I was trying to see what's the content of a tbsCertificate.
This is what I have done:
    openssl x509 -in bd.cer -inform cer -text -noout >> bd.cer.noout.txt

to translate it into text. Now I can see what's in the certificate.

    openssl asn1parse -inform der -in bd.cer > bd.cer.asn1

to parse the certificate. According to RFC 5280, the second line is the tbsCertificate content, which is:

    4:d=1 hl=4 l=2326 cons: SEQUENCE

    dd if=bd.cer of=bd.cer.tbsCertificate skip=4 bs=1 count=2330

to dump the bytes.

    openssl x509 -in bd.cer.tbsCertificate -inform der -text -noout >> bd.cer.tbs.txt

Now I want to parse bd.cer.tbsCertificate into x509 format to see it, but it failed:

    unable to load certificate
    140421447947392:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
    140421447947392:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:309:Type=X509_CINF
    140421447947392:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
I want to know why I can't translate bd.cer.tbsCertificate into x509 just like bd.cer. Am I missing something? From the error, it seems that the structure is not right.
What should I do if I want to see the tbsCertificate as text, to know what exactly is encrypted? Thank you for your help!
From the error, it seems that the structure is not right.
Correct. The x509 command can only read a Certificate.
    Certificate ::= SEQUENCE {
        tbsCertificate       TBSCertificate,
        signatureAlgorithm   AlgorithmIdentifier,
        signatureValue       BIT STRING }

    TBSCertificate ::= SEQUENCE {
        version         [0]  EXPLICIT Version DEFAULT v1,
        serialNumber         CertificateSerialNumber,
        signature            AlgorithmIdentifier,
        issuer               Name,
        validity             Validity,
        subject              Name,
        subjectPublicKeyInfo SubjectPublicKeyInfo,
        issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version MUST be v2 or v3
        subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                             -- If present, version MUST be v2 or v3
        extensions      [3]  EXPLICIT Extensions OPTIONAL
                             -- If present, version MUST be v3
        }
Since you've provided a TBSCertificate, not a Certificate, when it expected to see SEQUENCE, SEQUENCE, but got SEQUENCE, [0], it errored out.
Nothing in ASN.1 DER encoding says "this structure is a TBSCertificate"; the structure is just a definition of the order data should be written or read. So the openssl x509 command doesn't have any inkling that you've stripped off the outer SEQUENCE (the Certificate structure). openssl asn1parse shows what the data contains: "I'm a sequence, my content is this long. I'm a sequence, my content is this long. I'm a context-specific-0, my content is this long and it is 0x02. ..."
What should I do if I want to see tbsCertificate in txt to know what exactly are encrypted.
Nothing in the certificate is encrypted.
"TBSCertificate" is "to be signed certificate". The outer structure is { "all the contents", "how did it get signed", "the signature" }. The openssl x509 command on the certificate already showed you what was in the TBSCertificate value: the version number, subject, validity, issuer, etc.
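Added example, not code from the question or the answer: a minimal DER tag-length-value walker that does by hand what the answer describes. It splits a Certificate into its three members (the tbsCertificate slice is the same byte range the dd command extracted), lists the member tags inside TBSCertificate so the leading [0] (0xA0) is visible, and refuses a bare TBSCertificate for the same reason openssl x509 does. The certificate bytes are a constructed skeleton with dummy key and signature, assembled inline by a small encoder; they are not a real certificate.

```python
from typing import List, Tuple

def read_header(buf: bytes, pos: int) -> Tuple[int, int, int]:
    """Return (tag, content_start, content_end) of the TLV that starts at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first & 0x80:                       # long form, e.g. 82 09 16 -> 2326 bytes
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    else:                                  # short form: one length byte
        length, start = first, pos + 2
    return tag, start, start + length

def children(buf: bytes, start: int, end: int) -> List[Tuple[int, bytes]]:
    """(tag, complete TLV bytes) for every element between start and end."""
    out, pos = [], start
    while pos < end:
        tag, cs, ce = read_header(buf, pos)
        out.append((tag, buf[pos:ce]))
        pos = ce
    return out

def split_certificate(der: bytes) -> Tuple[bytes, bytes, bytes]:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    A bare TBSCertificate fails here: its members start with [0] and INTEGER."""
    tag, cs, ce = read_header(der, 0)
    parts = children(der, cs, ce) if tag == 0x30 else []
    if ce != len(der) or [t for t, _ in parts] != [0x30, 0x30, 0x03]:
        raise ValueError("expected SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }")
    return parts[0][1], parts[1][1], parts[2][1]

def tbs_member_tags(tbs: bytes) -> List[int]:
    """Tags of the TBSCertificate members; a v3 certificate starts with 0xA0."""
    _, cs, ce = read_header(tbs, 0)
    return [t for t, _ in children(tbs, cs, ce)]

def tlv(tag: int, content: bytes) -> bytes:
    """DER encoder (short and long-form lengths) used only to build the sample."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

# Constructed skeleton (NOT a real or signed certificate): v3 marker, serial 1,
# sha256WithRSAEncryption, empty Name placeholders, validity, dummy key and sig.
SHA256_RSA = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
VALIDITY = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101"))) + tlv(0x03, b"\x00" * 271))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SHA256_RSA
          + tlv(0x30, b"") + VALIDITY + tlv(0x30, b"") + SPKI)
SAMPLE_CERT = tlv(0x30, TBS + SHA256_RSA + tlv(0x03, b"\x00" * 257))
```

Running split_certificate on a real DER file read with open(path, "rb") gives the tbsCertificate bytes without counting offsets from asn1parse output by hand.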