add base64-encode functionality and bif.

This allows replacing an ugly openssl-call from one of
the policy scripts. The openssl call is now replaced with
a still-but-less-ugly call to base64_encode.

I do not know if I split the Base64 classes in a "smart" way... :)

scripts/policy/protocols/ssl/extract-certs-pem.bro

@@ -8,10 +8,6 @@
 ##!       own certificate files and no duplicate checking is done across
 ##!       clusters so each node would log each certificate.
 ##!
-##!     - If there is a certificate input based vulnerability found in the
-##!       openssl command line utility, you could be in trouble because this
-##!       script uses that utility to convert from DER to PEM certificates.
-##!
 
 @load base/protocols/ssl
 @load base/utils/directions-and-hosts
@@ -35,15 +31,32 @@ event ssl_established(c: connection) &priority=5
 	{
 	if ( ! c$ssl?$cert )
 		return;
+
 	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
 		return;
-	
+
 	if ( c$ssl$cert_hash in extracted_certs )
 		# If we already extracted this cert, don't do it again.
 		return;
-	
-	add extracted_certs[c$ssl$cert_hash];
-	local side = Site::is_local_addr(c$id$resp_h) ? "local" : "remote";
-	local cmd = fmt("%s x509 -inform DER -outform PEM >> certs-%s.pem", openssl_util, side);
-	piped_exec(cmd, c$ssl$cert);
+
+	local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
+	local outfile = open_for_append(filename);
+
+	print outfile, "-----BEGIN CERTIFICATE-----";
+
+	# encode to base64 and format to fit 50 lines. Otherwise openssl won't like it later.
+	local lines = split_all(encode_base64(c$ssl$cert), /.{50}/);
+	local i = 1;
+	for ( line in lines ) 
+		{
+		if ( byte_len(lines[i]) > 0 )
+			{
+			print outfile, lines[i];
+			}
+		i+=1;
+		}
+
+	print outfile, "-----END CERTIFICATE-----";
+	print outfile, "";
+	close(outfile);
 	}