From 2327f5bba509244f3c00d0d5ecc4176c181d1a46 Mon Sep 17 00:00:00 2001
From: Yun Zheng Hu
Date: Thu, 10 Sep 2015 10:50:35 +0200
Subject: [PATCH] Fixed parsing of V_ASN1_GENERALIZEDTIME timestamps in x509 certificates

---
 src/file_analysis/analyzer/x509/X509.cc | 34 +++++++++++++-----
 .../Baseline/core.x509-generalizedtime/output | 16 +++++++++
 .../Traces/tls/x509-generalizedtime.pcap | Bin 0 -> 8770 bytes
 testing/btest/core/x509-generalizedtime.bro | 10 ++++++
 4 files changed, 52 insertions(+), 8 deletions(-)
 create mode 100644 testing/btest/Baseline/core.x509-generalizedtime/output
 create mode 100644 testing/btest/Traces/tls/x509-generalizedtime.pcap
 create mode 100644 testing/btest/core/x509-generalizedtime.bro

diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index d9604740a7..9059a3e250 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -620,15 +620,33 @@ double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char*
 }
 
 tm lTime;
- lTime.tm_sec = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
- lTime.tm_min = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
- lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
- lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
- lTime.tm_mon = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
- lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
+ size_t i;
+ if ( atime->type == V_ASN1_GENERALIZEDTIME )
+ {
+ // YYYY format
+ lTime.tm_year = (lBuffer[0] - '0') * 1000;
+ lTime.tm_year += (lBuffer[1] - '0') * 100;
+ lTime.tm_year += (lBuffer[2] - '0') * 10;
+ lTime.tm_year += (lBuffer[3] - '0');
+ if ( lTime.tm_year > 1900)
+ lTime.tm_year -= 1900;
+ i = 4;
+ }
+ else
+ {
+ // YY format
+ lTime.tm_year = (lBuffer[0] - '0') * 10;
+ lTime.tm_year += (lBuffer[1] - '0');
+ if ( lTime.tm_year < 50 )
+ lTime.tm_year += 100; // RFC 2459
+ i = 2;
+ }
 
- if ( lTime.tm_year < 50 )
- lTime.tm_year += 100; // RFC 2459
+ lTime.tm_mon = ((lBuffer[i+0] - '0') * 10) + (lBuffer[i+1] - '0') - 1; // MM
+ lTime.tm_mday = ((lBuffer[i+2] - '0') * 10) + (lBuffer[i+3] - '0'); // DD
+ lTime.tm_hour = ((lBuffer[i+4] - '0') * 10) + (lBuffer[i+5] - '0'); // hh
+ lTime.tm_min = ((lBuffer[i+6] - '0') * 10) + (lBuffer[i+7] - '0'); // mm
+ lTime.tm_sec = ((lBuffer[i+8] - '0') * 10) + (lBuffer[i+9] - '0'); // ss
 
 lTime.tm_wday = 0;
 lTime.tm_yday = 0;
diff --git a/testing/btest/Baseline/core.x509-generalizedtime/output b/testing/btest/Baseline/core.x509-generalizedtime/output
new file mode 100644
index 0000000000..75605f5668
--- /dev/null
+++ b/testing/btest/Baseline/core.x509-generalizedtime/output
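Review bot: The GeneralizedTime branch subtracts 1900 only when the parsed year is strictly greater than 1900, so a certificate dated exactly 1900 or earlier leaves `tm_year` holding an absolute year instead of the years-since-1900 offset that `struct tm` requires, and the resulting epoch is off by about nineteen centuries; GeneralizedTime years are always four absolute digits, so the guard should go and the subtraction become unconditional: `lTime.tm_year -= 1900;` in place of the `if ( lTime.tm_year > 1900)` pair. The digit arithmetic also trusts that every consumed byte is an ASCII digit, so a malformed notBefore/notAfter in an attacker-supplied certificate produces arbitrary field values rather than a parse failure; as far as the hunk shows nothing rejects non-digits first, and a loop over the bytes actually read (indices 0 through i+9) with `if ( ! isdigit((unsigned char) lBuffer[k]) ) return 0;` would make the parser fail closed, unless a format check earlier in the function already covers this. Whether lBuffer is guaranteed to hold the 14 bytes the GeneralizedTime path reads (i+9 == 13) cannot be confirmed from this hunk either, since the length handling is not visible. GetTimeFromAsn1 begins and ends outside the hunk.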
@@ -0,0 +1,16 @@
+----- x509_certificate ----
+subject: CN=bro-generalizedtime-test,O=Bro,C=NL
+not_valid_before: 2015-09-01-13:33:37.000000000 (epoch: 1441114417.0)
+not_valid_after : 2025-09-01-13:33:37.000000000 (epoch: 1756733617.0)
+----- x509_certificate ----
+subject: CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US
+not_valid_before: 2011-05-04-00:00:00.000000000 (epoch: 1304467200.0)
+not_valid_after : 2016-07-04-23:59:59.000000000 (epoch: 1467676799.0)
+----- x509_certificate ----
+subject: CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+not_valid_before: 2010-04-16-00:00:00.000000000 (epoch: 1271376000.0)
+not_valid_after : 2020-05-30-10:48:38.000000000 (epoch: 1590835718.0)
+----- x509_certificate ----
+subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+not_valid_before: 2000-05-30-10:48:38.000000000 (epoch: 959683718.0)
+not_valid_after : 2020-05-30-10:48:38.000000000 (epoch: 1590835718.0)
diff --git a/testing/btest/Traces/tls/x509-generalizedtime.pcap b/testing/btest/Traces/tls/x509-generalizedtime.pcap new file mode 100644 index 0000000000000000000000000000000000000000..6f026034df358a0dd174d3f7b5d69047444d88cb GIT binary patch literal 8770 zcmbuFbyQSs*T&B<4BZWag0zTqDh<*hB^}a&bO}mHr*un$w9?HG(%ndxgmj0%H{-jO zua7?K{pXvt_FA07%QDd$1&{y$;lr=OfG`sFDD>kD2o}|Ir=a?L6Gs{Nn?E7k-qt?>00cxx1qcj= zfIui{56Q^*;lD#f_zztiMu)%o=Lddr|FgzVI_$G>Izkzo3||3MKXcB0O21*S@gQ7xFpbSuYC;=27iU*~G(n29n zL?{^g0Llo(hGIc60ZYIP-~%`SB0vCm0&oE=02&k-iVH=6VgL|WkxPLRAPfivf`Jg& z^7jEW00lq-hyfCS6hH?MVD~Tq3;+!RLIfdz5Wxswxc6(A_g~rkvre2|)o|}V2!GUR z2Ue#OFC5@IFWY~-!+dMQY9s_FzG6cHJix%u_|J~|Z{@+ZUNvx{$CrO4k^tWyzxqYg zffI?qU_cWA0Mx+XHFS~`R-$|5x0PlN7u}tP2JN`}UBhPbr~9c~yBy>Dl$sjOynK=@ zwc`y-O6WWe6ND7VAyVh}zDsv@n5`sA+CUj#DYyl}PXIcA2nIk1FgoZ49ROVdpfdn; z%<2Q$hlM5r0(gTJ6AAT!zm)$OCI|$90IY&+=&YznU^PS}d;|qKHVjrY_yrmUSk&Hz zjf(Xi{0fXg^1|MR+04Y+#NN=#!p+3k(c+Z}v!jWFBkO$=EPHZ~5}i$@E7 zgZ=j#|L--t(|%VCf&gIeFo4xN2*KMMSbQ(Wd%H+3>Jf{Gkc2);ae`wo(e#vgI_PD# zobRTFy1X*+JRQZ!b%mcRF{8x6HZ*A4c4%9S(siSdE{nN#Br|(iTuJHl!?SRsdyEG; z*X89@OKs|M+cdR`kyZ6wR>_9`ji=U7E;|hcD@6yJfocG~aofyk_A^s}EoioO7y))H zK)=g_B^3CM)y3vzPR*5x=Cy7r4SxQzL*qv*ex=2U+%P?aFgkOkT9r-9k@fKo= zt;eZ$a^gZjfEVABnh&OcF-RQXjB=muA=7WBY&}1}=v}DJgKT+)q1u0*tlSclj^#fm z+9I5zXtR2to?N-FVrr^>aeewj->0gL6AKxE&XVmoa;zAU`R+?kRbn}2PX&)4tedH9 z>WU%%s|T;`5AR@JiOEna{jkp*E?hIZ>#xYeaf4bcS@#g`2oVd`%HXFFoBg-*{b!fw z%u-6JXf7<8!IU%ZJd8kl4f9x0T)RzRBmF=Txr$d>*PX(7x_ z$nAX8rt(waq7GSDG++CH-vgz2azy6lRxX>44twPxc0Ke~WBM*HPD^sQ_*t0v|Iyv+ z;Nrb+|0NxT|B?=CI1zL2w{-lO;54uLpTy{YCBnKpZ_2Ok4o|T4Z|SIZEm2I!qwi`( zNq$CtOz0k&<;N3Zh+t)l?Z#zYYjoh7fW#q?yko*s`xQOqME)H({r)<}lm5@zyH|DI zhy@HLqoRHNp@#A6`SOiFmV9P%Vr#Ri%CAgmT1zt6qO~~S;)h`3f2HHE!;tO+7yp9i zk6ISOY8eAN3_s#8{#i>nk(~({n1pQ%c>J|Hx|Ke`iJu++l?dA%1^+z^9`M~k4BHp) zh4P=K81_x6OfVu{L1W7nNF_Cg*?64&7yb&Kt8RCDA>MfP!}fSOnMb)&Ng+yfjRR8YxklsH{8s9V0pz->A_LK-tggp{lLt^Inc^_Dw0t7|10ond4O z>LvAqQT$^^L+-Bn2bh2)Gu2!Kx^B$ca}qKxKfSHe>QtVhsoFg{&5ws&p2SeaZ;s8^ 
zOFnqk>K&9}bLKdHp~86M+ezy6?v_{AsC9}FA9ZzVWo9xRVx7vpRG|xwf=7W(rsGqe z+!u?=Z#e90KUHWEN=my9^dGzX5>RI`^5m}bZJxThi=JU%4JLY8;e)CrJjIb(bTifN zuH2A>a*5hx4^->Pq@olwr+IcMPN>?qXI%O2X~|Tc$t-b=q4t(C*d>OAFP7C!A0SO~ z0EON6`E%%`S1ohqQoWe_?Kt!KqctkBKeAY-VQD=gh<%&aA7W}4*;*DLeF`QtJPo!P zx#)A_k4$!)WbCDl;*Jir7wr|n(&2E9#>lWVh= zlkdh@&|V4&bCBoc-4p|!cQxL3-m{}c(q6{cyI^GY%K1LR;%X!-xOnJRFO6NB6&rmu z^oEnRtn0$~0M*9LRYC*%fj<*PgMaCFD-Zw4@3!gUm9l(MCWmP+w~vz<<>KZiq ze)6ls(@2j8T8P0=ic4(=KG1;w*Ar zsDJ9`T{{LYEPTNyu43)4g@W$)N;zRl7A{CeEGMU%+EroUXZjX05R z)uu#bb%(5uO%CO)&=};v)*~j7m1(pnet*%dw_Wroj?w1j2lUmg=9Nx^J?0DcjYCfU z%gtUEp?pXY$2m_n$TIm^L#` z$$k3vuS-vWlAsVN4$`?qW74(hCu+!YO++IjD<5~Zq0)_V=W%mUcPjw83K4+ne z2yZT8HBXzF)*+kTUG2;+uT@+IN%8jHucf?@+UZ7(?2>_8iyO+ zVm6!>rtkBc>Z3>6NT`Lq#^Doh%TQ`w(oQVw0Qv`rw->KMkVb2fICqG9ye#MB`=a2Y8knd zJ7k|KmG4>I!Hr%~X*8Mg;9?38X5uoxpC~F&i_8;#uU0y@bFG84z?+&IvImJ$^Sx(V zw4H`f9WCePb1NOv{8*)vudo=&K$IzlCs}ac{ML{$iCkb+6$eVUEEMF8xM~ieA}~}v z^SB6A`o`q)LE!5;d!xh4dZ(8Qvn1K#IF!fv!66m)PkAp^4uvB-LcX*KY3Fla%CGcw zcT$V8i3T1E3jNri-X{k=m)LEe9I~qr=%)N=ix$E_#y|P`1=s1PbUfLw<9bN6uH_3K z*h~AA*WRBU-4VS1RxF=)0^{ zj1`&pVzbmEw+?w#gje0!%=+r&A7Hplv;~gc@t5ZC`>@_?8;C|lBH|rc)7&1LQ?vT-*T3)B1=#b!Aj0yDGB9(|;m$5hpOFYzq_o9F|!@(E~UUH6eH zk!_H56FGCL_6;t}w1fdMpJIkf@w8KlPIyhs2l2<5Y%@iC{-V|hn7kc7hD`HJw;aws zy(}3$FkbD6^~#xyeo?LZ1)<=2sb}Q*#uqcG_jf-xYh~0Z4}Z<8QLFwjI$VY4tr71~ z5#9SK0KB4jR|mt40}Bi~t}uTb9Rj|ObMk!EODJzcg=ZLJSyb{dpB#UNAc)>q-Wc0K zx87;}5kBYO=k-npzqu&QA0_!lWil$9wG%>^n?$%u8Sy5W?^*pK(g!H@9~ve?^PQMh zUGifPLjsGfMir5`SiCFqJ)WP}E`Jdm{34*7)LyXNlwbp4%e3Ch9jUSnKGOa`kOsv7 zzer%YQy(a0LNrTqd=+l}`g3Tg*ZbPR*iUUw*bTuS7&M61!;-vFXR(D)ymth~2p>;y z`DB00Ik3Pccj}kSTP7t9B~ua`{Uqfk&g~`2O=obV-+~%5eU^>Ov!K`5&v;^<=#@I3 zfp=_S@B>6&l=BW{I+uri!UHuem%ZZyS7-{ORr^q|rQmm0D51lBI}fuWc`YC^P1GIa zsaf}?G0P@T#T|9K6zJ1P`zF6N!?T7QPx_D%!jaSc1vgSxeT{sRS4iPbvCUqyn`dcO z1`dsf`jQTxSoi+f;P|KrTNB?gB3R3$UCKQ_wXm=|PD(oT=&bWK1Foq#_9^9)MzT*Y zIA11Hi0g$UBPyxduD(N0H@s$6jhklo0f8m5kCn$PM1w`#Jw7Xg6WuiSS7_qZ41Ig& 
z2x9~LY`wx%TbC2)7aSy(y%72rj{<<)XSY3N_tGa)HQzoPD%m(kk8^R>C8O$|SAT0R zxkmmGFVPBwM>th^rvOWVcSe`_m9ags*%y=rBn%>oaI{{OK1%2uzQFyqM7#-U6JOfw zG<>b@_#M|A;xy$w)`5Myo=N(R#!^afA4+A2WvdHn$x>o>^((anS&FJiA5O-zd@0bN@)W2~176)l}4mfLyO zTUPbRcjtE{qLYOr)}@Ja%LKBot1BO<-ui*c9c~c5MwvX@?7VAChF>_C5($WR-Y6z~ z`gYA^huNjdoJuH1cMv;wE9I|wt&1sPo+;TewI-SO#n5`~Dc2#xNgaEu1pyUXt9uu1 z;2luet>kB$b$iaz=)BTAn#Slw{A9Kclf46!M!6~FMO_JnkW^X+C!~j{_ug|fai9eq zTM0S&QP48HmG^Q7B!J>d@iUH>1|C@9BFu6M$#nSS+-ky(j^gnb=)bVo~SUn*5x3} zY3=M#Vt79^auXq;?4=hoN7%^H^*p0<zZLiAW>bOM9w8i6*RBDwB~Z|1^p+X0=nFU#3es}<_KxoyVi>e7B>U^TMrD&vpp zQp}rd`9onQy^}~UN^?8oJ9avc_1D4-X}K}3>pF1Io(Eeb^uC=Z)5Ck|-fQ?vaN66=uk(qhB2 z5cADz=f-&RgEY<8rVEPVt(B*{4~!c3@EPJuLhcs0eYc5tZqCE`@+b>CtDJ0I!(E@< zMAFo;>DlW>)eb6mL4voqlSc~+d-QZ70NVXwn{#zlB}sX4I(F4j4u5-InhO-bR$QdF zLs2&Wieb$CtNLR-r#?tB8ckpr!rgZ>5KQ$GR3%eaUrc1qSWMlHb)Q;5Wy_nQ7jI~9R)&NikU}@o?-UGIqOMQW>pUL@kH|nv zHaNc&Fx9;i?-!g@!F{vBD; zckQ0v$3y3Li4NZ@T^*XtR@4mbBvy3TT*g&sTSvK=5$R-0$PF;(cs`AFY=gs-|NV(Q8G*0F2{Jik@XZWm zJ@n} z&qqIdCm>tFHT0R<#6!P6s^xI`UBp{aa?|I;WUHzLyIsW}Ie~AFp_TRR1@hz0kpwhO z_45t4_6u(MZMy6+iV2tl?hYPDSFM}`0UM;~H5%~Rhqj)Ec8nQNf>F~Q zZD=H}c2i2drf)%7vwFM8SU%Zzay%0CVjY(+vX&pXZ_hQy20y7do&)UFoa_p(j6ID; zNKdD1D>K5K>0&x#a~nh(4C&{^){j!QxL`0rZq> z&t)LX=shDvLCmq$`#Pd02a$}99CgP(s7QA1QcF4X(mJ@j4bdWK8hum%UjOQ$mxahn zD0loV*VSQLtmd59jTS?Ac+M~eM+|pb=~39T)LW&te)9wHKEo-(0y)Tf>|Mn5MhcO% zV%%)=D0i9~Ru^J^XS8t`CmZdqozqK$Itsqmfp4Hf2?NnvllA?wO?sU<6%1rUf+_k618 z7_%n!Ld9JzMsQ`t!yloFxd=ibF;;wMlYK>|Kx*Iof{yzn@^ob($eCkOZjSRI;ofVL z;QBR=A0p$i6@Ka&`7{-`I0u_fv?lkV(T=_^sqEciHO^-xTEa_0C3Pa0KUnG`I7Dw5 zCb+4LE07)J&zzR9zMZUgFpG9)bupN|?;{I9d1&veZPU1~Aj=q5K4w8bN5?3Yk?F^9 zXZC>$GY^S9-9YLaEDxkvU5@*7Mpch5$>JY=J;NDqLMLy&{VIjN1-e8YEUi4BJ3>VA zBNREfNT;j^%FE`u8E`f5-6%h*2=1}UMhEC?QhoE5YeShIORCVm@}UXTmL7C-J$h3a54Q48uFqdjDFhb8(ZuZW(Ijm5S)5Yk%w2Dxdi z_~C5qVAV$axb_nwXYM!}?f7Hb4$x+xcprllwWNVXFLrt>GAvw#0h`Yp7iubs=oh7Al0BNkc?J{a5NC9b z9~?;0-vo^!eq2tydzbLhJiPfy(L zeb1gN*Y*uO@ifh~G+(-H@YVix%zi!}t!{0H2;+Fy+uV`u1F5^sPiG*Er;n3!3BO=v 
z#%XWlLi_Iiz&?+OyWqQH|HZg;OMl0+J#9p5h#>O{vx`;S9>X&AUWNNwl`M09pKZj` z)Q%dv`m)jOhE|+m!wqxrHsMMGwsig!nKM57jZOe)!wiN7+Pkk>f(bpLccbito z3;iTJ5$a6c+ZsEG@diKRui)#C01RBl={ zmn|G5jmYqu>9_mmZ7KsDrg`i}#L9pgeC&$IjQrnu^`FCbPA}-sVf)2D$F3T+KgX`Pz|n6H zXMc`e|04c10cVSZ6Nef8Ij?qxJSVe-qLFCsFo0oLDvRH&LS&rg7d!`fsAr|0M35!-)hf|3a*TYxJS}n|SXL zG7t|N`NQL{xqlGKPvV8uzY<|{fAN-o5(!~*e z+>eMt(~eabBoR`D5uct2HOjv6yOmZya-Ulh3Lq_tJ2uRTf4CrmCohwsW#2_9v;5 x+n%?gtJ1=Y!v>Sd4O0k@Kj-!UgZ%>Bc*HlD%-_C+p;7nq&9E>output 2>&1 +# @TEST-EXEC: bro -C -r $TRACES/tls/tls1.2.trace %INPUT >>output 2>&1 +# @TEST-EXEC: btest-diff output +event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) + { + print "----- x509_certificate ----"; + print fmt("subject: %s", cert$subject); + print fmt("not_valid_before: %T (epoch: %s)", cert$not_valid_before, cert$not_valid_before); + print fmt("not_valid_after : %T (epoch: %s)", cert$not_valid_after, cert$not_valid_after); + }