| lh | 9ed821d | 2023-04-07 01:36:19 -0700 | [diff] [blame] | 1 | =pod |
| 2 | |
| 3 | =head1 NAME |
| 4 | |
| 5 | openssl-asn1parse, |
| 6 | asn1parse - ASN.1 parsing tool |
| 7 | |
| 8 | =head1 SYNOPSIS |
| 9 | |
| 10 | B<openssl> B<asn1parse> |
| 11 | [B<-help>] |
| 12 | [B<-inform PEM|DER>] |
| 13 | [B<-in filename>] |
| 14 | [B<-out filename>] |
| 15 | [B<-noout>] |
| 16 | [B<-offset number>] |
| 17 | [B<-length number>] |
| 18 | [B<-i>] |
| 19 | [B<-oid filename>] |
| 20 | [B<-dump>] |
| 21 | [B<-dlimit num>] |
| 22 | [B<-strparse offset>] |
| 23 | [B<-genstr string>] |
| 24 | [B<-genconf file>] |
| 25 | [B<-strictpem>] |
| 26 | [B<-item name>] |
| 27 | |
| 28 | =head1 DESCRIPTION |
| 29 | |
| 30 | The B<asn1parse> command is a diagnostic utility that can parse ASN.1 |
| 31 | structures. It can also be used to extract data from ASN.1 formatted data. |
| 32 | |
| 33 | =head1 OPTIONS |
| 34 | |
| 35 | =over 4 |
| 36 | |
| 37 | =item B<-help> |
| 38 | |
| 39 | Print out a usage message. |
| 40 | |
| 41 | =item B<-inform> B<DER|PEM> |
| 42 | |
| 43 | The input format. B<DER> is binary format and B<PEM> (the default) is base64 |
| 44 | encoded. |
| 45 | |
| 46 | =item B<-in filename> |
| 47 | |
| 48 | The input file, default is standard input. |
| 49 | |
| 50 | =item B<-out filename> |
| 51 | |
| 52 | Output file to place the DER encoded data into. If this |
| 53 | option is not present then no data will be output. This is most useful when |
| 54 | combined with the B<-strparse> option. |
| 55 | |
| 56 | =item B<-noout> |
| 57 | |
| 58 | Don't output the parsed version of the input file. |
| 59 | |
| 60 | =item B<-offset number> |
| 61 | |
| 62 | Starting offset to begin parsing, default is start of file. |
| 63 | |
| 64 | =item B<-length number> |
| 65 | |
| 66 | Number of bytes to parse, default is until end of file. |
| 67 | |
| 68 | =item B<-i> |
| 69 | |
| 70 | Indents the output according to the "depth" of the structures. |
| 71 | |
| 72 | =item B<-oid filename> |
| 73 | |
| 74 | A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this |
| 75 | file is described in the NOTES section below. |
| 76 | |
| 77 | =item B<-dump> |
| 78 | |
| 79 | Dump unknown data in hex format. |
| 80 | |
| 81 | =item B<-dlimit num> |
| 82 | |
| 83 | Like B<-dump>, but only the first B<num> bytes are output. |
| 84 | |
| 85 | =item B<-strparse offset> |
| 86 | |
| 87 | Parse the contents octets of the ASN.1 object starting at B<offset>. This |
| 88 | option can be used multiple times to "drill down" into a nested structure. |
| 89 | |
| 90 | =item B<-genstr string>, B<-genconf file> |
| 91 | |
| 92 | Generate encoded data based on B<string>, B<file> or both using |
| 93 | L<ASN1_generate_nconf(3)> format. If B<file> only is |
| 94 | present then the string is obtained from the default section using the name |
| 95 | B<asn1>. The encoded data is passed through the ASN1 parser and printed out as |
| 96 | though it came from a file, the contents can thus be examined and written to a |
| 97 | file using the B<out> option. |
| 98 | |
| 99 | =item B<-strictpem> |
| 100 | |
| 101 | If this option is used then B<-inform> will be ignored. Without this option any |
| 102 | data in a PEM format input file will be treated as being base64 encoded and |
| 103 | processed whether it has the normal PEM BEGIN and END markers or not. This |
| 104 | option will ignore any data prior to the start of the BEGIN marker, or after an |
| 105 | END marker in a PEM file. |
| 106 | |
| 107 | =item B<-item name> |
| 108 | |
| 109 | Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to |
| 110 | print out the fields of any supported ASN.1 structure if the type is known. |
| 111 | |
| 112 | =back |
| 113 | |
| 114 | =head2 Output |
| 115 | |
| 116 | The output will typically contain lines like this: |
| 117 | |
| 118 | 0:d=0 hl=4 l= 681 cons: SEQUENCE |
| 119 | |
| 120 | ..... |
| 121 | |
| 122 | 229:d=3 hl=3 l= 141 prim: BIT STRING |
| 123 | 373:d=2 hl=3 l= 162 cons: cont [ 3 ] |
| 124 | 376:d=3 hl=3 l= 159 cons: SEQUENCE |
| 125 | 379:d=4 hl=2 l= 29 cons: SEQUENCE |
| 126 | 381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier |
| 127 | 386:d=5 hl=2 l= 22 prim: OCTET STRING |
| 128 | 410:d=4 hl=2 l= 112 cons: SEQUENCE |
| 129 | 412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier |
| 130 | 417:d=5 hl=2 l= 105 prim: OCTET STRING |
| 131 | 524:d=4 hl=2 l= 12 cons: SEQUENCE |
| 132 | |
| 133 | ..... |
| 134 | |
| 135 | This example is part of a self-signed certificate. Each line starts with the |
| 136 | offset in decimal. B<d=XX> specifies the current depth. The depth is increased |
| 137 | within the scope of any SET or SEQUENCE. B<hl=XX> gives the header length |
| 138 | (tag and length octets) of the current type. B<l=XX> gives the length of |
| 139 | the contents octets. |
| 140 | |
| 141 | The B<-i> option can be used to make the output more readable. |
| 142 | |
| 143 | Some knowledge of the ASN.1 structure is needed to interpret the output. |
| 144 | |
| 145 | In this example the BIT STRING at offset 229 is the certificate public key. |
| 146 | The contents octets of this will contain the public key information. This can |
| 147 | be examined using the option B<-strparse 229> to yield: |
| 148 | |
| 149 | 0:d=0 hl=3 l= 137 cons: SEQUENCE |
| 150 | 3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897 |
| 151 | 135:d=1 hl=2 l= 3 prim: INTEGER :010001 |
| 152 | |
| 153 | =head1 NOTES |
| 154 | |
| 155 | If an OID is not part of OpenSSL's internal table it will be represented in |
| 156 | numerical form (for example 1.2.3.4). The file passed to the B<-oid> option |
| 157 | allows additional OIDs to be included. Each line consists of three columns, |
| 158 | the first column is the OID in numerical format and should be followed by white |
| 159 | space. The second column is the "short name" which is a single word followed |
| 160 | by white space. The final column is the rest of the line and is the |
| 161 | "long name". B<asn1parse> displays the long name. Example: |
| 162 | |
| 163 | C<1.2.3.4 shortName A long name> |
| 164 | |
| 165 | =head1 EXAMPLES |
| 166 | |
| 167 | Parse a file: |
| 168 | |
| 169 | openssl asn1parse -in file.pem |
| 170 | |
| 171 | Parse a DER file: |
| 172 | |
| 173 | openssl asn1parse -inform DER -in file.der |
| 174 | |
| 175 | Generate a simple UTF8String: |
| 176 | |
| 177 | openssl asn1parse -genstr 'UTF8:Hello World' |
| 178 | |
| 179 | Generate and write out a UTF8String, don't print parsed output: |
| 180 | |
| 181 | openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der |
| 182 | |
| 183 | Generate using a config file: |
| 184 | |
| 185 | openssl asn1parse -genconf asn1.cnf -noout -out asn1.der |
| 186 | |
| 187 | Example config file: |
| 188 | |
| 189 | asn1=SEQUENCE:seq_sect |
| 190 | |
| 191 | [seq_sect] |
| 192 | |
| 193 | field1=BOOL:TRUE |
| 194 | field2=EXP:0, UTF8:some random string |
| 195 | |
| 196 | |
| 197 | =head1 BUGS |
| 198 | |
| 199 | There should be options to change the format of output lines. The output of some |
| 200 | ASN.1 types is not well handled (if at all). |
| 201 | |
| 202 | =head1 SEE ALSO |
| 203 | |
| 204 | L<ASN1_generate_nconf(3)> |
| 205 | |
| 206 | =head1 COPYRIGHT |
| 207 | |
| 208 | Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. |
| 209 | |
| 210 | Licensed under the OpenSSL license (the "License"). You may not use |
| 211 | this file except in compliance with the License. You can obtain a copy |
| 212 | in the file LICENSE in the source distribution or at |
| 213 | L<https://www.openssl.org/source/license.html>. |
| 214 | |
| 215 | =cut |