x509af.notBefore and x509af.notAfter are BER encoded (TLV = Type, Length, Value) fields.
(Look for UTCTime 23 17 in A Layman's Guide to a Subset of ASN.1, BER, and DER)
epan/dissectors/packet-x509af.c:
static const ber_sequence_t Validity_sequence[] = {
  { &hf_x509af_notBefore , BER_CLASS_ANY/*choice*/, -1/*choice*/, BER_FLAGS_NOOWNTAG|BER_FLAGS_NOTCHKTAG, dissect_x509af_Time },
  { &hf_x509af_notAfter  , BER_CLASS_ANY/*choice*/, -1/*choice*/, BER_FLAGS_NOOWNTAG|BER_FLAGS_NOTCHKTAG, dissect_x509af_Time },
  { NULL, 0, 0, 0, NULL }
};
BER is visible in the packet details by enabling the BER preference:
ber.show_internals Changed Boolean TRUE

notBefore: utcTime (0)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...1 0111 = Tag: UTCTime (23)
    Length: 13
    utcTime: 2015-12-16 01:00:05 (UTC)
notAfter: utcTime (0)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...1 0111 = Tag: UTCTime (23)
    Length: 13
    utcTime: 2030-12-16 01:00:05 (UTC)
Packet bytes

0000  17 0d 31 35 31 32 31 36 30 31 30 30 30 35 5a   ..151216010005Z

decodes as

0x17 = decimal 23 = UTCTime (23)
0x0d = decimal 13 = Length: 13
Remaining 13 (from length above) bytes are time string.

notBefore: utcTime (0)
    00.. .... = Class: UNIVERSAL (0)
    ..0. .... = P/C: Primitive Encoding
    ...1 0111 = Tag: UTCTime (23)
    Length: 13
    utcTime: 2015-12-16 01:00:05 (UTC)
Your Lua code could grab x509af.notBefore and x509af.notAfter, verify type (0x17) and length (length field + 2 bytes for type and length bytes) then use an offset of two bytes into the field for the time string.
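
The steps described above, written out as a Wireshark Lua postdissector. This is an added example, not part of the original answer or of Wireshark's own code. The protocol name `x509times` and its two fields are hypothetical, and the code assumes, as the answer describes, that each field's byte range starts at the tag byte. It goes one step beyond the answer by also accepting GeneralizedTime (tag 0x18), the other alternative of the X.509 Time choice.

```lua
-- Added example. Load with: tshark -X lua_script:<this file> -r <capture>
local f_not_before = Field.new("x509af.notBefore")
local f_not_after  = Field.new("x509af.notAfter")
local TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x17, 0x18

-- Hypothetical protocol and field names, used only to display the result.
local proto = Proto("x509times", "X.509 validity time strings (example)")
local pf_nb = ProtoField.string("x509times.not_before", "notBefore string")
local pf_na = ProtoField.string("x509times.not_after", "notAfter string")
proto.fields = { pf_nb, pf_na }

-- Decode the BER TLV covered by a field's TvbRange.
-- Assumption: the range starts at the tag byte (type, length, then value).
-- Returns the time string, or nil plus a reason when a check fails.
local function time_string(range)
    if range:len() < 2 then return nil, "too short for a TLV header" end
    local tag, len = range(0, 1):uint(), range(1, 1):uint()
    if tag ~= TAG_UTCTIME and tag ~= TAG_GENERALIZEDTIME then
        return nil, string.format("unexpected tag 0x%02x", tag)
    end
    -- RFC 5280 forms: YYMMDDhhmmssZ (13 bytes) or YYYYMMDDhhmmssZ (15 bytes).
    -- A long-form length (>= 0x80) also fails this comparison.
    local want = (tag == TAG_UTCTIME) and 13 or 15
    if len ~= want or range:len() ~= len + 2 then return nil, "length mismatch" end
    local s = range(2, len):string()   -- skip the two header bytes
    local pattern = "^" .. string.rep("%d", want - 1) .. "Z$"
    if not s:match(pattern) then return nil, "value is not digits followed by Z" end
    return s
end

local function add_all(tree, pf, infos)
    for _, fi in ipairs(infos) do
        local s, err = time_string(fi.range)
        if s then
            tree:add(pf, fi.range, s)
        else
            tree:add_expert_info(PI_MALFORMED, PI_WARN, "validity time: " .. err)
        end
    end
end

function proto.dissector(tvb, pinfo, tree)
    -- A packet can carry several certificates, so collect every occurrence.
    local nb, na = { f_not_before() }, { f_not_after() }
    if #nb == 0 and #na == 0 then return end
    local sub = tree:add(proto)
    add_all(sub, pf_nb, nb)
    add_all(sub, pf_na, na)
end

register_postdissector(proto)
```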