From a51ee9e1555381e252ea4c26066c67ce93b3ad4b Mon Sep 17 00:00:00 2001
From: Johanna Amann
Date: Tue, 7 Feb 2017 10:43:45 -0800
Subject: [PATCH] Pull signed_certificate_timestamp into a separate pac file. That allows us to use the same code to parse the signed certificate timestamp X.509 extension in the X.509 file analyzer.
---
.../protocol/ssl/tls-handshake-protocol.pac | 19 +--------------
...handshake-signed_certificate_timestamp.pac | 23 +++++++++++++++++++
2 files changed, 24 insertions(+), 18 deletions(-)
create mode 100644 src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
diff --git a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
index 65da41e0db..1f3d418717 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-protocol.pac
@@ -491,24 +491,7 @@ type SSLExtension(rec: HandshakeRecord) = record {
 };
 } &length=data_len+4 &exportsourcedata;

-type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
- length: uint16;
- SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
-} &length=length+2;
-
-type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
- # before - framing
- length: uint16;
- # from here: SignedCertificateTimestamp
- version: uint8;
- logid: bytestring &length=32;
- timestamp: uint64;
- extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
- extensions: bytestring &length=extensions_length;
- digitally_signed_algorithms: SignatureAndHashAlgorithm;
- digitally_signed_signature_length: uint16;
- digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
-} &length=length+2;
+%include tls-handshake-signed_certificate_timestamp.pac

 type ServerNameHostName() = record {
 length: uint16;
diff --git a/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
new file mode 100644
index 0000000000..ad9b9d5651
--- /dev/null
+++ b/src/analyzer/protocol/ssl/tls-handshake-signed_certificate_timestamp.pac
@@ -0,0 +1,23 @@
+# We keep this extension separate, because it also can be included in X.509 certificates.
+# If included there, it uses the exact same syntax and we just symlink it from the X.509
+# file analyzer tree.
+
+type SignedCertificateTimestampList(rec: HandshakeRecord) = record {
+ length: uint16;
+ SCTs: SignedCertificateTimestamp(rec)[] &until($input.length() == 0);
+} &length=length+2;
+
+type SignedCertificateTimestamp(rec: HandshakeRecord) = record {
+ # before - framing
+ length: uint16;
+ # from here: SignedCertificateTimestamp
+ version: uint8;
+ logid: bytestring &length=32;
+ timestamp: uint64;
+ extensions_length: uint16; # extensions are not actually defined yet, so we cannot parse them
+ extensions: bytestring &length=extensions_length;
+ digitally_signed_algorithms: SignatureAndHashAlgorithm;
+ digitally_signed_signature_length: uint16;
+ digitally_signed_signature: bytestring &length=digitally_signed_signature_length;
+} &length=length+2;
+
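Review bot: The header comment of the new file says it is shared with the X.509 file analyzer, yet both records take `rec: HandshakeRecord` and `SignedCertificateTimestamp` uses `SignatureAndHashAlgorithm`, and neither type is defined in this file, so every tree that includes or symlinks it has to provide both names. I would state that in the header, e.g. `# Requires HandshakeRecord and SignatureAndHashAlgorithm to be defined by the including analyzer.` Separately, `version` is parsed but the fixed layout after it (32-byte `logid`, `timestamp`, extensions, signature) is applied whatever its value, so an SCT carrying a different version would presumably be decoded as if it had this layout; a comment on that field such as `# layout below is only valid for the SCT version this was written for; check version before trusting the other fields` would warn script authors. The inner length fields are bounded only by the enclosing `&length=length+2`, which looks sufficient to stop reads past the record, but that is worth confirming once the X.509 side feeds certificate-controlled bytes into the same grammar.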