How to view a certificate's hexadecimal DER code and the DER format of each field of the certificate

Source: Internet
Author: User
Tags rfc

Certificates are generally X.509 certificates encoded in DER. DER is a TLV (tag-length-value) encoding, and the file stores it as base64.

 

When we open ca.crt, we find that it is base64 text. Suppose we decode the base64 directly with an online tool, copy the decoded output into a file, and then convert that file to hexadecimal format for viewing.

It won't work, because a carriage return gets added to each line feed, so 0a becomes 0d 0a. In addition, some of the other hexadecimal digits are incorrect at this point.

 

The correct method is to transfer the certificate file to Linux in binary mode, and then decode the file with base64 on Linux.

 

Command: base64 -d -i ca.crt > crt.hex

 

-d means decode, and -i is --ignore-garbage: when decoding, ignore non-alphabet characters.

Decoding require compliant input by default, use --ignore-garbage to attempt to recover from non-alphabet characters (such as newlines) in the encoded stream.

 

Then open crt.hex in Vim and convert it to hexadecimal format, and you will be able to see the certificate's proper hexadecimal DER code.
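The decode step and the 0a to 0d 0a corruption described above, as an added Python example that is not part of the original post. It assumes ca.crt may carry BEGIN/END armor lines, which it drops before decoding; the five-byte DER sample and the function names are constructed for the illustration.

```python
import base64

# Constructed sample (not a real certificate): SEQUENCE { INTEGER 10 }.
# The INTEGER's content byte is 0x0a, the same value as a line feed.
SAMPLE_DER = bytes.fromhex("30 03 02 01 0a")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def pem_to_der(pem: bytes) -> bytes:
    """Drop the BEGIN/END armor lines, then decode the base64 body strictly."""
    lines = (ln.strip() for ln in pem.splitlines())
    body = b"".join(ln for ln in lines if ln and not ln.startswith(b"-----"))
    return base64.b64decode(body, validate=True)


def text_mode_copy(data: bytes) -> bytes:
    """What a text-mode paste or transfer does to binary: every LF becomes CR LF."""
    return data.replace(b"\n", b"\r\n")


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset plus space-separated hex bytes, one row per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        rows.append(f"{off:08x}: {data[off:off + width].hex(' ')}")
    return "\n".join(rows)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("binary-safe decode:\n" + hexdump(der))
    print("after a text-mode copy:\n" + hexdump(text_mode_copy(der)))
```

The second dump is one byte longer than the length byte 03 claims, which is why a DER parser rejects a file that went through a text channel.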

 

The certificate format is defined in RFC 2459, that is, X.509.

    Certificate ::= SEQUENCE {
        tbsCertificate        TBSCertificate,
        signatureAlgorithm    AlgorithmIdentifier,
        signatureValue        BIT STRING }

    TBSCertificate ::= SEQUENCE {
        version          [0]  EXPLICIT Version DEFAULT v1,
        serialNumber          CertificateSerialNumber,
        signature             AlgorithmIdentifier,
        issuer                Name,
        validity              Validity,
        subject               Name,
        subjectPublicKeyInfo  SubjectPublicKeyInfo,
        issuerUniqueID   [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version shall be v2 or v3
        subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                              -- If present, version shall be v2 or v3
        extensions       [3]  EXPLICIT Extensions OPTIONAL
                              -- If present, version shall be v3
        }

    Version ::= INTEGER { v1(0), v2(1), v3(2) }

    CertificateSerialNumber ::= INTEGER

    AlgorithmIdentifier ::= SEQUENCE {
        algorithm   OBJECT IDENTIFIER,
        parameters  ANY DEFINED BY algorithm OPTIONAL }

    Validity ::= SEQUENCE {
        notBefore  Time,
        notAfter   Time }

    Time ::= CHOICE {
        utcTime      UTCTime,
        generalTime  GeneralizedTime }

    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm         AlgorithmIdentifier,
        subjectPublicKey  BIT STRING }

    UniqueIdentifier ::= BIT STRING

    Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension

    Extension ::= SEQUENCE {
        extnID     OBJECT IDENTIFIER,
        critical   BOOLEAN DEFAULT FALSE,
        extnValue  OCTET STRING }

    Name ::= CHOICE { RDNSequence }

    RDNSequence ::= SEQUENCE OF RelativeDistinguishedName

    RelativeDistinguishedName ::= SET OF AttributeTypeAndValue

    AttributeTypeAndValue ::= SEQUENCE {
        type   AttributeType,
        value  AttributeValue }

    AttributeType ::= OBJECT IDENTIFIER

    AttributeValue ::= ANY DEFINED BY AttributeType

This is a simple description. For more information, see the RFC document.

Description of each attribute type in Name:

    E is the mailbox
    DC is the domain component
    CN is the common name
    OU is the organizational unit
    O is the organization
    L is the city name
    S is the province name
    C is the country name

The simple encoding is the primitive, definite-length method. It requires that the length of the value be known in advance.

Part of the BER encoding is defined as follows:

1. Identifier octets have two forms: one for smaller tag values (between 0 and 30) and one for larger tag values (greater than or equal to 31).

Low-tag-number form: one byte.
Bits 8 and 7 indicate the class (see the table below). If bit 6 is 0, the encoding is primitive (simple). Bits 5-1 give the tag value.

    Class              bit 8   bit 7
    universal            0       0
    application          0       1
    context-specific     1       0
    private              1       1

High-tag-number form: two or more octets. The first octet is as in the low-tag-number form, except that bits 5-1 are all 1. The second and following octets give the tag value in base 128, most significant digit first, using as few digits as possible. Bit 8 of each of these octets is set to 1, except for the last one, where it is 0.

For the constructed, definite-length encoding, bit 6 of the identifier octet is 1.

Implicitly tagged types are defined with the keyword IMPLICIT. ASN.1 notation:

    [[class] number] IMPLICIT Type
    class = UNIVERSAL | APPLICATION | PRIVATE

where Type is a type, class is an optional class name, and number is the tag value within the class, a non-negative integer. If there is no class name, the tag is context-specific. Context-specific tags can only appear in a component of a structured type or a CHOICE type. For such a tag with a value smaller than 31, bit 8 is 1.

For the time being I do not know what A0 and A3 are. A0 carries an 02 and has bit 8 set to 1, so A0 is an explicit INTEGER; it indicates the type of the version field. A3 appears because extensions are present: its number is 3, the tagged type is a SEQUENCE (0x10), the tagging is again explicit, and there is no class name, so bit 8 must be 1, which gives 0xa3.

By reading the examples in the RFC document, you can find some DER-encoded tag values. CHOICE and ANY have no tag value of their own.

    0x02  INTEGER
    0x03  BIT STRING: the first content byte gives the number of bits missing to make the bit string a multiple of 8 (unused bits)
    0x04  OCTET STRING: any stream of octets (8 bits)
    0x05  NULL: the encoding is fixed to 05 00
    0x06  OBJECT IDENTIFIER (OID): a sequence of integers that identifies an object, such as an algorithm or an attribute type
    0x10  SEQUENCE and SEQUENCE OF: an ordered collection; with OF the number of elements can be 0
    0x11  SET and SET OF: an unordered collection
    0x13  PrintableString: any string of printable characters
    0x14  T61String: T.61 (8-bit) characters
    0x16  IA5String: any of the IA5 (ASCII) characters
    0x17  UTCTime: a "coordinated universal time" or Greenwich Mean Time (GMT) value

Because the tag of the SEQUENCE type is 16 (decimal), which is between 0 and 30, the identifier octet uses the low-tag-number form. Because SEQUENCE belongs to the universal class, bits 8 and 7 are 0. Because the constructed encoding is used, bit 6 is 1. The length uses the short, one-byte form. The content octets are the concatenation of the DER encodings of the attributeType and attributeValue components. Therefore, the DER identifier of SEQUENCE is 0x30, and the DER identifier of SET is 0x31.

The values of some OIDs are also known:

    2a 86 48 ce 38 04 03             dsa-with-sha
    2a 86 48 86 F7 0d 01 01 01 05    sha1-with-rsa
    2a 86 48 86 F7 0d 01 01 01       rsa
    06 03 55 04 06                   countryName 2.5.4.6
    06 03 55 04 0a                   organizationName 2.5.4.10
    06 03 55 04 03                   commonName 2.5.4.3

The content octets of an OID are calculated from its integer components value1, value2, ..., valuen as follows:

1. The first byte has the value 40 × value1 + value2. (This is unambiguous because value1 is limited to 0, 1, and 2, and when value1 is 0 or 1, value2 must be between 0 and 39. According to X.208, n is always at least 2.)

2. The following bytes, if any, encode value3, ..., valuen. Each value is encoded in base 128, most significant digit first, using as few digits as possible. Bit 8 of each octet is set to 1, except for the last octet of each value.

For example, the first byte of the object identifier of RSA Data Security, Inc. is 40 × 1 + 2 = 42 = 0x2a. The encoding of 840 = 6 × 128 + 0x48 is 86 48, and the encoding of 113549 = 6 × 128² + 0x77 × 128 + 0x0d is 86 F7 0d. The final BER encoding is 06 06 2a 86 48 86 F7 0d.

DER encoding: primitive. The content bytes are the same as in the primitive BER encoding.

The signature algorithm identifier at the end of the certificate must be exactly the same as the one that appears earlier in the certificate.

The final signature value is generated as follows: the input to the signature is DER-encoded, and the output is DER-encoded after signing:

    The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded tbsCertificate is used as the input to the signature function. This signature value is then ASN.1 encoded as a bit string and encoded in the certificate's signature field. The details of this process are specified for each of the supported algorithms in Section 7.2.

RSA: the DER code for the public key is as follows:

    30 81 89 02 81 81 <Public Key (129 bytes)> 02 03 01 00 01

When the length exceeds 127 bytes, the long length format is used: bit 8 of the first length byte is 1, and bits 7-1 say how many bytes follow to give the actual length. Here the binary value of 30 is 110000: the 1 in bit 6 indicates the constructed, definite-length method, and bits 5-1 encode the SEQUENCE tag, whose decimal value is 16. The binary value of 81 is 10000001: the 1 in bit 8 indicates the long length format, and the 1 in bit 1 indicates that one length byte follows, namely the 89 after it, which is the length of the entire contents. The following 02 is the INTEGER tag, the first 81 indicates the long length format, and the second 81 is the length of the modulus, that is, 129 bytes.
Then 02 is the INTEGER tag, 03 indicates that the short length format is used and that the publicExponent is 3 bytes long, and the publicExponent follows.

The public key is 129 bytes because the length is 81 and the first byte is 00. It was not clear to me why it is 00; I would be very grateful if someone who knows could leave a message.

Finally, I know why some of them start with 00: because the first bit of the first byte is 1, a 00 is added in front. If the first bit is not 1, no 00 is added.
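The identifier and length rules above, applied to the RSA public key layout 30 81 89 02 81 81 ... 02 03 01 00 01, as an added Python example that is not part of the original post. The modulus is a constructed 1024-bit value with its top bit set, so the leading 00 appears; read_tlv, walk and der_integer are names chosen for this illustration.

```python
CLASSES = ("universal", "application", "context-specific", "private")

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV; return (class, constructed, tag, value, next_pos)."""
    first = buf[pos]
    pos += 1
    cls, constructed, tag = CLASSES[first >> 6], bool(first & 0x20), first & 0x1F
    if tag == 0x1F:                  # high-tag-number form: base-128 digits follow
        tag = 0
        while True:
            octet = buf[pos]
            pos += 1
            tag = (tag << 7) | (octet & 0x7F)
            if not octet & 0x80:     # bit 8 is 0 only on the last octet
                break
    length = buf[pos]
    pos += 1
    if length & 0x80:                # long form: bits 7-1 count the length octets
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("value runs past the end of the input")
    return cls, constructed, tag, buf[pos:pos + length], pos + length

def walk(buf: bytes, depth: int = 0):
    """List (depth, class, tag, length) per TLV, descending into constructed ones."""
    found, pos = [], 0
    while pos < len(buf):
        cls, constructed, tag, value, pos = read_tlv(buf, pos)
        found.append((depth, cls, tag, len(value)))
        if constructed:
            found.extend(walk(value, depth + 1))
    return found

def der_integer(n: int) -> bytes:
    """Encode n >= 0 as a DER INTEGER (lengths up to 255 bytes, enough here)."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:               # top bit set would read as negative: add 00
        body = b"\x00" + body
    size = len(body)
    header = bytes([size]) if size < 0x80 else bytes([0x81, size])
    return b"\x02" + header + body

# Constructed 1024-bit value with its top bit set, standing in for an RSA modulus.
MODULUS = (1 << 1023) | 0x1234567
KEY = b"\x30\x81\x89" + der_integer(MODULUS) + der_integer(65537)
```

Calling read_tlv on the bytes a0 03 02 01 02 returns class context-specific, constructed, tag number 0, with the INTEGER 02 01 02 as its value, which is the A0 wrapper around the version field.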
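The OID calculation described earlier (first byte 40 × value1 + value2, then base-128 digits), as an added Python example that is not part of the original post. encode_oid and decode_oid are names chosen for this illustration, and the encoder only handles contents that fit the short length form.

```python
def encode_oid(dotted: str) -> bytes:
    """Return the full TLV (06, length, contents) for a dotted OID string."""
    arcs = [int(a) for a in dotted.split(".")]
    if (len(arcs) < 2 or min(arcs) < 0 or arcs[0] > 2
            or (arcs[0] < 2 and arcs[1] > 39)):
        raise ValueError("invalid OID components")
    content = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        digits = [value & 0x7F]                    # last digit: bit 8 clear
        value >>= 7
        while value:
            digits.append(0x80 | (value & 0x7F))   # earlier digits: bit 8 set
            value >>= 7
        content.extend(reversed(digits))           # most significant digit first
    if len(content) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(content)]) + bytes(content)


def decode_oid(content: bytes) -> str:
    """Turn OID content octets (without the 06 and length bytes) into dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    values, acc = [], 0
    for octet in content:
        if acc == 0 and octet == 0x80:
            raise ValueError("leading zero digit: not the shortest encoding")
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:                       # last digit of this value
            values.append(acc)
            acc = 0
    first = min(values[0] // 40, 2)                # value1 is limited to 0, 1, 2
    return ".".join(map(str, [first, values[0] - 40 * first] + values[1:]))


if __name__ == "__main__":
    print(encode_oid("1.2.840.113549").hex(" "))   # RSA Data Security, Inc.
    print(decode_oid(bytes.fromhex("2a8648ce380403")))
```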
