diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 0a07685fa5..11e5232d95 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -3003,6 +3003,7 @@ export {
 #responseExtensions:xxx
 signatureAlgorithm: string &log &optional;
 signature: string &optional; #&log;
+ certs: vector of opaque of x509 &optional;
 };
 type CertId: record {
 hashAlgorithm: string &log &optional;
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc
index 340838eb1a..d54f1f345b 100644
--- a/src/file_analysis/analyzer/ocsp/OCSP.cc
+++ b/src/file_analysis/analyzer/ocsp/OCSP.cc
@@ -15,6 +15,16 @@
 #include
 #include
+// helper function of sk_X509_value to avoid namespace problem
+// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y)
+// X509 => file_analysis::X509
+X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
+ {
+ return sk_X509_value(certs, i);
+ }
+
+#include "file_analysis/analyzer/x509/X509.h"
+
 using namespace file_analysis;
 IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL);
@@ -404,7 +414,6 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 {
 if (resp_val == NULL)
 return NULL;
- OCSP_RESPONSE *resp = NULL;
 OCSP_RESPBYTES *resp_bytes = NULL;
 OCSP_CERTID *cert_id = NULL;
@@ -551,6 +560,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 if (len > 0)
 ocsp_resp_record->Assign(7, new StringVal(len, buf));
 }
+ //certs
+ if (basic_resp->certs)
+ {
+ VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
+ int num_certs = sk_X509_num(basic_resp->certs);
+ for (i=0; icerts, i));
+ //::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));
+ if (this_cert)
+ certs_vector->Assign(i, new file_analysis::X509Val(this_cert));
+ else
+ reporter->Weird("OpenSSL returned null certificate");
+ }
+ ocsp_resp_record->Assign(8, certs_vector);
+ }
 clean_up:
 if (basic_resp)
 OCSP_BASICRESP_free(basic_resp);
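Review bot: The new `certs` field of the exported OCSP::Response record carries no documentation, unlike a field that scripts will consume directly; a doc comment on the line above it such as `## Certificates carried in the response, if any; inspect them with x509_parse().` would say what the vector holds and how it is meant to be used. Leaving the field without `&log` looks deliberate for an opaque type, and a short note to that effect would stop the next reader from "fixing" it.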
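Review bot: `helper_sk_X509_value` is defined with external linkage in a .cc file; it should be `static X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)` (or live in an anonymous namespace) so the symbol cannot collide with another translation unit and can be inlined. The placement of `#include "file_analysis/analyzer/x509/X509.h"` below the helper and above `using namespace file_analysis;` is load-bearing, since the comment explains that the `sk_X509_value` macro would otherwise resolve `X509` to `file_analysis::X509`; the comment should state that the include must stay after this function and that the function must not be moved under the using-directive. The `= >` in the second comment line reads as a typo for `=>`.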
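Review bot: When `helper_sk_X509_value` returns NULL the loop reports a weird but leaves slot `i` of `certs_vector` unassigned, so the vector handed to scripts as `resp$certs` contains a hole; if script-side vector iteration visits unassigned slots this will surface as an error, so either verify that it skips them or assign through a separate output index so the vector stays dense. The `X509_dup` is essential rather than incidental, because `basic_resp` and the certificates it owns are freed at `clean_up` directly below while the `X509Val` presumably outlives the call; that deserves a comment on the line, e.g. `// duplicate: basic_resp->certs is freed at clean_up`, and the commented-out `sk_X509_value` variant, which would hand the script a pointer into freed memory, should be deleted rather than kept as dead code. The `for` line is not legible in this view, and ParseResponse begins and ends outside the hunk.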
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout
new file mode 100644
index 0000000000..b6a95f4f0c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout
@@ -0,0 +1 @@
+[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=]
diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test
new file mode 100644
index 0000000000..5ed2bf3253
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test
@@ -0,0 +1,15 @@
+# This tests OCSP response containing a certificate
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
+{
+if (resp?$certs)
+ {
+ for (x in resp$certs)
+ {
+ print x509_parse(resp$certs[x]);
+ }
+ }
+}
\ No newline at end of file