl ''asn1parse'' is the command to display internal structure of a DER document.
+
openssl ''asn1parse'' is the command to display the internal structure of a DER document.
  
 
[[Category:Shell level]]
 
[[Category:Shell level]]
  
== sample ==
+
== Sample ==
 +
 
 +
When using i2d_X509_fp(FILE * outcert, X509 * x509_cert) file result is the raw DER-encoded value of the X509 Certificate.
 +
 
 +
C code to dump a X509 into DER format:
 +
<pre>
 +
void dump_x509_cert(X509* x509_cert)
 +
{
 +
  const char * dumpcertfile = "dumpcertfile";
 +
  if (x509_cert != NULL)
 +
    {
 +
      FILE * outcert = fopen(dumpcertfile,"w");
 +
      if ( outcert )
 +
{
 +
  i2d_X509_fp(outcert, x509_cert);
 +
  fclose(outcert);
 +
}
 +
      else
 +
{
 +
  fprintf(stderr,"[ERROR] Can't create %s file\n", dumpcerfile);
 +
}
 +
    }
 +
}
 +
</pre>
 +
 
 +
To view the content:
 +
 
 +
openssl asn1parse -in dumpcertfile -inform DER
 +
 
 +
<pre>
 +
    0:d=0  hl=4 l= 981 cons: SEQUENCE         
 +
    4:d=1  hl=4 l= 701 cons: SEQUENCE         
 +
    8:d=2  hl=2 l=  3 cons: cont [ 0 ]       
 +
  10:d=3  hl=2 l=  1 prim: INTEGER          :02
 +
  13:d=2  hl=2 l=  4 prim: INTEGER          :5631333F
 +
  19:d=2  hl=2 l=  13 cons: SEQUENCE         
 +
  21:d=3  hl=2 l=  9 prim: OBJECT            :sha1WithRSAEncryption
 +
  32:d=3  hl=2 l=  0 prim: NULL             
 +
  34:d=2  hl=2 l= 127 cons: SEQUENCE         
 +
  36:d=3  hl=2 l=  11 cons: SET             
 +
  38:d=4  hl=2 l=  9 cons: SEQUENCE         
 +
  40:d=5  hl=2 l=  3 prim: OBJECT            :countryName
 +
  45:d=5  hl=2 l=  2 prim: PRINTABLESTRING  :FR
 +
  49:d=3  hl=2 l=  28 cons: SET             
 +
  51:d=4  hl=2 l=  26 cons: SEQUENCE         
 +
  53:d=5  hl=2 l=  3 prim: OBJECT            :commonName
 +
  58:d=5  hl=2 l=  19 prim: PRINTABLESTRING  :pavilionartlogiciel
 +
  79:d=3  hl=2 l=  28 cons: SET             
 +
  81:d=4  hl=2 l=  26 cons: SEQUENCE         
 +
  83:d=5  hl=2 l=  3 prim: OBJECT            :organizationName
 +
  88:d=5  hl=2 l=  19 prim: PRINTABLESTRING  :pavilionartlogiciel
 +
  109:d=3  hl=2 l=  16 cons: SET             
 +
  111:d=4  hl=2 l=  14 cons: SEQUENCE         
 +
  113:d=5  hl=2 l=  3 prim: OBJECT            :organizationalUnitName
 +
  118:d=5  hl=2 l=  7 prim: PRINTABLESTRING  :Unknown
 +
  127:d=3  hl=2 l=  16 cons: SET             
 +
  129:d=4  hl=2 l=  14 cons: SEQUENCE         
 +
  131:d=5  hl=2 l=  3 prim: OBJECT            :stateOrProvinceName
 +
  136:d=5  hl=2 l=  7 prim: PRINTABLESTRING  :Unknown
 +
  145:d=3  hl=2 l=  16 cons: SET             
 +
  147:d=4  hl=2 l=  14 cons: SEQUENCE         
 +
  149:d=5  hl=2 l=  3 prim: OBJECT            :localityName
 +
  154:d=5  hl=2 l=  7 prim: PRINTABLESTRING  :Unknown
 +
  163:d=2  hl=2 l=  34 cons: SEQUENCE         
 +
  165:d=3  hl=2 l=  15 prim: GENERALIZEDTIME  :20151028204239Z
 +
  182:d=3  hl=2 l=  15 prim: GENERALIZEDTIME  :20251025204239Z
 +
  199:d=2  hl=2 l= 127 cons: SEQUENCE         
 +
  201:d=3  hl=2 l=  11 cons: SET             
 +
  203:d=4  hl=2 l=  9 cons: SEQUENCE         
 +
  205:d=5  hl=2 l=  3 prim: OBJECT            :countryName
 +
  210:d=5  hl=2 l=  2 prim: PRINTABLESTRING  :FR
 +
  214:d=3  hl=2 l=  28 cons: SET             
 +
  216:d=4  hl=2 l=  26 cons: SEQUENCE         
 +
  218:d=5  hl=2 l=  3 prim: OBJECT            :commonName
 +
  223:d=5  hl=2 l=  19 prim: PRINTABLESTRING  :pavilionartlogiciel
 +
  244:d=3  hl=2 l=  28 cons: SET             
 +
  246:d=4  hl=2 l=  26 cons: SEQUENCE         
 +
  248:d=5  hl=2 l=  3 prim: OBJECT            :organizationName
 +
  253:d=5  hl=2 l=  19 prim: PRINTABLESTRING  :pavilionartlogiciel
 +
  274:d=3  hl=2 l=  16 cons: SET             
 +
  276:d=4  hl=2 l=  14 cons: SEQUENCE         
 +
  278:d=5  hl=2 l=  3 prim: OBJECT            :organizationalUnitName
 +
  283:d=5  hl=2 l=  7 prim: PRINTABLESTRING  :Unknown
 +
  292:d=3  hl=2 l=  16 cons: SET             
 +
  294:d=4  hl=2 l=  14 cons: SEQUENCE         
 +
  296:d=5  hl=2 l=  3 prim: OBJECT            :stateOrProvinceName
 +
  301:d=5  hl=2 l=  7 prim: PRINTABLESTRING  :Unknown
 +
  310:d=3  hl=2 l=  16 cons: SET             
 +
  312:d=4  hl=2 l=  14 cons: SEQUENCE         
 +
  314:d=5  hl=2 l=  3 prim: OBJECT            :localityName
 +
  319:d=5  hl=2 l=  7 prim: PRINTABLESTRING  :Unknown
 +
  328:d=2  hl=4 l= 290 cons: SEQUENCE         
 +
  332:d=3  hl=2 l=  13 cons: SEQUENCE         
 +
  334:d=4  hl=2 l=  9 prim: OBJECT            :rsaEncryption
 +
  345:d=4  hl=2 l=  0 prim: NULL             
 +
  347:d=3  hl=4 l= 271 prim: BIT STRING       
 +
  622:d=2  hl=2 l=  85 cons: cont [ 3 ]       
 +
  624:d=3  hl=2 l=  83 cons: SEQUENCE         
 +
  626:d=4  hl=2 l=  12 cons: SEQUENCE         
 +
  628:d=5  hl=2 l=  3 prim: OBJECT            :X509v3 Basic Constraints
 +
  633:d=5  hl=2 l=  1 prim: BOOLEAN          :255
 +
  636:d=5  hl=2 l=  2 prim: OCTET STRING      [HEX DUMP]:3000
 +
  640:d=4  hl=2 l=  19 cons: SEQUENCE         
 +
  642:d=5  hl=2 l=  3 prim: OBJECT            :X509v3 Extended Key Usage
 +
  647:d=5  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070301
 +
  661:d=4  hl=2 l=  15 cons: SEQUENCE         
 +
  663:d=5  hl=2 l=  3 prim: OBJECT            :X509v3 Key Usage
 +
  668:d=5  hl=2 l=  1 prim: BOOLEAN          :255
 +
  671:d=5  hl=2 l=  5 prim: OCTET STRING      [HEX DUMP]:0303072000
 +
  678:d=4  hl=2 l=  29 cons: SEQUENCE         
 +
  680:d=5  hl=2 l=  3 prim: OBJECT            :X509v3 Subject Key Identifier
 +
  685:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414304610060805E69AE14F84CC366012C0EB9E3D99
 +
  709:d=1  hl=2 l=  13 cons: SEQUENCE         
 +
  711:d=2  hl=2 l=  9 prim: OBJECT            :sha1WithRSAEncryption
 +
  722:d=2  hl=2 l=  0 prim: NULL             
 +
  724:d=1  hl=4 l= 257 prim: BIT STRING 
 +
</pre>
 +
 
 +
Since it is an X509 certificate the best way to view content is:
 +
 
 +
openssl x509 -in dumpcertfile -inform DER -text
  
TODO
 
  
 
[[Category:Encoding]]
 
[[Category:Encoding]]

Latest revision as of 23:23, 14 January 2022

DER is a binary format for data structures described by ASN.1.

For example, x509 is described in ASN1 and encoded in DER. It exists other encoding formats for ASN.1 but DER is the one chosen for security since there is only one possible encoding given a ASN.1. encoding (which is not the case for BER used in ldap, for example).


Command[edit]

openssl asn1parse is the command to display the internal structure of a DER document.

Sample[edit]

When using i2d_X509_fp(FILE * outcert, X509 * x509_cert) file result is the raw DER-encoded value of the X509 Certificate.

C code to dump a X509 into DER format:

void dump_x509_cert(X509* x509_cert)
{
  const char * dumpcertfile = "dumpcertfile";
  if (x509_cert != NULL)
    {
      FILE * outcert = fopen(dumpcertfile,"w");
      if ( outcert )
	{
	  i2d_X509_fp(outcert, x509_cert);
	  fclose(outcert);
	}
      else
	{
	  fprintf(stderr,"[ERROR] Can't create %s file\n", dumpcerfile);
	}
    }
}

To view the content:

openssl asn1parse -in dumpcertfile -inform DER

    0:d=0  hl=4 l= 981 cons: SEQUENCE          
    4:d=1  hl=4 l= 701 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   4 prim: INTEGER           :5631333F
   19:d=2  hl=2 l=  13 cons: SEQUENCE          
   21:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   32:d=3  hl=2 l=   0 prim: NULL              
   34:d=2  hl=2 l= 127 cons: SEQUENCE          
   36:d=3  hl=2 l=  11 cons: SET               
   38:d=4  hl=2 l=   9 cons: SEQUENCE          
   40:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   45:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :FR
   49:d=3  hl=2 l=  28 cons: SET               
   51:d=4  hl=2 l=  26 cons: SEQUENCE          
   53:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   58:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :pavilionartlogiciel
   79:d=3  hl=2 l=  28 cons: SET               
   81:d=4  hl=2 l=  26 cons: SEQUENCE          
   83:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   88:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :pavilionartlogiciel
  109:d=3  hl=2 l=  16 cons: SET               
  111:d=4  hl=2 l=  14 cons: SEQUENCE          
  113:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  118:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Unknown
  127:d=3  hl=2 l=  16 cons: SET               
  129:d=4  hl=2 l=  14 cons: SEQUENCE          
  131:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  136:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Unknown
  145:d=3  hl=2 l=  16 cons: SET               
  147:d=4  hl=2 l=  14 cons: SEQUENCE          
  149:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  154:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Unknown
  163:d=2  hl=2 l=  34 cons: SEQUENCE          
  165:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20151028204239Z
  182:d=3  hl=2 l=  15 prim: GENERALIZEDTIME   :20251025204239Z
  199:d=2  hl=2 l= 127 cons: SEQUENCE          
  201:d=3  hl=2 l=  11 cons: SET               
  203:d=4  hl=2 l=   9 cons: SEQUENCE          
  205:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  210:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :FR
  214:d=3  hl=2 l=  28 cons: SET               
  216:d=4  hl=2 l=  26 cons: SEQUENCE          
  218:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  223:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :pavilionartlogiciel
  244:d=3  hl=2 l=  28 cons: SET               
  246:d=4  hl=2 l=  26 cons: SEQUENCE          
  248:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  253:d=5  hl=2 l=  19 prim: PRINTABLESTRING   :pavilionartlogiciel
  274:d=3  hl=2 l=  16 cons: SET               
  276:d=4  hl=2 l=  14 cons: SEQUENCE          
  278:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  283:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Unknown
  292:d=3  hl=2 l=  16 cons: SET               
  294:d=4  hl=2 l=  14 cons: SEQUENCE          
  296:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  301:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Unknown
  310:d=3  hl=2 l=  16 cons: SET               
  312:d=4  hl=2 l=  14 cons: SEQUENCE          
  314:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  319:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Unknown
  328:d=2  hl=4 l= 290 cons: SEQUENCE          
  332:d=3  hl=2 l=  13 cons: SEQUENCE          
  334:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  345:d=4  hl=2 l=   0 prim: NULL              
  347:d=3  hl=4 l= 271 prim: BIT STRING        
  622:d=2  hl=2 l=  85 cons: cont [ 3 ]        
  624:d=3  hl=2 l=  83 cons: SEQUENCE          
  626:d=4  hl=2 l=  12 cons: SEQUENCE          
  628:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  633:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  636:d=5  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
  640:d=4  hl=2 l=  19 cons: SEQUENCE          
  642:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Extended Key Usage
  647:d=5  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070301
  661:d=4  hl=2 l=  15 cons: SEQUENCE          
  663:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  668:d=5  hl=2 l=   1 prim: BOOLEAN           :255
  671:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:0303072000
  678:d=4  hl=2 l=  29 cons: SEQUENCE          
  680:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  685:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414304610060805E69AE14F84CC366012C0EB9E3D99
  709:d=1  hl=2 l=  13 cons: SEQUENCE          
  711:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  722:d=2  hl=2 l=   0 prim: NULL              
  724:d=1  hl=4 l= 257 prim: BIT STRING   

Since it is an X509 certificate the best way to view content is:

openssl x509 -in dumpcertfile -inform DER -text