[thirdparty/openssl.git] / doc / man1 / openssl-asn1parse.pod

=pod

=head1 NAME

openssl-asn1parse - ASN.1 parsing tool

=head1 SYNOPSIS

B<openssl> B<asn1parse>
[B<-help>]
[B<-inform> B<DER>|B<PEM>]
[B<-in> I<filename>]
[B<-out> I<filename>]
[B<-noout>]
[B<-offset> I<number>]
[B<-length> I<number>]
[B<-i>]
[B<-oid> I<filename>]
[B<-dump>]
[B<-dlimit> I<num>]
[B<-strparse> I<offset>]
[B<-genstr> I<string>]
[B<-genconf> I<file>]
[B<-strictpem>]
[B<-item> I<name>]

=head1 DESCRIPTION

This command is a diagnostic utility that can parse ASN.1 structures.
It can also be used to extract data from ASN.1 formatted data.

=head1 OPTIONS

=over 4

=item B<-help>

Print out a usage message.

=item B<-inform> B<DER>|B<PEM>

The input format. B<DER> is binary format and B<PEM> (the default) is base64
encoded.

=item B<-in> I<filename>

The input file, default is standard input.

=item B<-out> I<filename>

Output file to place the DER encoded data into. If this
option is not present then no data will be output. This is most useful when
combined with the B<-strparse> option.

=item B<-noout>

Don't output the parsed version of the input file.

=item B<-offset> I<number>

Starting offset to begin parsing, default is start of file.

=item B<-length> I<number>

Number of bytes to parse, default is until end of file.

=item B<-i>

Indents the output according to the "depth" of the structures.

=item B<-oid> I<filename>

A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
file is described in the NOTES section below.

=item B<-dump>

Dump unknown data in hex format.

=item B<-dlimit> I<num>

Like B<-dump>, but only the first B<num> bytes are output.

=item B<-strparse> I<offset>

Parse the contents octets of the ASN.1 object starting at B<offset>. This
option can be used multiple times to "drill down" into a nested structure.

=item B<-genstr> I<string>, B<-genconf> I<file>

Generate encoded data based on I<string>, I<file> or both using
L<ASN1_generate_nconf(3)> format. If I<file> only is
present then the string is obtained from the default section using the name
B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
though it came from a file, the contents can thus be examined and written to a
file using the B<-out> option.

=item B<-strictpem>

If this option is used then B<-inform> will be ignored. Without this option any
data in a PEM format input file will be treated as being base64 encoded and
processed whether it has the normal PEM BEGIN and END markers or not. This
option will ignore any data prior to the start of the BEGIN marker, or after an
END marker in a PEM file.

=item B<-item> I<name>

Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used
to print out the fields of any supported ASN.1 structure if the type is known.

=back

=head2 Output

The output will typically contain lines like this:

  0:d=0  hl=4 l= 681 cons: SEQUENCE

.....

  229:d=3  hl=3 l= 141 prim: BIT STRING
  373:d=2  hl=3 l= 162 cons: cont [ 3 ]
  376:d=3  hl=3 l= 159 cons: SEQUENCE
  379:d=4  hl=2 l=  29 cons: SEQUENCE
  381:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  386:d=5  hl=2 l=  22 prim: OCTET STRING
  410:d=4  hl=2 l= 112 cons: SEQUENCE
  412:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  417:d=5  hl=2 l= 105 prim: OCTET STRING
  524:d=4  hl=2 l=  12 cons: SEQUENCE

.....

This example is part of a self-signed certificate. Each line starts with the
offset in decimal. C<d=XX> specifies the current depth. The depth is increased
within the scope of any SET or SEQUENCE. C<hl=XX> gives the header length
(tag and length octets) of the current type. C<l=XX> gives the length of
the contents octets.

The B<-i> option can be used to make the output more readable.

Some knowledge of the ASN.1 structure is needed to interpret the output.

In this example the BIT STRING at offset 229 is the certificate public key.
The contents octets of this will contain the public key information. This can
be examined using the option C<-strparse 229> to yield:

    0:d=0  hl=3 l= 137 cons: SEQUENCE
    3:d=1  hl=3 l= 129 prim: INTEGER           :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
  135:d=1  hl=2 l=   3 prim: INTEGER           :010001

=head1 NOTES

If an OID is not part of OpenSSL's internal table it will be represented in
numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
allows additional OIDs to be included. Each line consists of three columns,
the first column is the OID in numerical format and should be followed by white
space. The second column is the "short name" which is a single word followed
by white space. The final column is the rest of the line and is the
"long name". Example:

C<1.2.3.4       shortName       A long name>

=head1 EXAMPLES

Parse a file:

 openssl asn1parse -in file.pem

Parse a DER file:

 openssl asn1parse -inform DER -in file.der

Generate a simple UTF8String:

 openssl asn1parse -genstr 'UTF8:Hello World'

Generate and write out a UTF8String, don't print parsed output:

 openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der

Generate using a config file:

 openssl asn1parse -genconf asn1.cnf -noout -out asn1.der

Example config file:

 asn1=SEQUENCE:seq_sect

 [seq_sect]

 field1=BOOL:TRUE
 field2=EXP:0, UTF8:some random string


=head1 BUGS

There should be options to change the format of output lines. The output of some
ASN.1 types is not well handled (if at all).

=head1 SEE ALSO

L<openssl(1)>,
L<ASN1_generate_nconf(3)>

=head1 COPYRIGHT

Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut
Commit	Line	Data
aba3e65f DSH	1	=pod
	2
	3	=head1 NAME
	4
b6b66573	5	openssl-asn1parse - ASN.1 parsing tool
aba3e65f DSH	6
	7	=head1 SYNOPSIS
	8
af29811e	9	B<openssl> B<asn1parse>
0ae9e292	10	[B<-help>]
e8769719 RS	11	[B<-inform> B<DER>\|B<PEM>]
	12	[B<-in> I<filename>]
	13	[B<-out> I<filename>]
aba3e65f	14	[B<-noout>]
e8769719 RS	15	[B<-offset> I<number>]
e8769719 RS	16	[B<-length> I<number>]
aba3e65f	17	[B<-i>]
e8769719	18	[B<-oid> I<filename>]
fc1d88f0	19	[B<-dump>]
e8769719 RS	20	[B<-dlimit> I<num>]
	21	[B<-strparse> I<offset>]
	22	[B<-genstr> I<string>]
	23	[B<-genconf> I<file>]
6b5c1d94	24	[B<-strictpem>]
e8769719	25	[B<-item> I<name>]
aba3e65f DSH	26
	27	=head1 DESCRIPTION
	28
35a810bb RL	29	This command is a diagnostic utility that can parse ASN.1 structures.
35a810bb RL	30	It can also be used to extract data from ASN.1 formatted data.
aba3e65f DSH	31
	32	=head1 OPTIONS
	33
	34	=over 4
	35
0ae9e292 RS	36	=item B<-help>
	37
	38	Print out a usage message.
	39
e8769719	40	=item B<-inform> B<DER>\|B<PEM>
aba3e65f	41
2f0ea936	42	The input format. B<DER> is binary format and B<PEM> (the default) is base64
aba3e65f DSH	43	encoded.
aba3e65f DSH	44
e8769719	45	=item B<-in> I<filename>
aba3e65f	46
c4de074e	47	The input file, default is standard input.
aba3e65f	48
e8769719	49	=item B<-out> I<filename>
aba3e65f	50
c4de074e	51	Output file to place the DER encoded data into. If this
aba3e65f DSH	52	option is not present then no data will be output. This is most useful when
	53	combined with the B<-strparse> option.
	54
	55	=item B<-noout>
	56
c4de074e	57	Don't output the parsed version of the input file.
aba3e65f	58
e8769719	59	=item B<-offset> I<number>
aba3e65f	60
c4de074e	61	Starting offset to begin parsing, default is start of file.
aba3e65f	62
e8769719	63	=item B<-length> I<number>
aba3e65f	64
c4de074e	65	Number of bytes to parse, default is until end of file.
aba3e65f DSH	66
	67	=item B<-i>
	68
c4de074e	69	Indents the output according to the "depth" of the structures.
aba3e65f	70
e8769719	71	=item B<-oid> I<filename>
aba3e65f	72
c4de074e	73	A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this
aba3e65f DSH	74	file is described in the NOTES section below.
aba3e65f DSH	75
fc1d88f0 RS	76	=item B<-dump>
fc1d88f0 RS	77
c4de074e	78	Dump unknown data in hex format.
fc1d88f0	79
e8769719	80	=item B<-dlimit> I<num>
fc1d88f0	81
c4de074e	82	Like B<-dump>, but only the first B<num> bytes are output.
fc1d88f0	83
e8769719	84	=item B<-strparse> I<offset>
aba3e65f	85
c4de074e	86	Parse the contents octets of the ASN.1 object starting at B<offset>. This
aba3e65f DSH	87	option can be used multiple times to "drill down" into a nested structure.
aba3e65f DSH	88
e8769719	89	=item B<-genstr> I<string>, B<-genconf> I<file>
04f0a6ba	90
2f0ea936 RL	91	Generate encoded data based on I<string>, I<file> or both using
2f0ea936 RL	92	L<ASN1_generate_nconf(3)> format. If I<file> only is
51cc37b6 DSH	93	present then the string is obtained from the default section using the name
	94	B<asn1>. The encoded data is passed through the ASN1 parser and printed out as
	95	though it came from a file, the contents can thus be examined and written to a
2f0ea936	96	file using the B<-out> option.
aba3e65f	97
6b5c1d94 MC	98	=item B<-strictpem>
	99
	100	If this option is used then B<-inform> will be ignored. Without this option any
3d9243f1 MC	101	data in a PEM format input file will be treated as being base64 encoded and
	102	processed whether it has the normal PEM BEGIN and END markers or not. This
	103	option will ignore any data prior to the start of the BEGIN marker, or after an
	104	END marker in a PEM file.
6b5c1d94	105
e8769719	106	=item B<-item> I<name>
5fb10059	107
2f0ea936 RL	108	Attempt to decode and print the data as B<ASN1_ITEM> I<name>. This can be used
2f0ea936 RL	109	to print out the fields of any supported ASN.1 structure if the type is known.
5fb10059	110
aba3e65f DSH	111	=back
aba3e65f DSH	112
05ea606a	113	=head2 Output
aba3e65f DSH	114
	115	The output will typically contain lines like this:
	116
1bc74519	117	0:d=0 hl=4 l= 681 cons: SEQUENCE
aba3e65f DSH	118
	119	.....
	120
6b5c1d94	121	229:d=3 hl=3 l= 141 prim: BIT STRING
1bc74519 RS	122	373:d=2 hl=3 l= 162 cons: cont [ 3 ]
	123	376:d=3 hl=3 l= 159 cons: SEQUENCE
	124	379:d=4 hl=2 l= 29 cons: SEQUENCE
aba3e65f	125	381:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1bc74519 RS	126	386:d=5 hl=2 l= 22 prim: OCTET STRING
1bc74519 RS	127	410:d=4 hl=2 l= 112 cons: SEQUENCE
aba3e65f	128	412:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1bc74519 RS	129	417:d=5 hl=2 l= 105 prim: OCTET STRING
1bc74519 RS	130	524:d=4 hl=2 l= 12 cons: SEQUENCE
aba3e65f DSH	131
	132	.....
	133
77a795e4	134	This example is part of a self-signed certificate. Each line starts with the
a43384fd RL	135	offset in decimal. C<d=XX> specifies the current depth. The depth is increased
	136	within the scope of any SET or SEQUENCE. C<hl=XX> gives the header length
	137	(tag and length octets) of the current type. C<l=XX> gives the length of
aba3e65f DSH	138	the contents octets.
	139
	140	The B<-i> option can be used to make the output more readable.
	141
1bc74519	142	Some knowledge of the ASN.1 structure is needed to interpret the output.
aba3e65f DSH	143
	144	In this example the BIT STRING at offset 229 is the certificate public key.
	145	The contents octets of this will contain the public key information. This can
e8769719	146	be examined using the option C<-strparse 229> to yield:
aba3e65f	147
1bc74519	148	0:d=0 hl=3 l= 137 cons: SEQUENCE
aba3e65f DSH	149	3:d=1 hl=3 l= 129 prim: INTEGER :E5D21E1F5C8D208EA7A2166C7FAF9F6BDF2059669C60876DDB70840F1A5AAFA59699FE471F379F1DD6A487E7D5409AB6A88D4A9746E24B91D8CF55DB3521015460C8EDE44EE8A4189F7A7BE77D6CD3A9AF2696F486855CF58BF0EDF2B4068058C7A947F52548DDF7E15E96B385F86422BEA9064A3EE9E1158A56E4A6F47E5897
	150	135:d=1 hl=2 l= 3 prim: INTEGER :010001
	151
	152	=head1 NOTES
	153
	154	If an OID is not part of OpenSSL's internal table it will be represented in
1bc74519	155	numerical form (for example 1.2.3.4). The file passed to the B<-oid> option
aba3e65f DSH	156	allows additional OIDs to be included. Each line consists of three columns,
	157	the first column is the OID in numerical format and should be followed by white
	158	space. The second column is the "short name" which is a single word followed
	159	by white space. The final column is the rest of the line and is the
35a810bb	160	"long name". Example:
aba3e65f	161
1bc74519	162	C<1.2.3.4 shortName A long name>
aba3e65f	163
04f0a6ba DSH	164	=head1 EXAMPLES
	165
	166	Parse a file:
	167
	168	openssl asn1parse -in file.pem
	169
	170	Parse a DER file:
	171
	172	openssl asn1parse -inform DER -in file.der
	173
	174	Generate a simple UTF8String:
	175
	176	openssl asn1parse -genstr 'UTF8:Hello World'
	177
	178	Generate and write out a UTF8String, don't print parsed output:
	179
	180	openssl asn1parse -genstr 'UTF8:Hello World' -noout -out utf8.der
	181
	182	Generate using a config file:
	183
	184	openssl asn1parse -genconf asn1.cnf -noout -out asn1.der
	185
	186	Example config file:
	187
	188	asn1=SEQUENCE:seq_sect
	189
	190	[seq_sect]
	191
	192	field1=BOOL:TRUE
	193	field2=EXP:0, UTF8:some random string
	194
	195
aba3e65f DSH	196	=head1 BUGS
aba3e65f DSH	197
59c70298	198	There should be options to change the format of output lines. The output of some
aba3e65f DSH	199	ASN.1 types is not well handled (if at all).
aba3e65f DSH	200
51cc37b6 DSH	201	=head1 SEE ALSO
51cc37b6 DSH	202
b6b66573	203	L<openssl(1)>,
9b86974e	204	L<ASN1_generate_nconf(3)>
51cc37b6	205
e2f92610 RS	206	=head1 COPYRIGHT
e2f92610 RS	207
b6b66573	208	Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
e2f92610	209
449040b4	210	Licensed under the Apache License 2.0 (the "License"). You may not use
e2f92610 RS	211	this file except in compliance with the License. You can obtain a copy
	212	in the file LICENSE in the source distribution or at
	213	L<https://www.openssl.org/source/license.html>.
	214
	215	=cut