Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-04 15:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

add parsing certificates in OCSP responses

Browse source
This commit is contained in:
Liang Zhu 2015-08-18 19:35:43 -07:00
parent 12c68f197c
commit 1989f34a0a
4 changed files with 42 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
scripts/base/init-bare.bro
View file

@ -3003,6 +3003,7 @@ export {
#responseExtensions:xxx #responseExtensions:xxx
signatureAlgorithm: string &log &optional; signatureAlgorithm: string &log &optional;
signature: string &optional; #&log; signature: string &optional; #&log;
certs: vector of opaque of x509 &optional;
}; };
type CertId: record { type CertId: record {
hashAlgorithm: string &log &optional; hashAlgorithm: string &log &optional;

26
src/file_analysis/analyzer/ocsp/OCSP.cc
View file

@ -15,6 +15,16 @@
#include <openssl/asn1.h> #include <openssl/asn1.h>
#include <openssl/opensslconf.h> #include <openssl/opensslconf.h>
// helper function of sk_X509_value to avoid namespace problem
// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y)
// X509 => file_analysis::X509
X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
{
return sk_X509_value(certs, i);
}
#include "file_analysis/analyzer/x509/X509.h"
using namespace file_analysis; using namespace file_analysis;
IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL); IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL);
@ -404,7 +414,6 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
{ {
if (resp_val == NULL) if (resp_val == NULL)
return NULL; return NULL;
OCSP_RESPONSE *resp = NULL; OCSP_RESPONSE *resp = NULL;
OCSP_RESPBYTES *resp_bytes = NULL; OCSP_RESPBYTES *resp_bytes = NULL;
OCSP_CERTID *cert_id = NULL; OCSP_CERTID *cert_id = NULL;
@ -551,6 +560,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
if (len > 0) if (len > 0)
ocsp_resp_record->Assign(7, new StringVal(len, buf)); ocsp_resp_record->Assign(7, new StringVal(len, buf));
} }
//certs
if (basic_resp->certs)
{
VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
int num_certs = sk_X509_num(basic_resp->certs);
for (i=0; i<num_certs; i++) {
::X509 *this_cert = X509_dup(helper_sk_X509_value(basic_resp->certs, i));
//::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));
if (this_cert)
certs_vector->Assign(i, new file_analysis::X509Val(this_cert));
else
reporter->Weird("OpenSSL returned null certificate");
}
ocsp_resp_record->Assign(8, certs_vector);
}
clean_up: clean_up:
if (basic_resp) if (basic_resp)
OCSP_BASICRESP_free(basic_resp); OCSP_BASICRESP_free(basic_resp);

1
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout Normal file
View file

@ -0,0 +1 @@
[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]

15
testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test Normal file
View file

@ -0,0 +1,15 @@
# This tests OCSP response containing a certificate
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
{
if (resp?$certs)
{
for (x in resp$certs)
{
print x509_parse(resp$certs[x]);
}
}
}