[Bro] X509 verify example

Reinhard Gentz rgentz at asu.edu
Thu Jun 21 12:32:53 PDT 2018


Hello Johanna,

I did have a look at validate-certs.bro and also tried @load on it with no
success.

The main part is that I am not sniffing SSL, but KRB. Therefore the SSL
chain is never populated (even when loaded).
What I am getting is the certificate the client is using to authenticate
(via the event x509_certificate). And I do have the root certificate file
(.pem), which I put into the script from your link (thank you!).

So I essentially only have one certificate that was directly signed by the
root.


The code I have so far is the following; it runs but gives me back:
[result=20, result_string=unable to get local issuer certificate,
chain_certs=<uninitialized>]


event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate){
	print "x509 certificate found";
	# The chain handed to x509_verify; only the single client certificate is
	# available here, since no SSL chain gets populated when sniffing KRB.
	local chain: vector of opaque of x509 = vector();
	chain[0] = cert_ref;
	# Trust store: key is the root's subject DN, value is the DER-encoded root certificate.
	local root: table[string] of string;
	root["emailAddress=reinhard at me.com,CN=Reinhard,O=ME,L=ME,ST=Rainer,C=ME"] = "\x30\x82\x03\xAB\x30\x82\x02\x93\xA0\x03\x02\x01\x02\x02\x09\x00\xD9\x2A\xBF\x14\xBE\xC1\x88\x1C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x52\x61\x69\x6E\x65\x72\x31\x0C\x30\x0A\x06\x03\x55\x04\x07\x0C\x03\x53\x46\x4F\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x0C\x03\x4C\x42\x4C\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x52\x65\x69\x6E\x68\x61\x72\x64\x31\x1D\x30\x1B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x0E\x72\x67\x65\x6E\x74\x7A\x40\x6C\x62\x6C\x2E\x67\x6F\x76\x30\x1E\x17\x0D\x31\x38\x30\x36\x32\x31\x31\x39\x30\x35\x35\x34\x5A\x17\x0D\x31\x39\x30\x36\x32\x31\x31\x39\x30\x35\x35\x34\x5A\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x52\x61\x69\x6E\x65\x72\x31\x0C\x30\x0A\x06\x03\x55\x04\x07\x0C\x03\x53\x46\x4F\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x0C\x03\x4C\x42\x4C\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x52\x65\x69\x6E\x68\x61\x72\x64\x31\x1D\x30\x1B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x0E\x72\x67\x65\x6E\x74\x7A\x40\x6C\x62\x6C\x2E\x67\x6F\x76\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAE\x0F\x28\x58\x78\xEC\xBE\xAB\x77\x4A\x09\x47\x75\x3A\x86\xFB\xF9\x1A\x32\x00\xD5\xCD\x0E\x27\x61\x9C\xCC\x66\xAC\x59\x47\xD6\xDB\x0B\x9E\x5A\x39\x74\x54\xA6\x0D\xDC\x0D\x8C\xEB\x05\xEE\xF7\x56\xDB\x90\xEB\x07\x03\x8F\x1B\xD0\x01\x2A\x56\xF6\x56\xE9\x3A\xC5\xD9\xAC\xE8\x47\x93\x3B\xF8\x05\x67\xEB\x92\xDA\x02\x87\xA2\xBE\x0D\xF1\xCA\x13\x0C\x67\xAA\x76\xCF\x88\x89\x6F\x23\xB5\x7F\x74\x0D\xD5\xFE\x06\x86\xA1\xF6\xAC\x76\x4A\x55\x74\x29\xDB\xE7\x61\x58\x61\x79\x64\x17\x33\xFF\x14\x10\xAE\xDD\x08\x67\xF5\xD3\x25\xE3\xC7\xFD\xD7\x0F\x67\x95\x34\x65\xC1\x1F\x3E\x05\x26\xED\xF4\xFB\x77\x20\xA5\x16\x9B\xE7\xAC\x9B\x6A\xA0\x24\x8A\x8F\x93\x55\x5D\x2D\xB4\x05\x67\xE4\x53\x4A\x02\x9D\xEB\xE1\x39\x9A\x1E\xE7\xB7\xE6\x6A\x2A\xEA\xEC\x8C\x01\xD7\x7F\x38\x55\x2E\x99\x7E\xF8\x2C\x6D\x9E\x10\x95\x69\xD9\x22\x67\xF2\x07\xD1\x6B\x3C\x51\xF2\x96\xD6\xAE\x67\x19\x57\xBC\x70\x6A\x5A\x6B\xAD\x45\x0B\x63\x07\x9E\x52\x2F\xC5\x43\xED\x8B\x8F\x0A\xA2\xBE\x02\xB0\x37\x07\x59\x7A\xCA\xB9\xEE\xED\xD2\xB2\x60\x59\xE2\x43\xB3\xAB\xA1\x37\x02\x03\x01\x00\x01\xA3\x50\x30\x4E\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFB\x91\x23\xED\xAF\xB9\xEB\x4B\x42\xB4\xD4\x48\x96\xED\x15\x04\xE2\xB3\xA1\x09\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xFB\x91\x23\xED\xAF\xB9\xEB\x4B\x42\xB4\xD4\x48\x96\xED\x15\x04\xE2\xB3\xA1\x09\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x89\x99\x19\x10\x8A\x96\x7A\xB3\x25\xEE\xF1\x49\xBA\x0D\x4E\x98\x81\x79\xCE\xA6\x29\xE9\x0A\x12\xA5\x65\xD4\xC7\xF3\x7E\x24\x98\x91\x19\x15\x9C\xF1\x35\x11\x34\xC8\x0A\x4B\x8B\x40\xB0\xFC\x1E\xF0\xEA\xA0\x8D\x0F\x60\xCA\x3B\x7D\xD5\x2D\x69\xC3\xDE\xE0\xAA\x84\x8D\x4C\xF8\x17\xEC\x5F\xE2\x54\x0F\x55\x03\x71\x81\xA5\xE1\x9E\x35\xC2\xA9\x80\x12\x1C\x7F\x53\xE1\xAA\x52\x0E\xC5\xF6\x7C\x7C\xAE\xD9\xB4\x14\x9F\x10\xDD\x17\xE9\x7F\x2C\xF1\x65\xED\xBD\xAA\x26\x90\x96\xDB\xC1\x4A\x3F\x66\xB0\xB4\xDE\x49\x09\x1A\x94\x4E\x52\x2F\x59\x1C\x78\x84\xD0\x35\x17\xCA\x47\x45\x9F\x2C\x3D\x2A\x74\x4A\x8B\x6A\xAD\x66\x38\x9E\x89\x41\x65\xE9\x4C\x77\xB0\xD9\x2B\x8C\xD8\xD5\x55\x34\x1A\x49\x15\x19\xE8\x21\xB1\x76\x68\x3B\x04\x83\xCB\x00\x10\xCC\x0E\x4F\xEE\xFB\x72\x40\x2D\x84\xCF\x55\x8C\x46\xDE\x85\x4B\x49\x63\xD0\x27\x80\x94\xCD\x5B\xFD\x00\x47\x08\xB1\x4D\xCF\x8D\xE6\xE8\xC6\xD5\x7D\xDC\xB9\x17\x67\x1B\xC6\x85\xCA\xFA\xE5\x06\xF6\x13\x7A\xE6\x92\x55\xDE\xF7\xE3\x55\xBD\xB9\xBB\xD9\x0B\x09\x1C\x8C\x87\xEA\xF7\x44\x6D\xEC\xF3\x08";

	print "verify chain";
	# Verify the client certificate against the supplied root.
	print x509_verify(chain, root);
}


Printout is:
x509 certificate found
verify chain
[result=20, result_string=unable to get local issuer certificate,
chain_certs=<uninitialized>]


What is the meaning of "unable to get local issuer certificate"? Do I
need to copy the .pem somewhere in the filesystem for bro to see it?

Thank you,
Reinhard



On Thu, Jun 21, 2018 at 11:22 AM, Johanna Amann <johanna at icir.org> wrote:

> Hi Reinhard,
>
> is there a reason you want to write this yourself?
>
> policy/protocols/ssl/validate-certs.bro implements certificate validation
> and you should just have to @load it.
>
> It also shows how the function is called - the vector is really just
> populated with all the certificates in the chain.
>
> As for question 2: you have to redef the root_certs record and add it
> there. http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/004566.html
> has a small script that generates the correct format that still should work.
>
> I hope this helps - let me know if not :)
>
> Johanna
>
>
> On 21 Jun 2018, at 10:15, Reinhard Gentz wrote:
>
>> Hi, I am trying to verify an X509 certificate captured with bro, but I am
>> having trouble using the verify function.
>>
>> What I have is the event
>>
>> event x509_certificate(f: fa_file, cert_ref: opaque, cert:
>> X509::Certificate)
>>
>> how do I feed this information in this function to verify it?
>>
>> function x509_verify(certs: x509_opaque_vector, root_certs:
>> table_string_of_string, verify_time: time &default=network_time()):
>> X509::Result
>>
>> https://www.bro.org/sphinx-git/scripts/base/bif/plugins/Bro_X509.functions.bif.bro.html#id-x509_verify
>>
>>
>> Question 1: How do I convert cert_ref: opaque to certs:
>> x509_opaque_vector?
>> Question 2: root_certs: table_string_of_string: How can I input my own CA
>> root certificate here? In which folder does it go and how do I make bro
>> aware of it?
>>
>> Thank you
>> Reinhard
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
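The two things a reader of this thread ends up wanting are (a) a way to turn a root .pem into the `redef root_certs` entry format Johanna points to (key: the root's subject DN, value: the DER bytes as `\xNN` escapes, exactly the shape of the table entry in Reinhard's script) and (b) a first check for result 20: OpenSSL reports "unable to get local issuer certificate" when no certificate in the store has a subject DN equal to the issuer DN of the certificate being verified, so comparing those two DNs is the obvious starting point. The Python below is an added example, not code from the thread or from the Bro project. It parses only the DER structure it needs (no OpenSSL, no third-party modules), assumes the table is `SSL::root_certs` (the name used by Bro's bundled root list), and uses constructed, unsigned certificate skeletons as test vectors; a real PEM file is processed the same way. Multi-valued RDNs and string types other than the common ones are not handled, which is fine for typical CA subjects.

```python
import base64
import re

# Attribute-type OIDs that commonly appear in a CA subject DN.
ATTR_OIDS = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "1.2.840.113549.1.9.1": "emailAddress",
}
SHA256_RSA = "1.2.840.113549.1.1.11"

def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload

def read_tlv(buf, pos):
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    nums = [int(x) for x in dotted.split(".")]
    out = [nums[0] * 40 + nums[1]]
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def decode_oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def parse_name(raw):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue -> 'CN=..,O=..,C=..'
    (most specific RDN first, the order used for root_certs keys)."""
    rdns, pos = [], 0
    while pos < len(raw):
        _, rdn_set, pos = read_tlv(raw, pos)
        _, atv, _ = read_tlv(rdn_set, 0)          # single-valued RDNs assumed
        _, oid_raw, p = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, p)
        oid = decode_oid(oid_raw)
        rdns.append(f"{ATTR_OIDS.get(oid, oid)}={value.decode('utf-8', 'replace')}")
    return ",".join(reversed(rdns))

def cert_names(der):
    """Walk Certificate -> tbsCertificate and return (issuer DN, subject DN)."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, nxt = read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0               # skip optional [0] version
    _, _, pos = read_tlv(tbs, pos)                # serialNumber
    _, _, pos = read_tlv(tbs, pos)                # signature AlgorithmIdentifier
    _, issuer, pos = read_tlv(tbs, pos)
    _, _, pos = read_tlv(tbs, pos)                # validity
    _, subject, _ = read_tlv(tbs, pos)
    return parse_name(issuer), parse_name(subject)

def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def bro_root_certs_entry(pem):
    """Emit the redef: key = subject DN, value = DER bytes as \\xNN escapes (SSL::root_certs assumed)."""
    der = pem_to_der(pem)
    _, subject = cert_names(der)
    escaped = "".join(f"\\x{b:02X}" for b in der)
    return f'redef SSL::root_certs += {{\n  ["{subject}"] = "{escaped}",\n}};'

def issuer_matches(client_pem, root_pem):
    """First check for result 20: the client cert's issuer DN must equal the root's subject DN."""
    client_issuer, _ = cert_names(pem_to_der(client_pem))
    _, root_subject = cert_names(pem_to_der(root_pem))
    return client_issuer == root_subject

# --- constructed test vectors: unsigned certificate skeletons, not real certificates ---
def make_name(attrs):
    by_short = {v: k for k, v in ATTR_OIDS.items()}
    rdns = b"".join(tlv(0x31, tlv(0x30, encode_oid(by_short[s]) + tlv(0x0C, v.encode())))
                    for s, v in attrs)
    return tlv(0x30, rdns)

def make_test_cert(issuer, subject):
    alg = tlv(0x30, encode_oid(SHA256_RSA) + tlv(0x05, b""))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + make_name(issuer)
              + tlv(0x30, tlv(0x17, b"180621190554Z") + tlv(0x17, b"190621190554Z"))
              + make_name(subject) + tlv(0x30, b""))   # empty SPKI placeholder
    cert = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))   # zero-length signature
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

ROOT_DN = [("C", "ME"), ("ST", "Rainer"), ("L", "ME"), ("O", "ME"), ("CN", "Reinhard"),
           ("emailAddress", "reinhard@me.com")]
ROOT_PEM = make_test_cert(ROOT_DN, ROOT_DN)                                   # self-signed root
CLIENT_PEM = make_test_cert(ROOT_DN, [("C", "ME"), ("O", "ME"), ("CN", "client")])

if __name__ == "__main__":
    print("client issuer == root subject:", issuer_matches(CLIENT_PEM, ROOT_PEM))   # True
    print(bro_root_certs_entry(ROOT_PEM))
```

Run against a real root with `bro_root_certs_entry(open("root.pem").read())`, write the output to a .bro file that is loaded together with the verification script, and pass `SSL::root_certs` (or the locally built table) to `x509_verify`. If `issuer_matches` is false for the captured client certificate, the certificate was not issued by the root in the table and result 20 is the expected outcome no matter where the .pem lives; nothing needs to be copied into the filesystem, since `x509_verify` only sees the DER bytes given to it in the table.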