diff --git a/src/analyzer/protocol/ssl/events.bif b/src/analyzer/protocol/ssl/events.bif
index 5f0e0c4557..721fcd249c 100644
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@@ -238,13 +238,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ##
 ## logid: 32 bit key id
 ##
-## timestamp: the current NTP Time
+## timestamp: the NTP Time when the entry was logged measured since
+## the epoch, ignoring leap seconds, in milliseconds.
 ##
 ## signature_and_hashalgorithm: signature and hash algorithm used for the
 ## digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
-event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
+event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 6882e48cbb..d7ccef45b6 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -259,7 +259,7 @@ refine connection Handshake_Conn += {
 bro_analyzer()->Conn(), ${rec.is_orig},
 version,
 new StringVal(logid.length(), reinterpret_cast(logid.begin())),
- ((double)timestamp)/1000,
+ timestamp,
 ha,
 new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin()))
 );
diff --git a/src/file_analysis/analyzer/x509/events.bif b/src/file_analysis/analyzer/x509/events.bif
index f8084fa864..206555e9dd 100644
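Review bot: The new `timestamp` comment in src/analyzer/protocol/ssl/events.bif gives the unit but does not tell a handler author how to get back the `time` value the event used to deliver, and any existing handler that still declares `timestamp: time` will no longer match the event's declared type. I would add a line such as `## Use double_to_time(timestamp/1000.0) to obtain a time value.` under the new text and mention the signature change in the release notes. It is also worth stating why the raw count is kept: presumably the exact 64-bit millisecond value is what the SCT signature covers, so a script that wants to check the signature cannot work from a rounded double. The same comment is added in src/file_analysis/analyzer/x509/events.bif and needs the same sentence.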
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@@ -67,10 +67,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati
 ##
 ## logid: 32 bit key id
 ##
-## timestamp: the timestamp of the sct
+## timestamp: the NTP Time when the entry was logged measured since
+## the epoch, ignoring leap seconds, in milliseconds.
 ##
 ## signature_and_hashalgorithm: signature and hash algorithm used for the
 ## digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
-event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%);
+event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%);
diff --git a/src/file_analysis/analyzer/x509/x509-extension.pac b/src/file_analysis/analyzer/x509/x509-extension.pac
index e77a82307a..937706fd3b 100644
--- a/src/file_analysis/analyzer/x509/x509-extension.pac
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@@ -39,7 +39,7 @@ refine connection MockConnection += {
 bro_analyzer()->GetFile()->GetVal()->Ref(),
 version,
 new StringVal(logid.length(), reinterpret_cast(logid.begin())),
- ((double)timestamp)/1000,
+ timestamp,
 digitally_signed_algorithms->HashAlgorithm(),
 digitally_signed_algorithms->SignatureAlgorithm(),
 new StringVal(digitally_signed_signature.length(), reinterpret_cast(digitally_signed_signature.begin()))
diff --git a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
index 5b4c02dd01..c0fe06d4d3 100644
--- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
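Review bot: The parameter documentation above `x509_ocsp_ext_signed_certificate_timestamp` in src/file_analysis/analyzer/x509/events.bif describes a `signature_and_hashalgorithm` argument, but the event takes `hash_algorithm: count` and `signature_algorithm: count`. Since this commit already edits the block, the two should be documented under their real names, e.g. `## hash_algorithm: hash algorithm used for the digitally_signed struct` and `## signature_algorithm: signature algorithm used for the digitally_signed struct`. The context line `## logid: 32 bit key id` also looks wrong here and in ssl/events.bif: RFC 6962 defines the log id as a 32-byte value (the SHA-256 hash of the log's public key), which matters to anyone indexing a table such as `SSL::ct_logs` by it. Both lines are unchanged context, so this is a follow-up to the comment edit rather than something the commit introduces.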
@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
-event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string)
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
 {
- print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm;
+ print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
 }
diff --git a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
index bcc0a87637..d0eaacd096 100644
--- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
@@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
-event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
 {
- print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm;
+ print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
 }
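Review bot: Both tests convert the new count straight back with `double_to_time(timestamp/1000.0)` before printing, so the baseline exercises only the rounded value and nothing pins the exact millisecond count that the event now carries. Printing the raw value as well, `print version, SSL::ct_logs[logid]$description, timestamp, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;` in the x509 test and the equivalent line in the ssl test, would catch a regression in the analyzer's integer path. The .stdout baselines would then need regenerating; no baseline file is visible in this diff. `SSL::ct_logs[logid]` is indexed without an `in` check, which is acceptable for a fixed trace but would stop the handler with a runtime error if the log list ever dropped that entry.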