Identifying unknown ASN.1 objects



We are searching executables for DER-encoded SEQUENCEs. After cherry-picking those that look like valid DER-encoded data, we want to analyse how they are used.

X.509 certificates and CMS objects are easy to identify (because we know them), but we have also found valid encodings whose purpose we cannot tell.

For example, look at the following output of openssl asn1parse (...):


    0:d=0  hl=4 l=1804 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim:  INTEGER           :03
    7:d=1  hl=4 l=1797 cons:  SEQUENCE          
   11:d=2  hl=2 l=  20 cons:   SEQUENCE          
   13:d=3  hl=2 l=   8 prim:    OBJECT            :des-ede3-cbc
   23:d=3  hl=2 l=   8 prim:    OCTET STRING      [HEX DUMP]:0000000000000000
   33:d=2  hl=2 l=   3 prim:   PRINTABLESTRING   :<OMITTED>
   38:d=2  hl=2 l=  13 prim:   UTCTIME           :<OMITTED>
   53:d=2  hl=2 l=   1 prim:   INTEGER           :01
   56:d=2  hl=4 l=1748 cons:   SET               
   60:d=3  hl=4 l= 830 cons:    SEQUENCE          
   64:d=4  hl=2 l=   6 prim:     PRINTABLESTRING   :PKRoot
   72:d=4  hl=2 l=  13 prim:     UTCTIME           :<OMITTED>
   87:d=4  hl=2 l=   5 prim:     OBJECT            :1.3.36.2.5.1
   94:d=4  hl=4 l= 796 cons:     SEQUENCE          
   98:d=5  hl=2 l=  69 cons:      SEQUENCE          
  100:d=6  hl=2 l=  11 cons:       SET               
  102:d=7  hl=2 l=   9 cons:        SEQUENCE          
  104:d=8  hl=2 l=   3 prim:         OBJECT            :countryName
  109:d=8  hl=2 l=   2 prim:         PRINTABLESTRING   :<OMITTED>
  113:d=6  hl=2 l=  31 cons:       SET               
  115:d=7  hl=2 l=  29 cons:        SEQUENCE          
  117:d=8  hl=2 l=   3 prim:         OBJECT            :organizationName
  122:d=8  hl=2 l=  22 prim:         PRINTABLESTRING   :<OMITTED>
  146:d=6  hl=2 l=  21 cons:       SET               
  148:d=7  hl=2 l=  19 cons:        SEQUENCE          
  150:d=8  hl=2 l=   3 prim:         OBJECT            :commonName
  155:d=8  hl=2 l=  12 prim:         PRINTABLESTRING   :<OMITTED>
  169:d=5  hl=4 l= 614 cons:      SEQUENCE          
  173:d=6  hl=2 l=   3 cons:       cont [ 0 ]        
  175:d=7  hl=2 l=   1 prim:        INTEGER           :02
  178:d=6  hl=2 l=   1 prim:       INTEGER           :00
  181:d=6  hl=4 l= 290 cons:       SEQUENCE          
  185:d=7  hl=2 l=  13 cons:        SEQUENCE          
  187:d=8  hl=2 l=   9 prim:         OBJECT            :rsaEncryption
  198:d=8  hl=2 l=   0 prim:         NULL              
  200:d=7  hl=4 l= 271 prim:        BIT STRING        
  475:d=6  hl=2 l=  32 cons:       cont [ 1 ]        
  477:d=7  hl=2 l=  30 cons:        SEQUENCE          
  479:d=8  hl=2 l=  13 prim:         UTCTIME           :<OMITTED>
  494:d=8  hl=2 l=  13 prim:         UTCTIME           :<OMITTED>
  509:d=6  hl=2 l=  15 cons:       cont [ 2 ]        
  511:d=7  hl=2 l=  13 cons:        SEQUENCE          
  513:d=8  hl=2 l=   9 prim:         OBJECT            :sha256WithRSAEncryption
  524:d=8  hl=2 l=   0 prim:         NULL              
  526:d=6  hl=4 l= 257 prim:       BIT STRING        
  787:d=5  hl=2 l= 105 cons:      cont [ 0 ]        
  789:d=6  hl=2 l= 103 cons:       SEQUENCE          
  791:d=7  hl=2 l=  15 cons:        SEQUENCE          
  793:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Basic Constraints
  798:d=8  hl=2 l=   1 prim:         BOOLEAN           :255
  801:d=8  hl=2 l=   5 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  808:d=7  hl=2 l=  37 cons:        SEQUENCE          
  810:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Subject Alternative Name
  815:d=8  hl=2 l=  30 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  847:d=7  hl=2 l=  14 cons:        SEQUENCE          
  849:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Key Usage
  854:d=8  hl=2 l=   1 prim:         BOOLEAN           :255
  857:d=8  hl=2 l=   4 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  863:d=7  hl=2 l=  29 cons:        SEQUENCE          
  865:d=8  hl=2 l=   3 prim:         OBJECT            :X509v3 Subject Key Identifier
  870:d=8  hl=2 l=  22 prim:         OCTET STRING      [HEX DUMP]:<OMITTED>
  894:d=3  hl=4 l= 910 cons:    SEQUENCE          
  898:d=4  hl=2 l=   4 prim:     PRINTABLESTRING   :Cert
  904:d=4  hl=2 l=  13 prim:     UTCTIME           :<OMITTED>
  919:d=4  hl=2 l=   5 prim:     OBJECT            :1.3.36.2.1.3
  926:d=4  hl=4 l= 878 cons:     SEQUENCE          
  930:d=5  hl=4 l= 598 cons:      SEQUENCE          
  934:d=6  hl=2 l=   3 cons:       cont [ 0 ]        
  936:d=7  hl=2 l=   1 prim:        INTEGER           :02
  939:d=6  hl=2 l=   1 prim:       INTEGER           :00
  942:d=6  hl=2 l=  13 cons:       SEQUENCE          
  944:d=7  hl=2 l=   9 prim:        OBJECT            :sha256WithRSAEncryption
  955:d=7  hl=2 l=   0 prim:        NULL              
  957:d=6  hl=2 l=  69 cons:       SEQUENCE          
  959:d=7  hl=2 l=  11 cons:        SET               
  961:d=8  hl=2 l=   9 cons:         SEQUENCE          
  963:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
  968:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :<OMITTED>
  972:d=7  hl=2 l=  31 cons:        SET               
  974:d=8  hl=2 l=  29 cons:         SEQUENCE          
  976:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
  981:d=9  hl=2 l=  22 prim:          PRINTABLESTRING   :<OMITTED>
 1005:d=7  hl=2 l=  21 cons:        SET               
 1007:d=8  hl=2 l=  19 cons:         SEQUENCE          
 1009:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
 1014:d=9  hl=2 l=  12 prim:          PRINTABLESTRING   :<OMITTED>
 1028:d=6  hl=2 l=  30 cons:       SEQUENCE          
 1030:d=7  hl=2 l=  13 prim:        UTCTIME           :<OMITTED>
 1045:d=7  hl=2 l=  13 prim:        UTCTIME           :<OMITTED>
 1060:d=6  hl=2 l=  69 cons:       SEQUENCE          
 1062:d=7  hl=2 l=  11 cons:        SET               
 1064:d=8  hl=2 l=   9 cons:         SEQUENCE          
 1066:d=9  hl=2 l=   3 prim:          OBJECT            :countryName
 1071:d=9  hl=2 l=   2 prim:          PRINTABLESTRING   :<OMITTED>
 1075:d=7  hl=2 l=  31 cons:        SET               
 1077:d=8  hl=2 l=  29 cons:         SEQUENCE          
 1079:d=9  hl=2 l=   3 prim:          OBJECT            :organizationName
 1084:d=9  hl=2 l=  22 prim:          PRINTABLESTRING   :<OMITTED>
 1108:d=7  hl=2 l=  21 cons:        SET               
 1110:d=8  hl=2 l=  19 cons:         SEQUENCE          
 1112:d=9  hl=2 l=   3 prim:          OBJECT            :commonName
 1117:d=9  hl=2 l=  12 prim:          PRINTABLESTRING   :<OMITTED>
 1131:d=6  hl=4 l= 290 cons:       SEQUENCE          
 1135:d=7  hl=2 l=  13 cons:        SEQUENCE          
 1137:d=8  hl=2 l=   9 prim:         OBJECT            :rsaEncryption
 1148:d=8  hl=2 l=   0 prim:         NULL              
 1150:d=7  hl=4 l= 271 prim:        BIT STRING        
 1425:d=6  hl=2 l= 105 cons:       cont [ 3 ]        
 1427:d=7  hl=2 l= 103 cons:        SEQUENCE          
 1429:d=8  hl=2 l=  15 cons:         SEQUENCE          
 1431:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Basic Constraints
 1436:d=9  hl=2 l=   1 prim:          BOOLEAN           :255
 1439:d=9  hl=2 l=   5 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1446:d=8  hl=2 l=  37 cons:         SEQUENCE          
 1448:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Subject Alternative Name
 1453:d=9  hl=2 l=  30 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1485:d=8  hl=2 l=  14 cons:         SEQUENCE          
 1487:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Key Usage
 1492:d=9  hl=2 l=   1 prim:          BOOLEAN           :255
 1495:d=9  hl=2 l=   4 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1501:d=8  hl=2 l=  29 cons:         SEQUENCE          
 1503:d=9  hl=2 l=   3 prim:          OBJECT            :X509v3 Subject Key Identifier
 1508:d=9  hl=2 l=  22 prim:          OCTET STRING      [HEX DUMP]:<OMITTED>
 1532:d=5  hl=2 l=  13 cons:      SEQUENCE          
 1534:d=6  hl=2 l=   9 prim:       OBJECT            :sha256WithRSAEncryption
 1545:d=6  hl=2 l=   0 prim:       NULL              
 1547:d=5  hl=4 l= 257 prim:      BIT STRING

Does anyone know which ASN.1 type this corresponds to?

Of course there are some patterns (e.g. at offset 98 or 930) that are easy to recognise, but is there any "smart" way to identify unknown ASN.1 structures?

Special Google search patterns, websites, software, etc.?

We tried Google searches such as * ::= SEQUENCE { * INTEGER } without success.

Have a look at this: http://www.oid-info.com/get/1.3.36.2.1

oid-info.com currently holds more than 950.000 OIDs, but for the OID in question it only goes as far as the 1.3.36 level.

So querying the service starting from 1.3.36 will give you the information that this OID has been registered by

TeleTrusT - IT Security Association Germany

Querying 1.3.36.2 will tell you that this is

Security information object

1.3.36.2.1 will tell you that this is

Certificate

However, there is no information about 1.3.36.2.5.1 or 1.3.36.2.1.3, and that is because there doesn't have to be: once 1.3.36 was registered by TeleTrust, they own all of its sub-nodes outright.

I don't know whether the registration office has a service that lets you search all registered OIDs, but for now oid-info has about a million OIDs you can query.
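As an added example (not part of the question or this answer), the prefix-walking idea above can be automated: a minimal DER walker that pulls every OBJECT IDENTIFIER out of an unknown blob and lists the ancestor arcs to look up on oid-info.com. The sample DER is constructed here to mirror the shape of the dump in the question; only the low-tag-number form and definite lengths are handled, which is all that dump uses.

```python
from typing import Iterator, List, Tuple

def parse_der(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag byte, content octets) for each TLV at this nesting level."""
    i = 0
    while i < len(data):
        tag = data[i]
        if tag & 0x1F == 0x1F:          # high-tag-number form: not needed for this dump
            raise ValueError("high-tag-number form not supported")
        i += 1
        first = data[i]; i += 1
        if first == 0x80:               # indefinite length is BER, never DER
            raise ValueError("indefinite length is not DER")
        if first & 0x80:                # long form: low 7 bits = number of length octets
            n = first & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        else:
            length = first
        content = data[i:i + length]
        if len(content) != length:
            raise ValueError("truncated element")
        i += length
        yield tag, content

def decode_oid(content: bytes) -> str:
    """Decode OID content octets to dotted form (X.690 8.19, base-128 arcs)."""
    arcs: List[int] = []
    value = 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value); value = 0
    first, second = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(str(a) for a in [first, second] + arcs[1:])

def collect_oids(data: bytes) -> List[str]:
    """Depth-first walk: OIDs at this level plus those inside every constructed child."""
    found: List[str] = []
    for tag, content in parse_der(data):
        if tag == 0x06:                 # OBJECT IDENTIFIER
            found.append(decode_oid(content))
        elif tag & 0x20:                # constructed: SEQUENCE, SET, cont [n]
            found.extend(collect_oids(content))
    return found

def lookup_prefixes(oid: str) -> List[str]:
    """oid-info.com URLs for the OID and its ancestors, longest arc first."""
    arcs = oid.split(".")
    return ["http://www.oid-info.com/get/" + ".".join(arcs[:k]) for k in range(len(arcs), 1, -1)]

# Constructed sample: SEQUENCE { INTEGER 3, SEQUENCE { OID 1.3.36.2.5.1, [0] { OID rsaEncryption } } }
SAMPLE = bytes.fromhex("3019020103301406052B24020501A00B06092A864886F70D010101")
```

Running `collect_oids(SAMPLE)` yields the TeleTrusT arc and rsaEncryption; `lookup_prefixes` on the former produces the 1.3.36.2.5 → 1.3.36.2 → 1.3.36 chain the answer walks by hand.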

To me this dump looks like a kind of PKCS#7 message (but it is not PKCS#7). Without the ASN module there is no generic way to bind raw data to an arbitrary ASN object. You would probably have to create your own templates, map the raw data onto them and see which one succeeds. Without knowing the semantics of each message (defined in the ASN module) this is not that easy. If you are on Windows, you can try the following command:

certutil -dump pathfileWithUnknownAsn.ext

Certutil has several built-in templates for common X509 objects; maybe it will show you what this is.

Latest update