add parsing certificates in OCSP responses

2025-10-04 15:48:19 +00:00 · 2015-08-18 19:35:43 -07:00 · 2015-08-18 19:35:43 -07:00 · 1989f34a0a
commit 1989f34a0a
parent 12c68f197c
4 changed files with 42 additions and 1 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -3003,6 +3003,7 @@ export {
 		#responseExtensions:xxx
 		signatureAlgorithm: string  &log &optional;
 		signature:          string  &optional;  #&log;
+		certs:              vector of opaque of x509 &optional;
 		};
 	type CertId: record {
 		hashAlgorithm:      string  &log &optional;
--- a/src/file_analysis/analyzer/ocsp/OCSP.cc
+++ b/src/file_analysis/analyzer/ocsp/OCSP.cc
@ -15,6 +15,16 @@
 #include <openssl/asn1.h>
 #include <openssl/opensslconf.h>

+// helper function of sk_X509_value to avoid namespace problem
+// sk_X509_value(X,Y) = > SKM_sk_value(X509,X,Y)
+// X509 => file_analysis::X509
+X509 *helper_sk_X509_value(STACK_OF(X509) *certs, int i)
+	{
+	return sk_X509_value(certs, i);
+	}
+
+#include "file_analysis/analyzer/x509/X509.h"
+
 using namespace file_analysis;

 IMPLEMENT_SERIAL(OCSP_REQVal, SER_OCSP_REQ_VAL);
@ -404,7 +414,6 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 	{
 	if (resp_val == NULL)
 		return NULL;
-
 	OCSP_RESPONSE   *resp        = NULL;
 	OCSP_RESPBYTES  *resp_bytes  = NULL;
 	OCSP_CERTID     *cert_id     = NULL;
@ -551,6 +560,21 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 		if (len > 0)
 			ocsp_resp_record->Assign(7, new StringVal(len, buf));
 		}
+	//certs
+	if (basic_resp->certs)
+		{
+		VectorVal *certs_vector = new VectorVal(internal_type("x509_opaque_vector")->AsVectorType());
+		int num_certs = sk_X509_num(basic_resp->certs);
+		for (i=0; i<num_certs; i++) {
+			::X509 *this_cert = X509_dup(helper_sk_X509_value(basic_resp->certs, i));
+			//::X509 *this_cert = X509_dup(sk_X509_value(basic_resp->certs, i));
+			if (this_cert)
+				certs_vector->Assign(i, new file_analysis::X509Val(this_cert));
+			else
+				reporter->Weird("OpenSSL returned null certificate");
+		}
+		ocsp_resp_record->Assign(8, certs_vector);
+	  }
 clean_up:
 	if (basic_resp)
 		OCSP_BASICRESP_free(basic_resp);
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-response-cert/.stdout
@ -0,0 +1 @@
+[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-response-cert.test
@ -0,0 +1,15 @@
+# This tests OCSP response containing a certificate
+
+# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
+{
+if (resp?$certs)
+        {
+	for (x in resp$certs)
+		{
+		print x509_parse(resp$certs[x]);
+		}
+	}
+}
				`@ -0,0 +1 @@`
				`[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]`