Identifying unknown ASN.1 objects

Time: 2015-11-14 19:59:53

Tags: content-management-system analysis x509 asn.1 der

We searched executables for DER-encoded SEQUENCEs. After looking at the content of those that appear to be valid DER-encoded data, we want to analyse how they are used.

X.509 certificates and CMS objects are easy to identify (because we know them), but we also found valid encodings whose purpose we cannot tell.

E.g. have a look at the following output of openssl asn1parse (...):

    0:d=0  hl=4 l=1804 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  INTEGER           :03
    7:d=1  hl=4 l=1797 cons:  SEQUENCE          
   11:d=2  hl=2 l=  20 cons:   SEQUENCE          
   13:d=3  hl=2 l=   8 prim:    OBJECT            :des-ede3-cbc
   23:d=3  hl=2 l=   8 prim:    OCTET STRING      [HEX DUMP]:0000000000000000
   33:d=2  hl=2 l=   3 prim:   PRINTABLESTRING   :<OMITTED>
   38:d=2  hl=2 l=  13 prim:   UTCTIME           :<OMITTED>
   53:d=2  hl=2 l=   1 prim:   INTEGER           :01
   56:d=2  hl=4 l=1748 cons:   SET               
   60:d=3  hl=4 l= 830 cons:    SEQUENCE          
   64:d=4  hl=2 l=   6 prim:     PRINTABLESTRING   :PKRoot
   72:d=4  hl=2 l=  13 prim:     UTCTIME           :<OMITTED>
   87:d=4  hl=2 l=   5 prim:     OBJECT            :1.3.36.2.5.1
   94:d=4  hl=4 l= 796 cons:     SEQUENCE          
   98:d=5  hl=2 l=  69 cons:      SEQUENCE          
  100:d=6  hl=2 l=  11 cons:       SET               
  102:d=7  hl=2 l=   9 cons:        SEQUENCE          
  104:d=8  hl=2 l=   3 prim:         OBJECT            :countryName
  109:d=8  hl=2 l=   2 prim:         PRINTABLESTRING   :<OMITTED>
  113:d=6  hl=2 l=  31 cons:       SET               
  115:d=7  hl=2 l=  29 cons:        SEQUENCE          
  117:d=8  hl=2 l=   3 prim:         OBJECT            :organizationName
  122:d=8  hl=2 l=  22 prim:         PRINTABLESTRING   :<OMITTED>
  146:d=6  hl=2 l=  21 cons:       SET               
  148:d=7  hl=2 l=  19 cons:        SEQUENCE          
  150:d=8  hl=2 l=   3 prim:         OBJECT            :commonName
  155:d=8  hl=2 l=  12 prim:         PRINTABLESTRING   :<OMITTED>
  169:d=5  hl=4 l= 614 cons:      SEQUENCE          
  173:d=6  hl=2 l=   3 cons:       cont [ 0 ]        
  175:d=7  hl=2 l=   1 prim:        INTEGER           :02
  178:d=6  hl=2 l=   1 prim:       INTEGER           :00
  181:d=6  hl=4 l= 290 cons:       SEQUENCE          
  185:d=7  hl=2 l=  13 cons:        SEQUENCE          
  187:d=8  hl=2 l=   9 prim:         OBJECT            :rsaEncryption
  198:d=8  hl=2 l=   0 prim:         NULL              
  200:d=7  hl=4 l= 271 prim:        BIT STRING        
  475:d=6  hl=2 l=  32 cons:       cont [ 1 ]        
  477:d=7  hl=2 l=  30 cons:        SEQUENCE          
  479:d=8  hl=2 l=  13 prim:         UTCTIME           :<OMITTED>
  494:d=8  hl=2 l=  13 prim:         UTCTIME           :<OMITTED>
  509:d=6  hl=2 l=  15 cons:       cont [ 2 ]        
  511:d=7  hl=2 l=  13 cons:        SEQUENCE          
  513:d=8  hl=2 l=   9 prim:         OBJECT            :sha256WithRSAEncryption
  524:d=8  hl=2 l=   0 prim:         NULL              
  526:d=6  hl=4 l= 257 prim:       BIT STRING        
  787:d=5  hl=2 l= 105 cons:      cont [ 0 ]        
  789:d=6  hl=2 l= 103 cons:       SEQUENCE          
  791:d=7  hl=2 l=  15 cons:        SEQUENCE          
  793:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Basic Constraints
  798:d=8  hl=2 l=   1 prim:         BOOLEAN           :255
  801:d=8  hl=2 l=   5 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  808:d=7  hl=2 l=  37 cons:        SEQUENCE          
  810:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Subject Alternative Name
  815:d=8  hl=2 l=  30 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  847:d=7  hl=2 l=  14 cons:        SEQUENCE          
  849:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Key Usage
  854:d=8  hl=2 l=   1 prim:         BOOLEAN           :255
  857:d=8  hl=2 l=   4 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  863:d=7  hl=2 l=  29 cons:        SEQUENCE          
  865:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Subject Key Identifier
  870:d=8  hl=2 l=  22 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  894:d=3  hl=4 l= 910 cons:    SEQUENCE          
  898:d=4  hl=2 l=   4 prim:     PRINTABLESTRING   :Cert
  904:d=4  hl=2 l=  13 prim:     UTCTIME           :<OMITTED>
  919:d=4  hl=2 l=   5 prim:     OBJECT            :1.3.36.2.1.3
  926:d=4  hl=4 l= 878 cons:     SEQUENCE          
  930:d=5  hl=4 l= 598 cons:      SEQUENCE          
  934:d=6  hl=2 l=   3 cons:       cont [ 0 ]        
  936:d=7  hl=2 l=   1 prim:        INTEGER           :02
  939:d=6  hl=2 l=   1 prim:       INTEGER           :00
  942:d=6  hl=2 l=  13 cons:       SEQUENCE          
  944:d=7  hl=2 l=   9 prim:        OBJECT            :sha256WithRSAEncryption
  955:d=7  hl=2 l=   0 prim:        NULL              
  957:d=6  hl=2 l=  69 cons:       SEQUENCE          
  959:d=7  hl=2 l=  11 cons:        SET               
  961:d=8  hl=2 l=   9 cons:         SEQUENCE          
  963:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
  968:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :<OMITTED>
  972:d=7  hl=2 l=  31 cons:        SET               
  974:d=8  hl=2 l=  29 cons:         SEQUENCE          
  976:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
  981:d=9  hl=2 l=  22 prim:          PRINTABLESTRING   :<OMITTED>
 1005:d=7  hl=2 l=  21 cons:        SET               
 1007:d=8  hl=2 l=  19 cons:         SEQUENCE          
 1009:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
 1014:d=9  hl=2 l=  12 prim:          PRINTABLESTRING   :<OMITTED>
 1028:d=6  hl=2 l=  30 cons:       SEQUENCE          
 1030:d=7  hl=2 l=  13 prim:        UTCTIME           :<OMITTED>
 1045:d=7  hl=2 l=  13 prim:        UTCTIME           :<OMITTED>
 1060:d=6  hl=2 l=  69 cons:       SEQUENCE          
 1062:d=7  hl=2 l=  11 cons:        SET               
 1064:d=8  hl=2 l=   9 cons:         SEQUENCE          
 1066:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
 1071:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :<OMITTED>
 1075:d=7  hl=2 l=  31 cons:        SET               
 1077:d=8  hl=2 l=  29 cons:         SEQUENCE          
 1079:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
 1084:d=9  hl=2 l=  22 prim:          PRINTABLESTRING   :<OMITTED>
 1108:d=7  hl=2 l=  21 cons:        SET               
 1110:d=8  hl=2 l=  19 cons:         SEQUENCE          
 1112:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
 1117:d=9  hl=2 l=  12 prim:          PRINTABLESTRING   :<OMITTED>
 1131:d=6  hl=4 l= 290 cons:       SEQUENCE          
 1135:d=7  hl=2 l=  13 cons:        SEQUENCE          
 1137:d=8  hl=2 l=   9 prim:         OBJECT            :rsaEncryption
 1148:d=8  hl=2 l=   0 prim:         NULL              
 1150:d=7  hl=4 l= 271 prim:        BIT STRING        
 1425:d=6  hl=2 l= 105 cons:       cont [ 3 ]        
 1427:d=7  hl=2 l= 103 cons:        SEQUENCE          
 1429:d=8  hl=2 l=  15 cons:         SEQUENCE          
 1431:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Basic Constraints
 1436:d=9  hl=2 l=   1 prim:          BOOLEAN           :255
 1439:d=9  hl=2 l=   5 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1446:d=8  hl=2 l=  37 cons:         SEQUENCE          
 1448:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Subject Alternative Name
 1453:d=9  hl=2 l=  30 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1485:d=8  hl=2 l=  14 cons:         SEQUENCE          
 1487:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Key Usage
 1492:d=9  hl=2 l=   1 prim:          BOOLEAN           :255
 1495:d=9  hl=2 l=   4 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1501:d=8  hl=2 l=  29 cons:         SEQUENCE          
 1503:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Subject Key Identifier
 1508:d=9  hl=2 l=  22 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1532:d=5  hl=2 l=  13 cons:      SEQUENCE          
 1534:d=6  hl=2 l=   9 prim:       OBJECT            :sha256WithRSAEncryption
 1545:d=6  hl=2 l=   0 prim:       NULL              
 1547:d=5  hl=4 l= 257 prim:      BIT STRING

Does anyone recognize which ASN.1 type this maps to?

Of course there are some patterns (e.g. at offsets 98 or 930) that are easy to recognize, but is there a "smart" way to identify unknown ASN.1 structures?

Special Google search patterns, websites, software, etc.?

We tried Google searches like `* ::= SEQUENCE { * INTEGER }`, without success.

2 answers:

Answer 0: (score: 1)

Have a look at this: http://www.oid-info.com/get/1.3.36.2.1

oid-info.com currently has more than 950,000 OIDs, but it has a problem with this OID: it only goes as far as 1.3.36.

So querying this service starting from 1.3.36 will tell you that this OID is registered to

TeleTrusT - IT Security Association Germany

and querying with 1.3.36.2 will tell you that it is a

Security information object

and 1.3.36.2.1 will tell you that it is a

Certificate

However, there is no information about 1.3.36.2.5.1 or 1.3.36.2.1.3. That is because there does not have to be: once 1.3.36 was registered to TeleTrusT, they own all of its sub-nodes.

I don't know whether the registration office has a service that lets you search all registered OIDs, but at the moment oid-info has a million OIDs to query.

Answer 1: (score: 0)

To me this dump looks like some kind of PKCS#7 message (but it is not PKCS#7). Without an ASN module there is no generic way to bind raw data to an arbitrary ASN object. You may have to create your own tables, map the raw data onto them and see which table succeeds. It is not that easy without knowing the semantics of each message (defined in an ASN module). If you are on Windows, you can try the following command:

    certutil -dump path\fileWithUnknownAsn.ext

Certutil has several built-in tables for common X509 objects; maybe it will tell you what this is.
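The following script is an added example, not code from the question or from either answer. It does the structural triage the question asks for and that both answers point at: it walks the DER TLV tree in the same order `openssl asn1parse -i` prints it, extracts every OID together with the parent arcs to query one by one on a registry such as oid-info.com (answer 0), and matches each SEQUENCE against a small hand-written table of X.509 shapes, which is the "create your own tables and see which one succeeds" approach of answer 1. The table entries, the label names and the sample blob at the bottom are this example's own assumptions; the sample is constructed to mirror the layout of the dump (version INTEGER, a des-ede3-cbc AlgorithmIdentifier, a SET of entries carrying a TeleTrusT OID and a certificate) and contains no real key material.

```python
# Added example (not code from the question or the answers): structural triage of an unknown
# DER blob. It walks the TLV tree, extracts every OID with the prefixes to query on a registry
# such as oid-info.com, and matches each SEQUENCE against a hand-written table of X.509 shapes.
from typing import List, Tuple

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bool, int, int]:
    """(tag, constructed?, header length, content length) at pos. DER only: no indefinite lengths."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError(f"multi-byte tag at offset {pos} not supported")
    first = buf[pos + 1]
    if first < 0x80:                          # short-form length
        return tag, bool(tag & 0x20), 2, first
    n = first & 0x7F
    if n == 0 or n > 4:                       # 0x80 is BER indefinite length, not DER
        raise ValueError(f"non-DER length at offset {pos}")
    return tag, bool(tag & 0x20), 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def walk(buf: bytes, start: int = 0, end: int = -1, depth: int = 0):
    """Yield (offset, depth, tag, constructed, header_len, length, content) in asn1parse order."""
    end = len(buf) if end < 0 else end
    pos = start
    while pos < end:
        tag, cons, hl, ln = read_tlv(buf, pos)
        if pos + hl + ln > end:
            raise ValueError(f"element at offset {pos} overruns its parent")
        yield pos, depth, tag, cons, hl, ln, buf[pos + hl:pos + hl + ln]
        if cons:
            yield from walk(buf, pos + hl, pos + hl + ln, depth + 1)
        pos += hl + ln

def decode_oid(content: bytes) -> str:
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in content[1:]:                     # base-128 arcs, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def collect_oids(buf: bytes) -> List[str]:
    return [decode_oid(c) for _, _, tag, _, _, _, c in walk(buf) if tag == 0x06]

def registry_queries(oid: str) -> List[str]:
    """Prefixes to look up, most specific first; a registry may only know a parent arc."""
    arcs = oid.split(".")
    return [".".join(arcs[:i]) for i in range(len(arcs), 0, -1)]

# A shape is the tag list of a SEQUENCE's direct children. Deliberately coarse: AlgorithmIdentifier
# and AttributeTypeAndValue are both "OID + one value"; only the OID's meaning separates them.
KNOWN_SHAPES = [
    ("AlgorithmIdentifier-or-AttributeTypeAndValue", lambda t: len(t) in (1, 2) and t[0] == 0x06),
    ("Name", lambda t: bool(t) and all(x == 0x31 for x in t)),                 # SEQUENCE OF SET
    ("Validity", lambda t: len(t) == 2 and all(x in (0x17, 0x18) for x in t)),  # UTCTime/GeneralizedTime
    ("SubjectPublicKeyInfo", lambda t: t == [0x30, 0x03]),
    ("Certificate", lambda t: t == [0x30, 0x30, 0x03]),
    ("TBSCertificate", lambda t: len(t) >= 7 and t[:2] == [0xA0, 0x02] and t[2:7] == [0x30] * 5),
]

def identify(buf: bytes) -> List[Tuple[int, str]]:
    """(offset, label) for every SEQUENCE whose direct children match a known shape."""
    hits = []
    for pos, _, tag, cons, hl, ln, _ in walk(buf):
        if tag == 0x30:
            tags = [t for _, d, t, *_ in walk(buf, pos + hl, pos + hl + ln) if d == 0]
            hits += [(pos, label) for label, ok in KNOWN_SHAPES if ok(tags)]
    return hits

# --- constructed sample, laid out like the dump in the question; no real key material ---
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content
def enc_oid(s: str) -> bytes:
    arcs = [int(a) for a in s.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))
def algid(oid: str, params: bytes = b"\x05\x00") -> bytes:      # params default: NULL
    return tlv(0x30, enc_oid(oid) + params)
def name(cn: str) -> bytes:                                     # Name with a single commonName
    return tlv(0x30, tlv(0x31, tlv(0x30, enc_oid("2.5.4.3") + tlv(0x13, cn.encode()))))
RSA, SHA256_RSA, DES3 = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.11", "1.2.840.113549.3.7"
UTC, FAKE_BITS = tlv(0x17, b"151114000000Z"), tlv(0x03, b"\x00" + bytes(16))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x00") + algid(SHA256_RSA)
          + name("Issuer") + tlv(0x30, UTC + UTC) + name("Subject") + tlv(0x30, algid(RSA) + FAKE_BITS))
CERT = tlv(0x30, TBS + algid(SHA256_RSA) + FAKE_BITS)
SAMPLE = tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, algid(DES3, tlv(0x04, bytes(8))) + tlv(0x13, b"PKI")
         + tlv(0x31, tlv(0x30, tlv(0x13, b"Cert") + enc_oid("1.3.36.2.1.3") + CERT))))
```

Run `identify(open("blob.der", "rb").read())` on the real bytes and `registry_queries(oid)` on every OID that `collect_oids` returns but you do not recognize; with the constructed sample, `identify` flags the embedded Certificate, its TBSCertificate, both Names, the Validity and the SubjectPublicKeyInfo, while the outer wrapper (INTEGER, SEQUENCE, SET of entries) matches nothing. That is the situation the dump shows: the pieces at offsets 98, 181 or 930 are textbook X.509, but the element at offset 169 ([0] version, INTEGER, SubjectPublicKeyInfo, [1] validity, [2] signature algorithm, BIT STRING) is not a standard TBSCertificate, so the shape table only labels the recognizable parts and the container itself stays unknown until the OID owner's module is found. Every label is a candidate, not a verdict: the shape check never looks inside the values, so a SEQUENCE of two UTCTimes is "Validity" only because nothing else in the table has that layout.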