>>> crt, tail = Certificate().decode(raw)
>>> crt
- Certificate SEQUENCE[TBSCertificate SEQUENCE[[0] EXPLICIT Version
- INTEGER v3 OPTIONAL, CertificateSerialNumber INTEGER 61595,
- AlgorithmIdentifier SEQUENCE[OBJECT IDENTIFIER 1.2.840.113549.1.1.5...
-
-Pretty printing
----------------
-
-There is huge output. Let's pretty print it::
-
- >>> print(pprint(crt))
- 0 [1,3,1604] Certificate SEQUENCE
- 4 [1,3,1453] . tbsCertificate: TBSCertificate SEQUENCE
- 10-2 [1,1, 1] . . version: [0] EXPLICIT Version INTEGER v3 OPTIONAL
- 13 [1,1, 3] . . serialNumber: CertificateSerialNumber INTEGER 61595
- 18 [1,1, 13] . . signature: AlgorithmIdentifier SEQUENCE
- 20 [1,1, 9] . . . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5
- 31 [0,0, 2] . . . parameters: [UNIV 5] ANY OPTIONAL
- . . . . 05:00
- 33 [0,0, 278] . . issuer: Name CHOICE rdnSequence
- 33 [1,3, 274] . . . rdnSequence: RDNSequence SEQUENCE OF
- 37 [1,1, 11] . . . . 0: RelativeDistinguishedName SET OF
- 39 [1,1, 9] . . . . . 0: AttributeTypeAndValue SEQUENCE
- 41 [1,1, 3] . . . . . . type: AttributeType OBJECT IDENTIFIER 2.5.4.6
- 46 [0,0, 4] . . . . . . value: [UNIV 19] AttributeValue ANY
- . . . . . . . 13:02:45:53
- [...]
- 1461 [1,1, 13] . signatureAlgorithm: AlgorithmIdentifier SEQUENCE
- 1463 [1,1, 9] . . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5
- 1474 [0,0, 2] . . parameters: [UNIV 5] ANY OPTIONAL
- . . . 05:00
- 1476 [1,2, 129] . signatureValue: BIT STRING 1024 bits
- . . 68:EE:79:97:97:DD:3B:EF:16:6A:06:F2:14:9A:6E:CD
- . . 9E:12:F7:AA:83:10:BD:D1:7C:98:FA:C7:AE:D4:0E:2C
- [...]
-
- Trailing data: 0a
+ Certificate SEQUENCE[tbsCertificate: TBSCertificate SEQUENCE[
+ version: [0] EXPLICIT Version INTEGER v3 OPTIONAL;
+ serialNumber: CertificateSerialNumber INTEGER 61595;
+ signature: AlgorithmIdentifier SEQUENCE[OBJECT IDENTIFIER 1.2.840.113549.1.1.5...
-Let's parse that output, human::
+:ref:`Look here <pprint_example>` for better pretty printing.
- 10-2 [1,1, 1] . . version: [0] EXPLICIT Version INTEGER v3 OPTIONAL
- ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
- 0 1 2 3 4 5 6 7 8 9 10 11
-
-::
-
- 20 [1,1, 9] . . . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5
- ^ ^ ^ ^ ^ ^ ^ ^
- 0 2 3 4 5 6 9 10
-
-::
-
- 33 [0,0, 278] . . issuer: Name CHOICE rdnSequence
- ^ ^ ^ ^ ^ ^ ^ ^ ^
- 0 2 3 4 5 6 8 9 10
-
-::
-
- 52-2 [1,1,1054]-4 . . . . eContent: [0] EXPLICIT BER OCTET STRING 1046 bytes
- ^ ^ ^ ^
- 12 13 9 10
-
-:0:
- Offset of the object, where its DER/BER encoding begins.
- Pay attention that it does **not** include explicit tag.
-:1:
- If explicit tag exists, then this is its length (tag + encoded length).
-:2:
- Length of object's tag. For example CHOICE does not have its own tag,
- so it is zero.
-:3:
- Length of encoded length.
-:4:
- Length of encoded value.
-:5:
- Visual indentation to show the depth of object in the hierarchy.
-:6:
- Object's name inside SEQUENCE/CHOICE.
-:7:
- If either IMPLICIT or EXPLICIT tag is set, then it will be shown
- here. "IMPLICIT" is omitted.
-:8:
- Object's class name, if set. Omitted if it is just an ordinary simple
- value (like with ``algorithm`` in example above).
-:9:
- Object's ASN.1 type.
-:10:
- Object's value, if set. Can consist of multiple words (like OCTET/BIT
- STRINGs above). We see ``v3`` value in Version, because it is named.
- ``rdnSequence`` is the choice of CHOICE type.
-:11:
- Possible other flags like OPTIONAL and DEFAULT, if value equals to the
- default one, specified in the schema.
-:12:
- Only applicable to BER encoded data. If object has indefinite length
- encoding, then subtract 2 bytes EOC from its length. If object has
- explicit tag with indefinite length, then subtract another EOC bytes.
- In example above, ``eContent`` field has both indefinite field encoding
- and indefinite length explicit tag. ``BIT STRING``, ``OCTET STRING``
- (and its derivatives), ``SEQUENCE``, ``SET``, ``SEQUENCE OF``, ``SET
- OF``, ``ANY`` could have indefinite length coding.
-:13:
- Only applicable to BER encoded data. If object has BER-specific
- encoding, then ``BER`` will be shown. It does not depend on indefinite
- length encoding. ``BOOLEAN``, ``BIT STRING``, ``OCTET STRING`` (and its
- derivatives) could be BERed.
+.. _cmdline:
As command line utility
-----------------------
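Review bot: the added `:ref:`Look here <pprint_example>`` line points at a label that this patch does not define; the only label added in the visible lines is `.. _cmdline:`. Please confirm that `pprint_example` exists elsewhere and that the column legend deleted here (fields `:0:` through `:13:`) moves with it, because the pprint output added later in this patch still uses those columns (for example `10-2 [1,1, 1]`) and would otherwise be left unexplained. Also check that a blank line separates `.. _cmdline:` from the "As command line utility" title; as the lines appear here the target sits directly on top of the heading.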
. . . 9E:12:F7:AA:83:10:BD:D1:7C:98:FA:C7:AE:D4:0E:2C
[...]
+Human readable OIDs
+___________________
+
If you have got dictionaries with ObjectIdentifiers, like example one
from ``tests/test_crts.py``::
79 [1,1, 9] . . . . . . . . . . >: PrintableString PrintableString Barcelona
[...]
+Decode paths
+____________
+
+Each decoded element has so-called decode path: sequence of structure
+names it is passing during the decode process. Each element has its own
+unique path inside the whole ASN.1 tree. You can print it out with
+``--print-decode-path`` option::
+
+ % python -m pyderasn --schema path.to:Certificate --print-decode-path path/to/file
+ 0 [1,3,1604] Certificate SEQUENCE []
+ 4 [1,3,1453] . tbsCertificate: TBSCertificate SEQUENCE [tbsCertificate]
+ 10-2 [1,1, 1] . . version: [0] EXPLICIT Version INTEGER v3 OPTIONAL [tbsCertificate:version]
+ 13 [1,1, 3] . . serialNumber: CertificateSerialNumber INTEGER 61595 [tbsCertificate:serialNumber]
+ 18 [1,1, 13] . . signature: AlgorithmIdentifier SEQUENCE [tbsCertificate:signature]
+ 20 [1,1, 9] . . . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5 [tbsCertificate:signature:algorithm]
+ 31 [0,0, 2] . . . parameters: [UNIV 5] ANY OPTIONAL [tbsCertificate:signature:parameters]
+ . . . . 05:00
+ 33 [0,0, 278] . . issuer: Name CHOICE rdnSequence [tbsCertificate:issuer]
+ 33 [1,3, 274] . . . rdnSequence: RDNSequence SEQUENCE OF [tbsCertificate:issuer:rdnSequence]
+ 37 [1,1, 11] . . . . 0: RelativeDistinguishedName SET OF [tbsCertificate:issuer:rdnSequence:0]
+ 39 [1,1, 9] . . . . . 0: AttributeTypeAndValue SEQUENCE [tbsCertificate:issuer:rdnSequence:0:0]
+ 41 [1,1, 3] . . . . . . type: AttributeType OBJECT IDENTIFIER 2.5.4.6 [tbsCertificate:issuer:rdnSequence:0:0:type]
+ 46 [0,0, 4] . . . . . . value: [UNIV 19] AttributeValue ANY [tbsCertificate:issuer:rdnSequence:0:0:value]
+ . . . . . . . 13:02:45:53
+ 46 [1,1, 2] . . . . . . . DEFINED BY 2.5.4.6: CountryName PrintableString ES [tbsCertificate:issuer:rdnSequence:0:0:value:DEFINED BY 2.5.4.6]
+ [...]
+
+Now you can print only the specified tree, for example signature algorithm::
+
+ % python -m pyderasn --schema path.to:Certificate --decode-path-only tbsCertificate:signature path/to/file
+ 18 [1,1, 13] AlgorithmIdentifier SEQUENCE
+ 20 [1,1, 9] . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5
+ 31 [0,0, 2] . parameters: [UNIV 5] ANY OPTIONAL
+ . . 05:00
+
Descriptive errors
------------------
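Review bot: the new "Decode paths" text never states what `--decode-path-only` accepts as its argument. The `:` separator has to be inferred from the bracketed paths, and the last printed path contains a component with spaces, `DEFINED BY 2.5.4.6`, with no example of how to select it. Suggest one sentence saying that components are joined with `:` and an example that passes a quoted path containing such a component. It would also help to say that offsets in the `--decode-path-only` output stay absolute (the subtree still starts at 18) while the root's field name and indentation are dropped.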
% python -m pyderasn --schema tests.test_crts:Certificate path/to/bad/file
Traceback (most recent call last):
[...]
- pyderasn.DecodeError: UTCTime (tbsCertificate.validity.notAfter.utcTime) (at 328) invalid UTCTime format
+ pyderasn.DecodeError: UTCTime (tbsCertificate:validity:notAfter:utcTime) (at 328) invalid UTCTime format
::
% python -m pyderasn path/to/bad/file
[...]
- pyderasn.DecodeError: UTCTime (0.SequenceOf.4.SequenceOf.1.UTCTime) (at 328) invalid UTCTime format
+ pyderasn.DecodeError: UTCTime (0:SequenceOf:4:SequenceOf:1:UTCTime) (at 328) invalid UTCTime format
You can see, so called, decode path inside the structures:
``tbsCertificate`` -> ``validity`` -> ``notAfter`` -> ``utcTime`` and
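Review bot: switching the separator from `.` to `:` inside the `DecodeError` text, in both examples, changes a message that callers may match on, and nothing in these lines records that change. Suggest a changelog entry for the new format. The following sentence still introduces the "so called, decode path" as if for the first time; it could link to the "Decode paths" section added earlier in this patch so the term is defined in one place.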
class AttributeTypeAndValue(Sequence):
schema = (
- ((("type",), AttributeType(defines=("value", {
+ ((("type",), AttributeType(defines=((("value",), {
id_at_countryName: PrintableString(),
id_at_stateOrProvinceName: PrintableString(),
id_at_localityName: PrintableString(),
id_at_organizationName: PrintableString(),
id_at_commonName: PrintableString(),
- }))),),
+ }),)))),
("value", AttributeValue()),
)
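Review bot: the parenthesis nesting on the rewritten `"type"` entry deserves a second look. Counting the visible lines, `((("type",), AttributeType(defines=((("value",), {` together with the closing `}),)))),` yields a pair whose name is the 1-tuple `("type",)`, while the next entry names its field with the plain string `"value"`. The old closing `}))),),` wrapped that pair in one more tuple, so the shape of the entry changes along with the `defines` argument. If the field name is meant to be a string like its neighbour, write `("type", AttributeType(defines=((("value",), {...}),)))`. A sentence saying that `defines` now takes a tuple of (decode path, mapping) pairs would make the extra `("value",)` and the trailing `,)` easier to read.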