SCT: pass timestamp as uint64 instead of time

For verification, we need the exact uint64 as it was seen on the wire; converting it to a double might mean that we loose precision.
2025-10-04 07:38:19 +00:00 · 2017-03-16 18:18:39 -07:00 · 2017-03-16 18:18:39 -07:00 · d50bddfbfb
commit d50bddfbfb
parent dcf4907857
6 changed files with 12 additions and 10 deletions
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -238,13 +238,14 @@ event ssl_extension_server_name%(c: connection, is_orig: bool, names: string_vec
 ##
 ## logid: 32 bit key id
 ##
-## timestamp: the current NTP Time
+## timestamp: the NTP Time when the entry was logged measured since
 ##            the epoch, ignoring leap seconds, in milliseconds.
 ##
 ## signature_and_hashalgorithm: signature and hash algorithm used for the
 ##                              digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
-event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
+event ssl_extension_signed_certificate_timestamp%(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string%);
 ## Generated at the end of an SSL/TLS handshake. SSL/TLS sessions start with
 ## an unencrypted handshake, and Bro extracts as much information out of that
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@ -259,7 +259,7 @@ refine connection Handshake_Conn += {
 			bro_analyzer()->Conn(), ${rec.is_orig},
 			version,
 			new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
-			((double)timestamp)/1000,
+			timestamp,
 			ha,
 			new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
 		);
--- a/src/file_analysis/analyzer/x509/events.bif
+++ b/src/file_analysis/analyzer/x509/events.bif
@ -67,10 +67,11 @@ event x509_ext_subject_alternative_name%(f: fa_file, ext: X509::SubjectAlternati
 ##
 ## logid: 32 bit key id
 ##
-## timestamp: the timestamp of the sct
+## timestamp: the NTP Time when the entry was logged measured since
 ##            the epoch, ignoring leap seconds, in milliseconds.
 ##
 ## signature_and_hashalgorithm: signature and hash algorithm used for the
 ##                              digitally_signed struct
 ##
 ## signature: signature part of the digitally_signed struct
-event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string%);
+event x509_ocsp_ext_signed_certificate_timestamp%(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string%);
--- a/src/file_analysis/analyzer/x509/x509-extension.pac
+++ b/src/file_analysis/analyzer/x509/x509-extension.pac
@ -39,7 +39,7 @@ refine connection MockConnection += {
 			bro_analyzer()->GetFile()->GetVal()->Ref(),
 			version,
 			new StringVal(logid.length(), reinterpret_cast<const char*>(logid.begin())),
-			((double)timestamp)/1000,
+			timestamp,
 			digitally_signed_algorithms->HashAlgorithm(),
 			digitally_signed_algorithms->SignatureAlgorithm(),
 			new StringVal(digitally_signed_signature.length(), reinterpret_cast<const char*>(digitally_signed_signature.begin()))
--- a/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/files/x509/signed_certificate_timestamp.test
@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/certificate-with-sct.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
-event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: time, hash_algorithm: count, signature_algorithm: count, signature: string)
+event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
 	{
-	print version, SSL::ct_logs[logid]$description, timestamp, hash_algorithm, signature_algorithm;
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
 	}
--- a/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
+++ b/testing/btest/scripts/base/protocols/ssl/signed_certificate_timestamp.test
@ -1,7 +1,7 @@
 # @TEST-EXEC: bro -r $TRACES/tls/signed_certificate_timestamp.pcap %INPUT
 # @TEST-EXEC: btest-diff .stdout
-event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: time, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
+event ssl_extension_signed_certificate_timestamp(c: connection, is_orig: bool, version: count, logid: string, timestamp: count, signature_and_hashalgorithm: SSL::SignatureAndHashAlgorithm, signature: string)
 	{
-	print version, SSL::ct_logs[logid]$description, timestamp, signature_and_hashalgorithm;
+	print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), signature_and_hashalgorithm;
 	}