ASN1培训

ASN.1inActionLJ2006-06-27内容提要►ASN.1背景►ASN.1基本概念和语法►ASN.1编码介绍►ASN.1示例ASN.1背景►ASN.1=AbstractSyntaxNotationOne►目标:传送语法►互联网上数据传输时的表现形式，通常用8位位组的流表示中立►作为标准的计算机对象描述规则，平台无关，实现无关抽象►以字节为基础单位，能够描述各种复杂的对象结构ASN.1背景►SyntaxASN.1--AbstractSyntaxNotationOne►RulesBER--ASN.1BasicEncodingRulesDER--ASN.1DistinguishedEncodingRulesASN.1背景►BER(ASN.1BasicEncodingRules)定义了一种或几种方法，使用ASN.1语法将数据对象转换成二进制字节码►DER(ASN.1DistinguishedEncodingRules)BER的子集，定义了唯一一种方法，使用ASN.1语法将数据对象转换成二进制字节码BERDERASN.1背景►特点标准性高效性扩展性比其他任何一种语言更为丰富的数据结构ASN.1基本概念和语法►基本类型简单类型“原子”的，无分量结构类型有分量标记类型从其他类型衍生而来其他类型CHOICE,ANY►赋值操作符::=::=用来对类型和值命名，并可用这些名字定义其他类型和值ASN.1基本概念和语法►基本描述语法DigestInfo::=SEQUENCE{digestAlgorithmDigestAlgorithm,digestDigest}DigestAlgorithm::=AlgorithmIdentifierDigest::=OCTETSTRINGAlgorithmIdentifier::=SEQUENCE{algorithmOBJECTIDENTIFIER,parametersANYDEFINEDBYalgorithmOPTIONAL}ASN.1基本概念和语法►ASN.1中绝大部分类型(除CHOICE和ANY)都有一个标记符►标记符=标记符类型+标记符ID►标记符类型Universal标准类型Application应用相关(同种ID在不同应用中可能意义不同)Private定义属于特定组织的类型Context-Specify上下文相关的类型，定义特定的结构ASN.1基本概念和语法►常用标准ASN.1标记符示例:Integer0x02BitString0x03OCTETString0x04Null0x05ObjectIdentifier0x06UTF8String0x12PrintableString0x13UTCTime0x17Sequence0x30Set0x31ASN.1基本概念和语法►长度表示(DER编码标准)长度小于127(包含)，1字节编码:►38表示为[00100110]长度大于127，多字节编码，第一字节为长度字节数，并且bit8为1:►201表示为[10000001][11001001]ASN.1基本概念和语法►TLV?TLVSchema=Tag,LengthandValueSchema►ILC?ILCSchema=Identifier,LengthandConentsSchemaTagLengthValueASN.1基本概念和语法►示例06072A864A86F70D0130820251308201BAA0030201...06072A864A86F70D0130820251308201BAA0030201...ASN.1基本概念和语法►OID=ObjectIdentifier表示一个诸如算法，属性类型或注册机构对象定义的一个整数序列OID的值由注册机构来赋予，每个注册机构负责定义一个特定的序列开头的所属序列pkcs-1OBJECTIDENTIFIER::={iso(1)member-body(2)US(840)rsadsi(113549)pkcs(1)1}OID含义1.2ISO成员体1.2.840美国1.2.840.113549RSA数据安全公司1.2.840.113549.1RSA数据安全公司，PKCSASN.1编码介绍►BouncyCastleorg.bouncycastle.asn1.*►PKIToolv2.0cn.com.jit.ida.util.pki.asn1.*ASN.1编码介绍►Integer编码示例SignedData::=SEQUENCE{versionVersion...}Version::=Integer提示...020102...►DERIntegerDERIntegerversion=newDERInteger(newBigInteger(2));ASN.1编码介绍►OID编码示例pkcs-1OBJECTIDENTIFIER::={iso(1)member-body(2)US(840)rsadsi(113549)pkcs(1)1}rsaEncryptionOBJECTIDENTIFIER::={pkcs-11}SHA1WithRSAEncryptionOBJECTIDENTIFIER::={pkcs-15}提示1.2.840.113549.1.1.5提示...06092A864886F70D010105...►DERObjectIdentifierDERObjectIdentifiersha1_rsa=newDERObjectIdentifier(“1.2.840.113549.1.1.5”);ASN.1编码介绍►PrintableString编码示例CountryName::=PRINTABLESTRING提示...1302434E...►DERPrintableStringDERPrintableStringcn=newDERPrintableString(“CN”);ASN.1编码介绍►Sequence编码示例SEQUENCE一个或多个给定类型的有序集合SEQUENCEOF0个或多个给定类型的有序集合RSAPublicKey::=SEQUENCE{modulusINTEGER,--npublicExponentINTEGER--e}►DERSequenceDERIntegermodulus=...;DERIntegerpublicExponent=...;DEREncodableVectorderVector=newDEREncodableVector();derVector.add(modulus);derVector.add(publicExponent);DERSequencesequence=newDERSequence(derVector);ASN.1编码介绍►Set编码示例SET一个或多个给定类型的无序集合SETOF0个或多个给定类型的无序集合SignerInfos::=SETOFSignerInfoSignerInfo::=SEQUENCE{...}►DERSetDERSequencesignerInfo1=...;DERSequencesignerInfo2=...;DEREncodableVectorderVector=newDEREncodableVector();derVector.add(signerInfo1);derVector.add(signerInfo2);DERSetset=newDERSet(derVector);ASN.1编码介绍►BitString任意的01比特流，长度可以为任意值(包括0)DERBitStringbyte[]data=...;DERBitStringderBitString=newDERBitString(data);►OctetString任意的字节流，长度可以为任意值(包括0)DEROctetStringbyte[]data=...;DEROctetStringderOctetString=newDEROctetString(data);ASN.1编码介绍►TaggedObjectContext-specifyIMPLICIT--改变下层类型标签EXPLICIT--在外层增加类型标签extendedCertificate[0]IMPLICITExtendedCertificate►DERTaggedObject//定义DERTaggedObject(booleanexplicit,inttagNo,DEREncodablederObj);DERObjectextCert=…;DERTaggedObjectextendCertificate=newDERTaggedObject(false,0,extCert);ASN.1编码介绍►Choice编码示例Context-SpecifyImplicit改变下层类型标签Explicit在外层增加类型标签一个或多个备选项的联合体CHOICE{[identifier1]type1,[identifier2]type2,[identifier3]type3,...}ASN.1编码介绍►Choice编码示例ExtendedCertificateOrCertificate::=CHOICE{certificateCertificate,--X.509extendedCertificate[0]IMPLICITExtendedCertificate}提示如果选择certificate项，则Identifieroctet项为30提示如果选择extendedCertificate项，则identifieroctet项是A0ASN.1编码介绍►其他常用对象DERObjectimplementsDEREncodableDERInputStream/ASN1InputStreamDEROutputStream/ASN1OutputStreamDERInputStreamdis=newDERInputStream(newFileInputStream(“xxx”));DERObjectderObj=dis.readObject();DEROutputStreamdos=newDEROputStream(newFileOutputStream(“xxx”));dos.writeObject(derObject);►编解码规则深入浅出,编码用DER对象，解码用ASN1对象ASN.1示例►工具ASN1ViewerGUIdumpASN...ASN.1示例IntegerLengthValueASN.1示例SignedData::=SEQUENCE{versionVersion,digestAlgorithmsDigestAlgorithmIdentifiers,contentInfoContentInfo,certificates[0]IMPLICITExtendedCertificatesAndCertificatesOPTIONAL,crls[1]IMPLICITCertificateRevocationListsOPTIONAL,signerInfosSignerInfos}DigestAlgorithmIdentifiers::=SETOFDigestAlgorithmIdentifierSignerInfos::=SETOFSignerInfoSignerInfo::=SEQUENCE{versionVersion,issuerAndSerialNumberIssuerAndSerialNumber,digestAlgorithmDigestAlgorithmIdentifier,authenticatedAttributes[0]IMPLICITAttributesOPTIONAL,digestEncryptionAlgorithmDigest