Fixed parsing of V_ASN1_GENERALIZEDTIME timestamps in x509 certificates

src/file_analysis/analyzer/x509/X509.cc

@@ -620,15 +620,33 @@ double file_analysis::X509::GetTimeFromAsn1(const ASN1_TIME* atime, const char*
 		}
 
 	tm lTime;
-	lTime.tm_sec  = ((lBuffer[10] - '0') * 10) + (lBuffer[11] - '0');
+	size_t i;
-	lTime.tm_min  = ((lBuffer[8] - '0') * 10) + (lBuffer[9] - '0');
+	if ( atime->type == V_ASN1_GENERALIZEDTIME )
-	lTime.tm_hour = ((lBuffer[6] - '0') * 10) + (lBuffer[7] - '0');
+		{
-	lTime.tm_mday = ((lBuffer[4] - '0') * 10) + (lBuffer[5] - '0');
+		// YYYY format
-	lTime.tm_mon  = (((lBuffer[2] - '0') * 10) + (lBuffer[3] - '0')) - 1;
+		lTime.tm_year =  (lBuffer[0] - '0') * 1000;
-	lTime.tm_year = ((lBuffer[0] - '0') * 10) + (lBuffer[1] - '0');
+		lTime.tm_year += (lBuffer[1] - '0') * 100;
-
+		lTime.tm_year += (lBuffer[2] - '0') * 10;
+		lTime.tm_year += (lBuffer[3] - '0');
+		if ( lTime.tm_year > 1900)
+			lTime.tm_year -= 1900;
+		i = 4;
+		}
+	else
+		{
+		// YY format
+		lTime.tm_year =  (lBuffer[0] - '0') * 10;
+		lTime.tm_year += (lBuffer[1] - '0');
 		if ( lTime.tm_year < 50 )
 			lTime.tm_year += 100; // RFC 2459
+		i = 2;
+		}
+
+	lTime.tm_mon  = ((lBuffer[i+0] - '0') * 10) + (lBuffer[i+1] - '0') - 1; // MM
+	lTime.tm_mday = ((lBuffer[i+2] - '0') * 10) + (lBuffer[i+3] - '0');     // DD
+	lTime.tm_hour = ((lBuffer[i+4] - '0') * 10) + (lBuffer[i+5] - '0');     // hh
+	lTime.tm_min  = ((lBuffer[i+6] - '0') * 10) + (lBuffer[i+7] - '0');     // mm
+	lTime.tm_sec  = ((lBuffer[i+8] - '0') * 10) + (lBuffer[i+9] - '0');     // ss
 
 	lTime.tm_wday = 0;
 	lTime.tm_yday = 0;

testing/btest/Baseline/core.x509-generalizedtime/output

@@ -0,0 +1,16 @@
+----- x509_certificate ----
+subject: CN=bro-generalizedtime-test,O=Bro,C=NL
+not_valid_before: 2015-09-01-13:33:37.000000000 (epoch: 1441114417.0)
+not_valid_after : 2025-09-01-13:33:37.000000000 (epoch: 1756733617.0)
+----- x509_certificate ----
+subject: CN=*.taleo.net,OU=Comodo PremiumSSL Wildcard,OU=Web,O=Taleo Inc.,street=4140 Dublin Boulevard,street=Suite 400,L=Dublin,ST=CA,postalCode=94568,C=US
+not_valid_before: 2011-05-04-00:00:00.000000000 (epoch: 1304467200.0)
+not_valid_after : 2016-07-04-23:59:59.000000000 (epoch: 1467676799.0)
+----- x509_certificate ----
+subject: CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
+not_valid_before: 2010-04-16-00:00:00.000000000 (epoch: 1271376000.0)
+not_valid_after : 2020-05-30-10:48:38.000000000 (epoch: 1590835718.0)
+----- x509_certificate ----
+subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
+not_valid_before: 2000-05-30-10:48:38.000000000 (epoch: 959683718.0)
+not_valid_after : 2020-05-30-10:48:38.000000000 (epoch: 1590835718.0)

testing/btest/core/x509-generalizedtime.bro

@@ -0,0 +1,10 @@
+# @TEST-EXEC: bro -C -r $TRACES/tls/x509-generalizedtime.pcap %INPUT >>output 2>&1
+# @TEST-EXEC: bro -C -r $TRACES/tls/tls1.2.trace %INPUT >>output 2>&1
+# @TEST-EXEC: btest-diff output
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+        {
+                print "----- x509_certificate ----";
+                print fmt("subject: %s", cert$subject);
+                print fmt("not_valid_before: %T (epoch: %s)", cert$not_valid_before, cert$not_valid_before);
+                print fmt("not_valid_after : %T (epoch: %s)", cert$not_valid_after, cert$not_valid_after);
+        }