Fix x509_extension event.

The event now really returns the extension. If openssl supports printing it, it is converted into the openssl ascii output. The output does not always look pretty because it can contain newlines. New event syntax: event x509_extension(c: connection, is_orig: bool, cert:X509, extension: X509_extension_info) Example output for extension: [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication] [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4^J CPS: https://secure.comodo.com/CPS^J]
2025-10-02 14:48:21 +00:00 · 2014-01-27 10:22:06 -08:00 · 2014-01-27 10:22:06 -08:00 · 6d73b8c57e
commit 6d73b8c57e
parent 392d1cb759
7 changed files with 90 additions and 19 deletions
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@ -2432,6 +2432,18 @@ type X509: record {
 	not_valid_after: time;	##< Timestamp after when certificate is not valid.
 };

+## An X509 extension.
+##
+##
+## .. bro:see:: x509_extension
+type X509_extension_info: record {
+	name: string; ##< long name of extension. oid if name not known
+	short_name: string &optional; ##< short name of extension if known.
+	oid: string; ##< oid of extension
+	critical: bool; ##< true if extension is critical
+	value: string; ##< extension content parsed to string for known extensions. Raw data otherwise.
+};
+
 ## HTTP session statistics.
 ##
 ## .. bro:see:: http_stats