2

Issue in decoding openssl data using asn1parse. After using the asn1parse command, out.pem does not match the expected output. Both the actual and expected output are shown below. Please help me with this issue.

```
openssl asn1parse -inform PEM -in base64.pem -out out.pem
```

cat base64.pem

```
0:d=0  hl=2 l=  86 prim: appl [ 7 ]
88:d=0 hl=2 l= 67 prim: appl [ 9 ]
```

cat out.pem GVudC1va2F5Lz4KPC90b3A+Cg==", "post-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHBvc3QtY29uZmlndXJhdGlvbi1zY3JpcHQuLi4iCg==" } }

Expected out.pem b'0\x82\x03\x99\x06\x0b*\x86H\x86\xf7\r\x01\t\x10\x01+\xa0\x82\x03\x88\x04\x82\x03\x84{\n "ietf-sztp-conveyed-info:onboarding-information": {\n "boot-image": {\n "download-uri": [\n "https://example.com/my-boot-image.img"\n ],\n "image-verification": [\n {\n "hash-algorithm": "ietf-sztp-conveyed-info:sha-256",\n "hash-value": "d8:56:8d:d2:10:5e:dc:75:4c:c7:87:ae:f1:27:97:65:e0:65:17:6c:04:61:22:fa:3e:82:cf:9d:0f:ae:1a:3d"\n }\n ]\n },\n "pre-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHByZS1jb25maWd1cmF0aW9uLXNjcmlwdC4uLiIK",\n "configuration-handling": "merge",\n "configuration": "PHRvcCB4bWxucz0iaHR0cHM6L2V4YW1wbGUuY29tL2NvbmZpZyI+CiAgPGFueS14bWwtY29udGVudC1va2F5Lz4KPC90b3A+Cg==",\n "post-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHBvc3QtY29uZmlndXJhdGlvbi1zY3JpcHQuLi4iCg=="\n }\n}'

1 Answer

2

Your input file contains a single, long base64 line. OpenSSL expects base64-formatted input to have its lines wrapped at 64 characters.

If you are in a *nix environment, you have the fold tool at your disposal to do the line wrapping. You can either create a different version of your input file with the lines wrapped, or you can do it in a single pass using Process Substitution, like this:

```
$ openssl asn1parse -in <(fold -w 64 base64.pem)
    0:d=0  hl=4 l= 921 cons: SEQUENCE          
    4:d=1  hl=2 l=  11 prim: OBJECT            :1.2.840.113549.1.9.16.1.43
   17:d=1  hl=4 l= 904 cons: cont [ 0 ]        
   21:d=2  hl=4 l= 900 prim: OCTET STRING      :{
    "ietf-sztp-conveyed-info:onboarding-information": {
        "boot-image": {
            "download-uri": [
                "https://example.com/my-boot-image.img"
            ],
            "image-verification": [
                {
                    "hash-algorithm": "ietf-sztp-conveyed-info:sha-256",
                    "hash-value": "f0:f7:5e:34:53:c0:11:72:e3:cf:e1:d9:3a:dc:c7:bf:b5:c6:7f:17:6f:7e:30:75:0a:13:42:16:34:24:9c:2d"
                }
            ]
        },
        "pre-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHByZS1jb25maWd1cmF0aW9uLXNjcmlwdC4uLiIK",
        "configuration-handling": "merge",
        "configuration": "PHRvcCB4bWxucz0iaHR0cHM6L2V4YW1wbGUuY29tL2NvbmZpZyI+CiAgPGFueS14bWwtY29udGVudC1va2F5Lz4KPC90b3A+Cg==",
        "post-configuration-script": "Iy9iaW4vYmFzaAplY2hvICJpbnNpZGUgdGhlIHBvc3QtY29uZmlndXJhdGlvbi1zY3JpcHQuLi4iCg=="
    }
}
```
Reinier Torenbeek
  • `0:d=0 hl=4 l= 921 cons: SEQUENCE 4:d=1 hl=2 l= 11 prim: OBJECT :1.2.840.113549.1.9.16.1.43 17:d=1 hl=4 l= 904 cons: cont [ 0 ] 21:d=2 hl=4 l= 900 prim: OCTET STRING :{` The above output shows OBJECT :1.2.840.113549.1.9.16.1.43. What is the significance of OBJECT, and how do I retrieve "1.2.840.113549.1.9.16.1.43"? – user3820915 Oct 18 '20 at 08:38
  • The ASN.1 contents in your file are self-describing and the dotted decimal number identifies the type of contents, in this case `id-ct-sztpConveyedInfoJSON`. You can query its meaning from an id registry, via a website like this: http://oid-info.com/get/1.2.840.113549.1.9.16.1.43 – Reinier Torenbeek Oct 18 '20 at 15:07
  • I need to implement the above asn1parse logic in C using OpenSSL. Can you point me to the OpenSSL C API which extracts/decodes as done in `openssl asn1parse -in <(fold -w 64 base64.pem)`? – user3820915 Oct 19 '20 at 02:16
  • You can take a look at how the `asn1parse` tool does it, in [`apps/asn1pars.c`](https://github.com/openssl/openssl/blob/OpenSSL_1_1_1h/apps/asn1pars.c), or ask a new question because an answer to that would not fit in a comment. – Reinier Torenbeek Oct 19 '20 at 02:34
  • I have posted another question about implementing the same command using the OpenSSL C API. Can you help me with how it can be done? https://stackoverflow.com/questions/64420669/openssl-c-api-to-implement-openssl-asn1parse-logic – user3820915 Oct 19 '20 at 03:15
  • OpenSSL _writes_ base64 folded at 64 per RFC 1421 (and 7468) for PEM, but older versions could _read_ any multiple of 4 up to 76 per RFC 1341 et seq for MIME, and 1.0.1 in 2012 increased the read limit to 1020. OP's value is 1236. But you don't need process substitution; plain old piping `fold -w76 file | openssl asn1parse` works fine on lame shells, and (even?) Windows if you add `fold` or something that can do the same like `perl` or `awk` – dave_thompson_085 Dec 08 '20 at 21:49
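
An added example (not part of the question, the answer or OpenSSL): a minimal DER walker in Python that strips all whitespace from the base64 before decoding, so line length is irrelevant, then reproduces the offset, depth, `hl` and `l` columns of `asn1parse` and decodes the OBJECT IDENTIFIER to dotted decimal. Its `read_header` also returns `appl [ 7 ]` with `l=86` for the ASCII bytes `GV`, the first two characters of the `out.pem` shown in the question, which matches the first line of the question's output. `SAMPLE` is constructed with the page's layout but a placeholder payload, and all function names are this example's own.

```python
import base64

CLASSES = ("univ", "appl", "cont", "priv")

def read_header(buf, pos):
    """Return (class, constructed, tag, header_len, content_len) for the TLV at pos."""
    first, length, i = buf[pos], buf[pos + 1], pos + 2
    if first & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not handled here")
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return CLASSES[first >> 6], bool(first & 0x20), first & 0x1F, i - pos, length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal text."""
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)  # base-128; high bit set = more follows
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one subidentifier
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk(buf, pos=0, end=None, depth=0):
    """Return asn1parse-style rows: (offset, depth, hl, l, class, tag, oid)."""
    end, rows = (len(buf) if end is None else end), []
    while pos < end:
        cls, cons, tag, hl, ln = read_header(buf, pos)
        stop = pos + hl + ln
        if stop > end:
            raise ValueError(f"TLV at offset {pos} overruns its container")
        oid = decode_oid(buf[pos + hl:stop]) if (cls, tag) == ("univ", 6) else None
        rows.append((pos, depth, hl, ln, cls, tag, oid))
        if cons:  # constructed: descend into the content octets
            rows += walk(buf, pos + hl, stop, depth + 1)
        pos = stop
    return rows

def parse_b64(text):
    """Strip all whitespace first, so the base64 line length is irrelevant."""
    return walk(base64.b64decode("".join(text.split()), validate=True))

# Constructed sample: the page's layout (SEQUENCE { OID, [0] { OCTET STRING } })
# with a 300-byte placeholder payload instead of the real JSON.
SAMPLE = bytes.fromhex("30820141060b2a864886f70d010910012ba08201300482012c") + b"x" * 300
```

Calling `parse_b64` on the single-line and on the 64-column-wrapped encoding of `SAMPLE` gives the same four rows, at offsets 0, 4, 17 and 21 as in the answer's output.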