Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

X.509: expose the signature type inside the tbs certificate

Browse source 
This change exposes the signature tyope inside the signed portion of an
X.509 certificate. In the past, we only exposed the signature type that
is contained inside the signature, which is outside the signed portion
of the X.509 certificate.

In theory, both signature fields should have the same value; it is,
however, possible to encode differing values in both fields. The new
field is not logged by default.
This commit is contained in:
Johanna Amann 2023-02-28 15:45:20 +00:00
parent 097771229c
commit 989e9c29d2
9 changed files with 183 additions and 150 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -55,6 +55,9 @@ New Functionality
verbose output in JSON format about the repository state and any included
plugins.
- The X.509 certificate parser now exposes the signature type that is given inside
the signed portion of the certificate.
Changed Functionality
---------------------

1
scripts/base/init-bare.zeek
View file

@ -4394,6 +4394,7 @@ export {
key_length: count &optional &log; ##< Key length in bits
exponent: string &optional &log; ##< Exponent, if RSA-certificate
curve: string &optional &log; ##< Curve, if EC-certificate
tbs_sig_alg: string; ##< Name of the signature algorithm given inside the tbsCertificate. Should be equivalent to `sig_alg`.
};
type Extension: record {

12
src/file_analysis/analyzer/x509/X509.cc
View file

@ -157,7 +157,7 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f)
X509_NAME_print_ex(bio, X509_get_issuer_name(ssl_cert), 0, XN_FLAG_RFC2253);
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(3, make_intrusive<StringVal>(len, buf));
BIO_free(bio);
BIO_reset(bio);
pX509Cert->AssignTime(5, GetTimeFromAsn1(X509_get_notBefore(ssl_cert), f, reporter));
pX509Cert->AssignTime(6, GetTimeFromAsn1(X509_get_notAfter(ssl_cert), f, reporter));
@ -172,6 +172,16 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f)
pX509Cert->Assign(7, buf);
#if ( OPENSSL_VERSION_NUMBER < 0x10100000L )
i2a_ASN1_OBJECT(bio, ssl_cert->sig_alg->algorithm);
#else
const X509_ALGOR* sigalg = X509_get0_tbs_sigalg(ssl_cert);
i2a_ASN1_OBJECT(bio, sigalg->algorithm);
#endif
len = BIO_gets(bio, buf, sizeof(buf));
pX509Cert->Assign(13, make_intrusive<StringVal>(len, buf));
BIO_free(bio);
// Special case for RDP server certificates. For some reason some (all?) RDP server
// certificates like to specify their key algorithm as md5WithRSAEncryption, which
// is wrong on so many levels. We catch this special case here and set it to what is

4
testing/btest/Baseline/broker.opaque/out
View file

@ -26,8 +26,8 @@ opaque of sha256
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
============ X509
opaque of x509
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
============ Entropy
opaque of entropy
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]

4
testing/btest/Baseline/language.copy-all-opaques/out
View file

@ -19,8 +19,8 @@
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
25b6746d5172ed6352966a013d93ac846e1110d5a25e8f183b5931f4688842a1
============ X509
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
[version=3, serial=040000000001154B5AC394, subject=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, issuer=CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE, cn=GlobalSign Root CA, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha1WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>, tbs_sig_alg=sha1WithRSAEncryption]
============ Entropy
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]
[entropy=4.715374, chi_square=591.981818, mean=75.472727, monte_carlo_pi=4.0, serial_correlation=-0.11027]

13
testing/btest/Baseline/scripts.base.files.x509.tbs_sig_alg/x509.log Normal file
View file

@ -0,0 +1,13 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open XXXX-XX-XX-XX-XX-XX
#fields ts fingerprint certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve certificate.tbs_sig_alg san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert
#types time string count string string string time time string string string count string string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool
XXXXXXXXXX.XXXXXX 69a61a3b69be6ee7d371de18396003367811069a652a6eb7c0ccb49da72eb842 3 38C175340AF8A2D022A32CD075EBD0F6 CN=lilawelt.net,C=US CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - sha256WithRSAEncryption lilawelt.net - - - F - T F
XXXXXXXXXX.XXXXXX 41a235ab60f0643e752a2db4e914d68c0542167de9ca28df25fd79a693c29072 3 38F645C1E25D912CCE3B2B391231740D CN=WoSign CA Free SSL Certificate G2,O=WoSign CA Limited,C=CN CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 2048 65537 - sha256WithRSAEncryption - - - - T 0 F F
XXXXXXXXXX.XXXXXX ce7e10b3ea550920c2be9d391cb7823a7e8f5bfcd3f13c7e11066a190e5b852d 3 19C28530E93B36 CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha256WithRSAEncryption rsa 4096 65537 - sha256WithRSAEncryption - - - - T 2 F F
#close XXXX-XX-XX-XX-XX-XX

84
testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
View file

File diff suppressed because one or more lines are too long

206
testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
View file

File diff suppressed because one or more lines are too long

6
testing/btest/scripts/base/files/x509/tbs_sig_alg.test Normal file
View file

@ -0,0 +1,6 @@
# Tests that the tbs_sig_alg field of a certificate is succesfully parsed
# @TEST-EXEC: zeek -b -r $TRACES/tls/certificate-with-sct.pcap base/protocols/ssl %INPUT
# @TEST-EXEC: btest-diff x509.log
redef record X509::Certificate$tbs_sig_alg += { &log };