Asn1parse: diagnostic utility that can parse ASN.1 structures -in: input file -strparse: parse the contents octets of the ASN.1 object starting at specified offset -out: output file to place the DER encoded data into. openssl asn1parse -in rsakey If I use a non-empty passphrase. This doesn't work. How can I parse an RSA private key with a passphrase. What format is that? Also I can't parse the public key at all. This doesn't work with or without a passphrase: openssl asn1parse -in Error: offset too large How can I parse the RSA public key? To use ASN.1 OBJECT IDENTIFIER field in OpenSSL 'asn1parse' command, you need to remember the following rules: ASN.1 OBJECT IDENTIFIER type tag is 0x06. ASN.1 OBJECT IDENTIFIER type code for 'asn1parse' command is OBJECT or OID. ASN.1 OBJECT IDENTIFIER value literal can be short name, long name or numerical format.


This command line utility reads a X509.v3 certificate (in DER or PEM encoding),decodes it and outputs a textual representation. It more or less mimicsopenssl asn1parse:

The main function is pretty_print:

Asn1parse Offset Too Large

This code:

  • line 3: Loops until its reaches the end of the input stream (with Decoder.eof()).
  • line 4: Looks (with Decoder.peek()) at the current tag.
  • line 5: If the tag is primitive (TypePrimitive) …
  • line 6: … the code reads (with the current tag.
  • line 8: Then it displays its number and value (after some mapping to be more user-fiendly).
  • line 10: If the tag is constructed (TypeConstructed) …
  • line 12: … the code displays its class and number.
  • line 14: Then it enters inside the tag and …
  • line 15: … calls itself recursively to decode the ASN.1 tags inside.
  • line 16: Leaves the current constructed tag (with Decoder.leave()) to continue the decoding of its siblings.

openssl-asn1parse, asn1parse - ASN.1 parsing tool
opensslasn1parse [-help] [-inform PEM DER] [-in filename] [-out filename] [-noout] [-offset number] [-length number] [-i] [-oid filename] [-dump] [-dlimit num] [-strparse offset] [-genstr string] [-genconf file] [-strictpem] [-item name]
The asn1parse command is a diagnostic utility that can parse ASN.1 structures. It can also be used to extract data from ASN.1 formatted data.
Print out a usage message.
-informDER PEM
The input format. DER is binary format and PEM (the default) is base64 encoded.
-in filename
The input file, default is standard input.
-out filename
Output file to place the DER encoded data into. If this option is not present then no data will be output. This is most useful when combined with the -strparse option.
Don't output the parsed version of the input file.
-offset number
Starting offset to begin parsing, default is start of file.
-length number
Number of bytes to parse, default is until end of file.
Indents the output according to the 'depth' of the structures.
-oid filename
A file containing additional OBJECT IDENTIFIERs (OIDs). The format of this file is described in the NOTES section below.
Dump unknown data in hex format.
-dlimit num
Like -dump, but only the first num bytes are output.
-strparse offset
Parse the contents octets of the ASN.1 object starting at offset. This option can be used multiple times to 'drill down' into a nested structure.
-genstr string, -genconf file
Generate encoded data based on string, file or both using ASN1_generate_nconf(3) format. If file only is present then the string is obtained from the default section using the name asn1. The encoded data is passed through the ASN1 parser and printed out as though it came from a file, the contents can thus be examined and written to a file using the out option.
If this option is used then -inform will be ignored. Without this option any data in a PEM format input file will be treated as being base64 encoded and processed whether it has the normal PEM BEGIN and END markers or not. This option will ignore any data prior to the start of the BEGIN marker, or after an END marker in a PEM file.
-item name
Attempt to decode and print the data as ASN1_ITEM name. This can be used to print out the fields of any supported ASN.1 structure if the type is known.


The output will typically contain lines like this:



This example is part of a self-signed certificate. Each line starts with the offset in decimal. d=XX specifies the current depth. The depth is increased within the scope of any SET or SEQUENCE. hl=XX gives the header length (tag and length octets) of the current type. l=XX gives the length of the contents octets.

The -i option can be used to make the output more readable.

Some knowledge of the ASN.1 structure is needed to interpret the output.

In this example the BIT STRING at offset 229 is the certificate public key. The contents octets of this will contain the public key information. This can be examined using the option -strparse 229 to yield:

If an OID is not part of OpenSSL's internal table it will be represented in numerical form (for example The file passed to the -oid option allows additional OIDs to be included. Each line consists of three columns, the first column is the OID in numerical format and should be followed by white space. The second column is the 'short name' which is a single word followed by white space. The final column is the rest of the line and is the 'long name'. asn1parse displays the long name. Example:Asn1parse

' shortName A long name'

Parse a file:

Parse a DER file:

Generate a simple UTF8String:

Generate and write out a UTF8String, don't print parsed output:

Generate using a config file:


Example config file:

Asn1parse Python

There should be options to change the format of output lines. The output of some ASN.1 types is not well handled (if at all).

Asn1 Parser Library

Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the OpenSSL license (the 'License'). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at