DER encoding

1. DER encoding analysis

DER (Distinguished Encoding Rules) encoding is a format specification for binary encoding of ASN.1 data structures packaged under the ASN.1 DER standard. It is one of the most widely used ASN.1 encodings. ASN.1 is a data representation and encoding method with a wide range of applications. ASN.1 is the abbreviation of Abstract Syntax Notation One (Abstract Syntax Markup Language, first version). ASN.1 is a classic representative in the DSL field, and is known as the "XML of data" in the industry. ASN.1 can be used only to standardize data structures, while DER encoding standardizes the way the data is actually stored and transmitted.

The encoding method of the ASN.1 specification is very flexible and can describe almost any data type. DER encoding is a constraint when encoding ASN.1. It stipulates how the ASN.1 data structure is serialized into binary data, so that the data can be interoperable between different computers and different languages.

2. DER encoded digital certificate extension

A digital certificate is a digital form of identity document used to verify the authenticity and ownership of a document. The extensions of digital certificates include .crt, .cer, .p7c, etc. The extension of a DER-encoded digital certificate is usually .cer

The digital certificate decoder related to DER encoding can automatically recognize the DER encoding format. In order to convert the certificate to other types, using DER encoding is a good choice.

3. DER encoding certificate

Digital certificates are usually stored in X.509 certificates. X.509 certificates use the ASN.1 DER encoding format and can be parsed and generated by a variety of languages ​​and tools. Before encoding the certificate, we usually generate a pair of keys using the private key, one of which is added to the certificate as the public key.

// 生成证书
openssl req -new -x509 -out my_cert.crt -keyout my_key.key -days 365

// 查看证书内容
openssl x509 -text -noout -in my_cert.crt

4. DER encoding format

The encoding rules of the DER encoding format are concise and clear, and it is based on the ASN.1 encoding specification. ASN.1 defines standard types and formats for representing structured data, encoding, decoding and transmission. Since DER is a fixed format, it is not necessary to store ASN.1 structure information when transmitting or storing data, which will save transmission space.

4.1 Composition of DER

No matter what type, its DER encoding consists of four parts:

Field	illustrate
tag	type field
length	length field
value	value field
end	end indicating field

That is the T L V triplet.

4.2 [Tag] type field

consists of one byte (ie eight binary bits).
bit8 bit7 is used to represent the tag type, universal is 00 application is 01 context-specific is 10 private is 11
bit6 represents the structured bit, 0 represents the simple type , 1 represents the structure type
bit5-bit1 represents the tag value, and the tag value can be obtained by looking up the table.

4.3 [Length] length field (unit: bytes)

The length field is divided into two types: less than or equal to 127 and greater than 127
Less than or equal to 127: represented by one byte. bit8=0, bit7-bit1 indicates the length value.
Example: 38 is represented as 00100110

greater than 127: consists of multiple bytes
The first byte: bit8=1, bit7-bit1 indicates the number of bytes occupied by the storage length (in popular terms, it means the following There are still a few bytes)
The remaining bytes: store the length value
For example: 201 is represented as 10000001 11001001

The length value is variable: represented by 0x80.

4.4 [Value] value field

Different types have different values, but in the final analysis the types are binary, decimal, hexadecimal, or ASCLL characters. Just convert them to hexadecimal and represent them.

End identification field (not in TLV):
Two bytes, only appears when the length value is variable. Represented as 0x000x00

5. DER encoding PEM encoding

The PEM (PKCS#1, PKCS#8) format defines how to encode DER-encoded ASN.1 type data and other miscellaneous items, such as encryption algorithms, signature algorithms, etc. The PEM format is essentially a representation of ASN.1 type data in text form, so it usually converts DER-encoded ASN.1 type data into a BASE64-encoded text file.

// 将 DER 编码的证书转换为 PEM 格式
openssl x509 -inform der -in my_cert.crt -out my_cert.pem

6. DER encoded certificate extension

DER-encoded digital certificates usually have a .cer extension. This type of certificate uses DER encoding specifications and usually contains the corresponding public key. In addition to this, DER encoding can also be used for certificates in other formats, such as X.509 SSL certificates and PGP certificates.

7. DER encoded digital certificate extension

The extension of a digital certificate depends on the certificate format. In addition to .cer, the extensions of some digital certificates also include .pem, .crt, .pfx, .p12, etc.

8. How to implement the DER encoding format

In Java, DER encoding is commonly used to interact with digital certificates and key stores, such as Keystore, Truststore, PKCS12, etc.

To implement the DER-encoded format, you need to use some classes in the Java Security API, such as X.509 certificates and ASN.1 DER-encoded SubjectPublicKeyInfo structures.

// 获取DER编码的公钥
public static byte[] getDEREncodedPublicKey(PublicKey publicKey) throws IOException
{
    X509EncodedKeySpec x509EncodedKeySpec = new X509EncodedKeySpec(publicKey.getEncoded());
    ASN1Object asn1Object = ASN1Sequence.getInstance(x509EncodedKeySpec.getEncoded());
    SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(asn1Object);
    return subjectPublicKeyInfo.getEncoded();
}

9. DER certificate

The DER encoded form can be used to store and transmit many types of certificates, including TLS certificates, digital signature certificates, code signing certificates, etc. DER certificates can be used to implement secure communication, authentication, and code signing, and have been widely used in a variety of Internet applications.

Here is an example of DER certificate parsing using Java code:

// Load DER certificate
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream certificateIs = new FileInputStream("my_cert.cer");
X509Certificate cert = (X509Certificate) cf.generateCertificate(certificateIs);

// Extract information
System.out.println("Subject: " + cert.getSubjectDN());
System.out.println("Issuer: " + cert.getIssuerDN());
System.out.println("Serial number: " + cert.getSerialNumber());
System.out.println("Public key: " + cert.getPublicKey());
System.out.println("Validity period: " + cert.getNotBefore() + " - " + cert.getNotAfter());
System.out.println("Signature algorithm: " + cert.getSigAlgName());

10. Summary

The above is a detailed explanation of DER encoding. Through this article, we learned that Der encoding is a format specification for binary encoding of ASN.1 data structures packaged under the ASN.1DER standard. The encoding method of the ASN.1 specification is very flexible and can describe almost any data type. In practical applications, DER-encoded formats are used in various digital certificates and key managers.