diff --git a/NEWS b/NEWS index a28285dae8..485bff0a78 100644 --- a/NEWS +++ b/NEWS @@ -162,6 +162,12 @@ Changed Functionality - Running Zeek with Zeekygen for documentation extraction (-X|--zeekygen ) now implies -a, i.e., parse-only mode. +- The `not_valid_before` and `not_valid_after` times of X509 certificates are + now logged as GMT timestamps. Before, they were logged as local times; thus + the output was dependent on the timezone that your system is set to. + Similarly, the related events and the Zeek data structures all interpreted + times in X509 certificates as local times. + Removed Functionality --------------------- diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc index a1ed4f6d91..f630ec3ee0 100644 --- a/src/file_analysis/analyzer/x509/X509Common.cc +++ b/src/file_analysis/analyzer/x509/X509Common.cc @@ -151,7 +151,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File* lTime.tm_yday = 0; lTime.tm_isdst = 0; // No DST adjustment requested - lResult = mktime(&lTime); + lResult = timegm(&lTime); if ( lResult ) { if ( lTime.tm_isdst != 0 ) diff --git a/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log b/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log index 55c4947967..70ff9a4ca7 100644 --- a/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log +++ b/testing/btest/Baseline/scripts.base.files.x509.1999/x509.log @@ -7,7 +7,7 @@ #open XXXX-XX-XX-XX-XX-XX #fields ts fingerprint certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert #types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool -XXXXXXXXXX.XXXXXX e0129ac9d82beb2ad399c85a2d246c0a5376e1094a5410ba9157cc42c3d514c1 3 339D9ED8E73927C9 CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - imap.gmx.net,imap.gmx.de - - - F - T F -XXXXXXXXXX.XXXXXX 3c80fe6e6a70e12fae2e7c7b289420f10a69e80dcc88847bb9836ff14a20f872 3 21B6777E8CBD0EA8 CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F -XXXXXXXXXX.XXXXXX b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3 3 26 CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 5 F F +XXXXXXXXXX.XXXXXX e0129ac9d82beb2ad399c85a2d246c0a5376e1094a5410ba9157cc42c3d514c1 3 339D9ED8E73927C9 CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE 1384251451.000000 1479427199.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - imap.gmx.net,imap.gmx.de - - - F - T F +XXXXXXXXXX.XXXXXX 3c80fe6e6a70e12fae2e7c7b289420f10a69e80dcc88847bb9836ff14a20f872 3 21B6777E8CBD0EA8 CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 1362146309.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F +XXXXXXXXXX.XXXXXX b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3 3 26 CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 931522260.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 5 F F #close XXXX-XX-XX-XX-XX-XX diff --git a/testing/btest/scripts/base/files/x509/1999.test b/testing/btest/scripts/base/files/x509/1999.test index 3ea1ea36ad..0d8902facc 100644 --- a/testing/btest/scripts/base/files/x509/1999.test +++ b/testing/btest/scripts/base/files/x509/1999.test @@ -1,5 +1,5 @@ # Test that the timestamp of a pre-y-2000 certificate is correctly parsed # @TEST-EXEC: zeek -b -r $TRACES/tls/telesec.pcap base/protocols/ssl -# @TEST-EXEC: btest-diff x509.log +# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-first-timestamp btest-diff x509.log diff --git a/testing/scripts/diff-remove-first-timestamp b/testing/scripts/diff-remove-first-timestamp new file mode 100755 index 0000000000..b8137fd8d3 --- /dev/null +++ b/testing/scripts/diff-remove-first-timestamp @@ -0,0 +1,5 @@ +#! /usr/bin/env bash +# +# Replace the first timestamp in a line with XXXs (including the #start/end markers in logs). + +sed -E -e 's/(^|[^0-9])([0-9]{9,10}\.[0-9]{1,8})/\1XXXXXXXXXX.XXXXXX/' -e 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/'