Difference between revisions of "ASN.1"
(→Context) |
m (→Solution) |
||
(41 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
==Context== | ==Context== | ||
− | In the time before internet there was the 7 layer ISO model and a bunch of PTOs (mostly government postal | + | In the time before internet there was the 7 layer ISO model and a bunch of PTOs (mostly government postal and telegraphy organizations) worried by this new technology that wanted to dominate the identity layer of the internet. The result was a series of CCITT (now ITU-T) committees establish to translate the telephone industry white pages into the identity of every entity on the internet. This expanded to include X.400 series standards on electronic mail which went beyond that to create a security system base on [[ASN.1]] X.500 series standards. The only legacy of that is the use of [[Distinguished Name]]s in email directories, like Microsoft Outlook. |
− | == | + | Abstract Syntax Notation One (ASN.1), which is defined in CCITT Recommendation X.208, is a way to specify abstract objects that will be serially transmitted. The set of ASN.1 rules for representing such objects as strings of ones and zeros is called the Distinguished Encoding Rules (DER), and is defined in CCITT Recommendation X.509, Section 8.7. These encoding methods are currently used to create the TLS certificates that are used to establish secure interchanges using HTTPS. |
+ | |||
+ | ==Problems== | ||
# Bureaucracy | # Bureaucracy | ||
# Complexity | # Complexity | ||
+ | # Extensions were added in the PKI certificate version 3 that were beyond the ability of the schema. | ||
+ | |||
+ | Some formats do not seem to be defined anywhere but used anyway. For example the double brackets in this | ||
+ | <pre> | ||
+ | ECPrivateKey ::= SEQUENCE { -- RFC 5915 https://crypto.stackexchange.com/questions/48707/ecdsa-private-key-format | ||
+ | version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), | ||
+ | privateKey OCTET STRING, | ||
+ | parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, | ||
+ | publicKey [1] BIT STRING OPTIONAL | ||
+ | } | ||
+ | </pre> | ||
+ | |||
==Solution== | ==Solution== | ||
− | Convert it all to json format so we don't need to spend so much effort understanding an syntax that was unnecessarily complex. | + | * Convert it all to json format so we don't need to spend so much effort understanding an syntax that was unnecessarily complex. |
+ | * [https://asn1.io/asn1vsx/ Visual studio editing tool] | ||
+ | Tags are the bottom 5 bits of the byte. The top two bits reference the class and the next the constructed state | ||
+ | <pre> | ||
+ | 00 00 Universal | ||
+ | 01 40 Application | ||
+ | 10 80 Context Specific - heavily used in the V3 X.509 certificate | ||
+ | 11 C0 Private | ||
+ | |||
+ | 0 00 Primitive | ||
+ | 1 20 Constructed. (and so A0 is context specific, Constructed). | ||
+ | |||
+ | Data Types | ||
+ | Tag Tag | ||
+ | (dec) (hex) Type | ||
+ | 1 01 BOOLEAN | ||
+ | 2 02 INTEGER | ||
+ | 3 03 BIT STRING | ||
+ | 4 04 OCTET STRING | ||
+ | 5 05 NULL | ||
+ | 6 06 OBJECT IDENTIFIER | ||
+ | 7 07 OBJECT DESCRIPTOR (Brief text description of an object) = string | ||
+ | 8 08 EXTERNAL, meaning not described in ASN1 | ||
+ | 9 09 REAL | ||
+ | 10 0A ENUMERATED | ||
+ | 12 0C UTF8String | ||
+ | 16,48 10 & 30 * SEQUENCE and SEQUENCE OF | ||
+ | 17,49 11 & 31 * SET and SET OF | ||
+ | 18 12 NumericString (0-9 and space) | ||
+ | 19 13 PrintableString (A-Za-z0-9 space '()+,-./:=?) | ||
+ | 20 14 Telex String (T61 - obsolete) | ||
+ | 21 15 VideotexString | ||
+ | 22 16 IA5String (internation ASCII) | ||
+ | 23 17 UTCTime | ||
+ | 24 18 GeneralizedTime | ||
+ | 25 19 GraphicString | ||
+ | 26 1A VisibleString, ISO64String (printable ASCII + space) | ||
+ | 27 1B GeneralString | ||
+ | 28 1C UniversalString | ||
+ | 29 1D CHARACTER STRING | ||
+ | 30 1E BMPString | ||
+ | ss 8x This is a Primitive class of type used to determine which optional element is used | ||
+ | ss Ax This is a Constructed class of type used for extensions in certificates (ie a hack) | ||
+ | </pre> | ||
+ | * [https://www.obj-sys.com/asn1tutorial/asn1only.html ASN.1 Tutorial] | ||
+ | Type BOOLEAN takes values TRUE and FALSE. Usually, the type reference for BOOLEAN describes the true state. For example: Female ::= BOOLEAN is preferable to Gender ::= BOOLEAN. | ||
+ | |||
+ | Type INTEGER takes any of the infinite set of integer values. Its syntax is similar to programming languages such as C or Pascal. It has an additional notation that names some of the possible values of the integer. For example, | ||
+ | |||
+ | ColorType ::= INTEGER | ||
+ | { | ||
+ | red (0) | ||
+ | white (1) | ||
+ | blue (2) | ||
+ | } | ||
+ | indicates that the ``ColorType" is an INTEGER and its values 0, 1, and 2 are named ``red", ``white", and ``blue", respectively. The ColorType could also have any of the other valid integer values, such as 4 or -62. | ||
+ | |||
+ | Type BIT STRING takes values that are an ordered sequence of zero or more bits. The bit sequence is either a binary or hexadecimal string delimited by single quotes followed by B or H, respectively. For example, `11010001'B or `82DA6'H are valid values of BIT STRING. The length of the string of bits must be a multiple of four when hexadecimal is used. BIT STRING also has a form similar to INTEGER, but the numbers in parentheses indicate location in the string of bits. For example, the type notation | ||
+ | |||
+ | Occupation ::= BIT STRING | ||
+ | { | ||
+ | clerk (0) | ||
+ | editor (1) | ||
+ | artist (2) | ||
+ | publisher (3) | ||
+ | } | ||
+ | names the first bit ``clerk", the second bit ``editor", and so on. Strings of bits can then be written by listing the named bits that are set to 1. For example, (editor, artist) and '0110'B are two representations for the same value of ``Occupation". | ||
+ | |||
+ | Type OCTET STRING takes values that are an ordered sequence of zero or more eight-bit octets. The sequence is written in the same form as a BIT STRING sequence. Thus, `1101000100011010'B and `82DA'H are valid values of OCTET STRING. | ||
+ | |||
+ | Type NULL takes only one value, NULL. It can be used as a place marker, but other alternatives are more common. | ||
+ | ===Subject Name=== | ||
+ | |||
+ | The subject field of a PKCS #10 certificate request contains the distinguished name of the entity requesting the certificate. | ||
+ | |||
+ | CertificationRequestInfo ::= SEQUENCE | ||
+ | { | ||
+ | version CertificationRequestInfoVersion, | ||
+ | subject Name, | ||
+ | subjectPublicKeyInfo SubjectPublicKeyInfo, | ||
+ | attributes [0] IMPLICIT Attributes | ||
+ | } | ||
+ | The distinguished name consists of a sequence of relative distinguished names (RDNs). Each RDN consists of a set of attributes, and each attribute consists of an object identifier and a value. The data type of the value is identified by the DirectoryString structure. | ||
+ | |||
+ | Name ::= SEQUENCE OF RelativeDistinguishedName | ||
+ | RelativeDistinguishedName ::= SET OF AttributeTypeValue | ||
+ | AttributeTypeValue ::= SEQUENCE | ||
+ | { | ||
+ | type EncodedObjectID, | ||
+ | value ANY | ||
+ | } | ||
+ | DirectoryString ::= CHOICE | ||
+ | { | ||
+ | teletexString TeletexString (SIZE (1..MAX)), | ||
+ | printableString PrintableString (SIZE (1..MAX)), | ||
+ | universalString UniversalString (SIZE (1..MAX)), | ||
+ | utf8String UTF8String (SIZE (1..MAX)), | ||
+ | bmpString BMPString (SIZE (1..MAX)) | ||
+ | } | ||
+ | For more information, see https://docs.microsoft.com/en-us/windows/win32/seccertenroll/subject-names | ||
==References== | ==References== | ||
− | + | * See the wiki page on [[Distinguished Encoding Rules]] for the most common encoding of ASN.1. | |
+ | * [https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/ Let's Encrypt web site description of ASN.1 and DER.] | ||
[[Category:Glossary]] | [[Category:Glossary]] | ||
[[Category:Standard]] | [[Category:Standard]] |
Latest revision as of 14:49, 26 August 2021
Full Title
Abstract Syntax Notation version 1 = ASN.1. Since there is no version 2, ASN is the typical abbreviation here.
Context
In the time before internet there was the 7 layer ISO model and a bunch of PTOs (mostly government postal and telegraphy organizations) worried by this new technology that wanted to dominate the identity layer of the internet. The result was a series of CCITT (now ITU-T) committees establish to translate the telephone industry white pages into the identity of every entity on the internet. This expanded to include X.400 series standards on electronic mail which went beyond that to create a security system base on ASN.1 X.500 series standards. The only legacy of that is the use of Distinguished Names in email directories, like Microsoft Outlook.
Abstract Syntax Notation One (ASN.1), which is defined in CCITT Recommendation X.208, is a way to specify abstract objects that will be serially transmitted. The set of ASN.1 rules for representing such objects as strings of ones and zeros is called the Distinguished Encoding Rules (DER), and is defined in CCITT Recommendation X.509, Section 8.7. These encoding methods are currently used to create the TLS certificates that are used to establish secure interchanges using HTTPS.
Problems
- Bureaucracy
- Complexity
- Extensions were added in the PKI certificate version 3 that were beyond the ability of the schema.
Some formats do not seem to be defined anywhere but used anyway. For example the double brackets in this
ECPrivateKey ::= SEQUENCE { -- RFC 5915 https://crypto.stackexchange.com/questions/48707/ecdsa-private-key-format version INTEGER { ecPrivkeyVer1(1) } (ecPrivkeyVer1), privateKey OCTET STRING, parameters [0] ECParameters {{ NamedCurve }} OPTIONAL, publicKey [1] BIT STRING OPTIONAL }
Solution
- Convert it all to json format so we don't need to spend so much effort understanding an syntax that was unnecessarily complex.
- Visual studio editing tool
Tags are the bottom 5 bits of the byte. The top two bits reference the class and the next the constructed state
00 00 Universal 01 40 Application 10 80 Context Specific - heavily used in the V3 X.509 certificate 11 C0 Private 0 00 Primitive 1 20 Constructed. (and so A0 is context specific, Constructed). Data Types Tag Tag (dec) (hex) Type 1 01 BOOLEAN 2 02 INTEGER 3 03 BIT STRING 4 04 OCTET STRING 5 05 NULL 6 06 OBJECT IDENTIFIER 7 07 OBJECT DESCRIPTOR (Brief text description of an object) = string 8 08 EXTERNAL, meaning not described in ASN1 9 09 REAL 10 0A ENUMERATED 12 0C UTF8String 16,48 10 & 30 * SEQUENCE and SEQUENCE OF 17,49 11 & 31 * SET and SET OF 18 12 NumericString (0-9 and space) 19 13 PrintableString (A-Za-z0-9 space '()+,-./:=?) 20 14 Telex String (T61 - obsolete) 21 15 VideotexString 22 16 IA5String (internation ASCII) 23 17 UTCTime 24 18 GeneralizedTime 25 19 GraphicString 26 1A VisibleString, ISO64String (printable ASCII + space) 27 1B GeneralString 28 1C UniversalString 29 1D CHARACTER STRING 30 1E BMPString ss 8x This is a Primitive class of type used to determine which optional element is used ss Ax This is a Constructed class of type used for extensions in certificates (ie a hack)
Type BOOLEAN takes values TRUE and FALSE. Usually, the type reference for BOOLEAN describes the true state. For example: Female ::= BOOLEAN is preferable to Gender ::= BOOLEAN.
Type INTEGER takes any of the infinite set of integer values. Its syntax is similar to programming languages such as C or Pascal. It has an additional notation that names some of the possible values of the integer. For example,
ColorType ::= INTEGER { red (0) white (1) blue (2) }
indicates that the ``ColorType" is an INTEGER and its values 0, 1, and 2 are named ``red", ``white", and ``blue", respectively. The ColorType could also have any of the other valid integer values, such as 4 or -62.
Type BIT STRING takes values that are an ordered sequence of zero or more bits. The bit sequence is either a binary or hexadecimal string delimited by single quotes followed by B or H, respectively. For example, `11010001'B or `82DA6'H are valid values of BIT STRING. The length of the string of bits must be a multiple of four when hexadecimal is used. BIT STRING also has a form similar to INTEGER, but the numbers in parentheses indicate location in the string of bits. For example, the type notation
Occupation ::= BIT STRING { clerk (0) editor (1) artist (2) publisher (3) }
names the first bit ``clerk", the second bit ``editor", and so on. Strings of bits can then be written by listing the named bits that are set to 1. For example, (editor, artist) and '0110'B are two representations for the same value of ``Occupation".
Type OCTET STRING takes values that are an ordered sequence of zero or more eight-bit octets. The sequence is written in the same form as a BIT STRING sequence. Thus, `1101000100011010'B and `82DA'H are valid values of OCTET STRING.
Type NULL takes only one value, NULL. It can be used as a place marker, but other alternatives are more common.
Subject Name
The subject field of a PKCS #10 certificate request contains the distinguished name of the entity requesting the certificate.
CertificationRequestInfo ::= SEQUENCE { version CertificationRequestInfoVersion, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, attributes [0] IMPLICIT Attributes }
The distinguished name consists of a sequence of relative distinguished names (RDNs). Each RDN consists of a set of attributes, and each attribute consists of an object identifier and a value. The data type of the value is identified by the DirectoryString structure.
Name ::= SEQUENCE OF RelativeDistinguishedName RelativeDistinguishedName ::= SET OF AttributeTypeValue AttributeTypeValue ::= SEQUENCE { type EncodedObjectID, value ANY } DirectoryString ::= CHOICE { teletexString TeletexString (SIZE (1..MAX)), printableString PrintableString (SIZE (1..MAX)), universalString UniversalString (SIZE (1..MAX)), utf8String UTF8String (SIZE (1..MAX)), bmpString BMPString (SIZE (1..MAX)) }
For more information, see https://docs.microsoft.com/en-us/windows/win32/seccertenroll/subject-names
References
- See the wiki page on Distinguished Encoding Rules for the most common encoding of ASN.1.
- Let's Encrypt web site description of ASN.1 and DER.