diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc index 69f399c9dc..b294d448be 100644 --- a/src/file_analysis/analyzer/x509/X509.cc +++ b/src/file_analysis/analyzer/x509/X509.cc @@ -120,6 +120,19 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) pX509Cert->Assign(6, new StringVal(buf)); + // Special case for RDP server certificates. For some reason some (all?) RDP server + // certificates like to specify their key algorithm as md5WithRSAEncryption, which + // is wrong on so many levels. We catch this special case here and set it to what is + // actually should be (namely - rsaEncryption), so that OpenSSL will parse out the + // key later. Otherwise it will just fail to parse the certificate key. + + ASN1_OBJECT* old_algorithm = 0; + if ( OBJ_obj2nid(ssl_cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption ) + { + old_algorithm = ssl_cert->cert_info->key->algor->algorithm; + ssl_cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption); + } + if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->sig_alg->algorithm) ) buf[0] = 0; @@ -152,6 +165,11 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val) } #endif + // set key algorithm back. We do not have to free the value that we created because (I think) it + // comes out of a static array from OpenSSL memory. + if ( old_algorithm ) + ssl_cert->cert_info->key->algor->algorithm = old_algorithm; + unsigned int length = KeyLength(pkey); if ( length > 0 ) pX509Cert->Assign(9, new Val(length, TYPE_COUNT)); diff --git a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log index 31e42b000e..b936507784 100644 --- a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log +++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log @@ -3,9 +3,9 @@ #empty_field (empty) #unset_field - #path x509 -#open 2015-03-05-05-26-13 +#open 2015-03-05-20-58-46 #fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len #types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count 1423755602.103140 F71ADVSn3rOqVhNh1 3 59EB28CB02B1A0D4 L=TURNBKL+CN=SERVR L=TURNBKL+CN=SERVR 1423664106.000000 1431388800.000000 rsaEncryption sha1WithRSA rsa 512 65537 - - - - - T 0 -1423755602.103140 F71ADVSn3rOqVhNh1 3 0100000001 serialNumber=1BcKefYSF97EvkaiCqahPY8uPd0=\0D\0A+L=ncalrpc:SERVR+CN=ncalrpc:SERVR L=TURNBKL+CN=SERVR 1365174955.000000 1483228799.000000 md5WithRSAEncryption sha1WithRSA - - - - - - - - - - -#close 2015-03-05-05-26-13 +1423755602.103140 F71ADVSn3rOqVhNh1 3 0100000001 serialNumber=1BcKefYSF97EvkaiCqahPY8uPd0=\0D\0A+L=ncalrpc:SERVR+CN=ncalrpc:SERVR L=TURNBKL+CN=SERVR 1365174955.000000 1483228799.000000 md5WithRSAEncryption sha1WithRSA rsa 512 65537 - - - - - - - +#close 2015-03-05-20-58-46