Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-11 19:18:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Pull signed_certificate_timestamp into a separate pac file.

Browse source 
That allows us to use the same code to parse the signed certificate
timestamp X.509 extension in the X.509 file analyzer.
This commit is contained in:
Johanna Amann 2017-02-07 10:43:45 -08:00
parent 3882ba6fbf
commit a51ee9e155
2 changed files with 24 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

19
src/analyzer/protocol/ssl/tls-handshake-protocol.pac
View file

@ -491,24 +491,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
};
} &length=data_len+4 &exportsourcedata;
type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
length: uint16;
SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
} &length=length+2;
type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
# before - framing
length: uint16;
# from here: SignedCertificateTimestamp
version: uint8;
logid: bytestring &length=32;
timestamp: uint64;
extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
extensions: bytestring &length=extensions_length;
digitally_signed_algorithms: SignatureAndHashAlgorithm;
digitally_signed_signature_length: uint16;
digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
} &length=length+2;
%include tls-handshake-signed_certificate_timestamp.pac
type ServerNameHostName() = record {
length: uint16;

23
src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac Normal file
View file

@ -0,0 +1,23 @@
# We keep this extension separate, because it also can be included in X.509 certificates.
# If included there, it uses the exact same syntax and we just symlink it from the X.509
# file analyzer tree.
type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
length: uint16;
SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
} &length=length+2;
type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
# before - framing
length: uint16;
# from here: SignedCertificateTimestamp
version: uint8;
logid: bytestring &length=32;
timestamp: uint64;
extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
extensions: bytestring &length=extensions_length;
digitally_signed_algorithms: SignatureAndHashAlgorithm;
digitally_signed_signature_length: uint16;
digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
} &length=length+2;