add a special case to the X509 code that deals with RDP certificates.

Basically, at least some rdp certificates specify a completely invalid and nonsensical value for theyr key type. OpenSSL does not like this and refuses to parse the key in this case. With this change, we detect this case and special-case it, hinting to OpenSSL what kind of key we have. This gives us additional information that we would not have otherwhise in the log file (like key length and the exponent).
2025-10-07 09:08:20 +00:00 · 2015-03-05 12:59:03 -08:00 · 2015-03-05 12:59:03 -08:00 · 9441dc68ec
commit 9441dc68ec
parent 276e072e6e
2 changed files with 21 additions and 3 deletions
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@ -120,6 +120,19 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)

 	pX509Cert->Assign(6, new StringVal(buf));

+	// Special case for RDP server certificates. For some reason some (all?) RDP server
+	// certificates like to specify their key algorithm as md5WithRSAEncryption, which
+	// is wrong on so many levels. We catch this special case here and set it to what is
+	// actually should be (namely - rsaEncryption), so that OpenSSL will parse out the
+	// key later. Otherwise it will just fail to parse the certificate key.
+
+	ASN1_OBJECT* old_algorithm = 0;
+	if ( OBJ_obj2nid(ssl_cert->cert_info->key->algor->algorithm) == NID_md5WithRSAEncryption )
+		{
+		old_algorithm = ssl_cert->cert_info->key->algor->algorithm;
+		ssl_cert->cert_info->key->algor->algorithm = OBJ_nid2obj(NID_rsaEncryption);
+		}
+
 	if ( ! i2t_ASN1_OBJECT(buf, 255, ssl_cert->sig_alg->algorithm) )
 		buf[0] = 0;

@ -152,6 +165,11 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val* cert_val)
 			}
 #endif

+		// set key algorithm back. We do not have to free the value that we created because (I think) it
+		// comes out of a static array from OpenSSL memory.
+		if ( old_algorithm )
+			ssl_cert->cert_info->key->algor->algorithm = old_algorithm;
+
 		unsigned int length = KeyLength(pkey);
 		if ( length > 0 )
 			pX509Cert->Assign(9, new Val(length, TYPE_COUNT));
--- a/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log
+++ b/testing/btest/Baseline/scripts.base.protocols.rdp.rdp-x509/x509.log
@ -3,9 +3,9 @@
 #empty_field	(empty)
 #unset_field	-
 #path	x509
-#open	2015-03-05-05-26-13
+#open	2015-03-05-20-58-46
 #fields	ts	id	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count
 1423755602.103140	F71ADVSn3rOqVhNh1	3	59EB28CB02B1A0D4	L=TURNBKL+CN=SERVR	L=TURNBKL+CN=SERVR	1423664106.000000	1431388800.000000	rsaEncryption	sha1WithRSA	rsa	512	65537	-	-	-	-	-	T	0
-1423755602.103140	F71ADVSn3rOqVhNh1	3	0100000001	serialNumber=1BcKefYSF97EvkaiCqahPY8uPd0=\0D\0A+L=ncalrpc:SERVR+CN=ncalrpc:SERVR	L=TURNBKL+CN=SERVR	1365174955.000000	1483228799.000000	md5WithRSAEncryption	sha1WithRSA	-	-	-	-	-	-	-	-	-	-
-#close	2015-03-05-05-26-13
+1423755602.103140	F71ADVSn3rOqVhNh1	3	0100000001	serialNumber=1BcKefYSF97EvkaiCqahPY8uPd0=\0D\0A+L=ncalrpc:SERVR+CN=ncalrpc:SERVR	L=TURNBKL+CN=SERVR	1365174955.000000	1483228799.000000	md5WithRSAEncryption	sha1WithRSA	rsa	512	65537	-	-	-	-	-	-	-
+#close	2015-03-05-20-58-46