Let's parse that output, human::
- 10-2 [1,1, 1] . . version: [0] EXPLICIT Version INTEGER v3 OPTIONAL
- ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
- 0 1 2 3 4 5 6 7 8 9 10 11
+ 10-2 [1,1, 1] . . version: [0] EXPLICIT Version INTEGER v3 OPTIONAL
+ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^ ^
+ 0 1 2 3 4 5 6 7 8 9 10 11
::
- 20 [1,1, 9] . . . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5
- ^ ^ ^ ^ ^ ^ ^ ^
- 0 2 3 4 5 6 9 10
+ 20 [1,1, 9] . . . algorithm: OBJECT IDENTIFIER 1.2.840.113549.1.1.5
+ ^ ^ ^ ^ ^ ^ ^ ^
+ 0 2 3 4 5 6 9 10
::
- 33 [0,0, 278] . . issuer: Name CHOICE rdnSequence
- ^ ^ ^ ^ ^ ^ ^ ^ ^
- 0 2 3 4 5 6 8 9 10
+ 33 [0,0, 278] . . issuer: Name CHOICE rdnSequence
+ ^ ^ ^ ^ ^ ^ ^ ^ ^
+ 0 2 3 4 5 6 8 9 10
+
+::
+
+ 52-2 [1,1,1054]-4 . . . . eContent: [0] EXPLICIT BER OCTET STRING 1046 bytes
+ ^ ^ ^ ^
+ 12 13 9 10
:0:
- Offset of the object, where its DER encoding begins.
+ Offset of the object, where its DER/BER encoding begins.
Pay attention that it does **not** include explicit tag.
:1:
If explicit tag exists, then this is its length (tag + encoded length).
:11:
Possible other flags like OPTIONAL and DEFAULT, if value equals to the
default one, specified in the schema.
+:12:
+ Only applicable to BER encoded data. If object has indefinite length
+ encoding, then subtract 2 bytes EOC from its length. If object has
+ explicit tag with indefinite length, then subtract another EOC bytes.
+ In example above, ``eContent`` field has both indefinite field encoding
+ and indefinite length explicit tag. ``BIT STRING``, ``OCTET STRING``
+ (and its derivatives), ``SEQUENCE``, ``SET``, ``SEQUENCE OF``, ``SET
+ OF``, ``ANY`` could have indefinite length coding.
+:13:
+ Only applicable to BER encoded data. If object has BER-specific
+ encoding, then ``BER`` will be shown. It does not depend on indefinite
+ length encoding. ``BOOLEAN``, ``BIT STRING``, ``OCTET STRING`` (and its
+ derivatives) could be BERed.
As command line utility
-----------------------
-You can decode DER files using command line abilities and get the same
-picture as above by executing::
+You can decode DER/BER files using command line abilities and get the
+same picture as above by executing::
- % pyderasn.py --schema tests.test_crts:Certificate path/to/file
+ % python -m pyderasn --schema tests.test_crts:Certificate path/to/file
If there is no schema for you file, then you can try parsing it without,
but of course IMPLICIT tags will often make it impossible. But result is
good enough for the certificate above::
- % pyderasn.py path/to/file
+ % python -m pyderasn path/to/file
0 [1,3,1604] . >: SEQUENCE OF
4 [1,3,1453] . . >: SEQUENCE OF
8 [0,0, 5] . . . . >: [0] ANY
then you can pass it to pretty printer to see human readable OIDs::
- % pyderasn.py --oids tests.test_crts:some_oids path/to/file
+ % python -m pyderasn --oids tests.test_crts:some_oids path/to/file
[...]
37 [1,1, 11] . . . . . . >: SET OF
39 [1,1, 9] . . . . . . . . >: SEQUENCE OF
Descriptive errors
------------------
-If you have bad DER, then errors will show you where error occurred::
+If you have bad DER/BER, then errors will show you where error occurred::
- % pyderasn.py --schema tests.test_crts:Certificate path/to/bad/file
+ % python -m pyderasn --schema tests.test_crts:Certificate path/to/bad/file
Traceback (most recent call last):
[...]
pyderasn.DecodeError: UTCTime (tbsCertificate.validity.notAfter.utcTime) (at 328) invalid UTCTime format
::
- % pyderasn.py path/to/bad/file
+ % python -m pyderasn path/to/bad/file
[...]
pyderasn.DecodeError: UTCTime (0.SequenceOf.4.SequenceOf.1.UTCTime) (at 328) invalid UTCTime format
tbs = TBSCertificate()
tbs["serialNumber"] = CertificateSerialNumber(10143011886257155224)
- sign_algo_id = AlgorithmIdentifier()
- sign_algo_id["algorithm"] = ObjectIdentifier("1.2.840.113549.1.1.5")
- sign_algo_id["parameters"] = Any(Null())
+ sign_algo_id = AlgorithmIdentifier((
+ ("algorithm", ObjectIdentifier("1.2.840.113549.1.1.5")),
+ ("parameters", Any(Null())),
+ ))
tbs["signature"] = sign_algo_id
rdnSeq = RDNSequence()
("2.5.4.3", PrintableString, "false.example.com"),
("1.2.840.113549.1.9.1", IA5String, "false@example.com"),
):
- attr = AttributeTypeAndValue()
- attr["type"] = AttributeType(oid)
- attr["value"] = AttributeValue(klass(text))
- rdn = RelativeDistinguishedName()
- rdn.append(attr)
- rdnSeq.append(rdn)
- issuer = Name()
- issuer["rdnSequence"] = rdnSeq
+ rdnSeq.append(
+ RelativeDistinguishedName((
+ AttributeTypeAndValue((
+ ("type", AttributeType(oid)),
+ ("value", AttributeValue(klass(text))),
+ )),
+ ))
+ )
+ issuer = Name(("rdnSequence", rdnSeq))
tbs["issuer"] = issuer
tbs["subject"] = issuer
- validity = Validity()
- validity["notBefore"] = Time(("utcTime", UTCTime(datetime(2009, 10, 8, 0, 25, 53))))
- validity["notAfter"] = Time(("utcTime", UTCTime(datetime(2010, 10, 8, 0, 25, 53))))
+ validity = Validity((
+ ("notBefore", Time(
+ ("utcTime", UTCTime(datetime(2009, 10, 8, 0, 25, 53))),
+ )),
+ ("notAfter", Time(
+ ("utcTime", UTCTime(datetime(2010, 10, 8, 0, 25, 53))),
+ )),
+ ))
tbs["validity"] = validity
spki = SubjectPublicKeyInfo()
crt.encode()
And we will get the same certificate used in Go's library tests.
+
+DEFINED BY fields
+-----------------
+
+Here is only very simple example how you can define Any/OctetString
+fields automatic decoding::
+
+ class AttributeTypeAndValue(Sequence):
+ schema = (
+ ((("type",), AttributeType(defines=("value", {
+ id_at_countryName: PrintableString(),
+ id_at_stateOrProvinceName: PrintableString(),
+ id_at_localityName: PrintableString(),
+ id_at_organizationName: PrintableString(),
+ id_at_commonName: PrintableString(),
+ }))),),
+ ("value", AttributeValue()),
+ )
+
+And when you will try to decode X.509 certificate with it, your pretty
+printer will show::
+
+ 34 [0,0, 149] . . issuer: Name CHOICE rdnSequence
+ 34 [1,2, 146] . . . rdnSequence: RDNSequence SEQUENCE OF
+ 37 [1,1, 11] . . . . 0: RelativeDistinguishedName SET OF
+ 39 [1,1, 9] . . . . . 0: AttributeTypeAndValue SEQUENCE
+ 41 [1,1, 3] . . . . . . type: AttributeType OBJECT IDENTIFIER id-at-countryName (2.5.4.6)
+ 46 [0,0, 4] . . . . . . value: [UNIV 19] AttributeValue ANY
+ . . . . . . . 13:02:58:58
+ 46 [1,1, 2] . . . . . . . DEFINED BY (2.5.4.6): PrintableString PrintableString XX
+ 50 [1,1, 19] . . . . 1: RelativeDistinguishedName SET OF
+ 52 [1,1, 17] . . . . . 0: AttributeTypeAndValue SEQUENCE
+ 54 [1,1, 3] . . . . . . type: AttributeType OBJECT IDENTIFIER id-at-stateOrProvinceName (2.5.4.8)
+ 59 [0,0, 12] . . . . . . value: [UNIV 19] AttributeValue ANY
+ . . . . . . . 13:0A:53:6F:6D:65:2D:53:74:61:74:65
+ 59 [1,1, 10] . . . . . . . DEFINED BY (2.5.4.8): PrintableString PrintableString Some-State
+ 71 [1,1, 13] . . . . 2: RelativeDistinguishedName SET OF
+ 73 [1,1, 11] . . . . . 0: AttributeTypeAndValue SEQUENCE
+ 75 [1,1, 3] . . . . . . type: AttributeType OBJECT IDENTIFIER id-at-localityName (2.5.4.7)
+ 80 [0,0, 6] . . . . . . value: [UNIV 19] AttributeValue ANY
+ . . . . . . . 13:04:43:69:74:79
+ 80 [1,1, 4] . . . . . . . DEFINED BY (2.5.4.7): PrintableString PrintableString City
+ 86 [1,1, 33] . . . . 3: RelativeDistinguishedName SET OF
+ 88 [1,1, 31] . . . . . 0: AttributeTypeAndValue SEQUENCE
+ 90 [1,1, 3] . . . . . . type: AttributeType OBJECT IDENTIFIER id-at-organizationName (2.5.4.10)
+ 95 [0,0, 26] . . . . . . value: [UNIV 19] AttributeValue ANY
+ . . . . . . . 13:18:49:6E:74:65:72:6E:65:74:20:57:69:64:67:69
+ . . . . . . . 74:73:20:50:74:79:20:4C:74:64
+ 95 [1,1, 24] . . . . . . . DEFINED BY (2.5.4.10): PrintableString PrintableString Internet Widgits Pty Ltd
+
+:ref:`Read more <definedby>` about that feature.