Switch to base 16 for TLS serial number in packetbeat in line with EC…

…S changes (#41542) (#41693)

* switch to base 16 for cert serial  number

* uppercase

* linter...

* clean up test

* try to fix integration tests

* add changelog

* update readme

(cherry picked from commit 38b2d66)

Co-authored-by: Alex K. <[email protected]>
Co-authored-by: fearful-symmetry <[email protected]>

CHANGELOG.next.asciidoc

@@ -73,6 +73,9 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 
 *Packetbeat*
 
+- Use base-16 for reporting `serial_number` value in TLS fields in line with the ECS recommendation. {pull}41542[41542]
+
+- Expire source port mappings. {pull}41581[41581]
 
 *Winlogbeat*
 

packetbeat/protos/tls/parse.go

@@ -18,7 +18,7 @@
 package tls
 
 import (
-	"crypto/dsa" //lint:ignore SA1019 Deprecated, but still used. So we have to handle it.
+	"crypto/dsa" //nolint:staticcheck // SA1019 Deprecated, but still used. So we have to handle it.
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"crypto/x509"
@@ -270,7 +270,7 @@ func (parser *parser) parse(buf *streambuf.Buffer) parserResult {
 				debugf("handshake completed")
 			}
 			// discard remaining data for this stream (encrypted)
-			buf.Advance(buf.Len())
+			_ = buf.Advance(buf.Len())
 			return resultEncrypted
 
 		case recordTypeHandshake:
@@ -300,7 +300,7 @@ func (parser *parser) parse(buf *streambuf.Buffer) parserResult {
 			}
 		}
 
-		buf.Advance(limit)
+		_ = buf.Advance(limit)
 	}
 
 	if buf.Len() == 0 {
@@ -350,10 +350,10 @@ func (parser *parser) bufferHandshake(buf *streambuf.Buffer, length int) (err er
 		}
 		if !parser.parseHandshake(header.handshakeType,
 			bufferView{&parser.handshakeBuf, handshakeHeaderSize, limit}) {
-			parser.handshakeBuf.Advance(limit)
+			_ = parser.handshakeBuf.Advance(limit)
 			return fmt.Errorf("bad handshake %+v", header)
 		}
-		parser.handshakeBuf.Advance(limit)
+		_ = parser.handshakeBuf.Advance(limit)
 	}
 	if parser.handshakeBuf.Len() == 0 {
 		parser.handshakeBuf.Reset()
@@ -639,7 +639,7 @@ func certToMap(cert *x509.Certificate) mapstr.M {
 	certMap := mapstr.M{
 		"signature_algorithm":  cert.SignatureAlgorithm.String(),
 		"public_key_algorithm": toString(cert.PublicKeyAlgorithm),
-		"serial_number":        cert.SerialNumber.Text(10),
+		"serial_number":        strings.ToUpper(cert.SerialNumber.Text(16)),
 		"issuer":               toMap(&cert.Issuer),
 		"subject":              toMap(&cert.Subject),
 		"not_before":           cert.NotBefore,

packetbeat/protos/tls/parse_test.go

@@ -302,7 +302,7 @@ func TestCertificates(t *testing.T) {
 		"not_before":                  "2015-11-03 00:00:00 +0000 UTC",
 		"public_key_algorithm":        "RSA",
 		"public_key_size":             "2048",
-		"serial_number":               "19132437207909210467858529073412672688",
+		"serial_number":               "E64C5FBC236ADE14B172AEB41C78CB0",
 		"signature_algorithm":         "SHA256-RSA",
 		"issuer.common_name":          "DigiCert SHA2 High Assurance Server CA",
 		"issuer.country":              "US",

packetbeat/protos/tls/tls_test.go

@@ -26,8 +26,8 @@ import (
 	"testing"
 	"time"
 
-	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/elastic/beats/v7/libbeat/beat"
 	"github.com/elastic/beats/v7/libbeat/common"
@@ -312,7 +312,7 @@ func TestOCSPStatus(t *testing.T) {
 						"not_after":            time.Date(2035, 3, 4, 9, 0, 0, 0, time.UTC),
 						"public_key_algorithm": "RSA",
 						"public_key_size":      4096,
-						"serial_number":        "1492448539999078269498416841973088004758827",
+						"serial_number":        "1121E97D5D37348C572C555A3A59B7B65D2B",
 						"signature_algorithm":  "SHA256-RSA",
 						"subject": mapstr.M{
 							"common_name":         "Orange Devices PKI TV LAB CA",
@@ -335,7 +335,7 @@ func TestOCSPStatus(t *testing.T) {
 						"not_before":           time.Date(2020, 3, 2, 17, 0, 0, 0, time.UTC),
 						"public_key_algorithm": "RSA",
 						"public_key_size":      4096,
-						"serial_number":        "1492246295378596931754418352553114016724120",
+						"serial_number":        "112151567790FB40C755010CA9169CF4B498",
 						"signature_algorithm":  "SHA256-RSA",
 						"subject": mapstr.M{
 							"common_name":         "Orange Devices Root LAB CA",
@@ -402,7 +402,7 @@ func TestOCSPStatus(t *testing.T) {
 					"not_before":           time.Date(2021, 6, 3, 13, 38, 16, 0, time.UTC),
 					"public_key_algorithm": "ECDSA",
 					"public_key_size":      256,
-					"serial_number":        "189790697042017246339292011338547986350262673379",
+					"serial_number":        "213E825A875EB349390D11117C6C14F894135FE3",
 					"signature_algorithm":  "SHA256-RSA",
 					"subject": mapstr.M{
 						"common_name":         "server2 test PKI TV LAB",
@@ -421,9 +421,7 @@ func TestOCSPStatus(t *testing.T) {
 	}
 
 	got := results.events[0].Fields
-	if !cmp.Equal(got, want) {
-		t.Errorf("unexpected result: %s", cmp.Diff(got, want))
-	}
+	require.Equal(t, want, got)
 }
 
 func TestFragmentedHandshake(t *testing.T) {

packetbeat/tests/system/golden/established_tls-expected.json

@@ -127,7 +127,7 @@
                 "not_before": "2013-03-08T12:00:00.000Z",
                 "public_key_algorithm": "RSA",
                 "public_key_size": 2048,
-                "serial_number": "2646203786665923649276728595390119057",
+                "serial_number": "1FDA3EB6ECA75C888438B724BCFBC91",
                 "signature_algorithm": "SHA256-RSA",
                 "subject": {
                     "common_name": "DigiCert SHA2 Secure Server CA",
@@ -149,7 +149,7 @@
                 "not_before": "2006-11-10T00:00:00.000Z",
                 "public_key_algorithm": "RSA",
                 "public_key_size": 2048,
-                "serial_number": "10944719598952040374951832963794454346",
+                "serial_number": "83BE056904246B1A1756AC95991C74A",
                 "signature_algorithm": "SHA1-RSA",
                 "subject": {
                     "common_name": "DigiCert Global Root CA",
@@ -204,7 +204,7 @@
         "tls.server.x509.not_before": "2018-11-28T00:00:00.000Z",
         "tls.server.x509.public_key_algorithm": "RSA",
         "tls.server.x509.public_key_size": 2048,
-        "tls.server.x509.serial_number": "21020869104500376438182461249190639870",
+        "tls.server.x509.serial_number": "FD078DD48F1A2BD4D0F2BA96B6038FE",
         "tls.server.x509.signature_algorithm": "SHA256-RSA",
         "tls.server.x509.subject.common_name": "www.example.org",
         "tls.server.x509.subject.country": "US",

packetbeat/tests/system/golden/tls_all_options-expected.json

@@ -127,7 +127,7 @@
                 "not_before": "2013-03-08T12:00:00.000Z",
                 "public_key_algorithm": "RSA",
                 "public_key_size": 2048,
-                "serial_number": "2646203786665923649276728595390119057",
+                "serial_number": "1FDA3EB6ECA75C888438B724BCFBC91",
                 "signature_algorithm": "SHA256-RSA",
                 "subject": {
                     "common_name": "DigiCert SHA2 Secure Server CA",
@@ -149,7 +149,7 @@
                 "not_before": "2006-11-10T00:00:00.000Z",
                 "public_key_algorithm": "RSA",
                 "public_key_size": 2048,
-                "serial_number": "10944719598952040374951832963794454346",
+                "serial_number": "83BE056904246B1A1756AC95991C74A",
                 "signature_algorithm": "SHA1-RSA",
                 "subject": {
                     "common_name": "DigiCert Global Root CA",
@@ -211,7 +211,7 @@
         "tls.server.x509.not_before": "2018-11-28T00:00:00.000Z",
         "tls.server.x509.public_key_algorithm": "RSA",
         "tls.server.x509.public_key_size": 2048,
-        "tls.server.x509.serial_number": "21020869104500376438182461249190639870",
+        "tls.server.x509.serial_number": "FD078DD48F1A2BD4D0F2BA96B6038FE",
         "tls.server.x509.signature_algorithm": "SHA256-RSA",
         "tls.server.x509.subject.common_name": "www.example.org",
         "tls.server.x509.subject.country": "US",