OpenSSL ASN.1 series, part 1: an introduction to ASN.1

[Introduction]
ASN.1 (Abstract Syntax Notation One) is a standard for describing digital objects. OpenSSL's encoding method is based on this standard, and so are the encoding methods of a great deal of other software today. Someone who only uses OpenSSL's API or its command-line applications may not need a very thorough knowledge of ASN.1, but to give everyone a deeper understanding of the encoding basics behind each API introduced later, this series starts with an introduction to ASN.1 and the corresponding handling API in OpenSSL.

[ASN.1 overview]
The ASN.1 standard for describing digital objects consists of two parts: a data description language (ISO 8824) and data encoding rules (ISO 8825). The data description language lets users define their own data types, composing more complex types from simpler ones. For example, a complex data object such as an X.509 certificate is defined in terms of a number of other types, those are in turn built from more basic types, and so on down to the basic types, which are defined by the standard itself.
For example, the ASN.1 definition of the Validity sub-field of an X.509 certificate (the certificate's validity period) is:
Validity ::= SEQUENCE
{
    notBefore UTCTime,
    notAfter  UTCTime
}
This defines Validity as an ordered sequence consisting of two values of type UTCTime, notBefore and notAfter. Next one would need to find out how UTCTime is defined; in fact, UTCTime is one of the basic data types defined by ASN.1.
On top of the data definitions, ASN.1 defines a set of encoding rules describing how to convert an object defined as above into a binary form that applications can process and transmit. ASN.1 defines several encoding methods, including BER, DER, PER and XER. The most commonly used is BER (Basic Encoding Rules), but because BER allows one and the same object to have several different legal binary encodings, OpenSSL uses the BER subset DER (Distinguished Encoding Rules), under which every ASN.1 object has exactly one binary encoding.

Every basic type defined by ASN.1 has a corresponding numeric identifier (tag), which is needed when the binary encoding is produced.
[ASN.1 basic data types]
The following lists the basic data types defined by ASN.1; the fields are:
[data type] - [description] - [tag (hex)]
[BOOLEAN] - [one of two values: FALSE or TRUE] - [01]
[INTEGER] - [integer] - [02]
[BIT STRING] - [zero or more bits] - [03]
[OCTET STRING] - [zero or more bytes] - [04]
[NULL] - [the null value] - [05]
[OBJECT IDENTIFIER] - [a unique identification number for an object] - [06]
[ObjectDescriptor] - [a brief textual description of an object] - [07]
[EXTERNAL] - [a data type not defined in ASN.1] - [08]
[REAL] - [real value] - [09]
[ENUMERATED] - [a list of values, each with a unique identifier, as part of an ASN.1-defined data type] - [0A]
[SEQUENCE and SEQUENCE OF] - [ordered sequence; the values inside a SEQUENCE may be of different types, while a SEQUENCE OF holds zero or more values of the same type] - [10]
[SET and SET OF] - [unordered collection; the values inside a SET may be of different types, while a SET OF holds zero or more values of the same type] - [11]
[NumericString] - [digits 0-9 and space] - [12]
[PrintableString] - [A-Z, a-z, 0-9, space and the symbols ' ( ) + , - . / : = ?] - [13]
[UTCTime] - [coordinated universal time format] - [17]

Besides these basic types, ASN.1 also defines some special data types that are not described here.

OpenSSL ASN.1 series, part 2: an introduction to ASN.1 encoding

References: "Computer Networks", "A Layman's Guide to a Subset of ASN.1, BER, and DER"


Encoding of ASN.1 objects is an important part of the ASN.1 standard. BER is generally used, and DER is a subset of it. This article gives a brief introduction to the encoding method.
A standard encoded ASN.1 object has four fields: the identifier field, the length field, the contents field and the end-of-contents field (optional; it is only required when the length is indefinite, and OpenSSL does not use it).
[Identifier field]
The identifier field has two forms: the low-tag-number form (tag values 0 to 30) and the high-tag-number form (tag values greater than 30).
The low-tag-number form is a single byte consisting of three parts (bits are numbered from the least significant bit as 1): bits 8 and 7 give the tag class, of which there are four, universal (00), application (01), context-specific (10) and private (11); bit 6 is 0 for a primitive encoding and 1 for a constructed encoding; bits 5 to 1 give the tag value.
The high-tag-number form has two or more bytes. The first byte is like the low-tag-number form, but its lower five bits are all 1; the second and following bytes carry the tag value using only their lower 7 bits, most significant group first and using as few bytes as possible, with bit 8 set to 1 in every byte except the last, where it is 0.
[Length field]
The length field also has two forms, a short form and a long form.
In the short form the length field is a single byte: bit 8 is 0 and the lower 7 bits give the length of the contents.
In the long form the length field is 2 to 127 bytes. Bit 8 of the first byte is 1 and its lower 7 bits give the number of following bytes used by the length field; those bytes, starting from the second byte of the field, give the length of the contents in base 256, most significant byte first.
[Contents field]
The contents field carries the actual data value. Its encoding differs for each data type and is not described in detail here; interested readers can consult the references.

[An encoding example]
The following is an example of DER encoding an object, taken from the SSL documentation; more examples can be found in the references given above.
The example encodes an object of the ASN.1 type BIT STRING. The encoding steps are:
1. Pad the bit string with "0" bits so that its length is a multiple of 8 (if it already is, no padding is needed);
2. Count the padding bits and write that count down; it becomes the first byte of the contents;
3. Write the padded bit string, most significant byte first; these bytes together with the previous byte form the whole contents;
4. Put a header byte in front of the contents, defined as follows (bits are numbered from 1 at the least significant end):
 bits 8, 7: 00 (universal class)
 bit 6: 0 (primitive encoding, definite length)
 bits 5-1: 0x03 (BIT STRING)
This byte is the identifier field;
5. Between the identifier byte and the contents, insert the length field, computed as follows:
 count the bytes of the contents (excluding the identifier field); if that is at most 127, the length field is a single byte:
  bit 8: 0
  bits 7-1: the number of content bytes
 if the contents are longer than 127 bytes, two or more bytes are needed, the first defined as follows:
  bit 8: 1
  bits 7-1: the number of length bytes that follow
  the following bytes give the number of content bytes in base 256, most significant byte first.
Here is the example with actual data:
bit string: 01000100111011
1. pad two 0 bits at the end to reach a multiple of 8, giving 0100010011101100;
2. 02 (two padding bits) is the first byte of the contents;
3. 44 EC are the remaining content bytes;
4. 03 is the identifier byte placed in front;
5. the contents are 3 bytes (02 44 EC) and 3 <= 127, so the length field is the single byte 03;
The DER encoding of this bit string is therefore 03 03 02 44 EC, where the first byte is the identifier field, the second byte is the length field, and the remaining bytes are the contents field.

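The following program is an added example, not code from the original post or from OpenSSL: it implements the BIT STRING encoding steps above and a decoder for the identifier and length fields (both tag-number forms and both length forms), and reproduces the 03 03 02 44 EC result. It is plain C with no OpenSSL dependency; all function names are this example's own.

```c
/* Added example (not code from the original post): a DER encoder for BIT STRING
 * values and a decoder for the identifier and length fields, following the
 * rules described in this part. Plain C with no OpenSSL dependency. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a DER length field to out (needs up to 1 + sizeof(size_t) bytes);
 * returns the number of bytes written. */
static size_t der_put_length(uint8_t *out, size_t len)
{
    if (len < 128) {               /* short form: bit 8 clear, bits 7-1 = length */
        out[0] = (uint8_t)len;
        return 1;
    }
    /* long form: 0x80 | n, then n length bytes, most significant first,
     * with no leading zero bytes (DER requires the minimal encoding) */
    uint8_t tmp[sizeof(size_t)];
    size_t n = 0;
    while (len) { tmp[n++] = (uint8_t)(len & 0xFF); len >>= 8; }
    out[0] = (uint8_t)(0x80 | n);
    for (size_t i = 0; i < n; i++) out[1 + i] = tmp[n - 1 - i];
    return 1 + n;
}

/* Encode a bit string written as '0'/'1' characters (first character = most
 * significant bit). Returns the encoded size, or 0 on bad input / small out. */
size_t der_encode_bit_string(const char *bits, uint8_t *out, size_t outcap)
{
    size_t nbits = strlen(bits), nbytes = (nbits + 7) / 8;
    uint8_t content[257], lenbuf[1 + sizeof(size_t)];
    if (nbytes + 1 > sizeof content) return 0;
    content[0] = (uint8_t)((8 - nbits % 8) % 8);     /* steps 1-2: padding bit count */
    memset(content + 1, 0, nbytes);
    for (size_t i = 0; i < nbits; i++) {              /* step 3: pack bits, MSB first */
        if (bits[i] != '0' && bits[i] != '1') return 0;
        if (bits[i] == '1') content[1 + i / 8] |= (uint8_t)(0x80 >> (i % 8));
    }
    size_t lenlen = der_put_length(lenbuf, nbytes + 1); /* step 5: content length */
    size_t total = 1 + lenlen + nbytes + 1;
    if (total > outcap) return 0;
    out[0] = 0x03;                 /* step 4: universal (00), primitive (0), tag 3 */
    memcpy(out + 1, lenbuf, lenlen);
    memcpy(out + 1 + lenlen, content, nbytes + 1);
    return total;
}

/* Parse the identifier and length fields of a DER element: low (<= 30) and
 * high tag-number forms, short and long length forms. Returns the header
 * size, or 0 for truncated, indefinite-length or over-long input; *len is
 * the number of content bytes that follow the header. */
size_t der_read_header(const uint8_t *in, size_t inlen, unsigned *cls,
                       int *constructed, unsigned long *tag, size_t *len)
{
    if (inlen < 2) return 0;
    *cls = in[0] >> 6;                 /* bits 8-7: 00 universal ... 11 private */
    *constructed = (in[0] >> 5) & 1;   /* bit 6: 0 primitive, 1 constructed */
    *tag = in[0] & 0x1F;               /* bits 5-1; 11111 means high form follows */
    size_t i = 1, hdr;
    if (*tag == 0x1F) {                /* 7 bits per byte, bit 8 set on all but the last */
        *tag = 0;
        do {
            if (i >= inlen || i > 5) return 0;
            *tag = (*tag << 7) | (in[i] & 0x7F);
        } while (in[i++] & 0x80);
    }
    if (i >= inlen) return 0;
    if (!(in[i] & 0x80)) {             /* short form */
        *len = in[i];
        hdr = i + 1;
    } else {                           /* long form: n following length bytes */
        unsigned n = in[i] & 0x7F;     /* n == 0 would be indefinite length, not DER */
        if (n == 0 || n > sizeof(size_t) || i + 1 + n > inlen) return 0;
        *len = 0;
        for (unsigned k = 0; k < n; k++) *len = (*len << 8) | in[i + 1 + k];
        hdr = i + 1 + n;
    }
    return *len <= inlen - hdr ? hdr : 0;   /* reject lengths past the buffer end */
}

/* Reproduce the worked example: "01000100111011" must encode to 03 03 02 44 EC
 * and decode to universal class, primitive, tag 3, 3 content bytes. */
int der_bit_string_demo(void)
{
    static const uint8_t expected[] = { 0x03, 0x03, 0x02, 0x44, 0xEC };  /* from the post */
    uint8_t buf[16];
    unsigned cls; int cons; unsigned long tag; size_t len;
    size_t n = der_encode_bit_string("01000100111011", buf, sizeof buf);
    if (n != sizeof expected || memcmp(buf, expected, n) != 0) return 0;
    if (der_read_header(buf, n, &cls, &cons, &tag, &len) != 2) return 0;
    return cls == 0 && cons == 0 && tag == 3 && len == 3;
}

int main(void)
{
    uint8_t buf[16];
    size_t n = der_encode_bit_string("01000100111011", buf, sizeof buf);
    for (size_t i = 0; i < n; i++) printf("%02x ", buf[i]);
    printf("\nworked example %s\n", der_bit_string_demo() ? "reproduced" : "FAILED");
    return 0;
}
```

The decoder deliberately rejects an indefinite-length byte (0x80) and any length that runs past the supplied buffer; a parser that trusts the length field without that check is the classic source of out-of-bounds reads in DER handling code.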
OpenSSL ASN.1 series, part 3: overview of ASN.1 structures and functions

[ASN.1 library overview]
Because X.509 and related protocols are based on ASN.1 and DER encoding, OpenSSL provides a set of functions that read DER-encoded objects and convert them into the internal format OpenSSL can handle; the same family of functions also converts objects held in the C structures defined by OpenSSL into DER-encoded objects. In addition, the series provides functions for comparing these objects and for reading and setting specified values. It also includes a number of signature-related functions, because some objects must be DER encoded before they are signed.

What follows is a brief introduction to the important data structures of the ASN.1 library.
[ASN1_CTX]
This structure is used to keep track of the various state variables during ASN.1 processing. It is defined as follows:
typedef struct asn1_ctx_st
{
    unsigned char *p;
    int eos;
    int error;
    int inf;
    int tag;
    int xclass;
    long slen;
    unsigned char *max;
    unsigned char *q;
    unsigned char **pp;
    int line;
} ASN1_CTX;

  • p is the working character pointer; its maximum allowed value is given by max;
  • eos is the end-of-sequence flag used in indefinite-length encoding mode;
  • error is the error code;
  • inf is 0x20 for constructed mode and 0x21 for indefinite mode;
  • tag is the tag value of the object last obtained;
  • xclass is the class of the object last obtained;
  • slen is the length of the object last obtained;
  • line is used in error handling.

[ASN1_OBJECT]
This structure holds an ASN.1 object and is defined as follows:
typedef struct asn1_object_st
{
    char *sn, *ln;
    int nid;
    int length;
    unsigned char *data;
    int flags;
} ASN1_OBJECT;

  • nid is the unique numeric identifier OpenSSL assigns internally to each object;
  • sn is the short name of the object;
  • ln is the long name (lowercase name) of the object;
  • data is the data corresponding to the object;
  • length is the length of the data field;
  • flags is a flag controlling how the object is released.

[ASN1_STRING]
This is a very basic ASN.1 object structure in OpenSSL; many OpenSSL object types are defined in terms of it, including ASN1_INTEGER, ASN1_BIT_STRING, ASN1_OCTET_STRING, ASN1_PRINTABLESTRING, ASN1_T61STRING, ASN1_IA5STRING, ASN1_UTCTIME, ASN1_GENERALIZEDTIME, ASN1_GENERALSTRING, ASN1_UNIVERSALSTRING and ASN1_BMPSTRING. The structure is defined as follows:
typedef struct asn1_string_st
{
    int length;
    int type;
    unsigned char *data;
    long flags;
} ASN1_STRING;

  • type indicates the type of the object;
  • data is the object's data;
  • length specifies its length;
  • flags has a meaning that depends on the type; it is generally used with BIT_STRING objects.

[ASN1_TYPE]
This structure can store an ASN.1 object of any type. It is defined as follows:
typedef struct asn1_type_st
{
    int type;
    union
    {
        char *ptr;
        ASN1_BOOLEAN boolean;
        ASN1_STRING *asn1_string;
        ASN1_OBJECT *object;
        ASN1_INTEGER *integer;
        ASN1_ENUMERATED *enumerated;
        ASN1_BIT_STRING *bit_string;
        ASN1_OCTET_STRING *octet_string;
        ASN1_PRINTABLESTRING *printablestring;
        ASN1_T61STRING *t61string;
        ASN1_IA5STRING *ia5string;
        ASN1_GENERALSTRING *generalstring;
        ASN1_BMPSTRING *bmpstring;
        ASN1_UNIVERSALSTRING *universalstring;
        ASN1_UTCTIME *utctime;
        ASN1_GENERALIZEDTIME *generalizedtime;
        ASN1_VISIBLESTRING *visiblestring;
        ASN1_UTF8STRING *utf8string;
        ASN1_STRING *set;
        ASN1_STRING *sequence;
    } value;
} ASN1_TYPE;
The type member specifies the type of the object stored in the union.
[ASN1_METHOD]
This structure contains a set of function pointers: functions that convert between OpenSSL's internal structure and the DER-encoded object, and functions that allocate and free the structure. It is defined as follows:
typedef struct asn1_method_st
{
    int (*i2d)();
    char *(*d2i)();
    char *(*create)();
    void (*destroy)();
} ASN1_METHOD;

  • i2d points to the function that converts the internal format into DER-encoded form;
  • d2i points to the function that converts a DER-encoded object into the internal structure;
  • create points to the function that allocates memory for a new object;
  • destroy points to the function that releases the object's memory.

For example, in the file x_x509.c the ASN1_METHOD structure for X509 objects is initialized as follows:
static ASN1_METHOD meth =
{
    (int (*)())   i2d_X509,
    (char *(*)()) d2i_X509,
    (char *(*)()) X509_new,
    (void (*)())  X509_free
};

ASN1_METHOD *X509_asn1_meth(void)
{
    return (&meth);
}
[ASN1_HEADER]
This structure is used only for Netscape's certificate format (see the file apps/x509.c). It is defined as follows:
typedef struct asn1_header_st
{
    ASN1_OCTET_STRING *header;
    char *data;
    ASN1_METHOD *meth;
} ASN1_HEADER;

Besides the basic structures described above, there are several other structures related to ASN.1, but since they are not particularly general they are not introduced here; interested readers can look at the file x509.h.

OpenSSL ASN.1 series, part 4: construction and release of ASN.1 objects

Because each ASN.1 object has a corresponding data structure, OpenSSL also provides a set of functions to create and release these objects. In fact there are not many basic functions; many of the functions are macros built on the basic functions, provided mainly for the user's convenience.
The basic construction and release functions are defined as follows (crypto/asn1/asn1.h):
ASN1_OBJECT *ASN1_OBJECT_new(void);
void ASN1_OBJECT_free(ASN1_OBJECT *a);
ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len, const char *sn, const char *ln);
ASN1_STRING *ASN1_STRING_new(void);
void ASN1_STRING_free(ASN1_STRING *a);
ASN1_STRING *ASN1_STRING_type_new(int type);
ASN1_HEADER *ASN1_HEADER_new(void);
void ASN1_HEADER_free(ASN1_HEADER *a);
ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it);
void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it);

[ASN1_OBJECT]
The new and free functions of this series create and release ASN1_OBJECT objects. When creating an ASN1_OBJECT, the function allocates memory for the object, sets all pointer-typed members of the structure to NULL, initializes nid and length to 0, sets flags to ASN1_OBJECT_FLAG_DYNAMIC, and returns a pointer to the created object; on failure it returns NULL. When the object is released, the free function frees the memory of all members and then the object itself, and length is set to 0.
Besides creating an ASN1_OBJECT with ASN1_OBJECT_new, you can also use the ASN1_OBJECT_create function, which creates an ASN1_OBJECT from the given parameters: nid is the unique NID of the object; data is the object's data and len the length of the valid data; sn is the short name of the object; ln is the long name (lowercase name) of the object; the function sets flags to ASN1_OBJECT_FLAG_DYNAMIC | ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA. As the prototype above shows, this function returns a pointer to the newly created object.

[ASN1_STRING]
The ASN1_STRING_type_new function creates an ASN1_STRING object of the given type and returns a pointer to it. In fact, whatever the type, this function simply creates an ASN1_STRING object, initializes its data member to NULL and its flags and length to 0; the only difference is that the type member is set to the value of the type parameter. The currently supported type values are:
V_ASN1_BIT_STRING
V_ASN1_INTEGER
V_ASN1_ENUMERATED
V_ASN1_OCTET_STRING
V_ASN1_T61STRING
V_ASN1_PRINTABLESTRING
V_ASN1_VISIBLESTRING
V_ASN1_IA5STRING
V_ASN1_UTCTIME
V_ASN1_GENERALIZEDTIME
V_ASN1_GENERALSTRING
V_ASN1_UNIVERSALSTRING
V_ASN1_BMPSTRING
V_ASN1_UTF8STRING
ASN1_STRING_new simply calls ASN1_STRING_type_new with the type parameter V_ASN1_OCTET_STRING and returns its result. On success both functions return an ASN1_STRING pointer, otherwise NULL. ASN1_STRING_free releases an ASN1_STRING object created by either of the two functions above and has no return value.

[ASN1_HEADER]
These two functions handle certificate and private key objects in Netscape format. The new function creates an ASN1_HEADER object, initializes its header member by calling ASN1_STRING_type_new with the type parameter V_ASN1_OCTET_STRING, sets meth and data to NULL, and returns a pointer to the ASN1_HEADER object. The free function releases an object of this type and has no return value.
[ASN1_VALUE]
These two functions are generally no longer in use and are retained only for compatibility with previous versions; they are not introduced here.
[Macros defined on top of the basic functions]
Based on the basic functions above, especially ASN1_STRING_type_new, OpenSSL offers many macro definitions for the user's convenience. They have the following form:
constructor: M_<object name>_new()
release function: M_<object name>_free(a)
There are many such functions; see the file asn1.h for details, they are not listed here.

Original link: https://blog.csdn.net/jasenwan88/article/details/7718851

Source: www.cnblogs.com/eaglexmw/p/11346664.html