Re: [pyasn1-users] Decoding X509 Extensions
From: Sergey M. <sta...@st...> - 2017-04-06 11:50:42
*** Paul King <pa...@gr...> [2017-04-06 14:11]:
>I am nearly there decoding all Extensions in an X509 cert but I am stuck on some final decoding. I have confused myself I am sure so can someone sort me out?
> sal_raw = extension.getComponentByPosition(2)
>2 [Any(hexValue='04183016801459a4660652a07b95923ca394072796745bf93dd0')]
Now you have got the Any X.509 extension value. It is by definition an
OctetString. So the X.509 Extension's extnValue is:

    from pyasn1.codec.der.decoder import decode
    from pyasn1.type.univ import OctetString

    akid_raw, tail = decode(sal_raw.asOctets(), OctetString())

then, decode this AuthorityKeyIdentifier:
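
    from pyasn1.type.univ import Sequence
    from pyasn1.type.namedtype import NamedTypes, OptionalNamedType
    from pyasn1.type.tag import Tag, TagSet, tagClassContext, tagFormatSimple
    # Assumption: these three types are the ones from pyasn1_modules.rfc2459
    from pyasn1_modules.rfc2459 import (
        KeyIdentifier, GeneralNames, CertificateSerialNumber)

    class AuthorityKeyIdentifier(Sequence):
        componentType = NamedTypes(
            OptionalNamedType('keyIdentifier', KeyIdentifier().subtype(
                implicitTag=Tag(tagClassContext, tagFormatSimple, 0)
            )),
            OptionalNamedType('authorityCertIssuer', GeneralNames().subtype(
                implicitTag=Tag(tagClassContext, tagFormatSimple, 1)
            )),
            OptionalNamedType(
                'authorityCertSerialNumber', CertificateSerialNumber().subtype(
                    implicitTag=Tag(tagClassContext, tagFormatSimple, 2)
                )
            )
        )

    akid, tail = decode(akid_raw, AuthorityKeyIdentifier())
    akid == AuthorityKeyIdentifier().setComponents(
        KeyIdentifier(
            tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=0)),
            hexValue='59a4660652a07b95923ca394072796745bf93dd0'))
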
Now you have an AuthorityKeyIdentifier object. You can be sure that
authorityCertIssuer and authorityCertSerialNumber are set to None:

    (akid['authorityCertIssuer'] is None) == True
    (akid['authorityCertSerialNumber'] is None) == True

To get the KeyIdentifier value itself just do:

    akid['keyIdentifier'].asOctets()
    '59a4660652a07b95923ca394072796745bf93dd0'

But pay attention that the X.509 Extension's extnValue has a different
ASN.1 structure for each corresponding Extension extnID. This
structure is only for AuthorityKeyIdentifier. You have to specify
other ones to decode other extensions properly.
--
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: CF60 E89A 5923 1E76 E263 6422 AE1A 8109 E498 57EF
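
The two-layer unwrapping described in the message above (OCTET STRING first, then the extension-specific structure), as an added example that is not part of the original message and does not use pyasn1: a hand-written, standard-library DER reader run over the Any value quoted in the question. The function names are hypothetical, and only low-tag-number, definite-length encodings are handled.

```python
# Added example: minimal DER TLV reader (standard library only, not pyasn1).
# EXTN_VALUE_HEX is the Any value quoted in the message above.
EXTN_VALUE_HEX = "04183016801459a4660652a07b95923ca394072796745bf93dd0"

def read_tlv(buf, off=0):
    """Return (tag_byte, value, next_offset) for the DER TLV at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[off]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not supported here")
    length = buf[off + 1]
    off += 2
    if length & 0x80:                  # long form: low 7 bits count length octets
        n = length & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[off:off + length], off + length

def decode_akid(extn_value):
    """Unwrap OCTET STRING -> SEQUENCE -> context-tagged AuthorityKeyIdentifier fields."""
    tag, inner, end = read_tlv(extn_value)
    if tag != 0x04 or end != len(extn_value):
        raise ValueError("extnValue must be exactly one OCTET STRING")
    tag, body, end = read_tlv(inner)
    if tag != 0x30 or end != len(inner):
        raise ValueError("AuthorityKeyIdentifier must be exactly one SEQUENCE")
    names = {0: "keyIdentifier", 1: "authorityCertIssuer",
             2: "authorityCertSerialNumber"}
    fields, off = {}, 0
    while off < len(body):
        tag, value, off = read_tlv(body, off)
        # Implicit tags: class bits must be "context"; [1] is constructed (0xA1).
        if tag & 0xC0 != 0x80 or (tag & 0x1F) not in names:
            raise ValueError("unexpected tag 0x%02x" % tag)
        fields[names[tag & 0x1F]] = value   # raw content octets, not decoded further
    return fields

if __name__ == "__main__":
    akid = decode_akid(bytes.fromhex(EXTN_VALUE_HEX))
    print({name: value.hex() for name, value in akid.items()})
```

Rejecting trailing bytes and out-of-range lengths at each layer matters when the certificate comes from an untrusted peer; a decoder that silently ignores them can disagree with another parser about what the extension says.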