78 lines
10 KiB
Plaintext
78 lines
10 KiB
Plaintext
# @TEST-EXEC: zeek -b -r $TRACES/tls/certificate-with-sct.pcap %INPUT
|
|
# @TEST-EXEC: btest-diff .stdout
|
|
|
|
@load protocols/ssl/validate-certs
|
|
|
|
redef SSL::ssl_store_valid_chain = T;
|
|
|
|
# Test needs a certificate that has since been removed from root stores
|
|
redef SSL::root_certs += {
|
|
["CN=Certification Authority of WoSign,O=WoSign CA Limited,C=CN"] = "\x30\x82\x05\x76\x30\x82\x03\x5E\xA0\x03\x02\x01\x02\x02\x10\x5E\x68\xD6\x11\x71\x94\x63\x50\x56\x00\x68\xF3\x3E\xC9\xC5\x91\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x1E\x17\x0D\x30\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x17\x0D\x33\x39\x30\x38\x30\x38\x30\x31\x30\x30\x30\x31\x5A\x30\x55\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x43\x4E\x31\x1A\x30\x18\x06\x03\x55\x04\x0A\x13\x11\x57\x6F\x53\x69\x67\x6E\x20\x43\x41\x20\x4C\x69\x6D\x69\x74\x65\x64\x31\x2A\x30\x28\x06\x03\x55\x04\x03\x13\x21\x43\x65\x72\x74\x69\x66\x69\x63\x61\x74\x69\x6F\x6E\x20\x41\x75\x74\x68\x6F\x72\x69\x74\x79\x20\x6F\x66\x20\x57\x6F\x53\x69\x67\x6E\x30\x82\x02\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x02\x0F\x00\x30\x82\x02\x0A\x02\x82\x02\x01\x00\xBD\xCA\x8D\xAC\xB8\x91\x15\x56\x97\x7B\x6B\x5C\x7A\xC2\xDE\x6B\xD9\xA1\xB0\xC3\x10\x23\xFA\xA7\xA1\xB2\xCC\x31\xFA\x3E\xD9\xA6\x29\x6F\x16\x3D\xE0\x6B\xF8\xB8\x40\x5F\xDB\x39\xA8\x00\x7A\x8B\xA0\x4D\x54\x7D\xC2\x22\x78\xFC\x8E\x09\xB8\xA8\x85\xD7\xCC\x95\x97\x4B\x74\xD8\x9E\x7E\xF0\x00\xE4\x0E\x89\xAE\x49\x28\x44\x1A\x10\x99\x32\x0F\x25\x88\x53\xA4\x0D\xB3\x0F\x12\x08\x16\x0B\x03\x71\x27\x1C\x7F\xE1\xDB\xD2\xFD\x67\x68\xC4\x05\x5D\x0A\x0E\x5D\x70\xD7\xD8\x97\xA0\xBC\x53\x41\x9A\x91\x8D\xF4\x9E\x36\x66\x7A\x7E\x56\xC1\x90\x5F\xE6\xB1\x68\x20\x36\xA4\x8C\x24\x2C\x2C\x47\x0B\x59\x76\x66\x30\xB5\xBE\xDE\xED\x8F\xF8\x9D\xD3\xBB\x01\x30\xE6\xF2\xF3\x0E\xE0\x2C\x92\x80\xF3\x85\xF9\x28\x8A\xB4\x54\x2E\x9A\xED\xF7\x76\xFC\x15\x68\x16\xEB\x4A\x6C\xEB\x2E\x12\x8F\xD4\xCF\xFE\x0C\xC7\x5C\x1D\x0B\x7E\x05\x32\xBE\x5E\xB0\x09\x2A\x42\xD5\xC9\x4E\x90\xB3\x59\x0D\xBB\x7A\x7E\xCD\xD5\x08\x5A\xB4\x7F\xD8\x1C\x69\x11\xF9\x27\x0F\x7B\x06\xAF\x54\x83\x18\x7B\xE1\xDD\x54\x7A\x51\x68\x6E\x77\xFC\xC6\xBF\x52\x4A\x66\x46\xA1\xB2\x67\x1A\xBB\xA3\x4F\x77\xA0\xBE\x5D\xFF\xFC\x56\x0B\x43\x72\x77\x90\xCA\x9E\xF9\xF2\x39\xF5\x0D\xA9\xF4\xEA\xD7\xE7\xB3\x10\x2F\x30\x42\x37\x21\xCC\x30\x70\xC9\x86\x98\x0F\xCC\x58\x4D\x83\xBB\x7D\xE5\x1A\xA5\x37\x8D\xB6\xAC\x32\x97\x00\x3A\x63\x71\x24\x1E\x9E\x37\xC4\xFF\x74\xD4\x37\xC0\xE2\xFE\x88\x46\x60\x11\xDD\x08\x3F\x50\x36\xAB\xB8\x7A\xA4\x95\x62\x6A\x6E\xB0\xCA\x6A\x21\x5A\x69\xF3\xF3\xFB\x1D\x70\x39\x95\xF3\xA7\x6E\xA6\x81\x89\xA1\x88\xC5\x3B\x71\xCA\xA3\x52\xEE\x83\xBB\xFD\xA0\x77\xF4\xE4\x6F\xE7\x42\xDB\x6D\x4A\x99\x8A\x34\x48\xBC\x17\xDC\xE4\x80\x08\x22\xB6\xF2\x31\xC0\x3F\x04\x3E\xEB\x9F\x20\x79\xD6\xB8\x06\x64\x64\x02\x31\xD7\xA9\xCD\x52\xFB\x84\x45\x69\x09\x00\x2A\xDC\x55\x8B\xC4\x06\x46\x4B\xC0\x4A\x1D\x09\x5B\x39\x28\xFD\xA9\xAB\xCE\x00\xF9\x2E\x48\x4B\x26\xE6\x30\x4C\xA5\x58\xCA\xB4\x44\x82\x4F\xE7\x91\x1E\x33\xC3\xB0\x93\xFF\x11\xFC\x81\xD2\xCA\x1F\x71\x29\xDD\x76\x4F\x92\x25\xAF\x1D\x81\xB7\x0F\x2F\x8C\xC3\x06\xCC\x2F\x27\xA3\x4A\xE4\x0E\x99\xBA\x7C\x1E\x45\x1F\x7F\xAA\x19\x45\x96\xFD\xFC\x3D\x02\x03\x01\x00\x01\xA3\x42\x30\x40\x30\x0E\x06\x03\x55\x1D\x0F\x01\x01\xFF\x04\x04\x03\x02\x01\x06\x30\x0F\x06\x03\x55\x1D\x13\x01\x01\xFF\x04\x05\x30\x03\x01\x01\xFF\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xE1\x66\xCF\x0E\xD1\xF1\xB3\x4B\xB7\x06\x20\x14\xFE\x87\x12\xD5\xF6\xFE\xFB\x3E\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x05\x05\x00\x03\x82\x02\x01\x00\xA8\xCB\x72\x40\xB2\x76\xC1\x7E\x7B\xFC\xAD\x64\xE3\x32\x7B\xCC\x3C\xB6\x5D\x46\xD3\xF5\x2C\xE2\x70\x5D\xC8\x2E\xD8\x06\x7D\x98\xD1\x0B\x21\xA0\x89\x59\x24\x01\x9D\xF9\xAF\x09\x7D\x0A\x23\x82\x34\xD5\xFC\x7C\x72\x99\xB9\xA3\xD7\x54\xF4\xEA\x52\x70\x0E\xC5\xF5\xD6\x3B\xE1\x3A\x09\x32\xE6\x21\x39\x93\xBD\xB3\x15\xEA\x4F\x6A\xF4\xF5\x8B\x3F\x2F\x7C\x8D\x58\x2E\xC5\xE1\x39\xA0\x3E\xC7\x3D\x4A\x73\x9E\x40\x7A\xC0\x2B\x61\xA9\x67\xC9\xF3\x24\xB9\xB3\x6D\x55\x2C\x5A\x1D\x9E\x25\x72\xCE\x0B\xAD\xAA\xC7\x55\x62\x0B\xBE\xFB\x63\xB3\x61\x44\x23\xA3\xCB\xE1\x1A\x0E\xF7\x9A\x06\x4D\xDE\xD4\x23\x4E\x21\x96\x5B\x39\x5B\x57\x1D\x2F\x5D\x08\x5E\x09\x79\xFF\x7C\x97\xB5\x4D\x83\xAE\x0D\xD6\xE6\xA3\x79\xE0\x33\xD0\x99\x96\x02\x30\xA7\x3E\xFF\xD2\xA3\x43\x3F\x05\x5A\x06\xEA\x44\x02\xDA\x7C\xF8\x48\xD0\x33\xA9\xF9\x07\xC7\x95\xE1\xF5\x3E\xF5\x5D\x71\xBA\xF2\x95\xA9\x74\x88\x61\x59\xE3\xBF\xCA\x5A\x13\xBA\x72\xB4\x8C\x5D\x36\x87\xE9\xA6\xC5\x3C\x13\xBF\xDE\xD0\x44\x26\xEE\xB7\xEC\x2E\x70\xFA\xD7\x9D\xB7\xAC\xE5\xC5\x40\x5A\xE6\xD7\x6C\x7B\x2C\xC3\x56\x9B\x47\xCD\x0B\xCE\xFA\x1B\xB4\x21\xD7\xB7\x66\xB8\xF4\x25\x30\x8B\x5C\x0D\xB9\xEA\x67\xB2\xF4\x6D\xAE\xD5\xA1\x9E\x4F\xD8\x9F\xE9\x27\x02\xB0\x1D\x06\xD6\x8F\xE3\xFB\x48\x12\x9F\x7F\x11\xA1\x10\x3E\x4C\x51\x3A\x96\xB0\xD1\x13\xF1\xC7\xD8\x26\xAE\x3A\xCA\x91\xC4\x69\x9D\xDF\x01\x29\x64\x51\x6F\x68\xDA\x14\xEC\x08\x41\x97\x90\x8D\xD0\xB2\x80\xF2\xCF\xC2\x3D\xBF\x91\x68\xC5\x80\x67\x1E\xC4\x60\x13\x55\xD5\x61\x99\x57\x7C\xBA\x95\x0F\x61\x49\x3A\xCA\x75\xBC\xC9\x0A\x93\x3F\x67\x0E\x12\xF2\x28\xE2\x31\x1B\xC0\x57\x16\xDF\x08\x7C\x19\xC1\x7E\x0F\x1F\x85\x1E\x0A\x36\x7C\x5B\x7E\x27\xBC\x7A\xBF\xE0\xDB\xF4\xDA\x52\xBD\xDE\x0C\x54\x70\x31\x91\x43\x95\xC8\xBC\xF0\x3E\xDD\x09\x7E\x30\x64\x50\xED\x7F\x01\xA4\x33\x67\x4D\x68\x4F\xBE\x15\xEF\xB0\xF6\x02\x11\xA2\x1B\x13\x25\x3A\xDC\xC2\x59\xF1\xE3\x5C\x46\xBB\x67\x2C\x02\x46\xEA\x1E\x48\xA6\xE6\x5B\xD9\xB5\xBC\x51\xA2\x92\x96\xDB\xAA\xC6\x37\x22\xA6\xFE\xCC\x20\x74\xA3\x2D\xA9\x2E\x6B\xCB\xC0\x82\x11\x21\xB5\x93\x79\xEE\x44\x86\xBE\xD7\x1E\xE4\x1E\xFB",
|
|
};
|
|
|
|
redef SSL::ct_logs += {
|
|
["\x68\xf6\x98\xf8\x1f\x64\x82\xbe\x3a\x8c\xee\xb9\x28\x1d\x4c\xfc\x71\x51\x5d\x67\x93\xd4\x44\xd1\x0a\x67\xac\xbb\x4f\x4f\xfb\xc4"] = SSL::CTInfo($description="Google 'Aviator' log", $operator="Google", $url="ct.googleapis.com/aviator/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\xd7\xf4\xcc\x69\xb2\xe4\x0e\x90\xa3\x8a\xea\x5a\x70\x09\x4f\xef\x13\x62\xd0\x8d\x49\x60\xff\x1b\x40\x50\x07\x0c\x6d\x71\x86\xda\x25\x49\x8d\x65\xe1\x08\x0d\x47\x34\x6b\xbd\x27\xbc\x96\x21\x3e\x34\xf5\x87\x76\x31\xb1\x7f\x1d\xc9\x85\x3b\x0d\xf7\x1f\x3f\xe9"),
|
|
["\xdd\xeb\x1d\x2b\x7a\x0d\x4f\xa6\x20\x8b\x81\xad\x81\x68\x70\x7e\x2e\x8e\x9d\x01\xd5\x5c\x88\x8d\x3d\x11\xc4\xcd\xb6\xec\xbe\xcc"] = SSL::CTInfo($description="Symantec log", $operator="DigiCert", $url="ct.ws.symantec.com/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x96\xea\xac\x1c\x46\x0c\x1b\x55\xdc\x0d\xfc\xb5\x94\x27\x46\x57\x42\x70\x3a\x69\x18\xe2\xbf\x3b\xc4\xdb\xab\xa0\xf4\xb6\x6c\xc0\x53\x3f\x4d\x42\x10\x33\xf0\x58\x97\x8f\x6b\xbe\x72\xf4\x2a\xec\x1c\x42\xaa\x03\x2f\x1a\x7e\x28\x35\x76\x99\x08\x3d\x21\x14\x86"),
|
|
["\xee\x4b\xbd\xb7\x75\xce\x60\xba\xe1\x42\x69\x1f\xab\xe1\x9e\x66\xa3\x0f\x7e\x5f\xb0\x72\xd8\x83\x00\xc4\x7b\x89\x7a\xa8\xfd\xcb"] = SSL::CTInfo($description="Google 'Rocketeer' log", $operator="Google", $url="https://ct.googleapis.com/rocketeer/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x20\x5b\x18\xc8\x3c\xc1\x8b\xb3\x31\x08\x00\xbf\xa0\x90\x57\x2b\xb7\x47\x8c\x6f\xb5\x68\xb0\x8e\x90\x78\xe9\xa0\x73\xea\x4f\x28\x21\x2e\x9c\xc0\xf4\x16\x1b\xaa\xf9\xd5\xd7\xa9\x80\xc3\x4e\x2f\x52\x3c\x98\x01\x25\x46\x24\x25\x28\x23\x77\x2d\x05\xc2\x40\x7a"),
|
|
["\xa4\xb9\x09\x90\xb4\x18\x58\x14\x87\xbb\x13\xa2\xcc\x67\x70\x0a\x3c\x35\x98\x04\xf9\x1b\xdf\xb8\xe3\x77\xcd\x0e\xc8\x0d\xdc\x10"] = SSL::CTInfo($description="Google 'Pilot' log", $operator="Google", $url="https://ct.googleapis.com/pilot/", $maximum_merge_delay=86400, $key="\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01\x06\x08\x2a\x86\x48\xce\x3d\x03\x01\x07\x03\x42\x00\x04\x7d\xa8\x4b\x12\x29\x80\xa3\x3d\xad\xd3\x5a\x77\xb8\xcc\xe2\x88\xb3\xa5\xfd\xf1\xd3\x0c\xcd\x18\x0c\xe8\x41\x46\xe8\x81\x01\x1b\x15\xe1\x4b\xf1\x1b\x62\xdd\x36\x0a\x08\x18\xba\xed\x0b\x35\x84\xd0\x9e\x40\x3c\x2d\x9e\x9b\x82\x65\xbd\x1f\x04\x10\x41\x4c\xa0"),
|
|
};
|
|
|
|
|
|
export {
|
|
type LogInfo: record {
|
|
version: count;
|
|
logid: string;
|
|
timestamp: count;
|
|
sig_alg: count;
|
|
hash_alg: count;
|
|
signature: string;
|
|
};
|
|
}
|
|
|
|
redef record SSL::Info += {
|
|
ct_proofs: vector of LogInfo &default=vector();
|
|
};
|
|
|
|
event x509_ocsp_ext_signed_certificate_timestamp(f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)
|
|
{
|
|
print version, SSL::ct_logs[logid]$description, double_to_time(timestamp/1000.0), hash_algorithm, signature_algorithm;
|
|
|
|
if ( |f$conns| != 1 )
|
|
return;
|
|
|
|
local c: connection &is_assigned;
|
|
|
|
for ( cid in f$conns )
|
|
{
|
|
if ( ! f$conns[cid]?$ssl )
|
|
return;
|
|
|
|
c = f$conns[cid];
|
|
}
|
|
|
|
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
|
|
return;
|
|
|
|
c$ssl$ct_proofs[|c$ssl$ct_proofs|] = LogInfo($version=version, $logid=logid, $timestamp=timestamp, $sig_alg=signature_algorithm, $hash_alg=hash_algorithm, $signature=signature);
|
|
}
|
|
|
|
event ssl_established(c: connection)
|
|
{
|
|
if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 || ! c$ssl$cert_chain[0]?$x509 )
|
|
return;
|
|
|
|
if ( |c$ssl$valid_chain| < 2 )
|
|
return;
|
|
|
|
local cert = c$ssl$cert_chain[0]$x509$handle;
|
|
local issuer_key_hash = x509_spki_hash(c$ssl$valid_chain[1], 4);
|
|
|
|
for ( i in c$ssl$ct_proofs )
|
|
{
|
|
local log = c$ssl$ct_proofs[i];
|
|
|
|
print "Verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp, log$hash_alg, issuer_key_hash);
|
|
print "Bad verify of", SSL::ct_logs[log$logid]$description, sct_verify(cert, log$logid, SSL::ct_logs[log$logid]$key, log$signature, log$timestamp+1, log$hash_alg, issuer_key_hash);
|
|
}
|
|
}
|