mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
X.509: expose the signature type inside the tbs certificate
This change exposes the signature tyope inside the signed portion of an X.509 certificate. In the past, we only exposed the signature type that is contained inside the signature, which is outside the signed portion of the X.509 certificate. In theory, both signature fields should have the same value; it is, however, possible to encode differing values in both fields. The new field is not logged by default.
This commit is contained in:
Johanna Amann
parent
097771229c
commit
989e9c29d2
9 changed files with 183 additions and 150 deletions
3
NEWS
3
NEWS
|
|
@ -55,6 +55,9 @@ New Functionality
|
||||||
verbose output in JSON format about the repository state and any included
|
verbose output in JSON format about the repository state and any included
|
||||||
plugins.
|
plugins.
|
||||||
|
|
||||||
|
- The X.509 certificate parser now exposes the signature type that is given inside
|
||||||
|
the signed portion of the certificate.
|
||||||
|
|
||||||
Changed Functionality
|
Changed Functionality
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4394,6 +4394,7 @@ export {
|
||||||
key_length: count &optional &log; ##< Key length in bits
|
key_length: count &optional &log; ##< Key length in bits
|
||||||
exponent: string &optional &log; ##< Exponent, if RSA-certificate
|
exponent: string &optional &log; ##< Exponent, if RSA-certificate
|
||||||
curve: string &optional &log; ##< Curve, if EC-certificate
|
curve: string &optional &log; ##< Curve, if EC-certificate
|
||||||
|
tbs_sig_alg: string; ##< Name of the signature algorithm given inside the tbsCertificate. Should be equivalent to `sig_alg`.
|
||||||
};
|
};
|
||||||
|
|
||||||
type Extension: record {
|
type Extension: record {
|
||||||
|
|
|
||||||
|
|
@ -157,7 +157,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f)
|
||||||
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
|
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
|
||||||
len = BIO_gets(bio, buf, sizeof(buf));
|
len = BIO_gets(bio, buf, sizeof(buf));
|
||||||
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
|
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
|
||||||
BIO_free(bio);
|
BIO_reset(bio);
|
||||||
|
|
||||||
pX509Cert->AssignTime(5, GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter));
|
pX509Cert->AssignTime(5, GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter));
|
||||||
pX509Cert->AssignTime(6, GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter));
|
pX509Cert->AssignTime(6, GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter));
|
||||||
|
|
@ -172,6 +172,16 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f)
|
||||||
|
|
||||||
pX509Cert->Assign(7, buf);
|
pX509Cert->Assign(7, buf);
|
||||||
|
|
||||||
|
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
|
||||||
|
i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm);
|
||||||
|
#else
|
||||||
|
const X509_ALGOR* sigalg = X509_get0_tbs_sigalg(ssl_cert);
|
||||||
|
i2a_ASN1_OBJECT(bio, sigalg->algorithm);
|
||||||
|
#endif
|
||||||
|
len = BIO_gets(bio, buf, sizeof(buf));
|
||||||
|
pX509Cert->Assign(13, make_intrusive<StringVal>(len, buf));
|
||||||
|
BIO_free(bio);
|
||||||
|
|
||||||
// Special case for RDP server certificates. For some reason some (all?) RDP server
|
// Special case for RDP server certificates. For some reason some (all?) RDP server
|
||||||
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
|
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
|
||||||
// is wrong on so many levels. We catch this special case here and set it to what is
|
// is wrong on so many levels. We catch this special case here and set it to what is
|
||||||
|
|
|
||||||
|
|
@ -26,8 +26,8 @@ opaque of sha256
|
||||||
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
|
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
|
||||||
============ X509
|
============ X509
|
||||||
opaque of x509
|
opaque of x509
|
||||||
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
|
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
|
||||||
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
|
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
|
||||||
============ Entropy
|
============ Entropy
|
||||||
opaque of entropy
|
opaque of entropy
|
||||||
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
|
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
|
||||||
|
|
|
||||||
|
|
@ -19,8 +19,8 @@
|
||||||
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
|
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
|
||||||
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
|
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
|
||||||
============ X509
|
============ X509
|
||||||
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
|
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
|
||||||
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
|
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
|
||||||
============ Entropy
|
============ Entropy
|
||||||
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
|
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
|
||||||
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
|
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,13 @@
|
||||||
|
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||||
|
#separator \x09
|
||||||
|
#set_separator ,
|
||||||
|
#empty_field (empty)
|
||||||
|
#unset_field -
|
||||||
|
#path x509
|
||||||
|
#open XXXX-XX-XX-XX-XX-XX
|
||||||
|
#fields ts fingerprint certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve certificate.tbs_sig_alg san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert
|
||||||
|
#types time string count string string string time time string string string count string string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool
|
||||||
|
XXXXXXXXXX.XXXXXX 69a61a3b69be6ee7d371de18396003367811069a652a6eb7c0ccb49da72eb842 3 38C175340AF8A2D022A32CD075EBD0F6 CN=lilawelt.net,C=US CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - sha256WithRSAEncryption lilawelt.net - - - F - T F
|
||||||
|
XXXXXXXXXX.XXXXXX 41a235ab60f0643e752a2db4e914d68c0542167de9ca28df25fd79a693c29072 3 38F645C1E25D912CCE3B2B391231740D CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - sha256WithRSAEncryption - - - - T 0 F F
|
||||||
|
XXXXXXXXXX.XXXXXX ce7e10b3ea550920c2be9d391cb7823a7e8f5bfcd3f13c7e11066a190e5b852d 3 19C28530E93B36 CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 4096 65537 - sha256WithRSAEncryption - - - - T 2 F F
|
||||||
|
#close XXXX-XX-XX-XX-XX-XX
|
||||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
6
testing/btest/scripts/base/files/x509/tbs_sig_alg.test
Normal file
6
testing/btest/scripts/base/files/x509/tbs_sig_alg.test
Normal file
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Tests that the tbs_sig_alg field of a certificate is succesfully parsed
|
||||||
|
|
||||||
|
# @TEST-EXEC: zeek -b -r $TRACES/tls/certificate-with-sct.pcap base/protocols/ssl %INPUT
|
||||||
|
# @TEST-EXEC: btest-diff x509.log
|
||||||
|
|
||||||
|
redef record X509::Certificate$tbs_sig_alg += { &log };
|
||||||
Loading…
Add table
Add a link
Reference in a new issue