PKI Certificate Tutorials - Herong's Tutorial Examples - v1.10, by Herong Yang
PKI Certificate File ASN.1 Parser
This section provides a quick introduction on ASN.1 parsers, which can be used to parse PKI certificates back to ASN.1 data structure.
If you want to see the ASN.1 data structure in PKI certificates, you need to use a ASN.1 parser like the "openssl asn1parse" command.
Here is the ASN.1 data structure printed out by the "openssl asn1parse" command for the same certificate from the previous tutorial:
herong$ openssl asn1parse -inform DER -in ISRG-Root-X2.der 0:d=0 hl=4 l= 539 cons: SEQUENCE 4:d=1 hl=4 l= 417 cons: SEQUENCE 8:d=2 hl=2 l= 3 cons: cont [ 0 ] 10:d=3 hl=2 l= 1 prim: INTEGER :02 13:d=2 hl=2 l= 16 prim: INTEGER :41D29DD172EAEEA780C12C6CE92F8752 31:d=2 hl=2 l= 10 cons: SEQUENCE 33:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA384 43:d=2 hl=2 l= 79 cons: SEQUENCE 45:d=3 hl=2 l= 11 cons: SET 47:d=4 hl=2 l= 9 cons: SEQUENCE 49:d=5 hl=2 l= 3 prim: OBJECT :countryName 54:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US 58:d=3 hl=2 l= 41 cons: SET 60:d=4 hl=2 l= 39 cons: SEQUENCE 62:d=5 hl=2 l= 3 prim: OBJECT :organizationName 67:d=5 hl=2 l= 32 prim: PRINTABLESTRING :Internet Security Research Group 101:d=3 hl=2 l= 21 cons: SET 103:d=4 hl=2 l= 19 cons: SEQUENCE 105:d=5 hl=2 l= 3 prim: OBJECT :commonName 110:d=5 hl=2 l= 12 prim: PRINTABLESTRING :ISRG Root X2 124:d=2 hl=2 l= 30 cons: SEQUENCE 126:d=3 hl=2 l= 13 prim: UTCTIME :200904000000Z 141:d=3 hl=2 l= 13 prim: UTCTIME :400917160000Z 156:d=2 hl=2 l= 79 cons: SEQUENCE 158:d=3 hl=2 l= 11 cons: SET 160:d=4 hl=2 l= 9 cons: SEQUENCE 162:d=5 hl=2 l= 3 prim: OBJECT :countryName 167:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US 171:d=3 hl=2 l= 41 cons: SET 173:d=4 hl=2 l= 39 cons: SEQUENCE 175:d=5 hl=2 l= 3 prim: OBJECT :organizationName 180:d=5 hl=2 l= 32 prim: PRINTABLESTRING :Internet Security Research Group 214:d=3 hl=2 l= 21 cons: SET 216:d=4 hl=2 l= 19 cons: SEQUENCE 218:d=5 hl=2 l= 3 prim: OBJECT :commonName 223:d=5 hl=2 l= 12 prim: PRINTABLESTRING :ISRG Root X2 237:d=2 hl=2 l= 118 cons: SEQUENCE 239:d=3 hl=2 l= 16 cons: SEQUENCE 241:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey 250:d=4 hl=2 l= 5 prim: OBJECT :secp384r1 257:d=3 hl=2 l= 98 prim: BIT STRING 357:d=2 hl=2 l= 66 cons: cont [ 3 ] 359:d=3 hl=2 l= 64 cons: SEQUENCE 361:d=4 hl=2 l= 14 cons: SEQUENCE 363:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage 368:d=5 hl=2 l= 1 prim: BOOLEAN :255 371:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106 377:d=4 hl=2 l= 15 cons: SEQUENCE 379:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints 384:d=5 hl=2 l= 1 prim: BOOLEAN :255 387:d=5 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF 394:d=4 hl=2 l= 29 cons: SEQUENCE 396:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier 401:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04147C4296AEDE4B483BF... 425:d=1 hl=2 l= 10 cons: SEQUENCE 427:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA384 437:d=1 hl=2 l= 104 prim: BIT STRING
There is also a good online ASN.1 parser at holtstrom.com/michael/tools/asn1decoder.php. You can follow their instructions to parse PKI certificates in DER or PEM format.
The output of this parser has a much better format than the "openssl asn1parse" command. See the output below for the same certificate from the previous tutorial:
U.P.SEQUENCE { U.P.SEQUENCE { [C.P.0] { U.P.INTEGER 0x02 (2 decimal) } U.P.INTEGER 0x41d29dd172eaeea780c12c6ce92f8752 U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 1.2.840.10045.4.3.3 (ecdsa-with-SHA384) } U.P.SEQUENCE { U.P.SET { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.4.6 (countryName) U.P.PrintableString 'US' } } U.P.SET { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.4.10 (organizationName) U.P.PrintableString 'Internet Security Research Group' } } U.P.SET { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.4.3 (commonName) U.P.PrintableString 'ISRG Root X2' } } } U.P.SEQUENCE { U.P.UTCTime '200904000000Z' U.P.UTCTime '400917160000Z' } U.P.SEQUENCE { U.P.SET { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.4.6 (countryName) U.P.PrintableString 'US' } } U.P.SET { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.4.10 (organizationName) U.P.PrintableString 'Internet Security Research Group' } } U.P.SET { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.4.3 (commonName) U.P.PrintableString 'ISRG Root X2' } } } U.P.SEQUENCE { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 1.2.840.10045.2.1 (ecPublicKey) U.P.OBJECTIDENTIFIER 1.3.132.0.34 (P-384) } U.P.BITSTRING # 0004cd9bd59f80830aec094af3164a3e5ccf77acde... 04cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4b... } [C.P.3] { U.P.SEQUENCE { U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.29.15 (KeyUsage (b0:digitalSignature b1:...)) U.P.BOOLEAN TRUE U.P.OCTETSTRING # 03020106 U.P.BITSTRING 110 : 1 unused bit(s); } U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.29.19 (basicConstraints) U.P.BOOLEAN TRUE U.P.OCTETSTRING # 30030101ff U.P.SEQUENCE { U.P.BOOLEAN TRUE } } U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 2.5.29.14 (subjectKeyIdentifier) U.P.OCTETSTRING # 04147c4296aede4b483bfa92f89e8ccf6d8ba9723795 U.P.OCTETSTRING 7c4296aede4b483bfa92f89e8ccf6d8ba9723795 } } } } U.P.SEQUENCE { U.P.OBJECTIDENTIFIER 1.2.840.10045.4.3.3 (ecdsa-with-SHA384) } U.P.BITSTRING # 00306502307b794e465084c24487461b4570ff5899def4fd... U.P.SEQUENCE { U.P.INTEGER 0x7b794e465084c24487461b4570ff5899def4fda4d255a6202d74... U.P.INTEGER 0x008bf5776cd4c865aae00b2cee149d2737a4f953a551e42983d7... } : 0 unused bit(s); }
Note that ASN.1 parsers only show you ASN.1 data type names and their associated values. They do not generate data field names.
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of PKI Certificate
What Is ASN.1 (Abstract Syntax Notation One)
What Is BER (Basic Encoding Rules)
ASN.1 Type Modifier - Type Tagging
What Is DER (Distinguished Encoding Rules)
PKI Certificate Structure in ASN.1 Notations
PKI Certificate in Base64 Format
PKI Certificate File Viewer and Decoder
►PKI Certificate File ASN.1 Parser
OpenSSL - Cryptography Toolkit
"openssl ca" - CA (Certificate Authority) Tool
Java "keytool" Commands and KeyStore Files
PKCS12 Certificate Bundle File