From 61f7276c80c5ace581f3e040af04c5f876dcb105 Mon Sep 17 00:00:00 2001
From: Liang Zhu
Date: Fri, 31 Jul 2015 13:39:25 -0700
Subject: [PATCH] parse revocation time and reason in ocsp response
---
 src/file_analysis/analyzer/ocsp/OCSP.cc | 30 ++++++++++++++++--
 .../ocsp.log | 13 ++++++++
 testing/btest/Traces/tls/ocsp-revoked.pcap | Bin 0 -> 12864 bytes
 .../base/protocols/ssl/ocsp-revoked.test | 4 +++
 4 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
 create mode 100644 testing/btest/Traces/tls/ocsp-revoked.pcap
 create mode 100644 testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test
diff --git a/src/file_analysis/analyzer/ocsp/OCSP.cc b/src/file_analysis/analyzer/ocsp/OCSP.cc
index d0b1a62f90..df0dbc5599 100644
--- a/src/file_analysis/analyzer/ocsp/OCSP.cc
+++ b/src/file_analysis/analyzer/ocsp/OCSP.cc
@@ -411,7 +411,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 OCSP_BASICRESP *basic_resp = NULL;
 OCSP_RESPDATA *resp_data = NULL;
 OCSP_RESPID *resp_id = NULL;
- OCSP_SINGLERESP *single_resp = NULL;
+ OCSP_SINGLERESP *single_resp = NULL;
+ OCSP_REVOKEDINFO *revoked_info = NULL;
 //OCSP_CERTSTATUS *cst = NULL;
 //OCSP_REVOKEDINFO *rev = NULL;
@@ -495,8 +496,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
 ocsp_fill_cert_id(cert_id, single_resp_bro);
 //certStatus
- const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type);
- single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str));
+ string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type);
+ string revoke_reason = "";
+ string revoke_time = "";
+
+ //add revocation time and reason if it is revoked
+ if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED)
+ {
+ revoked_info = single_resp->certStatus->value.revoked;
+ len = -1;
+ len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime));
+ if (len > 0)
+ revoke_time.assign((const char *)buf, len);
+
+ if (revoked_info->revocationReason)
+ {
+ long l = ASN1_ENUMERATED_get(revoked_info->revocationReason);
+ revoke_reason = OCSP_crl_reason_str(l);
+ }
+ }
+ if (revoke_time.length() > 0)
+ cert_status_str += " " + revoke_time;
+ if (revoke_reason.length() > 0)
+ cert_status_str += " " + revoke_reason;
+
+ single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str()));
 //thisUpdate
 len = -1;
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
new file mode 100644
index 0000000000..8876f251e7
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log
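Review bot: At the `single_resp_bro->Assign(4, ...)` line the revocation time and reason are folded into the certStatus string as a space-separated, positional value (`revoked <time> <reason>`), but either token is omitted when the `len > 0` check fails or `revocationReason` is absent, so a log consumer cannot reliably tell a time token from a reason token — and if `ASN1_GENERALIZEDTIME_to_cstr` copies the responder-supplied bytes verbatim, a malformed time could itself contain whitespace (the helper is outside the hunk, so this is unverified here). Separate revocationTime/revocationReason slots on the single-response record would be the clean fix, but that record type lives outside this file; at minimum add a comment above the Assign: `// certStatus is "<status>[ <revocationTime>][ <revocationReason>]"; the suffixes exist only for revoked certs and are not positionally reliable`. `OCSP_crl_reason_str` maps reason codes outside OpenSSL's table to "(UNKNOWN)" (visible in the third baseline row), so keeping the numeric `l` as well would preserve the value for detection rules keyed on reasons such as keyCompromise. `revoked_info` is declared at function scope in the previous hunk but used only in this branch, so it can be declared at first use, and `string revoke_reason = "";` / `string revoke_time = "";` need no explicit initializer. ParseResponse begins before this hunk and continues after it; `buf`, `buf_len` and `len` come from that earlier part.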
@@ -0,0 +1,13 @@ +#separator \x09 +#set_separator , +#empty_field (empty) +#unset_field - +#path ocsp +#open 2015-07-31-20-35-18 +#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method +#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string +1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST +1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST +1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST +1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 
74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST +#close 2015-07-31-20-35-18 
diff --git a/testing/btest/Traces/tls/ocsp-revoked.pcap b/testing/btest/Traces/tls/ocsp-revoked.pcap new file mode 100644 index 0000000000000000000000000000000000000000..a2cd4509ad0a13b4636fc54488c2b76f452344c4 GIT binary patch literal 12864 zcmeI2dpuO>AIHxb<2I5@g}*Ou?n%k@S)gVPt~!;7;?eD%l{1R;^-kB~`96y(i>m+(9)C#ML>XPd?3US=;J zkd=^02;zj;Dy)cyR7giWbGz(b1oex(m2K3gG^sDnJ3_U%BT z=Ugvu%m#Dw_V%=)TH~q|=LnvF!xLC}uZrZbFm_~Q7&nM5;70IlB7&kKt@xak(VQrO z_&N^`ZSZK1{dJ7@mcsxTvSzUQy9Qm$k@z`c-pLnytnZsaYwxLR*SWAr}BTEU6V&yuCQ7jKm zUmTsFjy5Ts?TrkG^Hnf{?;!EzbYYnicF#o+H`q-AJGJZ#J(V7 zG#tm~&Qhg#ariMDJ`3Y5d**99~dFFqgNCg#~hXZ2l_nL3U6m#|jQKKO&5Ug|p+V*vmMRnN%v1O2;j+$ml>Y z=$05S!m5`N!4J2@!lR=EVEAL$VccN00Nme$4NlAk><}&|n1y*qb1X4C%sn~`JRg;b zQEgc?dlsF6xz6@hrOb$n2WS@N!sl9IbgCFe z!&%^){_!FpoyQ4+Ny);3!XjWWK;{V*=7KqqEmUv=KTa3t3rZF$Fu^G*o_H)ri#)Q^ z$UmKTxNT~;(tG3ftit2j40m-MHK-Z4!|kZHGp7Yu3$!ve`8lp~D5XA)H*VG;<;{upa{2@NrT*>H18&I{w~X_O4%k)gU67qEBrnB< zWIu2$!i929*>WV5L{c|pG-T8-e{??j)i<-bD<4knA37Cz1dpYvfWjm;Rs?Q_$#PpxCy*K zZiJ!e0_QMxR1`+XW-P$GygV@HshAb!O2@}&s}c!jixXcy@K-91GiY?C1Jl6=cc9wg z%wCrDKd`X5&R(9_JPs@b!5ls=M921jOq9qFH3XcekYK93PjlR{F}9d~ttup~V3IJ& z<2Tba%JWv{#%o?ZQiJk+(-5tvx)Z~C9tgjx`}OGNsbwL%+P}MTaKxrDB}iWMwKD4$ zNu#u;P>UaU$K6yl&fImUqTTn;QuVW`O7#t!9kf!e+rK)R(i)+?Gn3uspPH(5#rPKG zyx9|)!W+kPN_xeShm*H_FXRO#mH19PmAb?H;*stJ=hJvP1-nxg8}PfCN4J)G-g{Pf zp;@ln(fxJK{5QoLOkSUFo!afTgO(7-k0$U3-Ig3NW0$UKALH)v2o&uh zlW+v*!QU|QGMs}4DX1(>azm5e%s>^j<#2D1p-R0=CkfTk4HXC?SvEGYv9Z=sAmgJ2 zq1HhW;Wj~$QMkG2IubrcS0BSZaV6QGn{_?$);fC^u zlG+cgW=tu}%1>?Po_y`{YTV`JyorUnV^)g-8?3t+h+A7 zmj-(6{4MhgbwVp_JuHM~TU;#HtzFA6|6BWR#{FSucO+%`WOjvUk#FA5Xnf#pcgc9H z@Vj}9hB+e**>|j4FEh>@o9kk6boi24FZQ{ckW$C5IB;oo{EM;MdkRi2pKWE8zqfq6 zzG~~T#-?=n$h|Nl^Fc-q(h~X-Eg@}S1GhN3qpH*nw1n^E()t=Wb8mW`2?mLG2PgUw zM5;9LY%FMe)X|C3M3ReGqvWhX7+ESrE46yytT`J?%o+`}2{}D*)lKKo{jWt6xi8AgAo@ZwgG?`3(xl%47pY@St_2g495KSH9t`ST?HD9N>IQ0tP2?P zS&-gmFnECc>1^tXCp4=`XjTDq8Z;QRm7=)DLo$qlTAT792BT{|BywD25`n?E&^nO# zB^r#$j59YGTT8|naE)U&U)dznU`)?=rrP5uARoM?=j3-pt^`JAiyTE1YpGFWoC<;& 
zcW7+CjDw>{1EW|AGY-!YW!zU_1mhubu7wKH0t^N`B#H8Mr-C6duYV2?AR7NAB4$G3 zmu@gb73;UAjK-;j8G9AXY`$ z*1)}^UsrDRyrrFctbk=YivyE&+X8k6&D^59d%jnaNf8T9e$Vs^a^Zms8*9!@-&_!M8TBz$S9-~J(kF=R0Q$zc3TI{+*H22lBDfpr}o zl9it{`4k6M{(S9$Yf1K>#99J;iLS1w^6!F`f5>1A84QuZC4P0&e zn(RM8OW0-MCTifSK}(nkllAf7#6*HPOq!VU5HvoT6HEsXcR`|q<)9jc1W`pMQ3DW7 zq>113BT7yvgmEf_XwD1=PNO2?aGC>PM8eEL|H2jT8xu*W1_RG!jp3 zEUl3?L;Tb-G%h1Fj*-yV2sB=Y4Wt>^_<*|sU{v;iNnZ^$E?=WEh-HZ`f*M<|iZm`j zJTGkz@PgI^S{Cvgv9SQeMtHu@vNUcJlcluEvMdWa^i017bZ=-`E^ii-f!<PkuLC(y=1F`-k=GQ`Tj;S-{A=KPZm1)F?90i7?}q z&+3I$vu(T5j;zbW-qoZV6TH|$D)5JmIbHdbjIh{6OqVbk!4}h>~SWO z&afvei?Z0Ve7v*Rve4{lIMa?U+p_#>I_vuyIlXd9c%I`{v!hcJ0zLBfKW}s1m-B1B zX0CG`SFMI_JbiTA^<|@8#)ndFU!9}&ROL$2!HpqaRZpAVZ66zer#s$eous8we1|97 zPX4YZI~8L}+@WLaPd-waB)5cm#wNG=K_ z0Xi9$@KEJ}CET);SQMc5*f6k!|4S1zWLbtRi^#I<2O0Tk%Mx8eG;p;8Tf(LK9eS3X za8G1{s3o+RPOmf7fI0qnaN-GqSR+leu?3Bfx@k^dOK35pk2vwgpc+pS#A`B%Uy*l{9#=8+em0u0Q4$oS?XOyaSecE7=^ch_-V^h6ab0)LSzzwW%2(QSD=v~ zeudCK(()W>RS+uTP-1~>&gB{72lr9#YJ(&d~3AjN(<8aesk*H)xVUoWU-OML-%L?oC9HM<9dXAxV_K#m$Dq_tRt&!FuN( zB_cLM;umjO?3pw>=D*!#A+}HK#cy8WwExbsfY-g4OcrkU-|Vu`doTJwzQ$#bgDsHH zVp$}zSY%nKR68n_P6L}K@HH+}WLf&|+~2ZLZJFTRGMT$9iTMT-+9)mY<|9US#QA6X zkpqQ-%onQ+&tABh>1lS=z3koL4WlfVhyP$76ZqW8@@~uU?Lo#e3U~tJU2CKKw8E4e{M zkX%Mc)3`swWu)ikz-2_hCl)5KjGTTZT1KA0Wn}2ZF!(y_(2HTcFNVSVA^~F!vlSka z`GqjJIYi^rI559r5{Uc)cA(a3V17ZOQ9q)LIlw07fTcu}3Fbgd0%)Z)Yl8>OfhUm2 z9-J6R5G`a76Txd-nzd{Zu^Y@Pf>`p?piiAkJoQ6~r%nV<4O(losb-Vtsh@#a)%_o| C*fs0` literal 0 HcmV?d00001 diff --git a/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test new file mode 100644 index 0000000000..3b3bf0a61b --- /dev/null +++ b/testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test @@ -0,0 +1,4 @@ +# This tests a OCSP request missing response + +# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT +# @TEST-EXEC: btest-diff ocsp.log
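Review bot: The header comment `# This tests a OCSP request missing response` does not match what ocsp-revoked.test does — it replays ocsp-revoked.pcap and diffs ocsp.log, whose baseline rows all carry a revoked status with time and reason — and reads as copied from another test. Replace it with `# This tests OCSP responses with a revoked certStatus (revocation time and reason)`. The whole assertion is the baseline diff, so any later change to the certStatus string format will have to update that baseline as well.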