x509af.notBefore and x509af.notAfter are BER encoded (TLV = Type, Length, Value) fields.
(Look for UTCTime 23 17 in A Layman's Guide to a Subset of ASN.1, BER, and DER)

epan/dissectors/packet-x509af.c:

static const ber_sequence_t Validity_sequence[] = {
  { &hf_x509af_notBefore    , BER_CLASS_ANY/*choice*/, -1/*choice*/, BER_FLAGS_NOOWNTAG|BER_FLAGS_NOTCHKTAG, dissect_x509af_Time },
  { &hf_x509af_notAfter     , BER_CLASS_ANY/*choice*/, -1/*choice*/, BER_FLAGS_NOOWNTAG|BER_FLAGS_NOTCHKTAG, dissect_x509af_Time },
  { NULL, 0, 0, 0, NULL }
};

BER is visible in the packet details by enabling the BER preference
ber.show_internals Changed Boolean TRUE

notBefore: utcTime (0)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...1 0111 = Tag: UTCTime (23)
    Length: 13
    utcTime: 2015-12-16 01:00:05 (UTC)

notAfter: utcTime (0)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...1 0111 = Tag: UTCTime (23)
    Length: 13
    utcTime: 2030-12-16 01:00:05 (UTC)

Packet bytes
0000 17 0d 31 35 31 32 31 36 30 31 30 30 30 35 5a ..151216010005Z
decodes as
0x17 = decimal 23 = UTCTime (23)
0x0d = decimal 13 = Length: 13
Remaining 13 (from length above) bytes are time string.

notBefore: utcTime (0)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...1 0111 = Tag: UTCTime (23)
    Length: 13
    utcTime: 2015-12-16 01:00:05 (UTC)

Your Lua code could grab x509af.notBefore and x509af.notAfter, verify the type (0x17) and length (length field + 2 bytes for type and length bytes), then use an offset of two bytes into the field for the time string.
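
One way to do the check described above, in plain Lua, as an added example that is not part of the original answer: it verifies the tag and length, then reads the time string at an offset of two bytes. It goes beyond the answer by also accepting GeneralizedTime (tag 0x18), the other alternative of the X.509 Time choice, and by applying the RFC 5280 two-digit-year rule; the function name `parse_x509_time` is hypothetical.

```lua
-- Added example (not from the original answer). Plain Lua, no Wireshark API:
-- in a tap or post-dissector the input would be the raw bytes of the
-- x509af.notBefore / x509af.notAfter field obtained through Field.new(...).

local TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x17, 0x18

-- Parse one BER TLV holding an X.509 Time value.
-- Returns a table of date parts, or nil plus an error string.
local function parse_x509_time(raw)
  if #raw < 2 then return nil, "truncated TLV" end
  local tag, len = raw:byte(1), raw:byte(2)
  if len >= 0x80 then return nil, "long-form length not expected for Time" end
  if #raw ~= len + 2 then return nil, "length mismatch" end  -- value + tag + length byte
  local value = raw:sub(3)                                  -- skip the two header bytes

  local y, rest
  if tag == TAG_UTCTIME then
    y, rest = value:match("^(%d%d)(%d%d%d%d%d%d%d%d%d%dZ)$")
    if not y then return nil, "UTCTime is not YYMMDDhhmmssZ" end
    y = tonumber(y)
    y = y + (y >= 50 and 1900 or 2000)                      -- RFC 5280: 50-99 => 19YY
  elseif tag == TAG_GENERALIZEDTIME then
    y, rest = value:match("^(%d%d%d%d)(%d%d%d%d%d%d%d%d%d%dZ)$")
    if not y then return nil, "GeneralizedTime is not YYYYMMDDhhmmssZ" end
    y = tonumber(y)
  else
    return nil, string.format("unexpected tag 0x%02x", tag)
  end

  local mo, d, h, mi, s = rest:match("^(%d%d)(%d%d)(%d%d)(%d%d)(%d%d)Z$")
  return { year = y, month = tonumber(mo), day = tonumber(d),
           hour = tonumber(h), min = tonumber(mi), sec = tonumber(s) }
end

-- Bytes from the answer: 17 0d 31 35 31 32 31 36 30 31 30 30 30 35 5a
local sample = string.char(0x17, 0x0d) .. "151216010005Z"
local t = assert(parse_x509_time(sample))
print(string.format("%04d-%02d-%02d %02d:%02d:%02d (UTC)",
      t.year, t.month, t.day, t.hour, t.min, t.sec))

-- Constructed negative cases: wrong length byte, and a tag that is not a Time type.
print(parse_x509_time(string.char(0x17, 0x0c) .. "151216010005Z"))
print(parse_x509_time(string.char(0x04, 0x0d) .. "151216010005Z"))
```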