diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index d9604740a7..9059a3e250 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -620,15 +620,33 @@ double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char*
 	}
 
 	tm lTime;
-	lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
-	lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
-	lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
-	lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
-	lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
-	lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
+	size_t i;
+	if ( atime->type == V_ASN1_GENERALIZEDTIME )
+		{
+		// YYYY format
+		lTime.tm_year = (lBuffer[0] - '0') * 1000;
+		lTime.tm_year += (lBuffer[1] - '0') * 100;
+		lTime.tm_year += (lBuffer[2] - '0') * 10;
+		lTime.tm_year += (lBuffer[3] - '0');
+		if ( lTime.tm_year > 1900)
+			lTime.tm_year -= 1900;
+		i = 4;
+		}
+	else
+		{
+		// YY format
+		lTime.tm_year = (lBuffer[0] - '0') * 10;
+		lTime.tm_year += (lBuffer[1] - '0');
+		if ( lTime.tm_year < 50 )
+			lTime.tm_year += 100; // RFC 2459
+		i = 2;
+		}
 
-	if ( lTime.tm_year < 50 )
-		lTime.tm_year += 100; // RFC 2459
+	lTime.tm_mon = ((lBuffer[i+0] - '0') * 10) + (lBuffer[i+1] - '0') - 1; // MM
+	lTime.tm_mday = ((lBuffer[i+2] - '0') * 10) + (lBuffer[i+3] - '0'); // DD
+	lTime.tm_hour = ((lBuffer[i+4] - '0') * 10) + (lBuffer[i+5] - '0'); // hh
+	lTime.tm_min = ((lBuffer[i+6] - '0') * 10) + (lBuffer[i+7] - '0'); // mm
+	lTime.tm_sec = ((lBuffer[i+8] - '0') * 10) + (lBuffer[i+9] - '0'); // ss
 
 	lTime.tm_wday = 0;
 	lTime.tm_yday = 0;
diff --git a/testing/btest/Baseline/core.x509-generalizedtime/output b/testing/btest/Baseline/core.x509-generalizedtime/output
new file mode 100644
index 0000000000..75605f5668
--- /dev/null
+++ b/testing/btest/Baseline/core.x509-generalizedtime/output
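Review bot: The GeneralizedTime branch converts the parsed year into a tm_year offset only when it is strictly greater than 1900, so a year of exactly 1900 (or anything earlier) is left as a four-digit value and, since tm_year is years since 1900, gets interpreted as a year around 3800; the subtraction should be unconditional, `lTime.tm_year -= 1900;`. The digit arithmetic on lBuffer[0..3] and lBuffer[i+0..i+9] also trusts that every byte is an ASCII digit, which a malformed certificate taken off the wire need not satisfy, so a check over the consumed bytes such as `if ( ! isdigit((unsigned char) lBuffer[k]) ) return 0;` (or reporting a Weird, as the rest of the analyzer appears to do) would keep garbage out of the tm fields. Whether lBuffer is guaranteed to hold at least 14 bytes for the V_ASN1_GENERALIZEDTIME case depends on the length check and copy performed earlier in the function, which is not visible here; GetTimeFromAsn1 starts and ends outside the hunk.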
@@ -0,0 +1,16 @@
+----- x509_certificate ----
+subject: CN=bro-generalizedtime-test,O=Bro,C=NL
+not_valid_before: 2015-09-01-13:33:37.000000000 (epoch: 1441114417.0)
+not_valid_after : 2025-09-01-13:33:37.000000000 (epoch: 1756733617.0)
+----- x509_certificate ----
+subject: CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US
+not_valid_before: 2011-05-04-00:00:00.000000000 (epoch: 1304467200.0)
+not_valid_after : 2016-07-04-23:59:59.000000000 (epoch: 1467676799.0)
+----- x509_certificate ----
+subject: CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+not_valid_before: 2010-04-16-00:00:00.000000000 (epoch: 1271376000.0)
+not_valid_after : 2020-05-30-10:48:38.000000000 (epoch: 1590835718.0)
+----- x509_certificate ----
+subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+not_valid_before: 2000-05-30-10:48:38.000000000 (epoch: 959683718.0)
+not_valid_after : 2020-05-30-10:48:38.000000000 (epoch: 1590835718.0)
diff --git a/testing/btest/Traces/tls/x509-generalizedtime.pcap b/testing/btest/Traces/tls/x509-generalizedtime.pcap
new file mode 100644
index 0000000000..6f026034df
Binary files /dev/null and b/testing/btest/Traces/tls/x509-generalizedtime.pcap differ
diff --git a/testing/btest/core/x509-generalizedtime.bro b/testing/btest/core/x509-generalizedtime.bro
new file mode 100644
index 0000000000..5d82b28ca8
--- /dev/null
+++ b/testing/btest/core/x509-generalizedtime.bro
@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/x509-generalizedtime.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls1.2.trace %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+	{
+	print "----- x509_certificate ----";
+	print fmt("subject: %s", cert$subject);
+	print fmt("not_valid_before: %T (epoch: %s)", cert$not_valid_before, cert$not_valid_before);
+	print fmt("not_valid_after : %T (epoch: %s)", cert$not_valid_after, cert$not_valid_after);
+	}