Is there any way to tell the difference between data after flags and sub-flags after the flag? In a Yahoo certificate I exported, there is a section with a0 2d a0 2b ..., where it's all flags. On the other hand, the subject key ID is "a0 1e 6e 0c 9b 6e 6a eb d2 ae 5a 4a 18 ff 0e 93 46 1a d6 32". How would I tell the difference between which is what? Other flags such as 03, 04, and 06 do this a lot.

Also, does anyone recognize the string 86 29? It's neither a flag nor readable data (the 29 is ")", but that doesn't seem to contribute to anything).

A: 

You can export the certificate to a file and then use CertUtil.exe -dump to examine the contents of the certificate.

UPDATED based on the comment: Because you pasted a long string in the comment, the comments can be hard to read. So I repeat the text of my last comment here:

The simplest way to decode the X.509 extensions is to use CryptDecodeObjectEx with X509_EXTENSIONS. As a result you will receive CERT_EXTENSIONS - an array of CERT_EXTENSION (see msdn.microsoft.com/en-us/library/aa377195.aspx). An extension consists of an OID which defines the extension, an attribute indicating whether the extension is critical (whether you really MUST understand it) and optional additional encoded extension data, which is in most cases BER encoded NULL. Of course you can decode the information yourself according to section 4.2 of RFC 3280, X.509 PKI (see http://www.ietf.org/rfc/rfc3280.txt).

Oleg
I know what the data says. I'm trying to extract the info myself.
calccrypto
What part of the X.509 certificate do you call "x509 flags" and "sub-flags"? If you describe what you mean, I can explain to you how to decode the information. Some years ago, to get a better understanding of ASN.1, BER, DER and X.509, I wrote a utility which produces output which can be compared with `CertUtil.exe -dump`. Is that what you are trying to do?
Oleg
Err... I think so. The part I'm having trouble with is: "3081ab300e0603551d0f0101ff0404030204f0301d0603551d0e04160414a01e6e0c9b6e6aebd2ae5a4a18ff0e93461ad632303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f74727573742e636f6d2f63726c732f73656375726563612e63726c301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4301d0603551d250416301406082b0601050507030106082b06010505070302". This is only the "extensions" section. I managed to get the rest of the certificate (up to "65537"), signature algorithm, and signatureValue. To me, a sub-flag is any group in the string I'm on.
calccrypto
The simplest way to decode the X.509 extensions is to use `CryptDecodeObjectEx` with `X509_EXTENSIONS`. As a result you will receive `CERT_EXTENSIONS` - an array of `CERT_EXTENSION` (see http://msdn.microsoft.com/en-us/library/aa377195.aspx). An extension consists of an OID which defines the extension, an attribute indicating whether the extension is critical (whether you really MUST understand it) and optional additional encoded extension data, which is in most cases BER encoded NULL. Of course you can decode the information yourself according to section 4.2 of RFC 3280, X.509 PKI.
Oleg
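
An added example, not code from the question or the answer: a minimal Python DER walker run over the extensions hex quoted in the comments above. Bit 0x20 of a tag byte marks a constructed value whose contents are further tag-length-value triples, while a primitive value is opaque data of the stated length, so the `a0` that opens the subject key ID is data inside a 20-byte OCTET STRING, and `86 29` is a primitive context-specific tag [6] with length 0x29 (41 bytes) holding the CRL URL. The function names are hypothetical, and the one schema fact assumed from RFC 3280 section 4.2 is that each extension's OCTET STRING wraps further DER.

```python
# Added example: EXT_HEX is the "extensions" hex from the comment above, split per extension.
EXT_HEX = ("3081ab300e0603551d0f0101ff0404030204f0"
           "301d0603551d0e04160414a01e6e0c9b6e6aebd2ae5a4a18ff0e93461ad632"
           "303a0603551d1f04333031302fa02da02b8629687474703a2f2f63726c2e67656f"
           "74727573742e636f6d2f63726c732f73656375726563612e63726c"
           "301f0603551d2304183016801448e668f92bd2b295d747d82320104f3398909fd4"
           "301d0603551d250416301406082b0601050507030106082b06010505070302")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F or length == 0x80:
        raise ValueError("high tag number or indefinite length: not handled")
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):                       # yields (tag, value) for each TLV in value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def leaves(der):
    out = []
    for tag, val in children(der):         # recurse only if bit 0x20 (constructed) is set
        out += leaves(val) if tag & 0x20 else [(tag, val)]
    return out

def decode_oid(v):
    arcs = [0]
    for b in v:                            # base-128 digits; high bit set = more follow
        arcs[-1] = (arcs[-1] << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(0)
    first = min(arcs[0] // 40, 2)          # first subidentifier packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:-1]))

def parse_extensions(der):
    """Map extension OID -> (critical, extnValue contents) for a DER Extensions SEQUENCE."""
    result = {}
    for _, ext in children(read_tlv(der, 0)[1]):
        fields = list(children(ext))       # OID, optional BOOLEAN critical, OCTET STRING
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        result[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return result
```

Calling `leaves()` on the second element of each `parse_extensions(bytes.fromhex(EXT_HEX))` entry lists the primitive values in that extension with their tags.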