#!/usr/local/bin/perl # # der_chop ... this is one total hack that Eric is really not proud of # so don't look at it and don't ask for support # # The "documentation" for this (i.e. all the comments) are my fault --tjh # # This program takes the "raw" output of derparse/asn1parse and # converts it into tokens and then runs regular expression matches # to try to figure out what to grab to get the things that are needed # and it is possible that this will do the wrong thing as it is a *hack* # # SSLeay 0.5.2+ should have direct read support for x509 (via -inform NET) # [I know ... promises promises :-)] # # To convert a Netscape Certificate: # der_chop < ServerCert.der > cert.pem # To convert a Netscape Key (and encrypt it again to protect it) # rsa -inform NET -in ServerKey.der -des > key.pem # # 23-Apr-96 eay Added the extra ASN.1 string types, I still think this # is an evil hack. If nothing else the parsing should # be relative, not absolute. # 19-Apr-96 tjh hacked (with eay) into 0.5.x format # # Tim Hudson # tjh@cryptsoft.com # require 'getopts.pl'; $debug=0; # this was the 0.4.x way of doing things ... $cmd="derparse"; $x509_cmd="x509"; $crl_cmd="crl"; $rc4_cmd="rc4"; $md2_cmd="md2"; $md4_cmd="md4"; $rsa_cmd="rsa -des -inform der "; # this was the 0.5.x way of doing things ... $cmd="openssl asn1parse"; $x509_cmd="openssl x509"; $crl_cmd="openssl crl"; $rc4_cmd="openssl rc4"; $md2_cmd="openssl md2"; $md4_cmd="openssl md4"; $rsa_cmd="openssl rsa -des -inform der "; &Getopts('vd:') || die "usage:$0 [-v] [-d num] file"; $depth=($opt_d =~ /^\d+$/)?$opt_d:0; &init_der(); if ($#ARGV != -1) { foreach $file (@ARGV) { print STDERR "doing $file\n"; &dofile($file); } } else { $file="/tmp/a$$.DER"; open(OUT,">$file") || die "unable to open $file:$!\n"; for (;;) { $i=sysread(STDIN,$b,1024*10); last if ($i <= 0); $i=syswrite(OUT,$b,$i); } &dofile($file); unlink($file); } sub dofile { local($file)=@_; local(@p); $b=&load_file($file); @p=&load_file_parse($file); foreach $_ (@p) { ($off,$d,$hl,$len)=&parse_line($_); $d-=$depth; next if ($d != 0); next if ($len == 0); $o=substr($b,$off,$len+$hl); ($str,@data)=&der_str($o); print "$str\n" if ($opt_v); if ($str =~ /^$crl/) { open(OUT,"|$crl_cmd -inform d -hash -issuer") || die "unable to run $crl_cmd:$!\n"; print OUT $o; close(OUT); } elsif ($str =~ /^$x509/) { open(OUT,"|$x509_cmd -inform d -hash -subject -issuer") || die "unable to run $x509_cmd:$!\n"; print OUT $o; close(OUT); } elsif ($str =~ /^$rsa/) { ($type)=($data[3] =~ /OBJECT_IDENTIFIER :(.*)\s*$/); next unless ($type eq "rsaEncryption"); ($off,$d,$hl,$len)=&parse_line($data[5]); $os=substr($o,$off+$hl,$len); open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n"; print OUT $os; close(OUT); } elsif ($str =~ /^0G-1D-1G/) { ($off,$d,$hl,$len)=&parse_line($data[1]); $os=substr($o,$off+$hl,$len); print STDERR "<$os>\n" if $opt_v; &do_certificate($o,@data) if (($os eq "certificate") && ($str =! /^0G-1D-1G-2G-3F-3E-2D/)); &do_private_key($o,@data) if (($os eq "private-key") && ($str =! /^0G-1D-1G-2G-3F-3E-2D/)); } } } sub der_str { local($str)=@_; local(*OUT,*IN,@a,$t,$d,$ret); local($file)="/tmp/b$$.DER"; local(@ret); open(OUT,">$file"); print OUT $str; close(OUT); open(IN,"$cmd -inform 'd' -in $file |") || die "unable to run $cmd:$!\n"; $ret=""; while (<IN>) { chop; push(@ret,$_); print STDERR "$_\n" if ($debug); @a=split(/\s*:\s*/); ($d)=($a[1] =~ /d=\s*(\d+)/); $a[2] =~ s/\s+$//; $t=$DER_s2i{$a[2]}; $ret.="$d$t-"; } close(IN); unlink($file); chop $ret; $ret =~ s/(-3H(-4G-5F-5[IJKMQRS])+)+/-NAME/g; $ret =~ s/(-3G-4B-4L)+/-RCERT/g; return($ret,@ret); } sub init_der { $crl= "0G-1G-2G-3F-3E-2G-NAME-2L-2L-2G-RCERT-1G-2F-2E-1C"; $x509="0G-1G-2B-2G-3F-3E-2G-NAME-2G-3L-3L-2G-NAME-2G-3G-4F-4E-3C-1G-2F-2E-1C"; $rsa= "0G-1B-1G-2F-2E-1D"; %DER_i2s=( # SSLeay 0.4.x has this list "A","EOC", "B","INTEGER", "C","BIT STRING", "D","OCTET STRING", "E","NULL", "F","OBJECT", "G","SEQUENCE", "H","SET", "I","PRINTABLESTRING", "J","T61STRING", "K","IA5STRING", "L","UTCTIME", "M","NUMERICSTRING", "N","VIDEOTEXSTRING", "O","GENERALIZEDTIME", "P","GRAPHICSTRING", "Q","ISO64STRING", "R","GENERALSTRING", "S","UNIVERSALSTRING", # SSLeay 0.5.x changed some things ... and I'm # leaving in the old stuff but adding in these # to handle the new as well --tjh # - Well I've just taken them out and added the extra new # ones :-) - eay ); foreach (keys %DER_i2s) { $DER_s2i{$DER_i2s{$_}}=$_; } } sub parse_line { local($_)=@_; return(/\s*(\d+):d=\s*(\d+)\s+hl=\s*(\d+)\s+l=\s*(\d+|inf)\s/); } # 0:d=0 hl=4 l=377 cons: univ: SEQUENCE # 4:d=1 hl=2 l= 11 prim: univ: OCTET_STRING # 17:d=1 hl=4 l=360 cons: univ: SEQUENCE # 21:d=2 hl=2 l= 12 cons: univ: SEQUENCE # 23:d=3 hl=2 l= 8 prim: univ: OBJECT_IDENTIFIER :rc4 # 33:d=3 hl=2 l= 0 prim: univ: NULL # 35:d=2 hl=4 l=342 prim: univ: OCTET_STRING sub do_private_key { local($data,@struct)=@_; local($file)="/tmp/b$$.DER"; local($off,$d,$hl,$len,$_,$b,@p,$s); ($type)=($struct[4] =~ /OBJECT_IDENTIFIER :(.*)\s*$/); if ($type eq "rc4") { ($off,$d,$hl,$len)=&parse_line($struct[6]); open(OUT,"|$rc4_cmd >$file") || die "unable to run $rc4_cmd:$!\n"; print OUT substr($data,$off+$hl,$len); close(OUT); $b=&load_file($file); unlink($file); ($s,@p)=&der_str($b); die "unknown rsa key type\n$s\n" if ($s ne '0G-1B-1G-2F-2E-1D'); local($off,$d,$hl,$len)=&parse_line($p[5]); $b=substr($b,$off+$hl,$len); ($s,@p)=&der_str($b); open(OUT,"|$rsa_cmd") || die "unable to run $rsa_cmd:$!\n"; print OUT $b; close(OUT); } else { print "'$type' is unknown\n"; exit(1); } } sub do_certificate { local($data,@struct)=@_; local($file)="/tmp/b$$.DER"; local($off,$d,$hl,$len,$_,$b,@p,$s); ($off,$d,$hl,$len)=&parse_line($struct[2]); $b=substr($data,$off,$len+$hl); open(OUT,"|$x509_cmd -inform d") || die "unable to run $x509_cmd:$!\n"; print OUT $b; close(OUT); } sub load_file { local($file)=@_; local(*IN,$r,$b,$i); $r=""; open(IN,"<$file") || die "unable to open $file:$!\n"; for (;;) { $i=sysread(IN,$b,10240); last if ($i <= 0); $r.=$b; } close(IN); return($r); } sub load_file_parse { local($file)=@_; local(*IN,$r,@ret,$_,$i,$n,$b); open(IN,"$cmd -inform d -in $file|") || die "unable to run der_parse\n"; while (<IN>) { chop; push(@ret,$_); } return($r,@ret); }