LDAPviewer

View or Import Security File

The View or Import Security File window is a general purpose utility to view and analyze a variety of security file types, and provides a function to import X.509 certificates into the standard Java (JSSE) Trusted Keystore. By default it will load files with a suffix (extension) of .p12, .pfx, .pem, .p7, .der, .key, .cer, .crt or .p8; by selecting All Files from the File Chooser window (opened when Load is clicked) any file type may be loaded.

Depending on the type of file, the window will provide up to four separate views: an Info View, a PEM View, a Hex View and an ASN.1 View.

When initially loaded the window has only limited functionality, as shown:

Empty Security viewer window

All Buttons

Load Button

Always enabled. Clicking this button will present the user with a standard File Chooser window as shown:

Security viewer - Info

By default the File Chooser looks for suffixes (extensions) of .p12, .pfx, .pem, .der, .key, .cer, .crt and .p8. By selecting the All Files option from the drop-down menu at the bottom of this window any file can be loaded. If one or more X.509 certificates exist in the selected file the View Cert and Import Cert buttons will be enabled. In all cases the Print button will be enabled.

When a file is loaded the window title bar is updated as shown below:

Security viewer - Title

This shows the name of the loaded file, whether it is in DER (binary) or PEM (base64) format, and the file size as it appears on disk.

Certain files may be protected by one or more passwords. During file analysis the Load command will first attempt to read each protected item with an empty password; if this fails the user will be prompted for a password, with explanatory text as shown in the example below. (In this case the explanatory text indicates that a PKCS#12 bag structure from a .p12 file containing an X.509 certificate is secured with a non-empty password, but many other messages are possible depending on the file type.)

Security viewer - File structure password

Enter the password and click OK, or click Cancel to bypass analysis of those parts (which may be the whole file) covered by this password. Any entered password is discarded immediately after use, which has the side effect that, if the password covers the embedded certificate (as is common), the View Cert function will request the password again.

Certain file types (notably, but not exclusively, .p12 or .pfx) may contain multiple password protected items, in which case every occurrence will prompt for a (potentially identical) password.

When use or inspection of the loaded file is complete the window may be dismissed using the OK button, or Load clicked to load a new file.

View Cert Button

Disabled initially; enabled only if one or more X.509 certificates are contained within the loaded file. Clicking this button displays the X.509 Certificate Details window as shown:

Security viewer - Certificate Details

The various fields and panel contents are described in Certificate Details.

If a loaded file contains two or more certificates (common in PEM certificate bundles) the user is asked to select the certificate to view using this window:

Security viewer - Certificate Chooser

Selecting the required certificate followed by OK, or double clicking the selected certificate, will display it. Cancel will dismiss the window and cancel the View Cert sequence.

The View Cert command will first attempt to read the certificate with an empty password; if this fails it will prompt for a user password:

Security viewer - Certificate password

Enter the required password (which is discarded immediately after it has been used) and click OK, or click Cancel to terminate the command.

All Certs Button

Always enabled. Clicking this button displays all the Trusted Certificates in the standard Java (JSSE) Trusted Keystore and, on Microsoft Windows, those available in the Windows Trusted Keystore and the Windows Personal (MY) Keystore. (This feature is also available as View All Certs on the Certificate Menu, where the functionality and layout are fully described.)

Import Cert Button

Disabled initially; enabled only if one or more X.509 certificates are contained within the loaded file. This will import the selected X.509 certificate into the standard Java Trusted Keystore, where it may be used in the validation of incoming X.509 server certificates. The following warning message is always output:

Security viewer - Import cert warning

For security reasons LDAPviewer normally runs with standard application privileges; however, the Import Cert feature requires administrator privileges in order to write to the Java Trusted Keystore. On Microsoft Windows, administrator privileges are invoked by:

  1. Terminate the current program.
  2. Use File Explorer to navigate to C:\Program Files (x86)\LV.
  3. Select lv.exe.
  4. Right click and select run as administrator.
  5. On startup Windows will prompt with a warning message to indicate that elevated privileges will be used (Click Yes).

Note: It is recommended that when running in Administrator mode only the necessary Import Cert operations are performed (the results may be verified with the All Certs button), and that the program is terminated immediately on completion and restarted normally so that it uses standard application privileges only.

If the default Java Trusted Keystore password has been changed, the following prompt will request the required password:

Security viewer - Java Trusted Keystore password

Certificates are identified within the Keystore by an alias (a unique text string). LDAPviewer creates a default alias from the cn value of the certificate's Subject attribute. If the user attempts to import a certificate with the same alias as an existing entry the following prompt will appear:

Client Keystore - alias exists

Clicking OK will overwrite the existing certificate entry. Clicking Cancel will terminate the import operation, and clicking Change will prompt the user to change the alias value:

Client Keystore - change alias

On successful completion of the operation the following message will be output:

Security viewer - Java Trusted Keystore successful import

Print Button

Disabled initially; enabled when any file is loaded. This triggers the standard printer dialog for the system in use, so that local print options may be selected. It prints the contents of the currently selected panel (Info, PEM, Hex or ASN.1).

OK Button

Always enabled. Closes the window.

Help Button

Always enabled. Displays this page.

Security File Panels

Four panels offering different views and data analysis of the security file are provided. The PEM panel will only have content if the file is in PEM format; for all other formats it will contain the text Not PEM File. The purpose and content of each panel is described under its panel type below.

Info View

Info View attempts to interpret the security file and provide useful information based on its structure type. Depending on the file type and its encoding this will vary enormously, from extensive to none.

The primary method used to identify the structure is the file suffix (extension). Specific types such as .p12, .pfx, .p8, .crt, .cer and .p7b are supported. Files with the generic suffix (extension) .pem contain labels describing their content and are fully interpreted. Files with the generic suffix (extension) .der may, however, contain a variety of structures; for these LDAPviewer attempts to identify the structure from its ASN.1 signature and content. For example, certain Object Identifiers (OIDs) can only appear in certain structure types. If the keyword Likely appears before a structure name the match was not definitive but is the most likely interpretation. Where the structure cannot be recognized it will be labelled Unknown and no additional information will be provided.

Security viewer - Info

The example illustrates how the viewer handles multiple structures in a file and the summary information for X.509 certificates (which may be further inspected using the View Cert button).

In the example, 3 structures are contained within the file, the first one starting 1st = CERTIFICATE. CERTIFICATE here is the label found in the PEM section header (on the -----BEGIN line), which in this case is the current standard terminology. PEM files produced by older software may, however, use X509 CERTIFICATE and other alternative label forms; in that case the actual label is shown followed by the current standard terminology (defined in RFC 7468) in parentheses, for example X509 CERTIFICATE (CERTIFICATE).
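As an added example (not code from LDAPviewer or this page), the following Python scans a PEM file for -----BEGIN/-----END sections, maps the legacy labels that RFC 7468 lists (X509 CERTIFICATE, X.509 CERTIFICATE, NEW CERTIFICATE REQUEST) onto the current ones, checks that each END label matches its BEGIN label, base64-decodes each body to DER and produces summary lines in the Info View style. The sample PEM text is constructed inline from two tiny DER structures (not real certificates); the function names, the PemError class and the ", N DER bytes" suffix are this example's own choices.

```python
import base64
import re

# Legacy PEM labels and the current RFC 7468 label each corresponds to.
LEGACY_LABELS = {
    "X509 CERTIFICATE": "CERTIFICATE",
    "X.509 CERTIFICATE": "CERTIFICATE",
    "NEW CERTIFICATE REQUEST": "CERTIFICATE REQUEST",
}

_BEGIN = re.compile(r"^-----BEGIN (.+?)-----$")
_END = re.compile(r"^-----END (.+?)-----$")


class PemError(ValueError):
    """Structural PEM error: unmatched or unterminated section, bad base64."""


def scan_pem(text):
    """Return (label, standard_label, der_bytes) for every PEM section in text."""
    entries = []
    label, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise PemError(f"BEGIN {m.group(1)} inside unterminated {label} section")
            label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:
            # RFC 7468 requires the END label to repeat the BEGIN label exactly.
            if label is None or m.group(1) != label:
                raise PemError(f"END {m.group(1)} does not match BEGIN {label}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:
                raise PemError(f"bad base64 in {label} section: {exc}") from exc
            entries.append((label, LEGACY_LABELS.get(label, label), der))
            label = None
            continue
        # Inside a section, keep base64 lines; skip blank lines and any
        # "Name: value" header lines (base64 never contains a colon).
        if label is not None and line and ":" not in line:
            body.append(line)
    if label is not None:
        raise PemError(f"unterminated {label} section")
    return entries


def ordinal(n):
    """1 -> '1st', 2 -> '2nd', 11 -> '11th', 22 -> '22nd'."""
    if 10 <= n % 100 <= 20:
        return f"{n}th"
    return f"{n}{ {1: 'st', 2: 'nd', 3: 'rd'}.get(n % 10, 'th') }"


def describe(text):
    """Info View style summary, e.g. '2nd = X509 CERTIFICATE (CERTIFICATE), 5 DER bytes'."""
    entries = scan_pem(text)
    if not entries:
        return ["Not PEM Format"]
    lines = []
    for i, (label, std, der) in enumerate(entries, 1):
        shown = label if label == std else f"{label} ({std})"
        lines.append(f"{ordinal(i)} = {shown}, {len(der)} DER bytes")
    return lines


def _pem_section(label, der):
    """Wrap DER bytes as one PEM section with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{wrapped}\n-----END {label}-----\n"


# Constructed sample: two tiny DER structures (SEQUENCE { INTEGER n }, not real
# certificates) under a current and a legacy label, as an older bundle might.
SAMPLE_PEM = (_pem_section("CERTIFICATE", bytes.fromhex("3003020101"))
              + _pem_section("X509 CERTIFICATE", bytes.fromhex("3003020102")))

if __name__ == "__main__":
    for line in describe(SAMPLE_PEM):
        print(line)
```

A mismatched END label is treated as an error rather than silently accepted, since a bundle whose section boundaries cannot be trusted should not be interpreted further.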

If the selected file has an invalid format (it is not valid DER encoding, after any PEM to DER translation) the following message is displayed:

Security viewer - Info - Invalid format

Depending on the file type and requirements, the PEM View, the Hex View or the ASN.1 View may be used to inspect the structure further.

PEM View

Security viewer - PEM

Only populated if the file is in PEM format; for all other files it will contain the text Not PEM Format. This panel displays a raw view of the PEM file and is provided as a convenience for file inspection.

If the selected file has a valid PEM structure (even if the data are incorrectly DER encoded) this panel will always be populated and may provide diagnostic assistance.

Hex View

Security viewer - Hex

This is a hexadecimal view of the structure(s) in the file. Each structure starts with its size in the form [Size xxxx bytes]. The column on the extreme left (terminated with |) indicates the offset within the structure of the first byte of each line. For ease of reading the bytes are separated into groups of 4 hexadecimal characters, each representing 2 bytes (octets).

Note: For PEM format files this is the binary content of each structure unpacked from its base64 encoding. The [Size] value for the binary display will consequently differ significantly from the file size shown in the window title bar.

This panel is always populated, even if the data are incorrectly DER encoded, and may provide diagnostic assistance.
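As an added illustration of the layout described above (this is not LDAPviewer's code), the following Python renders one DER structure with a [Size N bytes] header, an offset column terminated by | and the bytes in groups of 4 hexadecimal characters, and also shows why the [Size] value differs from the file size for a PEM file. The sample structure is constructed inline and is a placeholder, not a real certificate; the 4-digit offset width, 16 bytes per line and function names are assumptions of this example.

```python
import base64


def hex_view(der: bytes, bytes_per_line: int = 16) -> str:
    """Render one structure in the Hex View layout: a [Size N bytes] header,
    then per line the offset of its first byte (4 hex digits, assumed here)
    terminated by '|' and the bytes as groups of 4 hex characters (2 octets)."""
    lines = [f"[Size {len(der)} bytes]"]
    for start in range(0, len(der), bytes_per_line):
        chunk = der[start:start + bytes_per_line]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        lines.append(f"{start:04x} | " + " ".join(groups))
    return "\n".join(lines)


def pem_to_der(pem_text: str) -> bytes:
    """Unpack the base64 body of a single-section PEM text into DER bytes."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body, validate=True)


def size_comparison(pem_text: str):
    """(file size as shown in the title bar, binary [Size] shown in the Hex View)."""
    return len(pem_text.encode("utf-8")), len(pem_to_der(pem_text))


# Constructed sample: SEQUENCE { OCTET STRING of 32 zero bytes }, 36 bytes of DER.
# A placeholder structure, not a real certificate, despite the PEM label below.
SAMPLE_DER = bytes.fromhex("3022" "0420" + "00" * 32)
_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(hex_view(SAMPLE_DER))
    print("file size %d bytes, binary [Size] %d bytes" % size_comparison(SAMPLE_PEM))
```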

ASN.1 View

Security viewer - ASN.1

The security file types handled by this window are all encoded using the DER (Distinguished Encoding Rules) of the ASN.1 (Abstract Syntax Notation One) standards; PEM is a base64 encoding of a DER structure (to allow it to be sent by media such as email). This panel provides what is typically called a schema-less interpretation of the DER structure. If the information in the Info View was incomplete, or the structure(s) were not recognized by LDAPviewer's interpretation functions, the informed user may be able to identify them from their ASN.1 elements.

Certain structures, specifically those with the keyword IMPLICIT, that can be interpreted in the Info View (such as embedded X.509 certificates in PKCS#12) cannot be interpreted by the ASN.1 View, since they require schema (ASN.1 module) knowledge that is not available to the raw ASN.1 analysis.

The numbers on the left-hand side indicate the byte offset (which correlates with the Hex View) of the start of each ASN.1 spanning item (the vertical lines are provided as a visual convenience); these are typically SEQUENCE, SET and Context Specific encapsulations.

If the selected file has an invalid format (it is not valid DER encoding, after any PEM to DER translation) the following message is displayed:

Security viewer - ASN.1 - Invalid format

Depending on the file type, the PEM View panel or the Hex View panel may be used to inspect the structure.
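As an added example (not LDAPviewer's code), the following Python performs the kind of schema-less DER walk the ASN.1 View describes: it decodes each identifier and length, descends into constructed elements, records the byte offset (the number that correlates with the Hex View) and nesting depth of every element, and rejects anything that is not valid DER (indefinite lengths, non-minimal lengths, elements that overrun their container) with the same Invalid format outcome the panel reports. The sample bytes are constructed for this example; the tag-name table, function names and the exact output layout are this example's own choices. As the text notes, the [0] element is shown only as an opaque context-specific tag, because what its IMPLICIT content is can only be known from the schema.

```python
# Universal tag numbers that commonly appear in security files (ITU-T X.680).
UNIVERSAL = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
             5: "NULL", 6: "OBJECT IDENTIFIER", 12: "UTF8String", 16: "SEQUENCE",
             17: "SET", 19: "PrintableString", 23: "UTCTime", 24: "GeneralizedTime"}
CLASS_PREFIX = {1: "APPLICATION ", 2: "", 3: "PRIVATE "}  # class 0 is universal


class InvalidFormat(ValueError):
    """The bytes are not valid DER: the viewer's 'Invalid format' case."""


def _read_tag(data, pos):
    """Decode one identifier octet (plus high-tag-number continuation octets)."""
    if pos >= len(data):
        raise InvalidFormat(f"unexpected end of data at offset {pos}")
    first = data[pos]
    cls, constructed, number = first >> 6, bool(first & 0x20), first & 0x1F
    pos += 1
    if number == 0x1F:  # high-tag-number form: base 128, bit 7 set means 'more'
        number = 0
        while True:
            if pos >= len(data):
                raise InvalidFormat("truncated high tag number")
            octet = data[pos]
            pos += 1
            number = (number << 7) | (octet & 0x7F)
            if not octet & 0x80:
                break
    return cls, constructed, number, pos


def _read_length(data, pos):
    """Decode a definite length; DER forbids indefinite and non-minimal forms."""
    if pos >= len(data):
        raise InvalidFormat(f"missing length at offset {pos}")
    first = data[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first in (0x80, 0xFF):
        raise InvalidFormat(f"indefinite or reserved length at offset {pos - 1} (BER, not DER)")
    count = first & 0x7F
    if pos + count > len(data):
        raise InvalidFormat("truncated long-form length")
    length = int.from_bytes(data[pos:pos + count], "big")
    if length < 0x80 or data[pos] == 0:
        raise InvalidFormat(f"non-minimal length encoding at offset {pos - 1}")
    return length, pos + count


def walk_der(data, start=0, end=None, depth=0, items=None):
    """Schema-less walk returning (offset, depth, name, length, constructed) per element.

    Each top-level element is one structure; constructed elements (SEQUENCE, SET,
    explicitly tagged context-specific items) are descended into recursively.
    """
    end = len(data) if end is None else end
    items = [] if items is None else items
    pos = start
    while pos < end:
        offset = pos
        cls, constructed, number, pos = _read_tag(data, pos)
        length, pos = _read_length(data, pos)
        if pos + length > end:
            raise InvalidFormat(f"element at offset {offset} overruns its container")
        if cls == 0:
            name = UNIVERSAL.get(number, f"UNIVERSAL {number}")
        else:
            name = f"[{CLASS_PREFIX[cls]}{number}]"
        items.append((offset, depth, name, length, constructed))
        if constructed:
            walk_der(data, pos, pos + length, depth + 1, items)
        pos += length
    return items


def render(data):
    """Lines in the ASN.1 View style: offset, one bar per nesting level, the element."""
    lines = []
    for offset, depth, name, length, constructed in walk_der(data):
        note = ""
        if name.startswith("[") and not constructed:
            # An IMPLICIT-tagged primitive: its content type is only known from the schema.
            note = "  (IMPLICIT: content type needs schema knowledge)"
        lines.append(f"{offset:5d} {'| ' * depth}{name} len={length}{note}")
    return "\n".join(lines)


# Constructed sample: SEQUENCE { INTEGER 1, [0] IMPLICIT (2 opaque bytes), SET { BOOLEAN TRUE } }
SAMPLE_DER = bytes.fromhex("300c" "020101" "80026869" "31030101ff")

if __name__ == "__main__":
    print(render(SAMPLE_DER))
```

Rejecting BER-only forms (indefinite and non-minimal lengths) rather than tolerating them is deliberate: the point of DER is that each value has exactly one encoding, and a security file that needs BER leniency to parse is worth flagging rather than quietly accepting.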

© LV Project 2016. Creative Commons Attribution 4.0 International License.