SSL/TLS: Parse CertificateRequest message

This commit introduces parsing of the CertificateRequest message in the TLS handshake. It introduces a new event ssl_certificate_request, as well as a new function parse_distinguished_name, which can be used to parse part of the ssl_certificate_request event parameters. This commit also introduces a new policy script, which appends information about the CAs a TLS server requests in the CertificateRequest message, if it sends it.
2025-10-08 01:28:20 +00:00 · 2023-03-09 08:20:50 +01:00 · 2023-03-09 08:20:50 +01:00 · b56b856da9
commit b56b856da9
parent b73dda5cff
17 changed files with 221 additions and 4 deletions
--- a/testing/btest/Baseline/bifs.x509_parse_dn/.stdout
+++ b/testing/btest/Baseline/bifs.x509_parse_dn/.stdout
@ -0,0 +1,5 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+CN=certauth.idrix.fr
+
+CN=Senate PIV-I CA G4,OU=Office of the Sergeant at Arms,OU=U.S. Senate,O=U.S. Government,C=US
+OU=\E3\82\A2\E3\83\97\E3\83\AA\E3\82\B1\E3\83\BC\E3\82\B7\E3\83\A7\E3\83\B3CA,O=\E6\97\A5\E6\9C\AC\E5\9B\BD\E6\94\BF\E5\BA\9C,C=JP
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.certificate_request/out
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.certificate_request/out
@ -0,0 +1,15 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[1, 2, 64]
+[[HashAlgorithm=4, SignatureAlgorithm=3], [HashAlgorithm=5, SignatureAlgorithm=3], [HashAlgorithm=6, SignatureAlgorithm=3], [HashAlgorithm=8, SignatureAlgorithm=7], [HashAlgorithm=8, SignatureAlgorithm=8], [HashAlgorithm=8, SignatureAlgorithm=9], [HashAlgorithm=8, SignatureAlgorithm=10], [HashAlgorithm=8, SignatureAlgorithm=11], [HashAlgorithm=8, SignatureAlgorithm=4], [HashAlgorithm=8, SignatureAlgorithm=5], [HashAlgorithm=8, SignatureAlgorithm=6], [HashAlgorithm=4, SignatureAlgorithm=1], [HashAlgorithm=5, SignatureAlgorithm=1], [HashAlgorithm=6, SignatureAlgorithm=1], [HashAlgorithm=3, SignatureAlgorithm=3], [HashAlgorithm=3, SignatureAlgorithm=1], [HashAlgorithm=3, SignatureAlgorithm=2], [HashAlgorithm=4, SignatureAlgorithm=2], [HashAlgorithm=5, SignatureAlgorithm=2], [HashAlgorithm=6, SignatureAlgorithm=2]]
+========
+[1]
+[[HashAlgorithm=4, SignatureAlgorithm=1]]
+0H1\x0b0\x09\x06\x03U\x04\x06\x13\x02US1\x130\x11\x06\x03U\x04\x08\x0c\x0aSome-State1\x120\x10\x06\x03U\x04\x07\x0c\x09Somewhere1\x100\x0e\x06\x03U\x04\x0a\x0c\x07SomeOrg
+O=SomeOrg,L=Somewhere,ST=Some-State,C=US
+========
+[1, 64, 2]
+[]
+========
+[1, 2]
+[]
+========
--- a/testing/btest/Baseline/scripts.policy.protocols.ssl.certificate-request-info/ssl.log
+++ b/testing/btest/Baseline/scripts.policy.protocols.ssl.certificate-request-info/ssl.log
@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	ssl
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	version	cipher	curve	server_name	resumed	last_alert	next_protocol	established	ssl_history	cert_chain_fps	client_cert_chain_fps	sni_matches_cert	requested_client_certificate_authorities
+#types	time	string	addr	port	addr	port	string	string	string	string	bool	string	string	bool	string	vector[string]	vector[string]	bool	vector[string]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	fd42:496a:d659:bb85::1	52464	fd42:496a:d659:bb85:216:3eff:fe6a:a257	3000	TLSv12	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384	x25519	-	F	handshake_failure	-	F	CsxkrnXGIl	0a171ee771a26530c650fe8b8a6bf205177bfb64fbb3e5303ba348c13ffc7dfa,c628dd5aae1f216da6ce4f8f914fb7141c2b0afd3522cce5900bcc4840657bfd	(empty)	-	O=SomeOrg\x2cL=Somewhere\x2cST=Some-State\x2cC=US
+#close XXXX-XX-XX-XX-XX-XX
--- a/testing/btest/Traces/tls/certificate-request-failed.pcap
+++ b/testing/btest/Traces/tls/certificate-request-failed.pcap
--- a/testing/btest/Traces/tls/client-certificate.pcap
+++ b/testing/btest/Traces/tls/client-certificate.pcap
--- a/testing/btest/bifs/x509_parse_dn.zeek
+++ b/testing/btest/bifs/x509_parse_dn.zeek
@ -0,0 +1,10 @@
+# @TEST-EXEC: zeek -b %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event zeek_init()
+	{
+	print parse_distinguished_name("0\x1c1\x1a0\x18\x06\x03U\x04\x03\x13\x11certauth.idrix.fr");
+	print parse_distinguished_name("00000\x1c1\x1a0\x18\x06\x03U\x04\x03\x13\x11certauth.idrix.fr"); # invalid
+	print parse_distinguished_name("\x30\x81\x83\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x55\x53\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x13\x0F\x55\x2E\x53\x2E\x20\x47\x6F\x76\x65\x72\x6E\x6D\x65\x6E\x74\x31\x14\x30\x12\x06\x03\x55\x04\x0B\x13\x0B\x55\x2E\x53\x2E\x20\x53\x65\x6E\x61\x74\x65\x31\x27\x30\x25\x06\x03\x55\x04\x0B\x13\x1E\x4F\x66\x66\x69\x63\x65\x20\x6F\x66\x20\x74\x68\x65\x20\x53\x65\x72\x67\x65\x61\x6E\x74\x20\x61\x74\x20\x41\x72\x6D\x73\x31\x1B\x30\x19\x06\x03\x55\x04\x03\x13\x12\x53\x65\x6E\x61\x74\x65\x20\x50\x49\x56\x2D\x49\x20\x43\x41\x20\x47\x34");
+	print parse_distinguished_name("\x30\x4C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x4A\x50\x31\x18\x30\x16\x06\x03\x55\x04\x0A\x0C\x0F\xE6\x97\xA5\xE6\x9C\xAC\xE5\x9B\xBD\xE6\x94\xBF\xE5\xBA\x9C\x31\x23\x30\x21\x06\x03\x55\x04\x0B\x0C\x1A\xE3\x82\xA2\xE3\x83\x97\xE3\x83\xAA\xE3\x82\xB1\xE3\x83\xBC\xE3\x82\xB7\xE3\x83\xA7\xE3\x83\xB3\x43\x41\x30");
+	}
--- a/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek
+++ b/testing/btest/scripts/base/protocols/ssl/certificate_request.zeek
@ -0,0 +1,22 @@
+# This tests the certificate_request message parsing
+
+# @TEST-EXEC: zeek -b -r $TRACES/tls/client-certificate.pcap %INPUT > out
+# @TEST-EXEC: zeek -C -b -r $TRACES/tls/certificate-request-failed.pcap %INPUT >> out
+# @TEST-EXEC: zeek -C -b -r $TRACES/tls/webrtc-stun.pcap %INPUT >> out
+# @TEST-EXEC: zeek -C -b -r $TRACES/mysql/encrypted.trace %INPUT >> out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/ssl
+@load base/protocols/mysql
+
+event ssl_certificate_request(c: connection, is_client: bool, certificate_types: index_vec, supported_signature_algorithms: SSL::SignatureAndHashAlgorithm, certificate_authorities: string_vec)
+	{
+	print certificate_types;
+	print supported_signature_algorithms;
+	for ( i in certificate_authorities )
+		{
+		print certificate_authorities[i];
+		print parse_distinguished_name(certificate_authorities[i]);
+		}
+	print "========";
+	}
--- a/testing/btest/scripts/policy/protocols/ssl/certificate-request-info.zeek
+++ b/testing/btest/scripts/policy/protocols/ssl/certificate-request-info.zeek
@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -C -r $TRACES/tls/certificate-request-failed.pcap %INPUT
+# @TEST-EXEC: btest-diff ssl.log
+
+@load protocols/ssl/certificate-request-info
--- a/testing/external/commit-hash.zeek-testing
+++ b/testing/external/commit-hash.zeek-testing
@ -1 +1 @@
-ce420be749831180789003152320cadb6c8101e1
+0afa1572c003bceccb6fc10a4c7865e8777799c9
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-b78a6881733079ef5e17c4dea95a8a2566f8b3b8
+a35c14be50c65604d31d672166bd1fef2791e6e9