2
  1. how to read encode asn file manually?
  2. what is the Tag-Length-Value, Is there a good tutorial ?

In the following examples i read each of them but does not clean for me, can anyone help to read each of them :

  1. 30 82 02 10 04 01 56 … (for many more bytes)

The first byte is 00110000 in binary. The first two bits are 00 so the class is again 0. The third bit is 1, so it is structured. The last five bits are 10000, so the tag is 16 decimal. The next byte is 82 hex, which is 130 decimal, which is 128 + 2, the the following 2 bytes give the length. They are 02 10, which is interpreted in “big-endian” format as 2*256 + 16 = 528. The next 528 bytes, starting with 04 01 56, contain the contents.

  1. df 82 02 05 12 34 56 78 90

The first byte is 11011111 in binary. The first two bits are 11, so this is class 3 – Private. The next bit is a 0, so this is primitive. The remaining five bits are all 1, so the actual tag starts in the second byte. The second byte has a leading one, and the third byte does not, so the tag is constructed by taking those two bytes (10000010 00000010 in binary), dropping their leading bits to get the fourteen bits 00000100000010, and interpreting this as a binary number. Thus, the tag is 258 decimal. The next byte is 05, which is less than 128, so that is the actual length of the contents. The next 5 bytes (12 34 56 78 90) are the contents.

  1. 30 80 04 03 56 78 90 00 00

The first byte, 30, is one we’ve seen before. It is universal class, structured, with tag 16. The next byte is 80, so the length is unknown at first. The contents are all the following bytes, up to (but not including) the first two sequential zero bytes. So the contents are 04 03 56 78 90, and we can figure out from the contents that the length is 5.

Examples Reference

Mohammad Alkhader
  • 53
  • 9

1 Answers1

2

Each value is represented as a tag - length - value triple in the encoding.

The tag is defined in the ASN.1 data definition of the value and is important to identify the kind of value in case there are several possibilites (e.g. CHOICE values or optional values).

The length encodes the length of the proper value part in bytes.

The value is the encoding of the transported value. The encoding used varies according to the type of value (e.g. a String uses a different encoding than an integer or an object identifier). In general you need the ASN.1 definition to make sense out of the value bytes. In case of compound values there are zero or more complete value encodings (each with tag-length-value) in the value part, for example the individual fields of a SEQUENCE value.

A google search for ASN.1 BER encoding shows up a lot of material, for example this one.

Btw: your third example is slightly misleading. The byte stream in a value with indefinite length needs to be split into the enclosed values (which may well contain the byte sequence 00 00). Only if you find 00 00 in a position where a tag is expected this is a signal for the end of the value. So the contents 04 03 56 78 90 needs to be analysed (tag 04, length 03, value 56 78 90) to be sure that the following 00 00 signals the end.

Edit:

Interpretation of the first example:
tag 30: bits 00 (UNIVERSAL)   1 (compound)    10000 (tag 16)
length 82 02 10: bits 1 (long length encoding) 0000010 (length uses 2 bytes)
        00000010 00010000 (length in binary, 528 decimal)

Interpretation of the second example:
tag df 82 02: bits 11 (PRIVATE) 0 (primitive) 11111 (long tag encoding)
        1 (there is a further tag byte) 0000010 (value 2)
        0 (this is the last tag byte) 0000010 (value 2)
        total tag value therefore 2*128 + 2 = 258
length 05: bits 0 (short length encoding) 0000101 (length in binary, decimal 5)

Interpretation of the third example:
tag 30: bits 00 (UNIVERSAL) 1 (compound) 10000 (tag value 16)
length 80: indefinite length, so we must look at the contained values
    tag 04: bits 00 (UNIVERSAL) 0 (primitive) 00100 (tag value 4)
    length 03: bits 0 (short length encoding) 0000011 (length value 3)
    value 56 78 90

    tag 00: signals end of indefinite length content as there is no
            UNIVERSAL tag 0
    length 00: dummy length byte of end marker
Henry
  • 42,982
  • 7
  • 68
  • 84
  • thank you @Henry , can you explain what the difference between first and second example – Mohammad Alkhader Jan 13 '16 at 13:15
  • It is just a different tag class in the first case the tag is [UNIVERSAL 16] as you say a SEQUENCE or SEQUENCE OF, in the second case it is [PRIVATE 258]. You need the ASN.1 definition for the value to know what the private tag value means. – Henry Jan 13 '16 at 13:25
  • In the first example TAG : 30 in binary 00110000 -the bits 8 and 7 mean --> Universal -the bit 6 mean --> Constructed -the bits 5..1 mean --> SEQUENCE or SEQUENCE OF LENGTH : 82 in binary =10000010 and in Decimal = 130 so 130-128 = 2 So 02 10 in Decimal = 528 so the VALUE = the next 528 byte . right ? – Mohammad Alkhader Jan 13 '16 at 13:26
  • But in the second example there is a difference, the length was just(05) but the lengh must be (02) and in the first example the length was (02 10), So Why ? – Mohammad Alkhader Jan 13 '16 at 13:29
  • The encoding in the second example is tag df 82 02 meaning PRIVATE, primitive, long form, tag value 2*128 + 2 = 258; length = 5, value = 12 34 56 78 90 – Henry Jan 13 '16 at 13:37
  • In the first example the tag encoding is just 30, then comes the length encoding 82 02 10. – Henry Jan 13 '16 at 13:44
  • mr.@Henry thank you very much,now I understand first and second example, but the third example is still mysterious. – Mohammad Alkhader Jan 13 '16 at 15:45
  • I have added the detailed breakdown of the third example as well. – Henry Jan 13 '16 at 16:04
  • Thank you Henry, things are much clearer now. However, what determines whether tag and length take more than a byte? When/how and what are the cases associated with this? – Mohammad Alkhader Jan 14 '16 at 07:03
  • More than one byte is signalled In case of the tag by the lower five bits in the first byte being 1, in case of the length by the highest bit in the first byte being 1. – Henry Jan 14 '16 at 07:07
  • For the length though, is that true in all cases? Because I have a file with: 63 82 01 F0 6E .. .. .. (for many more bytes). In this case, 82 starts with 1 which is OK. However, I don't understand how 01 leads to an offset to F0, and shouldn't F0 lead to the length taking more bytes? – Mohammad Alkhader Jan 14 '16 at 07:32
  • The 2 in 82 means, the length uses 2 more bytes. So the length is 01F0 or 496 decimal – Henry Jan 14 '16 at 09:20