X509 verify example

Hi, I am trying to verify an X509 certificate captured with Bro, but I am having trouble using the verify function.

What I have is the event

event x509_certificate(f: fa_file, cert_ref: opaque, cert: X509::Certificate)

How do I feed this information into this function to verify it?

function x509_verify(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()): X509::Result

https://www.bro.org/sphinx-git/scripts/base/bif/plugins/Bro_X509.functions.bif.bro.html#id-x509_verify

Question 1: How do I convert cert_ref: opaque to certs: x509_opaque_vector?
Question 2: root_certs: table_string_of_string: How can I input my own CA root certificate here? In which folder does it go, and how do I make Bro aware of it?

Thank you
Reinhard

Hi Reinhard,

is there a reason you want to write this yourself?

policy/protocols/ssl/validate-certs.bro implements certificate validation and you should just have to @load it.

It also shows how the function is called - the vector is really just populated with all the certificates in the chain.

As for question 2: you have to redef the root_certs record and add it there. http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/004566.html has a small script that generates the correct format that still should work.

I hope this helps - let me know if not :)

Johanna

Hello Johanna,

I did have a look at validate-certs.bro and also tried @load on it with no success.

The main part is that I am not sniffing SSL, but KRB. Therefore the SSL chain is never populated (even when loaded).
What I am getting is the certificate the client is using to authenticate (via the event x509_certificate). And I do have the root certificate file (.pem), which I put into the script from your link (thank you!).

So I essentially only have one certificate that was directly signed by the root.

The code I have so far is the following; it runs but gives me back: [result=20, result_string=unable to get local issuer certificate, chain_certs=]

event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
    {
    print "x509 certificate found";

    # Chain to verify: only the single client certificate.
    local chain: vector of opaque of x509 = vector();
    chain[0] = cert_ref;

    # Trust store: label (subject DN) -> DER-encoded root certificate.
    local root: table[string] of string;
    root["emailAddress=reinhard@me.com,CN=Reinhard,O=ME,L=ME,ST=Rainer,C=ME"] = "\x30\x82\x03\xAB\x30\x82\x02\x93\xA0\x03\x02\x01\x02\x02\x09\x00\xD9\x2A\xBF\x14\xBE\xC1\x88\x1C\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x52\x61\x69\x6E\x65\x72\x31\x0C\x30\x0A\x06\x03\x55\x04\x07\x0C\x03\x53\x46\x4F\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x0C\x03\x4C\x42\x4C\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x52\x65\x69\x6E\x68\x61\x72\x64\x31\x1D\x30\x1B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x0E\x72\x67\x65\x6E\x74\x7A\x40\x6C\x62\x6C\x2E\x67\x6F\x76\x30\x1E\x17\x0D\x31\x38\x30\x36\x32\x31\x31\x39\x30\x35\x35\x34\x5A\x17\x0D\x31\x39\x30\x36\x32\x31\x31\x39\x30\x35\x35\x34\x5A\x30\x6C\x31\x0B\x30\x09\x06\x03\x55\x04\x06\x13\x02\x44\x45\x31\x0F\x30\x0D\x06\x03\x55\x04\x08\x0C\x06\x52\x61\x69\x6E\x65\x72\x31\x0C\x30\x0A\x06\x03\x55\x04\x07\x0C\x03\x53\x46\x4F\x31\x0C\x30\x0A\x06\x03\x55\x04\x0A\x0C\x03\x4C\x42\x4C\x31\x11\x30\x0F\x06\x03\x55\x04\x03\x0C\x08\x52\x65\x69\x6E\x68\x61\x72\x64\x31\x1D\x30\x1B\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x09\x01\x16\x0E\x72\x67\x65\x6E\x74\x7A\x40\x6C\x62\x6C\x2E\x67\x6F\x76\x30\x82\x01\x22\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01\x05\x00\x03\x82\x01\x0F\x00\x30\x82\x01\x0A\x02\x82\x01\x01\x00\xAE\x0F\x28\x58\x78\xEC\xBE\xAB\x77\x4A\x09\x47\x75\x3A\x86\xFB\xF9\x1A\x32\x00\xD5\xCD\x0E\x27\x61\x9C\xCC\x66\xAC\x59\x47\xD6\xDB\x0B\x9E\x5A\x39\x74\x54\xA6\x0D\xDC\x0D\x8C\xEB\x05\xEE\xF7\x56\xDB\x90\xEB\x07\x03\x8F\x1B\xD0\x01\x2A\x56\xF6\x56\xE9\x3A\xC5\xD9\xAC\xE8\x47\x93\x3B\xF8\x05\x67\xEB\x92\xDA\x02\x87\xA2\xBE\x0D\xF1\xCA\x13\x0C\x67\xAA\x76\xCF\x88\x89\x6F\x23\xB5\x7F\x74\x0D\xD5\xFE\x06\x86\xA1\xF6\xAC\x76\x4A\x55\x74\x29\xDB\xE7\x61\x58\x61\x79\x64\x17\x33\xFF\x14\x10\xAE\xDD\x08\x67\xF5\xD3\x25\xE3\xC7\xFD\xD7\x0F\x67\x95\x34\x65\xC1\x1F\x3E\x05\x26\xED\xF4\xFB\x77\x20\xA5\x16\x9B\xE7\xAC\x9B\x6A\xA0\x24\x8A\x8F\x93\x55\x5D\x2D\xB4\x05\x67\xE4\x53\x4A\x02\x9D\xEB\xE1\x39\x9A\x1E\xE7\xB7\xE6\x6A\x2A\xEA\xEC\x8C\x01\xD7\x7F\x38\x55\x2E\x99\x7E\xF8\x2C\x6D\x9E\x10\x95\x69\xD9\x22\x67\xF2\x07\xD1\x6B\x3C\x51\xF2\x96\xD6\xAE\x67\x19\x57\xBC\x70\x6A\x5A\x6B\xAD\x45\x0B\x63\x07\x9E\x52\x2F\xC5\x43\xED\x8B\x8F\x0A\xA2\xBE\x02\xB0\x37\x07\x59\x7A\xCA\xB9\xEE\xED\xD2\xB2\x60\x59\xE2\x43\xB3\xAB\xA1\x37\x02\x03\x01\x00\x01\xA3\x50\x30\x4E\x30\x1D\x06\x03\x55\x1D\x0E\x04\x16\x04\x14\xFB\x91\x23\xED\xAF\xB9\xEB\x4B\x42\xB4\xD4\x48\x96\xED\x15\x04\xE2\xB3\xA1\x09\x30\x1F\x06\x03\x55\x1D\x23\x04\x18\x30\x16\x80\x14\xFB\x91\x23\xED\xAF\xB9\xEB\x4B\x42\xB4\xD4\x48\x96\xED\x15\x04\xE2\xB3\xA1\x09\x30\x0C\x06\x03\x55\x1D\x13\x04\x05\x30\x03\x01\x01\xFF\x30\x0D\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B\x05\x00\x03\x82\x01\x01\x00\x89\x99\x19\x10\x8A\x96\x7A\xB3\x25\xEE\xF1\x49\xBA\x0D\x4E\x98\x81\x79\xCE\xA6\x29\xE9\x0A\x12\xA5\x65\xD4\xC7\xF3\x7E\x24\x98\x91\x19\x15\x9C\xF1\x35\x11\x34\xC8\x0A\x4B\x8B\x40\xB0\xFC\x1E\xF0\xEA\xA0\x8D\x0F\x60\xCA\x3B\x7D\xD5\x2D\x69\xC3\xDE\xE0\xAA\x84\x8D\x4C\xF8\x17\xEC\x5F\xE2\x54\x0F\x55\x03\x71\x81\xA5\xE1\x9E\x35\xC2\xA9\x80\x12\x1C\x7F\x53\xE1\xAA\x52\x0E\xC5\xF6\x7C\x7C\xAE\xD9\xB4\x14\x9F\x10\xDD\x17\xE9\x7F\x2C\xF1\x65\xED\xBD\xAA\x26\x90\x96\xDB\xC1\x4A\x3F\x66\xB0\xB4\xDE\x49\x09\x1A\x94\x4E\x52\x2F\x59\x1C\x78\x84\xD0\x35\x17\xCA\x47\x45\x9F\x2C\x3D\x2A\x74\x4A\x8B\x6A\xAD\x66\x38\x9E\x89\x41\x65\xE9\x4C\x77\xB0\xD9\x2B\x8C\xD8\xD5\x55\x34\x1A\x49\x15\x19\xE8\x21\xB1\x76\x68\x3B\x04\x83\xCB\x00\x10\xCC\x0E\x4F\xEE\xFB\x72\x40\x2D\x84\xCF\x55\x8C\x46\xDE\x85\x4B\x49\x63\xD0\x27\x80\x94\xCD\x5B\xFD\x00\x47\x08\xB1\x4D\xCF\x8D\xE6\xE8\xC6\xD5\x7D\xDC\xB9\x17\x67\x1B\xC6\x85\xCA\xFA\xE5\x06\xF6\x13\x7A\xE6\x92\x55\xDE\xF7\xE3\x55\xBD\xB9\xBB\xD9\x0B\x09\x1C\x8C\x87\xEA\xF7\x44\x6D\xEC\xF3\x08";

    print " verify chain";

    print x509_verify(chain, root);
    }

printout is:

x509 certificate found
verify chain

[result=20, result_string=unable to get local issuer certificate, chain_certs=]

What is the meaning of "unable to get local issuer certificate"? Do I need to copy the .pem somewhere in the filesystem for Bro to see it?

Thank you,
Reinhard
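Two things in the thread above deserve a concrete illustration: Johanna's pointer to a helper that renders a PEM file into the escaped-string form that the root_certs table expects, and Reinhard's result=20, which is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ("unable to get local issuer certificate"): no certificate in the supplied table has a subject that matches the issuer of the certificate being verified. The converter below is an added example written for this thread; it is not the script from the linked 2012 mail and not part of Bro. It decodes a PEM CERTIFICATE block to DER and emits a `redef SSL::root_certs += { ... };` statement whose value is the raw DER as a `\xNN` string, which is what x509_verify parses. The embedded sample PEM is constructed (a five-byte DER stub, not a real certificate) so the block runs offline, and the label `CN=Example Root CA,O=Example,C=XX` is a placeholder for the CA's subject DN.

```python
import base64

# Constructed sample input: a PEM wrapper around a tiny hand-made DER blob
# (SEQUENCE { INTEGER 1 }). It is NOT a real certificate; it only lets the
# converter run offline. In practice, pass the contents of the CA's .pem file.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text.

    Raises ValueError when there is no block, so a wrong file (a key, a
    CSR, an empty file) fails loudly instead of producing an empty table value.
    """
    body = []
    inside = False
    for line in pem_text.splitlines():
        line = line.strip()
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            break
        if inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no CERTIFICATE block found in PEM input")
    # validate=True rejects stray characters instead of silently skipping them.
    return base64.b64decode("".join(body), validate=True)


def bro_string_literal(der: bytes) -> str:
    """Render raw bytes as the body of a Bro string literal: every byte as \\xNN."""
    return "".join("\\x%02X" % b for b in der)


def _escape_label(label: str) -> str:
    """Escape backslashes and double quotes so the label is a valid Bro string."""
    return label.replace("\\", "\\\\").replace('"', '\\"')


def root_certs_redef(entries: dict) -> str:
    """Emit a Bro 'redef SSL::root_certs += { ... };' block.

    entries maps a label to DER-encoded certificate bytes. By convention the
    label is the CA's subject DN; x509_verify loads the DER values into its
    trust store, so the label is bookkeeping for the person reading the script.
    """
    rows = []
    for label, der in entries.items():
        rows.append('    ["%s"] = "%s",' % (_escape_label(label), bro_string_literal(der)))
    return "redef SSL::root_certs += {\n" + "\n".join(rows) + "\n};\n"


def pem_file_to_redef(pem_text: str, label: str) -> str:
    """Convenience wrapper: one PEM certificate to one redef statement."""
    return root_certs_redef({label: pem_to_der(pem_text)})


if __name__ == "__main__":
    # Placeholder label; substitute the real CA subject DN.
    print(pem_file_to_redef(SAMPLE_PEM, "CN=Example Root CA,O=Example,C=XX"))
```

Paste the printed block into a site script that is @load-ed, then pass SSL::root_certs (or a table built the same way) as the second argument to x509_verify. The table carries the DER bytes inline, so nothing has to be copied into the filesystem for this function; what must hold for the verification to succeed is that the DER in the table is the certificate whose subject matches the issuer field of the certificate in the chain.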