SSL: Update OCSP/SCT scripts and documentation.

src/file_analysis/analyzer/x509/events.bif

@@ -13,7 +13,7 @@
 ##
 ## .. bro:see:: x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
-##              x509_get_certificate_string
+##              x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate%);
 
 ## Generated for X509 extensions seen in a certificate.
@@ -27,7 +27,7 @@ event x509_certificate%(f: fa_file, cert_ref: opaque of x509, cert: X509::Certif
 ##
 ## .. bro:see:: x509_certificate x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
-##              x509_get_certificate_string
+##              x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_extension%(f: fa_file, ext: X509::Extension%);
 
 ## Generated for the X509 basic constraints extension seen in a certificate.
@@ -39,7 +39,7 @@ event x509_extension%(f: fa_file, ext: X509::Extension%);
 ##
 ## .. bro:see:: x509_certificate x509_extension
 ##              x509_ext_subject_alternative_name x509_parse x509_verify
-##              x509_get_certificate_string
+##              x509_get_certificate_string x509_ocsp_ext_signed_certificate_timestamp
 event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 
 ## Generated for the X509 subject alternative name extension seen in a certificate.
@@ -52,13 +52,14 @@ event x509_ext_basic_constraints%(f: fa_file, ext: X509::BasicConstraints%);
 ## ext: The parsed subject alternative name extension.
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
-##              x509_parse x509_verify
+##              x509_parse x509_verify x509_ocsp_ext_signed_certificate_timestamp
 ##              x509_get_certificate_string
 event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternativeName%);
 
 ## Generated for the signed_certificate_timestamp X509 extension as defined in
 ## :rfc:`6962`. The extension is used to transmit signed proofs that are
-## used for Certificate Transparency.
+## used for Certificate Transparency. Raised when the extension is encountered
+## in an X.509 certificate or in an OCSP reply.
 ##
 ## f: The file.
 ##
@@ -74,4 +75,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati
 ##                              digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp x509_extension x509_ext_basic_constraints
+##              x509_parse x509_verify x509_ext_subject_alternative_name
+##              x509_get_certificate_string ssl_extension_signed_certificate_timestamp
+##              sct_verify ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate
+##              x509_ocsp_ext_signed_certificate_timestamp
 event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%);

src/file_analysis/analyzer/x509/functions.bif

@@ -140,6 +140,8 @@ X509* x509_get_ocsp_signer(STACK_OF(X509) *certs, OCSP_RESPID *rid)
 	return 0;
 	}
 
+// Convert hash algorithm registry numbers to the OpenSSL EVP_MD.
+// Mapping at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
 const EVP_MD* hash_to_evp(int hash)
 	{
 	switch ( hash )
@@ -483,7 +485,7 @@ x509_ocsp_cleanup:
 ##
 ## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
 ##              x509_ext_subject_alternative_name x509_parse
-##              x509_get_certificate_string x509_ocsp_verify
+##              x509_get_certificate_string x509_ocsp_verify sct_verify
 function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()%): X509::Result
 	%{
 	X509_STORE* ctx = x509_get_root_store(root_certs->AsTableVal());
@@ -571,6 +573,28 @@ x509_verify_chainerror:
 	return rrecord;
 	%}
 
+## Verifies a Signed Certificate Timestamp as used for Certificate Transparency.
+## See RFC6962 for more details.
+##
+## cert: Certificate against which the SCT should be validated.
+##
+## logid: Log id of the SCT.
+##
+## log_key: Public key of the Log that issued the SCT proof.
+##
+## timestamp: Timestamp at which the proof was generated.
+##
+## hash_algorithm: Hash algorithm that was used for the SCT proof.
+##
+## issuer_key_hash: The SHA-256 hash of the certificate issuer's public key.
+##                  This only has to be provided if the SCT was encountered in an X.509
+##                  certificate extension; in that case, it is necessary for validation.
+##
+## Returns: T if the validation could be performed succesfully, F otherwhise.
+##
+## .. bro:see:: ssl_extension_signed_certificate_timestamp
+##              x509_ocsp_ext_signed_certificate_timestamp
+##              x509_verify
 function sct_verify%(cert: opaque of x509, logid: string, log_key: string, signature: string, timestamp: count, hash_algorithm: count, issuer_key_hash: string &default=""%): bool
 	%{
 	assert(cert);
@@ -789,6 +813,17 @@ StringVal* x509_entity_hash(file_analysis::X509Val *cert_handle, unsigned int ha
 	}
 %%}
 
+## Get the hash of the subject's distinguished name.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+##           https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_issuer_name_hash x509_spki_hash
+##              x509_verify sct_verify
 function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
 	%{
 	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
@@ -796,17 +831,17 @@ function x509_subject_name_hash%(cert: opaque of x509, hash_alg: count%): string
 	return x509_entity_hash(cert_handle, hash_alg, 0);
 	%}
 
-## Get the hash of issuer name of a certificate
+## Get the hash of the issuer's distinguished name.
 ##
 ## cert: The X509 certificate opaque handle.
 ##
-## hash_alg: the hash algorithm to use
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+##           https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
 ##
-## Returns: A string of hash of issuer name.
+## Returns: The hash as a string.
 ##
-## .. bro:see:: x509_certificate x509_extension x509_ext_basic_constraints
-##              x509_ext_subject_alternative_name x509_parse
-##              x509_get_certificate_string x509_verify
+## .. bro:see:: x509_subject_name_hash x509_spki_hash
+##              x509_verify sct_verify
 function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
 	%{
 	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;
@@ -814,6 +849,17 @@ function x509_issuer_name_hash%(cert: opaque of x509, hash_alg: count%): string
 	return x509_entity_hash(cert_handle, hash_alg, 1);
 	%}
 
+## Get the hash of the Subject Public Key Information of the certificate.
+##
+## cert: The X509 certificate opaque handle.
+##
+## hash_alg: the hash algorithm to use, according to the IANA mapping at
+##           https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18
+##
+## Returns: The hash as a string.
+##
+## .. bro:see:: x509_subject_name_hash x509_issuer_name_hash
+##              x509_verify sct_verify
 function x509_spki_hash%(cert: opaque of x509, hash_alg: count%): string
 	%{
 	file_analysis::X509Val *cert_handle = (file_analysis::X509Val *) cert;

src/file_analysis/analyzer/x509/ocsp_events.bif

@@ -1,6 +1,8 @@
 ## Event that is raised when encountering an OCSP request, e.g. in an HTTP
 ## connection. See :rfc:`6960` for more details.
 ##
+## This event is raised exactly once for each OCSP Request.
+##
 ## f: The file.
 ##
 ## req: version: the version of the OCSP request. Typically 0 (Version 1).
@@ -8,23 +10,111 @@
 ## requestorName: name of the OCSP requestor. This attribute is optional; if
 ##                it is not set, an empty string is returned here.
 ##
+## .. bro:see:: ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_request%(f: fa_file, version: count, requestorName: string%);
 
+## Event that is raised when encountering an OCSP request for a certificate, 
+## e.g. in an HTTP connection. See :rfc:`6960` for more details.
+##
+## Note that a single OCSP request can contain requests for several certificates.
+## Thus this event can fire several times for one OCSP request, each time
+## requesting information for a different (or in theory even the same) certificate.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for the issuerKeyHash.
+##
+## issuerKeyHash: Hash of the issuers public key.
+##
+## serialNumber: Serial number of the certificate for which the status is requested.
+##
+## .. bro:see:: ocsp_request ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_request_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string%);
 
-## Generated for encountered OCSP response
+## This event is raised when encountering an OCSP reply, e.g. in an HTTP
+## connection or a TLS extension. See :rfc:`6960` for more details.
+##
+## This event is raised exactly once for each OCSP reply.
+##
+## f: The file.
+##
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate
+##              ocsp_response_bytes ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_status%(f: fa_file, status: string%);
+
+## This event is raised when encountering an OCSP response that contains response information.
+## An OCSP reply can be encountered, for example, in an HTTP connection or
+## a TLS extension. See :rfc:`6960` for more details on OCSP.
 ##
 ## f: The file.
 ##
 ## req_ref: An opaque pointer to the underlying OpenSSL data structure of the
-##          OCSP response
+##          OCSP response.
 ##
-## req: The parsed OCSP response information.
+## status: The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
 ##
-event ocsp_response_status%(f: fa_file, status: string%);
-
+## version: Version of the OCSP response (typically - for version 1). 
+##
+## responderId: The id of the OCSP responder; either a public key hash or a distinguished name.
+##
+## producedAt: Time at which the reply was produced.
+##
+## signatureAlgorithm: Algorithm used for the OCSP signature.
+##
+## certs: Optional list of certificates that are sent with the OCSP response; these typically
+##        are needed to perform validation of the reply.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_certificate ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_response_bytes%(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector%);
 
-event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time%);
+## This event is raised for each SingleResponse contained in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
+##
+## issuerNameHash: Hash of the issuer's distinguished name.
+##
+## issuerKeyHash: Hash of the issuer's public key.
+##
+## serialNumber: Serial number of the affected certificate.
+##
+## certStatus: Status of the certificate.
+##
+## revokeTime: Time the certificate was revoked, 0 if not revoked.
+##
+## revokeTeason: Reason certificate was revoked; empty string if not revoked or not specified.
+##
+## thisUpdate: Time this response was generated.
+##
+## nextUpdate: Time next response will be ready; 0 if not supploed.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_extension
+##              x509_ocsp_ext_signed_certificate_timestamp
+event ocsp_response_certificate%(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time%);
 
+## This event is raised when an OCSP extension is encountered in an OCSP response.
+## See :rfc:`6960` for more details on OCSP.
+##
+## f: The file.
+##
+## ext: The parsed extension (same format as X.509 extensions).
+##
+## global_resp: T if extension encountered in the global response (in ResponseData),
+##              F when encountered in a SingleResponse.
+##
+## .. bro:see:: ocsp_request ocsp_request_certificate ocsp_response_status
+##              ocsp_response_bytes ocsp_response_certificate
+##              x509_ocsp_ext_signed_certificate_timestamp
 event ocsp_extension%(f: fa_file, ext: X509::Extension, global_resp: bool%);