Merge remote-tracking branch 'origin/topic/johanna/gh-4521'

* origin/topic/johanna/gh-4521:
  Change x509 not_before/not_after to not be based on local timezone

CHANGES

@@ -1,3 +1,14 @@
+8.0.0-dev.443 | 2025-06-18 13:27:06 +0100
+
+  * Change x509 not_before/not_after to not be based on local timezone (Johanna Amann, Corelight)
+
+    Not the not_before/not_after fields output GMT based times.
+
+    Also adds a new btest diff canonifier which only removes the first
+    timestamp in a line.
+
+  * Mark ZeekString vector helper methods deprecated (Tim Wojtulewicz, Corelight)
+
 8.0.0-dev.439 | 2025-06-18 13:12:59 +0200
 
   * Enable Spicy SSL analyzer in nightly CI job against Spicy `HEAD` (Benjamin Bannier, Corelight)

NEWS

@@ -162,6 +162,12 @@ Changed Functionality
 - Running Zeek with Zeekygen for documentation extraction (-X|--zeekygen
   <cfgfile>) now implies -a, i.e., parse-only mode.
 
+- The `not_valid_before` and `not_valid_after` times of X509 certificates are
+  now logged as GMT timestamps. Before, they were logged as local times; thus
+  the output was dependent on the timezone that your system is set to.
+  Similarly, the related events and the Zeek data structures all interpreted
+  times in X509 certificates as local times.
+
 Removed Functionality
 ---------------------
 

VERSION

@@ -1 +1 @@
-8.0.0-dev.439
+8.0.0-dev.443

src/file_analysis/analyzer/x509/X509Common.cc

@@ -151,7 +151,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File*
     lTime.tm_yday = 0;
     lTime.tm_isdst = 0; // No DST adjustment requested
 
-    lResult = mktime(&lTime);
+    lResult = timegm(&lTime);
 
     if ( lResult ) {
         if ( lTime.tm_isdst != 0 )

testing/btest/Baseline/scripts.base.files.x509.1999/x509.log

@@ -7,7 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fingerprint	certificate.version	certificate.serial	certificate.subject	certificate.issuer	certificate.not_valid_before	certificate.not_valid_after	certificate.key_alg	certificate.sig_alg	certificate.key_type	certificate.key_length	certificate.exponent	certificate.curve	san.dns	san.uri	san.email	san.ip	basic_constraints.ca	basic_constraints.path_len	host_cert	client_cert
 #types	time	string	count	string	string	string	time	time	string	string	string	count	string	string	vector[string]	vector[string]	vector[string]	vector[addr]	bool	count	bool	bool
-XXXXXXXXXX.XXXXXX	e0129ac9d82beb2ad399c85a2d246c0a5376e1094a5410ba9157cc42c3d514c1	3	339D9ED8E73927C9	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	imap.gmx.net,imap.gmx.de	-	-	-	F	-	T	F
-XXXXXXXXXX.XXXXXX	3c80fe6e6a70e12fae2e7c7b289420f10a69e80dcc88847bb9836ff14a20f872	3	21B6777E8CBD0EA8	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
-XXXXXXXXXX.XXXXXX	b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3	3	26	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	XXXXXXXXXX.XXXXXX	XXXXXXXXXX.XXXXXX	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	5	F	F
+XXXXXXXXXX.XXXXXX	e0129ac9d82beb2ad399c85a2d246c0a5376e1094a5410ba9157cc42c3d514c1	3	339D9ED8E73927C9	CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	1384251451.000000	1479427199.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	imap.gmx.net,imap.gmx.de	-	-	-	F	-	T	F
+XXXXXXXXXX.XXXXXX	3c80fe6e6a70e12fae2e7c7b289420f10a69e80dcc88847bb9836ff14a20f872	3	21B6777E8CBD0EA8	CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	1362146309.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	0	F	F
+XXXXXXXXXX.XXXXXX	b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3	3	26	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE	931522260.000000	1562716740.000000	rsaEncryption	sha1WithRSAEncryption	rsa	2048	65537	-	-	-	-	-	T	5	F	F
 #close XXXX-XX-XX-XX-XX-XX

testing/btest/scripts/base/files/x509/1999.test

@@ -1,5 +1,5 @@
 # Test that the timestamp of a pre-y-2000 certificate is correctly parsed
 
 # @TEST-EXEC: zeek -b -r $TRACES/tls/telesec.pcap base/protocols/ssl
-# @TEST-EXEC: btest-diff x509.log
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-first-timestamp btest-diff x509.log
 

testing/scripts/diff-remove-first-timestamp

@@ -0,0 +1,5 @@
+#! /usr/bin/env bash
+#
+# Replace the first timestamp in a line with XXXs (including the #start/end markers in logs).
+
+sed -E -e 's/(^|[^0-9])([0-9]{9,10}\.[0-9]{1,8})/\1XXXXXXXXXX.XXXXXX/' -e 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/'