
I'd like to print all x509 information from a certificate. Here's what has been done:

  • Following the official python doc for ssl, I created a socket client for IPv4/6 dual stack, and added the certificate bundle from www.python.org. The certchain is downloaded and saved to separate files using instructions from another SO about the local issuer error message. This client works. I added the code "context.load_verify_locations('path/to/cabundle.pem')" to the sample. Thus the certificates are correct and valid.

  • Based on the answer from the SO for printing x509, the code snippet is: "import asn1tools; foo = asn1tools.compile_files("x509.asn"); output = foo.decode("Certificate", cert)". This needs an asn file.

  • Another SO about ASN.1 for X.509 suggested downloading an asn from the RFC, or from the ITU page for "ITU-T X.509 (08/1997) Recommendations". I've downloaded the zip and extracted three files: AlgorithmObjectIdentifiers.asn, AuthenticationFramework.asn, CertificateExtensions.asn. Since the first file imports elements in other files, I guess it is the top-level file, so I give it to the code.

     foo = asn1tools.compile_files("AlgorithmObjectIdentifiers.asn")
     output = foo.decode("Certificate", cert)
     print("Cert output: ", output)
    

It's spitting out an error:

    File ".../test-print-ssl.py", line 47, in cert_print_asn1
        output = foo.decode("Certificate", cert)
      File "...\lib\site-packages\asn1tools\compiler.py", line 161, in decode
        "Type '{}' not found in types dictionary.".format(name))
    asn1tools.errors.DecodeError: Type 'Certificate' not found in types dictionary.

A few questions:

  • Where can you find a valid asn file to be used in this code?
  • Is there another way to use the downloaded asn files? Since those are three files, do I need to combine them? How do you combine them?
  • How to debug this issue further?

Note that I've used the command "openssl x509 -in website.com.pem -text" to print the same cert from file. That works. I guess I can invoke it using os.system() to achieve the same. I'd like to have a solution to decode and print in python.

I've seen the question about failing compilation, but in my case it is the decoding that fails, which is different.

minghua

1 Answer

You should share your files to allow more specific answers ....

You can just create one file concatenating the types from your files.

Instead of throwing everything in one go, you should only put the type(s) you need and add what is missing.

The content of your asn1 specification should be something like:

    X509 DEFINITIONS ::=
    BEGIN

    Type1

    Type2

    END

You can validate your file on https://asn1.io/asn1playground/

YaFred
  • There is a better tool for certificates/PKI specifically: https://asn1.io/PKI-inspector. It will help with troubleshooting your data with or without having a schema. – AKha Jun 02 '22 at 17:47
  • @Yafred, not sure what you were suggesting. The link to the files was given in the question. Those are big files from the ITU standard suite. They simply could not be parsed. Trimming them down as you suggested would lose the point. But thank you for your opinion, anyway. – minghua Feb 21 '23 at 23:14
  • What I mean is sharing your asn files. Here is one I created for my own purposes: https://github.com/yafred/asn1-tool/blob/master/testdata/test/resources/com/yafred/asn1/test/past/standard/x509.asn ... maybe it can help – YaFred Feb 22 '23 at 03:01
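
For the "How to debug this issue further?" part of the question and the schema-less inspection mentioned in the comments, here is an added example (not code from any of the posts above): a standard-library walker that accepts PEM or DER input and lists the DER tag structure without needing an .asn file. The names to_der, decode_oid, walk, TAGS, VALUE and SAMPLE are this example's own, and SAMPLE is a constructed fragment, not a real certificate.

```python
import ssl

# Universal tags that occur in X.509 certificates.
TAGS = {0x01: "BOOLEAN", 0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING",
        0x05: "NULL", 0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String",
        0x13: "PrintableString", 0x17: "UTCTime", 0x30: "SEQUENCE", 0x31: "SET"}

def to_der(cert):
    """Return DER bytes for a certificate given as DER bytes or PEM text."""
    if isinstance(cert, bytes) and cert[:1] == b"\x30":
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    return ssl.PEM_cert_to_DER_cert(text.strip())

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # last byte of this base-128 arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

VALUE = {0x02: lambda b: int.from_bytes(b, "big", signed=True), 0x06: decode_oid}

def walk(data, depth=0):
    """Return [(depth, tag name, value)] for each TLV element in data."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos] & 0x1F == 0x1F or data[pos + 1] == 0x80:
            raise ValueError("not single-byte-tag, definite-length DER at %d" % pos)
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:            # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        body, pos = data[pos:pos + length], pos + length
        if pos > len(data):
            raise ValueError("element runs past the end of the input")
        name = TAGS.get(tag, "[%d]" % (tag & 0x1F))
        if tag & 0x20:               # constructed: the body is a run of TLVs
            out += [(depth, name, None)] + walk(body, depth + 1)
        else:                        # primitive: decode INTEGER and OID, hex otherwise
            out.append((depth, name, VALUE.get(tag, bytes.hex)(body)))
    return out

SAMPLE = bytes.fromhex("3018a00302010202021234300d06092a864886f70d01010b0500")  # constructed
for depth, name, value in walk(to_der(SAMPLE)):
    print("  " * depth + name, "" if value is None else value)
```

With a live connection, the DER input is what getpeercert(binary_form=True) returns on the ssl socket.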