From 747d8707a92f9c78c7999d696983a69a7e32e27c Mon Sep 17 00:00:00 2001
From: Timothy Noel
Date: Thu, 4 Jan 2024 10:19:55 -0500
Subject: [PATCH] Skip delegated credentials (#46)
* fix for issue #21, original order
* fix for issue #30 ALPN values
* fix for issue #16
* fix for issue #6
* update to check Cookie and Referer for all cases
* fixes #41
---
 python/common.py | 16 ++++++++++++++++
 python/ja4.py | 3 ++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/python/common.py b/python/common.py
index c397ecb..d985367 100644
--- a/python/common.py
+++ b/python/common.py
@@ -139,3 +139,19 @@ def scan_tls(layer):
 for l in layer:
 if 'tls_tls_handshake_type' in l:
 return l
+
+# Get the right signature algorithms
+def get_signature_algorithms(packet):
+ if 'sig_alg_lengths' in packet and isinstance(packet['sig_alg_lengths'], list):
+ alg_lengths = [ int(int(x)/2) for x in packet['sig_alg_lengths'] ]
+
+ extensions = packet['extensions']
+ idx = 0
+ try:
+ if extensions.index('13') > extensions.index('35'):
+ idx = 1
+ except Exception as e:
+ pass
+ packet['signature_algorithms'] = packet['signature_algorithms'][alg_lengths[idx]:]
+ return packet['signature_algorithms']
+
diff --git a/python/ja4.py b/python/ja4.py
index 9ead8f2..874ea97 100644
--- a/python/ja4.py
+++ b/python/ja4.py
@@ -86,6 +86,7 @@ def version_check(ver):
 'supported_versions': 'handshake_extensions_supported_version',
 'alpn': 'handshake_extensions_alps_alpn_str',
 'alpn_list': 'handshake_extensions_alpn_str',
+ 'sig_alg_lengths': 'handshake_sig_hash_alg_len',
 'signature_algorithms': 'handshake_sig_hash_alg',
 },
 'x509af': {
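Review bot: In `get_signature_algorithms` (python/common.py), `except Exception as e: pass` swallows every failure of the two `extensions.index(...)` lookups, so any mismatch silently leaves `idx = 0` and the JA4 fingerprint is built from whichever slice that selects. `list.index` raises only `ValueError` for a missing item, so `except ValueError:` with a comment like `# one of the two extensions is absent: keep the first length` keeps the fallback while letting real bugs surface. The lookups use the decimal strings `'13'` and `'35'`, while `to_ja4` in python/ja4.py filters the same list against `'0x0000'`-style values; if the list is already hex-formatted when the helper runs, the comparison can never succeed, which is worth confirming against a capture that carries both extensions. Separately, delegated_credential is registered as extension type 34 (RFC 9345) and 35 is session_ticket, so if `'35'` is meant to locate the extension named in the commit title it looks off by one. Indentation is not visible on this page, so which of these statements sit inside the `if` is inferred.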
@@ -211,7 +212,7 @@ def to_ja4(x, debug_stream): ext_len = '{:02d}'.format(len([ x for x in x['extensions'] if x not in GREASE_TABLE])) cache_update(x, 'client_ciphers', x['ciphers'], debug_stream) - x['signature_algorithms'] = [ y[2:] for y in x['signature_algorithms'] ] + x['signature_algorithms'] = [ y[2:] for y in get_signature_algorithms(x) ] # ignore SNI and ALPN extensions x['extensions'] = [ x for x in x['extensions'] if x not in ['0x0000', '0x0010'] ]
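Review bot: The new call in `to_ja4` relies on `get_signature_algorithms(x)` rewriting `x['signature_algorithms']` as a side effect and then overwrites the same key with the `y[2:]` result, so the trimming is not repeatable if the helper ever runs twice on one packet. Having the helper return a new list without assigning into the packet would make this line the only writer. A short comment above the call, e.g. `# drop the signature algorithms that belong to the delegated-credentials extension`, would also record why the helper is needed. `to_ja4` starts and ends outside this hunk, so whether it can see a packet more than once is not visible here.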