Can I assume the elements in tls.handshake.certificate are in order?

asked 2021-01-11 09:59:36 +0000

edwng gravatar image

Hi guys, I'm using tshark to parse pcap into json, my command is as following: tshark -r xxx.pcap -T json --no-duplicate-keys tls > xxx.json

Then I need to get certs from tls's Certificate record. I find out that the certs are stored as list of strings with the key "tls.handshake.certificate", like this:

"tls.handshake.certificate": [ "30:82:06:f8:30:82:05:e0:a0:03:02:01:02:02:0c:4b:ad...", "30:82:04:69:30:82:03:51:a0:03:02:01:02:02:0b:04:00..." ]

My question is, can I assume that the certs is in order? In another word, the first element of this list is leaf cert and the last one is root?

Thanks in advance

edit retag flag offensive close merge delete