[thirdparty/openssl.git] / doc / man1 / asn1parse.pod

=pod

=head1 NAME

openssl-asn1parse,
asn1parse - ASN.1 parsing tool

=head1 SYNOPSIS

B<openssl> B<asn1parse>
[B<-help>]
[B<-inform PEM|DER>]
[B<-in filename>]
[B<-out filename>]
[B<-noout>]
[B<-offset number>]
[B<-length number>]
[B<-i>]
[B<-oid filename>]
[B<-dump>]
[B<-dlimit num>]
[B<-strparse offset>]
[B<-genstr string>]
[B<-genconf file>]
[B<-strictpem>]
[B<-item name>]

=head1 DESCRIPTION

The B<asn1parse> command is a diagnostic utility that can parse ASN.1
structures. It can also be used to extract data from ASN.1 formatted data.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER|PEM>

The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.

=item B<-in filename>

The input file, default is standard input.

=item B<-out filename>

Output file to place the DER encoded data into. If this
option is not present then no data will be output. This is most useful when
combined with the B<-strparse> option.

=item B<-noout>

Don't output the parsed version of the input file.

=item B<-offset number>

Starting offset to begin parsing, default is start of file.

=item B<-length number>

Number of bytes to parse, default is until end of file.

=item B<-i>

Indents the output according to the "depth" of the structures.

=item B<-oid filename>

A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.

=item B<-dump>

Dump unknown data in hex format.

=item B<-dlimit num>

Like B<-dump>, but only the first B<num> bytes are output.

=item B<-strparse offset>

Parse the contents octets of the ASN.1 object starting at B<offset>. This
option can be used multiple times to "drill down" into a nested structure.

=item B<-genstr string>, B<-genconf file>

Generate encoded data based on B<string>, B<file> or both using
L<ASN1_generate_nconf(3)> format. If B<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
file using the B<out> option.

=item B<-strictpem>

If this option is used then B<-inform> will be ignored. Without this option any
data in a PEM format input file will be treated as being base64 encoded and
processed whether it has the normal PEM BEGIN and END markers or not. This
option will ignore any data prior to the start of the BEGIN marker, or after an
END marker in a PEM file.

=item B<-item name>

Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
print out the fields of any supported ASN.1 structure if the type is known.

=back

=head2 Output

The output will typically contain lines like this:

  0:d=0  hl=4 l= 681 cons: SEQUENCE

.....

  229:d=3  hl=3 l= 141 prim: BIT STRING
  373:d=2  hl=3 l= 162 cons: cont [ 3 ]
  376:d=3  hl=3 l= 159 cons: SEQUENCE
  379:d=4  hl=2 l=  29 cons: SEQUENCE
  381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  386:d=5  hl=2 l=  22 prim: OCTET STRING
  410:d=4  hl=2 l= 112 cons: SEQUENCE
  412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  417:d=5  hl=2 l= 105 prim: OCTET STRING
  524:d=4  hl=2 l=  12 cons: SEQUENCE

.....

This example is part of a self-signed certificate. Each line starts with the
offset in decimal. B<d=XX> specifies the current depth. The depth is increased
within the scope of any SET or SEQUENCE. B<hl=XX> gives the header length
(tag and length octets) of the current type. B<l=XX> gives the length of
the contents octets.

The B<-i> option can be used to make the output more readable.

Some knowledge of the ASN.1 structure is needed to interpret the output.

In this example the BIT STRING at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
be examined using the option B<-strparse 229> to yield:

    0:d=0  hl=3 l= 137 cons: SEQUENCE
    3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
  135:d=1  hl=2 l=   3 prim: INTEGER           :010001

=head1 NOTES

If an OID is not part of OpenSSL's internal table it will be represented in
numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
space. The second column is the "short name" which is a single word followed
by white space. The final column is the rest of the line and is the
"long name". B<asn1parse> displays the long name. Example:

C<1.2.3.4       shortName       A long name>

=head1 EXAMPLES

Parse a file:

 openssl asn1parse -in file.pem

Parse a DER file:

 openssl asn1parse -inform DER -in file.der

Generate a simple UTF8String:

 openssl asn1parse -genstr 'UTF8:Hello World'

Generate and write out a UTF8String, don't print parsed output:

 openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der

Generate using a config file:

 openssl asn1parse -genconf asn1.cnf -noout -out asn1.der

Example config file:

 asn1=SEQUENCE:seq_sect

 [seq_sect]

 field1=BOOL:TRUE
 field2=EXP:0, UTF8:some random string


=head1 BUGS

There should be options to change the format of output lines. The output of some
ASN.1 types is not well handled (if at all).

=head1 SEE ALSO

L<ASN1_generate_nconf(3)>

=head1 COPYRIGHT

Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
aba3e65f DSH	1	=pod
	2
	3	=head1 NAME
	4
3f2181e6	5	openssl-asn1parse,
aba3e65f DSH	6	asn1parse - ASN.1 parsing tool
	7
	8	=head1 SYNOPSIS
	9
af29811e	10	B<openssl> B<asn1parse>
0ae9e292	11	[B<-help>]
aba3e65f DSH	12	[B<-inform PEM\|DER>]
	13	[B<-in filename>]
	14	[B<-out filename>]
	15	[B<-noout>]
	16	[B<-offset number>]
	17	[B<-length number>]
	18	[B<-i>]
	19	[B<-oid filename>]
fc1d88f0 RS	20	[B<-dump>]
fc1d88f0 RS	21	[B<-dlimit num>]
aba3e65f	22	[B<-strparse offset>]
04f0a6ba DSH	23	[B<-genstr string>]
04f0a6ba DSH	24	[B<-genconf file>]
6b5c1d94	25	[B<-strictpem>]
5fb10059	26	[B<-item name>]
aba3e65f DSH	27
	28	=head1 DESCRIPTION
	29
	30	The B<asn1parse> command is a diagnostic utility that can parse ASN.1
	31	structures. It can also be used to extract data from ASN.1 formatted data.
	32
	33	=head1 OPTIONS
	34
	35	=over 4
	36
0ae9e292 RS	37	=item B<-help>
	38
	39	Print out a usage message.
	40
aba3e65f DSH	41	=item B<-inform> B<DER\|PEM>
aba3e65f DSH	42
c4de074e	43	The input format. B<DER> is binary format and B<PEM> (the default) is base64
aba3e65f DSH	44	encoded.
	45
	46	=item B<-in filename>
	47
c4de074e	48	The input file, default is standard input.
aba3e65f DSH	49
	50	=item B<-out filename>
	51
c4de074e	52	Output file to place the DER encoded data into. If this
aba3e65f DSH	53	option is not present then no data will be output. This is most useful when
	54	combined with the B<-strparse> option.
	55
	56	=item B<-noout>
	57
c4de074e	58	Don't output the parsed version of the input file.
aba3e65f DSH	59
	60	=item B<-offset number>
	61
c4de074e	62	Starting offset to begin parsing, default is start of file.
aba3e65f DSH	63
	64	=item B<-length number>
	65
c4de074e	66	Number of bytes to parse, default is until end of file.
aba3e65f DSH	67
	68	=item B<-i>
	69
c4de074e	70	Indents the output according to the "depth" of the structures.
aba3e65f DSH	71
	72	=item B<-oid filename>
	73
c4de074e	74	A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
aba3e65f DSH	75	file is described in the NOTES section below.
aba3e65f DSH	76
fc1d88f0 RS	77	=item B<-dump>
fc1d88f0 RS	78
c4de074e	79	Dump unknown data in hex format.
fc1d88f0 RS	80
	81	=item B<-dlimit num>
	82
c4de074e	83	Like B<-dump>, but only the first B<num> bytes are output.
fc1d88f0	84
aba3e65f DSH	85	=item B<-strparse offset>
aba3e65f DSH	86
c4de074e	87	Parse the contents octets of the ASN.1 object starting at B<offset>. This
aba3e65f DSH	88	option can be used multiple times to "drill down" into a nested structure.
aba3e65f DSH	89
04f0a6ba DSH	90	=item B<-genstr string>, B<-genconf file>
04f0a6ba DSH	91
c4de074e	92	Generate encoded data based on B<string>, B<file> or both using
9b86974e	93	L<ASN1_generate_nconf(3)> format. If B<file> only is
51cc37b6 DSH	94	present then the string is obtained from the default section using the name
	95	B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
	96	though it came from a file, the contents can thus be examined and written to a
1bc74519	97	file using the B<out> option.
aba3e65f	98
6b5c1d94 MC	99	=item B<-strictpem>
	100
	101	If this option is used then B<-inform> will be ignored. Without this option any
3d9243f1 MC	102	data in a PEM format input file will be treated as being base64 encoded and
	103	processed whether it has the normal PEM BEGIN and END markers or not. This
	104	option will ignore any data prior to the start of the BEGIN marker, or after an
	105	END marker in a PEM file.
6b5c1d94	106
5fb10059 DSH	107	=item B<-item name>
5fb10059 DSH	108
c4de074e	109	Attempt to decode and print the data as B<ASN1_ITEM name>. This can be used to
5fb10059 DSH	110	print out the fields of any supported ASN.1 structure if the type is known.
5fb10059 DSH	111
aba3e65f DSH	112	=back
aba3e65f DSH	113
05ea606a	114	=head2 Output
aba3e65f DSH	115
	116	The output will typically contain lines like this:
	117
1bc74519	118	0:d=0 hl=4 l= 681 cons: SEQUENCE
aba3e65f DSH	119
	120	.....
	121
6b5c1d94	122	229:d=3 hl=3 l= 141 prim: BIT STRING
1bc74519 RS	123	373:d=2 hl=3 l= 162 cons: cont [ 3 ]
	124	376:d=3 hl=3 l= 159 cons: SEQUENCE
	125	379:d=4 hl=2 l= 29 cons: SEQUENCE
aba3e65f	126	381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1bc74519 RS	127	386:d=5 hl=2 l= 22 prim: OCTET STRING
1bc74519 RS	128	410:d=4 hl=2 l= 112 cons: SEQUENCE
aba3e65f	129	412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1bc74519 RS	130	417:d=5 hl=2 l= 105 prim: OCTET STRING
1bc74519 RS	131	524:d=4 hl=2 l= 12 cons: SEQUENCE
aba3e65f DSH	132
	133	.....
	134
77a795e4	135	This example is part of a self-signed certificate. Each line starts with the
aba3e65f DSH	136	offset in decimal. B<d=XX> specifies the current depth. The depth is increased
	137	within the scope of any SET or SEQUENCE. B<hl=XX> gives the header length
	138	(tag and length octets) of the current type. B<l=XX> gives the length of
	139	the contents octets.
	140
	141	The B<-i> option can be used to make the output more readable.
	142
1bc74519	143	Some knowledge of the ASN.1 structure is needed to interpret the output.
aba3e65f DSH	144
	145	In this example the BIT STRING at offset 229 is the certificate public key.
	146	The contents octets of this will contain the public key information. This can
	147	be examined using the option B<-strparse 229> to yield:
	148
1bc74519	149	0:d=0 hl=3 l= 137 cons: SEQUENCE
aba3e65f DSH	150	3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
	151	135:d=1 hl=2 l= 3 prim: INTEGER :010001
	152
	153	=head1 NOTES
	154
	155	If an OID is not part of OpenSSL's internal table it will be represented in
1bc74519	156	numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
aba3e65f DSH	157	allows additional OIDs to be included. Each line consists of three columns,
	158	the first column is the OID in numerical format and should be followed by white
	159	space. The second column is the "short name" which is a single word followed
	160	by white space. The final column is the rest of the line and is the
	161	"long name". B<asn1parse> displays the long name. Example:
	162
1bc74519	163	C<1.2.3.4 shortName A long name>
aba3e65f	164
04f0a6ba DSH	165	=head1 EXAMPLES
	166
	167	Parse a file:
	168
	169	openssl asn1parse -in file.pem
	170
	171	Parse a DER file:
	172
	173	openssl asn1parse -inform DER -in file.der
	174
	175	Generate a simple UTF8String:
	176
	177	openssl asn1parse -genstr 'UTF8:Hello World'
	178
	179	Generate and write out a UTF8String, don't print parsed output:
	180
	181	openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der
	182
	183	Generate using a config file:
	184
	185	openssl asn1parse -genconf asn1.cnf -noout -out asn1.der
	186
	187	Example config file:
	188
	189	asn1=SEQUENCE:seq_sect
	190
	191	[seq_sect]
	192
	193	field1=BOOL:TRUE
	194	field2=EXP:0, UTF8:some random string
	195
	196
aba3e65f DSH	197	=head1 BUGS
aba3e65f DSH	198
59c70298	199	There should be options to change the format of output lines. The output of some
aba3e65f DSH	200	ASN.1 types is not well handled (if at all).
aba3e65f DSH	201
51cc37b6 DSH	202	=head1 SEE ALSO
51cc37b6 DSH	203
9b86974e	204	L<ASN1_generate_nconf(3)>
51cc37b6	205
e2f92610 RS	206	=head1 COPYRIGHT
e2f92610 RS	207
c4de074e	208	Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	209
449040b4	210	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	211	this file except in compliance with the License. You can obtain a copy
	212	in the file LICENSE in the source distribution or at
	213	L<https://www.openssl.org/source/license.html>.
	214
	215	=cut