Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-06 16:48:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

parse revocation time and reason in ocsp response

Browse source
This commit is contained in:
Liang Zhu 2015-07-31 13:39:25 -07:00
parent 5d168792ee
commit 61f7276c80
4 changed files with 44 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

30
src/file_analysis/analyzer/ocsp/OCSP.cc
View file

@ -411,7 +411,8 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
OCSP_BASICRESP *basic_resp = NULL; OCSP_BASICRESP *basic_resp = NULL;
OCSP_RESPDATA *resp_data = NULL; OCSP_RESPDATA *resp_data = NULL;
OCSP_RESPID *resp_id = NULL; OCSP_RESPID *resp_id = NULL;
OCSP_SINGLERESP *single_resp = NULL; OCSP_SINGLERESP *single_resp = NULL;
OCSP_REVOKEDINFO *revoked_info = NULL;
//OCSP_CERTSTATUS *cst = NULL; //OCSP_CERTSTATUS *cst = NULL;
//OCSP_REVOKEDINFO *rev = NULL; //OCSP_REVOKEDINFO *rev = NULL;
@ -495,8 +496,31 @@ RecordVal *file_analysis::OCSP::ParseResponse(OCSP_RESPVal *resp_val)
ocsp_fill_cert_id(cert_id, single_resp_bro); ocsp_fill_cert_id(cert_id, single_resp_bro);
//certStatus //certStatus
const char *cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type); string cert_status_str = OCSP_cert_status_str(single_resp->certStatus->type);
single_resp_bro->Assign(4, new StringVal(strlen(cert_status_str), cert_status_str)); string revoke_reason = "";
string revoke_time = "";
//add revocation time and reason if it is revoked
if (single_resp->certStatus->type == V_OCSP_CERTSTATUS_REVOKED)
{
revoked_info = single_resp->certStatus->value.revoked;
len = -1;
len = ASN1_GENERALIZEDTIME_to_cstr(buf, buf_len, (void *)(revoked_info->revocationTime));
if (len > 0)
revoke_time.assign((const char *)buf, len);
if (revoked_info->revocationReason)
{
long l = ASN1_ENUMERATED_get(revoked_info->revocationReason);
revoke_reason = OCSP_crl_reason_str(l);
}
}
if (revoke_time.length() > 0)
cert_status_str += " " + revoke_time;
if (revoke_reason.length() > 0)
cert_status_str += " " + revoke_reason;
single_resp_bro->Assign(4, new StringVal(cert_status_str.length(), cert_status_str.c_str()));
//thisUpdate //thisUpdate
len = -1; len = -1;

13
testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-revoked/ocsp.log Normal file
View file

@ -0,0 +1,13 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2015-07-31-20-35-18
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
#types time addr port addr port string string string string string string count string count time string string string count string string count string string string string
1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CXWv6p3arKYeMETxOg sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 010BF45E184C4169AB61B41168DF802E FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707162834Z 1 revoked 20150514145849Z superseded 20150707162834Z 20150929011242Z POST
1438374032.650255 192.168.6.109 41813 23.5.251.27 80 CjhGID4nQcgTWjvg4c sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 013D34BFD6348EBA231D6925768ACD87 F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707212334Z 1 revoked 20150127203801Z unspecified 20150707212334Z 20150930071359Z POST
1438374032.759133 192.168.6.109 41814 23.5.251.27 80 CCvvfg3TEfuqmmG4bh sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0150C0C06D53F9D39205D84EFB5F2BA4 FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150707030344Z 1 revoked 20150528055348Z (UNKNOWN) 20150707030344Z 20150928205739Z POST
1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CsRx2w45OKnoww6xl4 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 017447CB30072EE15B9C1B057B731C5A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 20150708020344Z 1 revoked 20150117113259Z keyCompromise 20150708020344Z 20150928165507Z POST
#close 2015-07-31-20-35-18

BIN
testing/btest/Traces/tls/ocsp-revoked.pcap Normal file
View file

Binary file not shown.

4
testing/btest/scripts/base/protocols/ssl/ocsp-revoked.test Normal file
View file

@ -0,0 +1,4 @@
# This tests a OCSP request missing response
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log