Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Change x509 not_before/not_after to not be based on local timezone

Browse source 
Not the not_before/not_after fields output GMT based times.

Also adds a new btest diff canonifier which only removes the first
timestamp in a line.

Fixes GH-4521
This commit is contained in:
Johanna Amann 2025-06-04 12:55:14 +01:00
parent 19f2621f7b
commit e797e15d38
5 changed files with 16 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

6
NEWS
View file

@ -162,6 +162,12 @@ Changed Functionality
- Running Zeek with Zeekygen for documentation extraction (-X|--zeekygen - Running Zeek with Zeekygen for documentation extraction (-X|--zeekygen
<cfgfile>) now implies -a, i.e., parse-only mode. <cfgfile>) now implies -a, i.e., parse-only mode.
- The `not_valid_before` and `not_valid_after` times of X509 certificates are
now logged as GMT timestamps. Before, they were logged as local times; thus
the output was dependent on the timezone that your system is set to.
Similarly, the related events and the Zeek data structures all interpreted
times in X509 certificates as local times.
Removed Functionality Removed Functionality
--------------------- ---------------------

2
src/file_analysis/analyzer/x509/X509Common.cc
View file

@ -151,7 +151,7 @@ double X509Common::GetTimeFromAsn1(const ASN1_TIME* atime, file_analysis::File*
lTime.tm_yday = 0; lTime.tm_yday = 0;
lTime.tm_isdst = 0; // No DST adjustment requested lTime.tm_isdst = 0; // No DST adjustment requested
lResult = mktime(&lTime); lResult = timegm(&lTime);
if ( lResult ) { if ( lResult ) {
if ( lTime.tm_isdst != 0 ) if ( lTime.tm_isdst != 0 )

6
testing/btest/Baseline/scripts.base.files.x509.1999/x509.log
View file

@ -7,7 +7,7 @@
#open XXXX-XX-XX-XX-XX-XX #open XXXX-XX-XX-XX-XX-XX
#fields ts fingerprint certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert #fields ts fingerprint certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len host_cert client_cert
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool #types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count bool bool
XXXXXXXXXX.XXXXXX e0129ac9d82beb2ad399c85a2d246c0a5376e1094a5410ba9157cc42c3d514c1 3 339D9ED8E73927C9 CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - imap.gmx.net,imap.gmx.de - - - F - T F XXXXXXXXXX.XXXXXX e0129ac9d82beb2ad399c85a2d246c0a5376e1094a5410ba9157cc42c3d514c1 3 339D9ED8E73927C9 CN=imap.gmx.net,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE 1384251451.000000 1479427199.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - imap.gmx.net,imap.gmx.de - - - F - T F
XXXXXXXXXX.XXXXXX 3c80fe6e6a70e12fae2e7c7b289420f10a69e80dcc88847bb9836ff14a20f872 3 21B6777E8CBD0EA8 CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F XXXXXXXXXX.XXXXXX 3c80fe6e6a70e12fae2e7c7b289420f10a69e80dcc88847bb9836ff14a20f872 3 21B6777E8CBD0EA8 CN=TeleSec ServerPass DE-1,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=NRW,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 1362146309.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0 F F
XXXXXXXXXX.XXXXXX b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3 3 26 CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE XXXXXXXXXX.XXXXXX XXXXXXXXXX.XXXXXX rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 5 F F XXXXXXXXXX.XXXXXX b6191a50d0c3977f7da99bcdaac86a227daeb9679ec70ba3b0c9d92271c170d3 3 26 CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE CN=Deutsche Telekom Root CA 2,OU=T-TeleSec Trust Center,O=Deutsche Telekom AG,C=DE 931522260.000000 1562716740.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 5 F F
#close XXXX-XX-XX-XX-XX-XX #close XXXX-XX-XX-XX-XX-XX

2
testing/btest/scripts/base/files/x509/1999.test
View file

@ -1,5 +1,5 @@
# Test that the timestamp of a pre-y-2000 certificate is correctly parsed # Test that the timestamp of a pre-y-2000 certificate is correctly parsed
# @TEST-EXEC: zeek -b -r $TRACES/tls/telesec.pcap base/protocols/ssl # @TEST-EXEC: zeek -b -r $TRACES/tls/telesec.pcap base/protocols/ssl
# @TEST-EXEC: btest-diff x509.log # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-first-timestamp btest-diff x509.log

5
testing/scripts/diff-remove-first-timestamp Executable file
View file

@ -0,0 +1,5 @@
#! /usr/bin/env bash
#
# Replace the first timestamp in a line with XXXs (including the #start/end markers in logs).
sed -E -e 's/(^|[^0-9])([0-9]{9,10}\.[0-9]{1,8})/\1XXXXXXXXXX.XXXXXX/' -e 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/'