#!/usr/bin/perl

# $Id: x509decode,v 1.1 2002/02/10 16:41:28 gbarr Exp $

# (c) 2001-2002 Norbert Klasen, DAASI International GmbH. All rights reserved.

# This package is free software; you can redistribute it and/or

# modify it under the same terms as Perl itself.

#

# decode X.509 certificates

#

# varable naming

# Convert::ASN1 objects are prefixed with asn_

# variables holding binary DER content are prefixed with der_

use strict;

use Data::Dumper;

$Data::Dumper::Indent=1;

$Data::Dumper::Quotekeys=1;

$Data::Dumper::Useqq=1;

use Convert::ASN1 qw(:io :debug);

# parse ASN.1 desciptions

my $asn = Convert::ASN1->new;

$asn->prepare(<<ASN1) or die "prepare: ", $asn->error;

-- ASN.1 from RFC2459 and X.509(2001)

-- Adapted for use with Convert::ASN1

-- attribute data types --

Attribute ::= SEQUENCE {

	type			AttributeType,

	values			SET OF AttributeValue

		-- at least one value is required -- 

	}

AttributeType ::= OBJECT IDENTIFIER

AttributeValue ::= DirectoryString  --ANY 

AttributeTypeAndValue ::= SEQUENCE {

	type			AttributeType,

	value			AttributeValue

	}

-- naming data types --

Name ::= CHOICE { -- only one possibility for now 

	rdnSequence		RDNSequence 			

	}

RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

DistinguishedName ::= RDNSequence

RelativeDistinguishedName ::= 

	SET OF AttributeTypeAndValue  --SET SIZE (1 .. MAX) OF

-- Directory string type --

DirectoryString ::= CHOICE {

	teletexString		TeletexString,  --(SIZE (1..MAX)),

	printableString		PrintableString,  --(SIZE (1..MAX)),

	bmpString		BMPString,  --(SIZE (1..MAX)),

	universalString		UniversalString,  --(SIZE (1..MAX)),

	utf8String		UTF8String,  --(SIZE (1..MAX)),

	ia5String		IA5String  --added for EmailAddress

	}

-- certificate and CRL specific structures begin here

Certificate ::= SEQUENCE  {

	tbsCertificate		TBSCertificate,

	signatureAlgorithm	AlgorithmIdentifier,

	signature		BIT STRING

	}

TBSCertificate  ::=  SEQUENCE  {

	version		    [0] EXPLICIT Version OPTIONAL,  --DEFAULT v1

	serialNumber		CertificateSerialNumber,

	signature		AlgorithmIdentifier,

	issuer			Name,

	validity		Validity,

	subject			Name,

	subjectPublicKeyInfo	SubjectPublicKeyInfo,

	issuerUniqueID	    [1] IMPLICIT UniqueIdentifier OPTIONAL,

		-- If present, version shall be v2 or v3

	subjectUniqueID	    [2] IMPLICIT UniqueIdentifier OPTIONAL,

		-- If present, version shall be v2 or v3

	extensions	    [3] EXPLICIT Extensions OPTIONAL

		-- If present, version shall be v3

	}

Version ::= INTEGER  --{  v1(0), v2(1), v3(2)  }

CertificateSerialNumber ::= INTEGER

Validity ::= SEQUENCE {

	notBefore		Time,

	notAfter		Time

	}

Time ::= CHOICE {

	utcTime			UTCTime,

	generalTime		GeneralizedTime

	}

UniqueIdentifier ::= BIT STRING

SubjectPublicKeyInfo ::= SEQUENCE {

	algorithm		AlgorithmIdentifier,

	subjectPublicKey	BIT STRING

	}

Extensions ::= SEQUENCE OF Extension  --SIZE (1..MAX) OF Extension

Extension ::= SEQUENCE {

	extnID			OBJECT IDENTIFIER,

	critical		BOOLEAN OPTIONAL,  --DEFAULT FALSE,

	extnValue		OCTET STRING

	}

AlgorithmIdentifier ::= SEQUENCE {

	algorithm		OBJECT IDENTIFIER,

	parameters		ANY

	}

--extensions

AuthorityKeyIdentifier ::= SEQUENCE {

      keyIdentifier             [0] KeyIdentifier            OPTIONAL,

      authorityCertIssuer       [1] GeneralNames             OPTIONAL,

      authorityCertSerialNumber [2] CertificateSerialNumber  OPTIONAL }

    -- authorityCertIssuer and authorityCertSerialNumber shall both

    -- be present or both be absent

KeyIdentifier ::= OCTET STRING

SubjectKeyIdentifier ::= KeyIdentifier

-- key usage extension OID and syntax

-- id-ce-keyUsage OBJECT IDENTIFIER ::=  { id-ce 15 }

KeyUsage ::= BIT STRING --{

--      digitalSignature        (0),

--      nonRepudiation          (1),

--      keyEncipherment         (2),

--      dataEncipherment        (3),

--      keyAgreement            (4),

--      keyCertSign             (5),

--      cRLSign                 (6),

--      encipherOnly            (7),

--      decipherOnly            (8) }

-- private key usage period extension OID and syntax

-- id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::=  { id-ce 16 }

PrivateKeyUsagePeriod ::= SEQUENCE {

     notBefore       [0]     GeneralizedTime OPTIONAL,

     notAfter        [1]     GeneralizedTime OPTIONAL }

     -- either notBefore or notAfter shall be present

-- certificate policies extension OID and syntax

-- id-ce-certificatePolicies OBJECT IDENTIFIER ::=  { id-ce 32 }

CertificatePolicies ::= SEQUENCE OF PolicyInformation

PolicyInformation ::= SEQUENCE {

     policyIdentifier   CertPolicyId,

     policyQualifiers   SEQUENCE OF

             PolicyQualifierInfo } --OPTIONAL }

CertPolicyId ::= OBJECT IDENTIFIER

PolicyQualifierInfo ::= SEQUENCE {

       policyQualifierId  PolicyQualifierId,

       qualifier        ANY } --DEFINED BY policyQualifierId }

-- Implementations that recognize additional policy qualifiers shall

-- augment the following definition for PolicyQualifierId

PolicyQualifierId ::=

     OBJECT IDENTIFIER --( id-qt-cps | id-qt-unotice )

-- CPS pointer qualifier

CPSuri ::= IA5String

-- user notice qualifier

UserNotice ::= SEQUENCE {

     noticeRef        NoticeReference OPTIONAL,

     explicitText     DisplayText OPTIONAL}

NoticeReference ::= SEQUENCE {

     organization     DisplayText,

     noticeNumbers    SEQUENCE OF INTEGER }

DisplayText ::= CHOICE {

     visibleString    VisibleString  ,

     bmpString        BMPString      ,

     utf8String       UTF8String      }

-- policy mapping extension OID and syntax

-- id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

PolicyMappings ::= SEQUENCE OF SEQUENCE {

     issuerDomainPolicy      CertPolicyId,

     subjectDomainPolicy     CertPolicyId }

-- subject alternative name extension OID and syntax

-- id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE OF GeneralName

GeneralName ::= CHOICE {

     otherName                       [0]     AnotherName,

     rfc822Name                      [1]     IA5String,

     dNSName                         [2]     IA5String,

     x400Address                     [3]     ANY, --ORAddress,

     directoryName                   [4]     Name,

     ediPartyName                    [5]     EDIPartyName,

     uniformResourceIdentifier       [6]     IA5String,

     iPAddress                       [7]     OCTET STRING,

     registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as

-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {

     type    OBJECT IDENTIFIER,

     value      [0] EXPLICIT ANY } --DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {

     nameAssigner            [0]     DirectoryString OPTIONAL,

     partyName               [1]     DirectoryString }

-- issuer alternative name extension OID and syntax

-- id-ce-issuerAltName OBJECT IDENTIFIER ::=  { id-ce 18 }

IssuerAltName ::= GeneralNames

-- id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::=  { id-ce 9 }

SubjectDirectoryAttributes ::= SEQUENCE OF Attribute

-- basic constraints extension OID and syntax

-- id-ce-basicConstraints OBJECT IDENTIFIER ::=  { id-ce 19 }

BasicConstraints ::= SEQUENCE {

     cA                      BOOLEAN OPTIONAL, --DEFAULT FALSE,

     pathLenConstraint       INTEGER OPTIONAL }

-- name constraints extension OID and syntax

-- id-ce-nameConstraints OBJECT IDENTIFIER ::=  { id-ce 30 }

NameConstraints ::= SEQUENCE {

     permittedSubtrees       [0]     GeneralSubtrees OPTIONAL,

     excludedSubtrees        [1]     GeneralSubtrees OPTIONAL }

GeneralSubtrees ::= SEQUENCE OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {

     base                    GeneralName,

     minimum         [0]     BaseDistance OPTIONAL, --DEFAULT 0,

     maximum         [1]     BaseDistance OPTIONAL }

BaseDistance ::= INTEGER 

-- policy constraints extension OID and syntax

-- id-ce-policyConstraints OBJECT IDENTIFIER ::=  { id-ce 36 }

PolicyConstraints ::= SEQUENCE {

     requireExplicitPolicy           [0] SkipCerts OPTIONAL,

     inhibitPolicyMapping            [1] SkipCerts OPTIONAL }

SkipCerts ::= INTEGER 

-- CRL distribution points extension OID and syntax

-- id-ce-cRLDistributionPoints     OBJECT IDENTIFIER  ::=  {id-ce 31}

cRLDistributionPoints  ::= SEQUENCE OF DistributionPoint

DistributionPoint ::= SEQUENCE {

     distributionPoint       [0]     DistributionPointName OPTIONAL,

     reasons                 [1]     ReasonFlags OPTIONAL,

     cRLIssuer               [2]     GeneralNames OPTIONAL }

DistributionPointName ::= CHOICE {

     fullName                [0]     GeneralNames,

     nameRelativeToCRLIssuer [1]     RelativeDistinguishedName }

ReasonFlags ::= BIT STRING --{

--     unused                  (0),

--     keyCompromise           (1),

--     cACompromise            (2),

--     affiliationChanged      (3),

--     superseded              (4),

--     cessationOfOperation    (5),

--     certificateHold         (6),

--     privilegeWithdrawn      (7),

--     aACompromise            (8) }

-- extended key usage extension OID and syntax

-- id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}

ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId

KeyPurposeId ::= OBJECT IDENTIFIER

-- extended key purpose OIDs

-- id-kp-serverAuth      OBJECT IDENTIFIER ::= { id-kp 1 }

-- id-kp-clientAuth      OBJECT IDENTIFIER ::= { id-kp 2 }

-- id-kp-codeSigning     OBJECT IDENTIFIER ::= { id-kp 3 }

-- id-kp-emailProtection OBJECT IDENTIFIER ::= { id-kp 4 }

-- id-kp-ipsecEndSystem  OBJECT IDENTIFIER ::= { id-kp 5 }

-- id-kp-ipsecTunnel     OBJECT IDENTIFIER ::= { id-kp 6 }

-- id-kp-ipsecUser       OBJECT IDENTIFIER ::= { id-kp 7 }

-- id-kp-timeStamping    OBJECT IDENTIFIER ::= { id-kp 8 }

ASN1

# decoders for basic types

my $asn_BitString = Convert::ASN1->new();

$asn_BitString->prepare("bitString BIT STRING");

my $asn_OctetString = Convert::ASN1->new();

$asn_OctetString->prepare("octetString OCTET STRING");

# decoders for extensions

my %extnoid2asn = (

	'2.5.29.9' => $asn->find('SubjectDirectoryAttributes'),

	'2.5.29.14' => $asn_OctetString, #'SubjectKeyIdentifier',

	'2.5.29.15' => $asn_BitString, #'keyUsage',

	'2.5.29.16' => $asn->find('PrivateKeyUsagePeriod'),

	'2.5.29.17' => $asn->find('SubjectAltName'),

	'2.5.29.18' => $asn->find('IssuerAltName'),

	'2.5.29.19' => $asn->find('BasicConstraints'),

#	'2.5.29.20' => 'cRLNumber',

#	'2.5.29.21' => 'cRLReasons',

#	'2.5.29.23' => 'holdInstructionCode',

#	'2.5.29.24' => 'invalidityDate',

#	'2.5.29.27' => 'deltaCRLIndicator',

#	'2.5.29.28' => 'issuingDistributionPoint',

#	'2.5.29.29' => 'certificateIssuer',

	'2.5.29.30' => $asn->find('NameConstraints'),

	'2.5.29.31' => $asn->find('cRLDistributionPoints'),

	'2.5.29.32' => $asn->find('CertificatePolicies'),

	'2.5.29.33' => $asn->find('PolicyMappings'),

	'2.5.29.35' => $asn->find('AuthorityKeyIdentifier'),

	'2.5.29.36' => $asn->find('PolicyConstraints'),

	'2.5.29.37' => $asn->find('ExtKeyUsageSyntax'),

#	'2.5.29.40' => 'cRLStreamIdentifier',

#	'2.5.29.44' => 'cRLScope',

#	'2.5.29.45' => 'statusReferrals',

#	'2.5.29.46' => 'freshestCRL',

#	'2.5.29.47' => 'orderedList',

#	'2.5.29.51' => 'baseUpdateTime',

#	'2.5.29.53' => 'deltaInfo',

#	'2.5.29.54' => 'inhibitAnyPolicy',

# netscape-cert-extensions

	'2.16.840.1.113730.1.1' => $asn_BitString, # netscape-cert-type 

	'2.16.840.1.113730.1.2' => $asn->find('DirectoryString'), # netscape-base-url 

	'2.16.840.1.113730.1.3' => $asn->find('DirectoryString'), # netscape-revocation-url 

	'2.16.840.1.113730.1.4' => $asn->find('DirectoryString'), # netscape-ca-revocation-url 

	'2.16.840.1.113730.1.7' => $asn->find('DirectoryString'), # netscape-cert-renewal-url

	'2.16.840.1.113730.1.8' => $asn->find('DirectoryString'), # netscape-ca-policy-url

	'2.16.840.1.113730.1.12' => $asn->find('DirectoryString'), # netscape-ssl-server-name

	'2.16.840.1.113730.1.13' => $asn->find('DirectoryString'), # netscape-comment

);

my $asn_cert = $asn->find('Certificate');

while ( my $filename = shift ) {

	my ($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size,

		$atime,$mtime,$ctime,$blksize,$blocks) = stat $filename;

	open FILE, "<$filename" or die "no such file";

	binmode FILE;

	my $der_cert;

	read FILE, $der_cert, $size;

	close FILE;

	decodeCert( $der_cert );

}

sub decodeCert() {

	my $der_cert = shift;

	#asn_dump( $der_cert );

	my $cert = $asn_cert->decode($der_cert) or die $asn_cert->error;

	#extensions

	foreach my $extension ( @{$cert->{'tbsCertificate'}->{'extensions'}} ) {

		#print "extension: ", $oid2extension{$extension->{'extnID'}}, "\n";

		if ( exists $extnoid2asn{$extension->{'extnID'}} ) {

			$extension->{'extnValue'} = ($extnoid2asn{$extension->{'extnID'}})->decode( $extension->{'extnValue'} );

		} else {

			print STDERR "unknown ", $extension->{'critical'} ? "critical " : "", "extension: ", $extension->{'extnID'}, "\n";

			asn_dump( $extension->{'extnValue'} );

		}

	}

	print Dumper( $cert );

}