Latro has asked for the wisdom of the Perl Monks concerning the following question:

Hi monks.

I'm trying to debug some problems with an LDAP server around here, and as they are related to the password policy controls, I want to be able to read them. I capture the traffic with Wireshark and see that in the answer to the bind request the control has, say, this value:

308400000006a004800200e3

And, according to some documentation, this is the ASN.1 structure that it is supposed to fill:

    PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE OPTIONAL {
            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
            graceLoginsRemaining [1] INTEGER (0 .. maxInt) }
        error [1] ENUMERATED OPTIONAL {
            passwordExpired (0),
            accountLocked (1),
            changeAfterReset (2),
            passwordModNotAllowed (3),
            mustSupplyOldPassword (4),
            invalidPasswordSyntax (5),
            passwordTooShort (6),
            passwordTooYoung (7),
            passwordInHistory (8) } }

So, with zero knowledge as usual :-P I went and did this small program:

    #!/usr/bin/perl
    use Convert::ASN1;
    use Data::Dumper;

    $asn = Convert::ASN1->new;
    $asn->prepare(q<
        PasswordPolicyResponseValue ::= SEQUENCE {
            warning [0] CHOICE {
                timeBeforeExpiration [0] INTEGER,
                graceLoginsRemaining [1] INTEGER }
            error [1] ENUMERATED {
                passwordExpired (0),
                accountLocked (1),
                changeAfterReset (2),
                passwordModNotAllowed (3),
                mustSupplyOldPassword (4),
                invalidPasswordSyntax (5),
                passwordTooShort (6),
                passwordTooYoung (7),
                passwordInHistory (8) } }
    >) or die($asn->error);

    $data="308400000006a004800200e3";
    $data=pack("h*",$data);

    $structure=$asn->decode($data) or print $asn->error();
    print Dumper($structure);

And guess what, it didn't work :-P Ok, the first problem is that if I use the original definition, it dies with errors saying there are plenty of syntax mistakes in that ASN.1 thingy, so first question, what is the format Convert::ASN1 expects? Is it documented? Is that definition bad?

So after taking some things out till it compiles, I got the one that is in the code above. That gets out of prepare, but dies in the decoding with a completely unhelpful:

"decode error at /usr/lib/perl5/site_perl/5.10/Convert/ASN1/_decode.pm line 57."

So, ok, what would be the quick & easy way to get to see if the values in the control definition are being set, and to what values, using Convert::ASN1 or any other module you think is best?

Best regards

Replies are listed 'Best First'.
Re: Using Convert::ASN1 to decode an LDAP control
by VinsWorldcom (Prior) on Mar 30, 2010 at 19:08 UTC

    Putting in a

    print "$data"
    statement after your $data assignment quickly shows that you may have the pack statement incorrect. I would expect to see "0" - the hex equivalent of '30' after it's 'pack'd. 30 is an ASN.1 SEQUENCE data type, which would be the start of your ASN.1 prepare method.

    $data = pack("H*",$data); print "$data\n";

    That 'works' better for me in that the data is now as I'd expect the hex translation to be. Of course, the ASN.1 prepare statement you're using doesn't look correct to me. Your data: 3084 ... starts with 30 (which would be 'PasswordPolicyResponseValue ::= SEQUENCE') but the 84 isn't an ASN.1 type that I know.

    UPDATE: Been a while since I worked with this for SNMP decodes - 84 is the length of the SEQUENCE and your $data certainly isn't 0x84 (132) octets long.

    Have a look at http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One which explains ASN.1 coding. The example they give translates to your app with the following:

        ...
        $asn->prepare("
            FooQuestion ::= SEQUENCE {
                trackingNumber INTEGER,
                question IA5String }
        ") or die($asn->error);

        $data = "3013020105160e416e79626f64792074686572653f";
        $data = pack("H*",$data);
        print "$data\n"
        ...

    That should run successfully as an example for you.

        {C} > test
        0‼Ç☺♣♦♫Anybody there?
        $VAR1 = \{
                   'question' => 'Anybody there?',
                   'trackingNumber' => 5
                 };

      Doh, ok, it should be "H*", not "h*".

      About the data, it's supposed to be BER encoded, while you seem to be using DER?

Re: Using Convert::ASN1 to decode an LDAP control
by ProfP (Initiate) on Jul 22, 2010 at 18:15 UTC
    Although not Perl utilities, I found the following:

    dumpasn1 (http://www.cs.auckland.ac.nz/~pgut001/dumpasn1.c )
    - a ( relatively ) simple BER decoder.

    asn1c ( http://lionet.info/asn1c/ )
    - a set of libraries and utilities for compiling your own ASN.1 decoders. Comes with useful utilities like 'unber', which is similar to dumpasn1.

    to be very useful for ASN.1 decoding work. They both require C compilation chops to get the most out of them but they've saved my skin more than a few times when testing Perl decoders.

    Hope this helps.
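
A hand-rolled BER tag-length-value walker for the control value captured in the question, as an added example that is not part of any post in this thread and does not use Convert::ASN1. It handles the long-form length octet (0x84 followed by four length octets) and maps the context-specific tags onto the field names of the PasswordPolicyResponseValue definition quoted in the question; the sub names `ber_uint`, `read_tlv` and `decode_ppolicy` are hypothetical, and treating `warning [0]` as a constructed wrapper around the CHOICE is an assumption taken from the `a0` octet in the capture.

```perl
use strict;
use warnings;
use Data::Dumper;

# Error names in the order of the ENUMERATED list quoted in the question.
my @ERROR = qw(passwordExpired accountLocked changeAfterReset
    passwordModNotAllowed mustSupplyOldPassword invalidPasswordSyntax
    passwordTooShort passwordTooYoung passwordInHistory);

# Big-endian unsigned value of a byte string (the definition restricts these to >= 0).
sub ber_uint { my $v = 0; $v = ($v << 8) | $_ for unpack 'C*', shift; return $v }

# Read one TLV at $pos; returns (class, constructed, tag, content, next offset).
sub read_tlv {
    my ($buf, $pos) = @_;
    die "truncated header at offset $pos\n" if $pos + 2 > length $buf;
    my ($id, $len) = unpack 'CC', substr($buf, $pos, 2);
    $pos += 2;
    die "high tag numbers not handled\n" if ($id & 0x1f) == 0x1f;
    if ($len & 0x80) {    # long form: low 7 bits count the length octets
        my $n = $len & 0x7f;
        die "indefinite length not handled\n" if $n == 0;
        die "bad length field\n" if $n > 4 || $pos + $n > length $buf;
        $len = ber_uint(substr($buf, $pos, $n));
        $pos += $n;
    }
    die "content runs past end of buffer\n" if $pos + $len > length $buf;
    return ($id >> 6, $id & 0x20, $id & 0x1f, substr($buf, $pos, $len), $pos + $len);
}

sub decode_ppolicy {
    my ($ber) = @_;
    my ($class, $cons, $tag, $body) = read_tlv($ber, 0);
    die "outer element is not a SEQUENCE\n" unless $class == 0 && $cons && $tag == 16;
    my %out;
    for (my $pos = 0; $pos < length $body; ) {
        my ($c, $k, $t, $val, $next) = read_tlv($body, $pos);
        die "expected a context-specific tag\n" unless $c == 2;
        if ($t == 0 && $k) {    # warning [0]: wrapper around the CHOICE
            my (undef, undef, $alt, $int) = read_tlv($val, 0);
            my $name = $alt == 0 ? 'timeBeforeExpiration' : 'graceLoginsRemaining';
            $out{warning} = { $name => ber_uint($int) };
        } elsif ($t == 1) {     # error [1] ENUMERATED
            my $code = ber_uint($val);
            $out{error} = $ERROR[$code] // "unknown($code)";
        }
        $pos = $next;
    }
    return \%out;
}
# Control value captured in the question.
print Dumper(decode_ppolicy(pack 'H*', '308400000006a004800200e3'));
```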