Parse X509 certificates in SSL/TLS messages (#1915)

Author: seladb

Common++/src/Logger.cpp

@@ -64,6 +64,8 @@ namespace pcpp
 			return "OFF";
 		case LogLevel::Error:
 			return "ERROR";
+		case LogLevel::Warn:
+			return "WARN";
 		case LogLevel::Info:
 			return "INFO";
 		case LogLevel::Debug:

Packet++/header/SSLHandshake.h

@@ -4,6 +4,7 @@
 #include "SSLCommon.h"
 #include "PointerVector.h"
 #include "Asn1Codec.h"
+#include "X509Decoder.h"
 
 /// @file
 /// See detailed explanation of the TLS/SSL protocol support in PcapPlusPlus in SSLLayer.h
@@ -228,10 +229,16 @@ namespace pcpp
 			return m_DataLen;
 		}
 
-		/// @return The root ASN.1 record of the certificate data. All of the certificate data will be under this
-		/// record. If the Root ASN.1 record is malformed, an exception is thrown
+		/// @return The root ASN.1 record of the certificate data. All the certificate data will be under this
+		/// record. If the certificate data isn't complete, this method will return nullptr. If the Root ASN.1 record
+		/// is malformed, an exception is thrown
 		Asn1SequenceRecord* getRootAsn1Record();
 
+		/// Parse the certificate data as X509 certificate. If the certificate data isn't complete, this method will
+		/// return nullptr
+		/// @return A unique pointer to the parsed X509 certificate
+		std::unique_ptr<X509Certificate> getX509Certificate();
+
 		/// Certificate messages usually spread on more than 1 packet. So a certificate is likely to split between 2
 		/// packets or more. This method provides an indication whether all certificate data exists or only part of it
 		/// @return True if this data contains all certificate data, false otherwise

Packet++/src/SSLHandshake.cpp

@@ -1222,6 +1222,12 @@ namespace pcpp
 
 	Asn1SequenceRecord* SSLx509Certificate::getRootAsn1Record()
 	{
+		if (!m_AllDataExists)
+		{
+			PCPP_LOG_ERROR("Certificate data is not complete, cannot parse ASN.1 record");
+			return nullptr;
+		}
+
 		if (m_Asn1Record == nullptr)
 		{
 			m_Asn1Record = Asn1Record::decode(m_Data, m_DataLen);
@@ -1230,6 +1236,17 @@ namespace pcpp
 		return m_Asn1Record->castAs<Asn1SequenceRecord>();
 	}
 
+	std::unique_ptr<X509Certificate> SSLx509Certificate::getX509Certificate()
+	{
+		if (!m_AllDataExists)
+		{
+			PCPP_LOG_ERROR("Certificate data is not complete, cannot parse X509 certificate");
+			return nullptr;
+		}
+
+		return X509Certificate::fromDER(m_Data, m_DataLen);
+	}
+
 	// ---------------------------
 	// SSLHandshakeMessage methods
 	// ---------------------------

Packet++/src/X509Decoder.cpp

@@ -975,7 +975,7 @@ namespace pcpp
 	std::unique_ptr<X509Certificate> X509Certificate::fromPEM(const std::string& pemData)
 	{
 		auto derData = PemCodec::decode(pemData, certificatePemLabel);
-		std::unique_ptr<uint8_t[]> derDataBuffer(new uint8_t[derData.size()]);
+		auto derDataBuffer = std::make_unique<uint8_t[]>(derData.size());
 		std::copy(derData.begin(), derData.end(), derDataBuffer.get());
 		return std::unique_ptr<X509Certificate>(new X509Certificate(std::move(derDataBuffer), derData.size()));
 	}

Tests/Packet++Test/Tests/SSLTests.cpp

@@ -4,6 +4,7 @@
 #include "Packet.h"
 #include "SSLLayer.h"
 #include "SystemUtils.h"
+#include "Logger.h"
 #include <fstream>
 #include <sstream>
 
@@ -344,34 +345,41 @@ PTF_TEST_CASE(SSLMultipleRecordParsing3Test)
 	PTF_ASSERT_EQUAL(certMsg->getNumOfCertificates(), 3);
 	PTF_ASSERT_NULL(certMsg->getCertificate(1000));
 
-	pcpp::SSLx509Certificate* cert = certMsg->getCertificate(0);
-	PTF_ASSERT_NOT_NULL(cert);
-	PTF_ASSERT_TRUE(cert->allDataExists());
-	PTF_ASSERT_EQUAL(cert->getDataLength(), 1509);
-	std::string certBuffer(cert->getData(), cert->getData() + cert->getDataLength());
-	std::size_t pos = certBuffer.find("LDAP Intermediate CA");
-	PTF_ASSERT_TRUE(pos != std::string::npos);
-	pos = certBuffer.find("Internal Development CA");
-	PTF_ASSERT_EQUAL(pos, std::string::npos, ptr);
-	auto asn1Record = cert->getRootAsn1Record();
-	PTF_ASSERT_NOT_NULL(asn1Record);
-	PTF_ASSERT_EQUAL(asn1Record->getSubRecords().size(), 3);
-
-	cert = certMsg->getCertificate(1);
-	PTF_ASSERT_NOT_NULL(cert);
-	PTF_ASSERT_TRUE(cert->allDataExists());
-	PTF_ASSERT_EQUAL(cert->getDataLength(), 1728);
-	certBuffer = std::string(cert->getData(), cert->getData() + cert->getDataLength());
-	pos = certBuffer.find("Internal Development CA");
-	PTF_ASSERT_TRUE(pos != std::string::npos);
-
-	cert = certMsg->getCertificate(2);
-	PTF_ASSERT_NOT_NULL(cert);
-	PTF_ASSERT_TRUE(cert->allDataExists());
-	PTF_ASSERT_EQUAL(cert->getDataLength(), 1713);
-	certBuffer = std::string(cert->getData(), cert->getData() + cert->getDataLength());
-	pos = certBuffer.find("Internal Development CA");
-	PTF_ASSERT_TRUE(pos != std::string::npos);
+	{
+		auto cert = certMsg->getCertificate(0);
+		PTF_ASSERT_NOT_NULL(cert);
+		PTF_ASSERT_TRUE(cert->allDataExists());
+		PTF_ASSERT_EQUAL(cert->getDataLength(), 1509);
+		auto asn1Record = cert->getRootAsn1Record();
+		PTF_ASSERT_NOT_NULL(asn1Record);
+		PTF_ASSERT_EQUAL(asn1Record->getSubRecords().size(), 3);
+		auto x509Cert = cert->getX509Certificate();
+		PTF_ASSERT_EQUAL(
+		    x509Cert->getIssuer().toString(),
+		    "C=US, ST=Washington, L=Seattle, O=Hubspan, Inc., OU=Development, CN=LDAP Intermediate CA, [email protected]");
+	}
+
+	{
+		auto cert = certMsg->getCertificate(1);
+		PTF_ASSERT_NOT_NULL(cert);
+		PTF_ASSERT_TRUE(cert->allDataExists());
+		PTF_ASSERT_EQUAL(cert->getDataLength(), 1728);
+		auto x509Cert = cert->getX509Certificate();
+		PTF_ASSERT_EQUAL(
+		    x509Cert->getSubject().toString(),
+		    "C=US, ST=Washington, L=Seattle, O=Hubspan, Inc., OU=Development, CN=LDAP Intermediate CA, [email protected]");
+	}
+
+	{
+		auto cert = certMsg->getCertificate(2);
+		PTF_ASSERT_NOT_NULL(cert);
+		PTF_ASSERT_TRUE(cert->allDataExists());
+		PTF_ASSERT_EQUAL(cert->getDataLength(), 1713);
+		auto x509Cert = cert->getX509Certificate();
+		PTF_ASSERT_EQUAL(
+		    x509Cert->getSubject().toString(),
+		    "C=US, ST=Washington, O=Hubspan, Inc., OU=Development, CN=Internal Development CA, [email protected]");
+	}
 
 	pcpp::SSLCertificateRequestMessage* certReqMsg =
 	    handshakeLayer->getHandshakeMessageOfType<pcpp::SSLCertificateRequestMessage>();
@@ -482,6 +490,10 @@ PTF_TEST_CASE(SSLPartialCertificateParseTest)
 	pcpp::SSLx509Certificate* cert = certMsg->getCertificate(0);
 	PTF_ASSERT_FALSE(cert->allDataExists());
 	PTF_ASSERT_EQUAL(cert->getDataLength(), 1266);
+	pcpp::Logger::getInstance().suppressLogs();
+	PTF_ASSERT_NULL(cert->getX509Certificate());
+	PTF_ASSERT_NULL(cert->getRootAsn1Record());
+	pcpp::Logger::getInstance().enableLogs();
 
 	READ_FILE_AND_CREATE_PACKET(2, "PacketExamples/SSL-PartialCertificate2.dat");
 
@@ -499,6 +511,10 @@ PTF_TEST_CASE(SSLPartialCertificateParseTest)
 	cert = certMsg->getCertificate(0);
 	PTF_ASSERT_FALSE(cert->allDataExists());
 	PTF_ASSERT_EQUAL(cert->getDataLength(), 1268);
+	pcpp::Logger::getInstance().suppressLogs();
+	PTF_ASSERT_NULL(cert->getX509Certificate());
+	PTF_ASSERT_NULL(cert->getRootAsn1Record());
+	pcpp::Logger::getInstance().enableLogs();
 }  // SSLPartialCertificateParseTest
 
 PTF_TEST_CASE(SSLNewSessionTicketParseTest)