From 5dd19f84a71ca37ebcaa9fbd3b4e6571c95fa329 Mon Sep 17 00:00:00 2001 From: Johanna Amann Date: Tue, 7 Feb 2017 13:31:21 -0800 Subject: [PATCH] Add parsing of signed certificate timestamps out of X.509 certs. This is a tiny bit evil because it uses parts of the SSL protocol analyzer in the X.509 certificate parser. Which is the fault of the protocol, which replicates the functionality. --- src/analyzer/protocol/ssl/CMakeLists.txt | 1 + .../protocol/ssl/tls-handshake-protocol.pac | 5 -- ...handshake-signed_certificate_timestamp.pac | 5 ++ .../analyzer/x509/CMakeLists.txt | 1 + src/file_analysis/analyzer/x509/X509.cc | 47 +++++++++++++++ src/file_analysis/analyzer/x509/X509.h | 1 + src/file_analysis/analyzer/x509/events.bif | 19 ++++++ .../analyzer/x509/x509-extension.pac | 54 ++++++++++++++++++ .../x509-signed_certificate_timestamp.pac | 1 + .../.stdout | 4 ++ .../Traces/tls/certificate-with-sct.pcap | Bin 0 -> 7584 bytes .../x509/signed_certificate_timestamp.test | 7 +++ 12 files changed, 140 insertions(+), 5 deletions(-) create mode 100644 src/file_analysis/analyzer/x509/x509-extension.pac create mode 120000 src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac create mode 100644 testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout create mode 100644 testing/btest/Traces/tls/certificate-with-sct.pcap create mode 100644 testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test diff --git a/src/analyzer/protocol/ssl/CMakeLists.txt b/src/analyzer/protocol/ssl/CMakeLists.txt index 0f45aa1f32..14e41892c8 100644 --- a/src/analyzer/protocol/ssl/CMakeLists.txt +++ b/src/analyzer/protocol/ssl/CMakeLists.txt @@ -12,6 +12,7 @@ bro_plugin_pac(tls-handshake.pac tls-handshake-protocol.pac tls-handshake-analyz proc-client-hello.pac proc-server-hello.pac proc-certificate.pac + tls-handshake-signed_certificate_timestamp.pac ) bro_plugin_pac(ssl.pac ssl-dtls-analyzer.pac ssl-analyzer.pac ssl-dtls-protocol.pac ssl-protocol.pac ssl-defs.pac proc-client-hello.pac diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac index 1f3d418717..911ad96bd7 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac @@ -554,11 +554,6 @@ type KeyShare(rec: HandshakeRecord) = case rec.msg_type of { default -> other : bytestring &restofdata &transient; }; -type SignatureAndHashAlgorithm() = record { - HashAlgorithm: uint8; - SignatureAlgorithm: uint8; -} - type SignatureAlgorithm(rec: HandshakeRecord) = record { length: uint16; supported_signature_algorithms: SignatureAndHashAlgorithm[] &until($input.length() == 0); diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac index ad9b9d5651..f921db0790 100644 --- a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac +++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac @@ -2,6 +2,11 @@ # If included there, it uses the exact same syntax and we just symlink it from the X.509 # file analyzer tree. +type SignatureAndHashAlgorithm() = record { + HashAlgorithm: uint8; + SignatureAlgorithm: uint8; +} + type SignedCertificateTimestampList(rec: HandshakeRecord) = record { length: uint16; SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0); diff --git a/src/file_analysis/analyzer/x509/CMakeLists.txt b/src/file_analysis/analyzer/x509/CMakeLists.txt index aa663cfa6e..9a2d936c57 100644 --- a/src/file_analysis/analyzer/x509/CMakeLists.txt +++ b/src/file_analysis/analyzer/x509/CMakeLists.txt @@ -7,4 +7,5 @@ include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} bro_plugin_begin(Bro X509) bro_plugin_cc(X509.cc Plugin.cc) bro_plugin_bif(events.bif types.bif functions.bif) +bro_plugin_pac(x509-extension.pac x509-signed_certificate_timestamp.pac) bro_plugin_end() diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index da3c6635a8..e85bc5615d 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -4,6 +4,7 @@ #include "X509.h" #include "Event.h" +#include "x509-extension_pac.h" #include "events.bif.h" #include "types.bif.h" @@ -298,6 +299,52 @@ void file_analysis::X509::ParseExtension(X509_EXTENSION* ex) else if ( OBJ_obj2nid(ext_asn) == NID_subject_alt_name ) ParseSAN(ex); + + else if ( OBJ_obj2nid(ext_asn) == NID_ct_cert_scts || OBJ_obj2nid(ext_asn) == NID_ct_precert_scts ) + ParseSignedCertificateTimestamps(ex); + } + +void file_analysis::X509::ParseSignedCertificateTimestamps(X509_EXTENSION* ext) + { + // Ok, signed certificate timestamps are a bit of an odd case out; we don't + // want to use the (basically nonexistant) OpenSSL functionality to parse them. + // Instead we have our own, self-written binpac parser to parse just them, + // which we will initialize here and tear down immediately again. + + ASN1_OCTET_STRING* ext_val = X509_EXTENSION_get_data(ext); + // the octet string of the extension contains the octet string which in turn + // contains the SCT. Obviously. + + unsigned char* ext_val_copy = (unsigned char*) OPENSSL_malloc(ext_val->length); + unsigned char* ext_val_second_pointer = ext_val_copy; + memcpy(ext_val_copy, ext_val->data, ext_val->length); + + ASN1_OCTET_STRING* inner = d2i_ASN1_OCTET_STRING(NULL, (const unsigned char**) &ext_val_copy, ext_val->length); + if ( !inner ) + { + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse inner octet string"); + return; + } + + binpac::X509Extension::MockConnection* conn = new binpac::X509Extension::MockConnection(this); + binpac::X509Extension::SignedCertTimestampExt* interp = new binpac::X509Extension::SignedCertTimestampExt(conn); + + try + { + interp->NewData(inner->data, inner->data + inner->length); + } + catch( const binpac::Exception& e ) + { + // throw a warning or sth + reporter->Error("X509::ParseSignedCertificateTimestamps could not parse SCT"); + } + + OPENSSL_free(ext_val_second_pointer); + + interp->FlowEOF(); + + delete interp; + delete conn; } void file_analysis::X509::ParseBasicConstraints(X509_EXTENSION* ex) diff --git a/src/file_analysis/analyzer/x509/X509.h b/src/file_analysis/analyzer/x509/X509.h index c671c68a99..ca024ecf64 100644 --- a/src/file_analysis/analyzer/x509/X509.h +++ b/src/file_analysis/analyzer/x509/X509.h @@ -58,6 +58,7 @@ private: void ParseExtension(X509_EXTENSION* ex); void ParseBasicConstraints(X509_EXTENSION* ex); void ParseSAN(X509_EXTENSION* ex); + void ParseSignedCertificateTimestamps(X509_EXTENSION* ext); std::string cert_data; diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif index fcdeaa31d1..8b2e2aa525 100644 --- a/src/file_analysis/analyzer/x509/events.bif +++ b/src/file_analysis/analyzer/x509/events.bif @@ -55,3 +55,22 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%); ## x509_parse x509_verify ## x509_get_certificate_string event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%); + +## Generated for the signed_certificate_timestamp X509 extension as defined in +## :rfc:`6962`. The extension is used to transmit signed proofs that are +## used for Certificate Transparency. +## +## f: The file. +## +## version: the version of the protocol to which the SCT conforms. Always +## should be 0 (representing version 1) +## +## logid: 32 bit key id +## +## timestamp: the timestamp of the sct +## +## signature_and_hashalgorithm: signature and hash algorithm used for the +## digitally_signed struct +## +## signature: signature part of the digitally_signed struct +event x509_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%); diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac new file mode 100644 index 0000000000..56ca27d909 --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-extension.pac @@ -0,0 +1,54 @@ +# Binpac analyzer for X.509 extensions +# we just use it for the SignedCertificateTimestamp at the moment + +%include binpac.pac +%include bro.pac + +%extern{ +#include "types.bif.h" +#include "file_analysis/File.h" +#include "events.bif.h" +%} + +analyzer X509Extension withcontext { + connection: MockConnection; + flow: SignedCertTimestampExt; +}; + +connection MockConnection(bro_analyzer: BroFileAnalyzer) { + upflow = SignedCertTimestampExt; + downflow = SignedCertTimestampExt; +}; + +%include x509-signed_certificate_timestamp.pac + +# The base record +type HandshakeRecord() = record { + signed_certificate_timestamp_list: SignedCertificateTimestampList(this)[] &transient; +} &byteorder = bigendian; + +flow SignedCertTimestampExt { + flowunit = HandshakeRecord withcontext(connection, this); +}; + +refine connection MockConnection += { + + function proc_signedcertificatetimestamp(rec: HandshakeRecord, version: uint8, logid: const_bytestring, timestamp: uint64, digitally_signed_algorithms: SignatureAndHashAlgorithm, digitally_signed_signature: const_bytestring) : bool + %{ + BifEvent::generate_x509_ext_signed_certificate_timestamp((analyzer::Analyzer *) bro_analyzer(), + bro_analyzer()->GetFile()->GetVal()->Ref(), + version, + new StringVal(logid.length(), reinterpret_cast(logid.begin())), + ((double)timestamp)/1000, + digitally_signed_algorithms->HashAlgorithm(), + digitally_signed_algorithms->SignatureAlgorithm(), + new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin())) + ); + + return true; + %} +}; + +refine typeattr SignedCertificateTimestamp += &let { + proc : bool = $context.connection.proc_signedcertificatetimestamp(rec, version, logid, timestamp, digitally_signed_algorithms, digitally_signed_signature); +}; diff --git a/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac new file mode 120000 index 0000000000..88305ed8fd --- /dev/null +++ b/src/file_analysis/analyzer/x509/x509-signed_certificate_timestamp.pac @@ -0,0 +1 @@ +../../../analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac \ No newline at end of file diff --git a/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout new file mode 100644 index 0000000000..4b81b287a6 --- /dev/null +++ b/testing/btest/Baseline/scripts.base.files.x509.signed_certificate_timestamp/.stdout @@ -0,0 +1,4 @@ +0, 1474927230.876, 4, 3 +0, 1474927232.863, 4, 3 +0, 1474927232.112, 4, 3 +0, 1474927232.304, 4, 3 diff --git a/testing/btest/Traces/tls/certificate-with-sct.pcap b/testing/btest/Traces/tls/certificate-with-sct.pcap new file mode 100644 index 0000000000000000000000000000000000000000..0b6c1b166e608e97f24de3a487a37ff3abe69499 GIT binary patch literal 7584 zcmbVR30O?+`+m>NG^J(Q7cCmJNy}+pXw@R6P|+go%V?WwDk^EyLP?8CXps_92t~=X z5UE5vLW*b+LTUY^1NI0F06E=l~+I0|^oPWUB9J)X)K405o0gG=V05YM5GxcXt~;=l&`IstCHG{|G(# za?RY_kU0Pt9L+Tdi=}}eI(j{k*m(394zqyXDar`8Aaisq;4avhN8gAT0CITpb`%-4 z09Cw7Xzb$YMJ%-B?C>ED1uUTBFm&`g9Naijbi@)K^_x?S5ojZ*==j5L`8A@b-&(TE z{BA+eUx%@iuXCkQ=XL?KN50i|C6Zv4giX%FjayoMiruRQ0YNF z$OE|`8@PkLfCSut3Qz`0KoP`(7!VB(QDv!8RB@^Zm6=KdP6IWd0HUbU)b&(R>RKv0 zbp<#J&VU?{1zeHvY5;X02V{W^fI%iW0Wv^3a$|MCCZJ7~p-NKMQH7}lDh`|i8-X-P z16qKV%1WiBGEy;s2H>b{R64)~*Z~V*qB2pjfF8_Ykob5ZA>u@S1}uSrfl?kM5Bor8 z4~mqRGX*dJ92P(r3AvAu68A{Q15^e{+5VzE(bPl)@K zYtqZNt5?qEwDqny`o#g-ojG(lq2#{Xk+d>El?F&WkiR)3L%`3Fp&>yp7lC4{X8>%q zfQ<_9=imr@9vne)BxgP(EXvjX^7IpDTGr%AwD=FTe1n5CaW>&1D$i z6?m*U4$qF+WGurA^Pm%YcGg|qrX*J{;wCMk5y_K8adwgshsDriSoYPwj_LV2I}=S! zjfk6^eJLatlA}GvnW!%dui|EsQG``w6=h{)U^!(gWUBJp6c+l;thuQSC(J$%&B*wB zcEAzPn&16}XaF_>Vg|_X^q2?;0vG)TDq|Up@6Rcy6y?h?c6m+@e82hVFm1pAC-qZ9 zGx{QF+&=s4o$9EHR*xE~pAzbswVAzJgRMKWp3qO!$C@eQp3>}9e}C>ajnZZYl>uG? zCE3a9U_s}gzD>z)m0IsFO_SQ#$15-4=)JwInVL2oeXe?_=4MB2Up}QMwN1>pvY1S` zVxoWF#y`4>Ldc(nw-%Y(c6V*PCF)aS+PW`g1T(WPlN+kH1$PR*|vi zi@V6Ti`VGk3%wm&m)ZpLE1fRZ>XXl~mQ9YjrZ~03M@V$o2)M_D8hToZeeQun!E>ML z7CD!lcSTFmlfSwoxXSAKqVlR_x0hYu{mLJ-ae_J-vb=P(p4=0>5ARi&l9 z9sS5MQi0xnNLEQXdV5Mc+AB)?Ir|1U`^reWAZY|E{al5KUjJj2J;{FgBB>vXq|ilD zj?TWY8tR`QP7#)eWpm&hsc4BGs~vqk{FX15{IOheVY#md%#AK*#j(JIh^6Ugf*v5^ zHp6-_9Uku*&In;3SQXEJ1QQ2EoZJpU74L(9s4l|cSS(`$an?40REt7NML;slSu*bNcg32H*%=d(bG`-?$`u1*1Dz}!&Qw4 zf9!ILJa`I`ON2UL9Sl)@vtIZ&zDFEs2ibL3**-CA5{k^2+zj@33H8?77&PRnHF-$|3y$fh(jjI)7~U@PZ??PDt4$KT*qh~&#~f;V z*|#ea)CI={70x_dFdJk0%j{}DSIzz6PV7ReeU;-^Ge0@SXf}#7MDovlo~{&i;4{Jy z4Zd}|R0Ezh6Oc2rc71yDo3_69)tg64)eq!4sZJ<0f&k$5En`B^DWXa>{=-c%0i$W3 z?KZ9{Z90$XU5hGAOs47<%tj$HiCnEdtcxM~5-qB;PJB(AQ|x@Fl0s{7XVXc!kh|wa zV_i16e+#X>fmsdWb~V%3`gN)4KcjK>+#D5}MKX$@Ci)GH~DdUY7R-HWBVKJ!e_4dk9{%i!y)Mzcc^%JoA?=W&Tx%7quj* z4Z%c;okcCd5E)B^I+S|+2hzEgyU zCRVxO5_?qZC1tg#RpllVS9}6)`fbe({hbvN7DreS0xeIU^o)LT$%wMmP^UO0Tlg1+ z8Z=ON_-7Qj_Zq%WVK^*tIL}*BXlqz_O*Ea1;&{s#iTgoi-{Gwx*!|YyaV2{q^`_tC z)=G{D#+QbNkxCRqeaR{=vw;I#Y~_L!S(TNkqa)#?#reT6tGcW7jyB)*k(%ysvZuZ1 z%xTNjHB;1tjW#=GraQC~T#Yb$9);PEX0XBgl}y-sTY48i1JV4mylMLCw2p1+(zBIW zTfXo$tFB>+o0@5OckRg7^(moxxosrnR_Oq|{y3er=N^ z(Y#^33Y!dtX<5|%H|_f+bR=&tqLx3!&D)nm*-!L#Auh<`y!Oc>vZoBg3d#zo_Q|UJ zHvQks{@YKAfi+uOv=wyTS7aB_?G4siz?Pkb{f)D^vy|8Tw1 zh-K{#Ba;{Mr#_cGp0s%Q#v#jGZ+F?<1Z5$G(R7IrXBMW>>~y;JH>GSr$vv~N%!y}9 zZr|-t9M|G|XW0`yr*LPa|8Y)=*Y?5_4`23F`NY;fz2e*$e7w#jvC0^K@T6(H`^M&U zkqAL<_?E`~7mWKg1FWKxo)^saQhz{}M|!R0`NpZKZ?p$Olr^!tjFZtb;{i;heQO ztD^<~S$1Tk5G{gz7o`HxNf+1&7G0bpI?4BA@n3XO23GlbA|_h$$BBPRql~NUGIc}5 zalQ(e*Y>|k_wU-?>+*>3_*1E28J@^78^hNAZFWi>)?W}oO;{b?h-X@qK0H!xL;pYV zTUvNxBajfLS-nh4;&wY`BYjPlGYpGmc+X$v=kc^~GPS2iU4Fe(Sc=DFfom&YP=r=< z)||%Z)yTbB)3P%QI*3as z`=f}bT>iC-n3&g+8%woBNOn<6T=JG`$r&EuyykC$c0HUgh@57$ z(`uOY4IU16a>z`SDG3%2Oo- z-seW3HxiB9mW00-JTZAvWJH4CTJG^iBE!=*NUSz$BbI6WHMTdk#zJ&rYq+KKrx5!G zyKHVhKNZ&E^fDx7-=VjuN61HL^!x7z1H2v5QtgH#a5@XJLc6l&5d40F;&L@P@LNk` zU?hW<-SeFklPSgCm$J#*lW0V7l9E9SM&x$}_BE!?j{d&RL>-bViDK`uq=Q0RFOrw5 z48kqw$yj#cPmq7mA5?W&YxYeaT~S_msI&2Sx*?@2EA%7iC&U#Si0SaMoRDP}jx{~YRLaao z$Hjp45#>MF`|Qb#t6Lq74L!kz+}V|$Q)#M|nUwG)OVK4LbZ7N3+qYNTh>B<9g(M{O z87u=_;OkW{MiM7Zw^l&#+s|W!R}#r#V~4(r9lmBJl{qpVFwN=4HMGTJNQy17?a?e_ z{cZt< zy{oNAV`EbSWR>G%=e!ES<8ou~Zt!Wy+wmc?VkRf>OTYJk_A}2dCl1SRuH=5+A4a$4 z#%CF-22On_o4CKD9Pi|Wk?B0&v|}ntm$U+iKQ}*8hu1TtZV^~vts*va{$exuF16WE zF_5Ff-VWn=`%(U8~>e3>ri-rG`QOw_!cwVsnsz<*ImNCO9?^#Xjd~Q+<+#v6^sYR>! zGfZ04Nt6L7;ESu*k9R9(j%%mOa`|5Uo z$Tk!B(D!K%{J@}BR+Ryi#?2>!)9}Wk&Q$?C9HuM+pRx>`B{Q`!0FT7N1n0yHb0r8f-B!^oQHvZo*0XMf4@bdzli2V92B37F^FU}Pl%^qF66{b+zvYghij)G&ky)Hd|3+2D z6+1OmuYaj=W4!)-N7IMX6B*O{1}yXw`TZsUUu1E*-Mv4Fsa6s zjzRZ_S}pk%o}{cIJ4YOR_Gs$<2{yZ09dFez!_KPJ7dV2P9`-10(zTYA(*4+NDd^7g zG333u;!1nl>jyq1+>Y({H_Ye}z1$zABW@qHizb3q@PdNH7?Dt7IXY?X>&qn4a?;eG zs98zM*?#WZFyG*}PX(=yuLoBtd|6XnnE>5(+Y`woJ>2oskx}%qnR7^e)63OEvsrZ zyOHdQa?g{^=l61Hgbw0AA$x+*Rz?6BU;(!lu0ZvrbK7P4SxXG@qtC2In#l8;?^hpq zX7ak8z9)sDtRS8@NlSG`?R?htoLk1141C-D?KlSg+U+%^V6%JURcT1U3#?YQVN%`8 zqE^xC%{)`CXXLfZ)5KQYzJ2ayIm?OeE$;pzn4)s=_~BFRA2*%d5Xdk&WnJC-&DZ&Q zBV0$-afzKyjUB>MdLg>aPkIZ4WhScg za=Pp#g}MbaSTu6ided?T;f8DcSg*Yw9*Xym2{PEvD%hKQ;a#_8-!os1M6V0s88*Ei z6+Xj{vUgt1ekRnjL%GPG!{d(dlyD1ucqbt}wWaLqc_vcU^$j<;$0JRYEkC=}PzXs) zms(Al4@{q~sT#IUcQoANa&+>(_gwgh-xcdK_xLYf*{>)eH<1~B{9=e~O3E0zVT&Um zTdwG{+=)EP=&J;D{8<+!o1t~#W89y0p`;m77v6B8`&kzjFV=;O!Hj^4fT3dsBl^nFma zNM=dD@!mMe5B`oLzWrhLM}r(atjQ<1UPG2nuYHBnI-W^ot8NozOr6rRXE9vs%7I+> z{2nt9gF!|9#oVW?jl1I9Ze-EYZu`)HZS_8$b<%t@6aPVQ=V80c%d zK~H~=(8}`Bxh>I}-|GnDqnBHQbX9y9r_Y3h3mn!Bq|vR|cSzXw=tHI|Zta!?)+%wE zQ%9SOgVlUW&SJ6z%Uh$G{gh%=LU=kYBtipfGx^{UqM~(_D%es?|T~a%dtQ&Wd z{h1?GNR9|>LlB+T(F1!V;n49%)|sxELJ>99{)&iXT|wz0Vmv?*Igz`>`y)x%?%%Z} zt;1x0ojB)T+vl62Q{RUgTrWZYFAokKJ8IBcZ<)bc^OwNN0_^IS8blHAZuy0{EYXk_ zjf`9Z@}kFPX`)H(L=x>*7%SA_C9r^qxc^B{Bp#rM?1sM(mjwkud>n!LnAGtXA9sbZ oGSAr#{q&IzMMV)ye?$C>kJIx$?q25OF2u(Q^ktM6|56|S51>yUasU7T literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test new file mode 100644 index 0000000000..63be26448f --- /dev/null +++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test @@ -0,0 +1,7 @@ +# @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT +# @TEST-EXEC: btest-diff .stdout + +event x509_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string) + { + print version, timestamp, hash_algorithm, signature_algorithm; + }