OCSP: re-enable logging, fix tests, fix x509 issue

Re-enable logging, now in policy because it is probably of interest to
no-one. We also only log OCSP replies.

Fix all tests.

Fix an issue where ocsp replies were added to the x.509 certificate
list.
This commit is contained in:
Johanna Amann 2017-02-10 16:01:13 -08:00
parent c550521221
commit c431d14eed
21 changed files with 323 additions and 571 deletions


@ -41,12 +41,15 @@ event bro_init() &priority=5
Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-user-cert");
Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert"); Files::register_for_mime_type(Files::ANALYZER_X509, "application/x-x509-ca-cert");
Files::register_for_mime_type(Files::ANALYZER_X509, "application/pkix-cert");
# Always calculate hashes. They are not necessary for base scripts # Always calculate hashes. They are not necessary for base scripts
# but very useful for identification, and required for policy scripts # but very useful for identification, and required for policy scripts
Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-user-cert");
Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert"); Files::register_for_mime_type(Files::ANALYZER_MD5, "application/x-x509-ca-cert");
Files::register_for_mime_type(Files::ANALYZER_MD5, "application/pkix-cert");
Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-user-cert");
Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert"); Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/x-x509-ca-cert");
Files::register_for_mime_type(Files::ANALYZER_SHA1, "application/pkix-cert");
} }
redef record Files::Info += { redef record Files::Info += {
@ -57,9 +60,6 @@ redef record Files::Info += {
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5 event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
{ {
if ( ! f$info?$mime_type )
f$info$mime_type = "application/pkix-cert";
f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref]; f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
} }
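Review bot: The three new `application/pkix-cert` registrations bring `bro_init` to nine near-identical `Files::register_for_mime_type` calls, three per analyzer, with the MIME-type list repeated for each analyzer; a loop over the certificate MIME types would keep that list in one place, so a further type later is a one-line change and the three analyzers cannot drift apart. The existing comment explaining why the hash analyzers are always attached should stay above the loop. The `bro_init` handler itself begins before this hunk.
```bro
	# Every MIME type a certificate may arrive under gets the X.509 analyzer
	# plus the hash analyzers.
	local cert_types = set("application/x-x509-user-cert", "application/x-x509-ca-cert", "application/pkix-cert");
	for ( mt in cert_types )
		{
		Files::register_for_mime_type(Files::ANALYZER_X509, mt);
		Files::register_for_mime_type(Files::ANALYZER_MD5, mt);
		Files::register_for_mime_type(Files::ANALYZER_SHA1, mt);
		}
```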


@ -1,515 +0,0 @@
@load base/protocols/http
@load base/frameworks/files
@load base/utils/paths
@load base/utils/queue
# Note - this needs some cleaning up and is currently not loaded by default.
module OCSP;
export {
## add one more argument to tell ocsp response or request
redef record Files::AnalyzerArgs += {
ocsp_type: string &optional;
};
## ocsp logging
redef enum Log::ID += { LOG };
## type for pending ocsp request
type PendingQueue: table[OCSP::CertId] of Queue::Queue;
## NOTE: one file could contain several requests
## one ocsp request record
type Info_req: record {
## time for the request
ts: time;
## file id for this request or
## hash of the GET url if it's GET request
id: string &log &optional;
## connection id
cid: conn_id &optional;
## connection uid
cuid: string &optional;
## version
version: count &log &optional;
## requestor name
requestorName: string &log &optional;
## NOTE: the above are for one file which may contain
## several ocsp requests
## one OCSP request may contain several OCSP requests
## with different cert id; this is the index of the
## OCSP request with cert_id in the big OCSP request
index: count &log &optional;
## request cert id
certId: OCSP::CertId &optional;
## HTTP method
method: string &optional;
};
## NOTE: one file could contain several response
## one ocsp response record
type Info_resp: record {
## time for the response
ts: time;
## file id for this response
id: string &log;
## connection id
cid: conn_id &optional;
## connection uid
cuid: string &optional;
## responseStatus (different from cert status?)
responseStatus: string &log &optional;
## responseType
responseType: string &log &optional;
## version
version: count &log &optional;
## responderID
responderID: string &log &optional;
## producedAt
producedAt: time &log &optional;
## certificates
certs: vector of opaque of x509 &optional;
## NOTE: the following are specific to one cert id
## the above are for one file which may contain
## several responses
## one OCSP response may contain several OCSP responses
## with different cert id; this is the index of the
## OCSP response with cert_id in the big OCSP response
index: count &log &optional;
##cert id
certId: OCSP::CertId &optional;
## certStatus (this is the response to look at)
certStatus: string &log &optional;
## thisUpdate
thisUpdate: time &log &optional;
## nextUpdate
nextUpdate: time &log &optional;
};
type Info: record {
## timestamp for request if a corresponding request is present
## OR timestamp for response if a corresponding request is not found
ts: time &log;
## connection id
cid: conn_id &log;
## connection uid
cuid: string &log;
## cert id
certId: OCSP::CertId &log &optional;
## request
req: Info_req &log &optional;
## response timestamp
resp_ts: time &log &optional;
## response
resp: Info_resp &log &optional;
## HTTP method
method: string &log &optional;
## HTTP record
http: HTTP::Info &optional;
};
## Event for accessing logged OCSP records.
global log_ocsp: event(rec: Info);
global get_uri_prefix: function(s: string): string;
}
redef record HTTP::Info += {
# there should be one request and response but use Queue here
# just in case
ocsp_requests: PendingQueue &optional;
ocsp_responses: PendingQueue &optional;
current_content_type: string &optional &default="";
original_uri: string &optional;
# flag for checking get uri
checked_get: bool &optional &default=F;
# uri prefix: this the GET url without ocsp request
uri_prefix: string &optional;
};
event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
c$http$original_uri = original_URI;
}
event http_content_type(c: connection, is_orig: bool, ty: string, subty: string)
{
c$http$current_content_type = to_lower(ty + "/" + subty);
}
function check_ocsp_file(f: fa_file, meta: fa_metadata)
{
if ( f$source != "HTTP" || ! f?$http )
return;
# call OCSP file analyzer
if ( (meta?$mime_type && meta$mime_type == "application/ocsp-request") || f$http$current_content_type == "application/ocsp-request")
{
Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "request"]);
}
else if ( (meta?$mime_type && meta$mime_type == "application/ocsp-response") || f$http$current_content_type == "application/ocsp-response")
{
Files::add_analyzer(f, Files::ANALYZER_OCSP, [$ocsp_type = "response"]);
}
}
event file_sniff(f: fa_file, meta: fa_metadata) &priority = 5
{
if (f$source == "HTTP")
check_ocsp_file(f, meta);
}
function update_http_info(http: HTTP::Info, req_rec: OCSP::Info_req)
{
if ( http?$method )
req_rec$method = http$method;
}
function update_request_info(rec: Info_req, req: OCSP::Request)
{
if ( req?$version )
rec$version = req$version;
if ( req?$requestorName )
rec$requestorName = req$requestorName;
}
function cert_id_from_request(one_req: OCSP::OneReq): OCSP::CertId
{
local cert_id: OCSP::CertId = [];
if ( one_req?$hashAlgorithm )
cert_id$hashAlgorithm = one_req$hashAlgorithm;
if ( one_req?$issuerNameHash )
cert_id$issuerNameHash = one_req$issuerNameHash;
if ( one_req?$issuerKeyHash )
cert_id$issuerKeyHash = one_req$issuerKeyHash;
if ( one_req?$serialNumber )
cert_id$serialNumber = one_req$serialNumber;
return cert_id;
}
function enq_request(http: HTTP::Info, req: OCSP::Request, req_id: string, req_ts: time)
{
local index: count = 0;
if ( req?$requestList && |req$requestList| > 0 )
{
index += 1;
for (x in req$requestList)
{
local one_req = req$requestList[x];
local cert_id: OCSP::CertId = cert_id_from_request(one_req);
local req_rec: OCSP::Info_req = [$ts = req_ts,
$certId = cert_id,
$cid = http$id,
$cuid = http$uid,
$index = index,
$id = req_id];
update_request_info(req_rec, req);
if ( ! http?$ocsp_requests )
http$ocsp_requests = table();
if ( cert_id !in http$ocsp_requests )
http$ocsp_requests[cert_id] = Queue::init();
update_http_info(http, req_rec);
Queue::put(http$ocsp_requests[cert_id], req_rec);
}
}
else if ( req?$version )
{
# it's ocsp request but has no request content
# this is weird but log it anyway
local req_rec_empty: OCSP::Info_req = [$ts = req_ts,
$cid = http$id,
$cuid = http$uid,
$id = req_id];
update_request_info(req_rec_empty, req);
update_http_info(http, req_rec_empty);
Log::write(LOG, [$ts=req_rec_empty$ts, $req=req_rec_empty, $cid=http$id, $cuid=http$uid, $method=http$method, $http=http]);
}
}
event ocsp_request(f: fa_file, req_ref: opaque of ocsp_req, req: OCSP::Request) &priority = 5
{
if ( ! f?$http )
return;
enq_request(f$http, req, f$id, network_time());
}
function get_first_slash(s: string): string
{
local s_len = |s|;
if (s[0] == "/")
return "/" + get_first_slash(s[1:s_len]);
else
return "";
}
function remove_first_slash(s: string): string
{
local s_len = |s|;
if (s[0] == "/")
return remove_first_slash(s[1:s_len]);
else
return s;
}
function get_uri_prefix(s: string): string
{
local uri_prefix = get_first_slash(s);
local w = split_string(s[|uri_prefix|:], /\//);
local i = 0;
while ( i < (|w| - 1) )
{
uri_prefix += w[i] + "/";
i += 1;
}
return uri_prefix;
}
function check_ocsp_request_uri(http: HTTP::Info): OCSP::Request
{
local parsed_req: OCSP::Request;
if ( ! http?$original_uri )
return parsed_req;;
local uri_prefix: string = get_uri_prefix(http$original_uri);
http$uri_prefix = uri_prefix;
local ocsp_req_str: string = http$uri[|uri_prefix|:];
parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str));
if ( ! parsed_req?$requestList || |parsed_req$requestList| == 0 )
{
# normal parse fails, bug url, naively try each part
local w = split_string(http$original_uri, /\//);
local s = "";
for ( i in w )
{
s += w[i] + "/";
ocsp_req_str = http$uri[|s|:];
parsed_req = ocsp_parse_request(decode_base64(ocsp_req_str));
if ( parsed_req?$requestList && |parsed_req$requestList| > 0 )
{
http$uri_prefix = s;
break;
}
}
}
return parsed_req;
}
function update_response_info_single(rec: Info_resp, single_resp: OCSP::SingleResp)
{
if ( single_resp?$certStatus )
rec$certStatus = single_resp$certStatus;
if ( single_resp?$thisUpdate )
rec$thisUpdate = single_resp$thisUpdate;
if ( single_resp?$nextUpdate )
rec$nextUpdate = single_resp$nextUpdate;
}
function update_response_info(rec: Info_resp, resp: OCSP::Response)
{
if ( resp?$responseStatus )
rec$responseStatus = resp$responseStatus;
if ( resp?$responseType )
rec$responseType = resp$responseType;
if ( resp?$version )
rec$version = resp$version;
if ( resp?$responderID )
rec$responderID = resp$responderID;
if ( resp?$producedAt )
rec$producedAt = resp$producedAt;
if ( resp?$certs )
rec$certs = resp$certs;
}
function update_response_info_with_single(rec: Info_resp, resp: OCSP::Response, single_resp: OCSP::SingleResp)
{
update_response_info(rec, resp);
update_response_info_single(rec, single_resp);
}
function cert_id_from_response(single_resp: OCSP::SingleResp): OCSP::CertId
{
local cert_id: OCSP::CertId = [];
if ( single_resp?$hashAlgorithm )
cert_id$hashAlgorithm = single_resp$hashAlgorithm;
if ( single_resp?$issuerNameHash )
cert_id$issuerNameHash = single_resp$issuerNameHash;
if ( single_resp?$issuerKeyHash )
cert_id$issuerKeyHash = single_resp$issuerKeyHash;
if ( single_resp?$serialNumber )
cert_id$serialNumber = single_resp$serialNumber;
return cert_id;
}
event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response) &priority = 5
{
if ( ! f?$http )
return;
if ( resp?$responses && |resp$responses| > 0 )
{
local index: count = 0;
for (x in resp$responses)
{
index += 1;
local single_resp: OCSP::SingleResp = resp$responses[x];
local cert_id: OCSP::CertId = cert_id_from_response(single_resp);
local resp_rec: Info_resp = [$ts = network_time(),
$id = f$id,
$cid = f$http$id,
$cuid = f$http$uid,
$index = index,
$certId = cert_id];
update_response_info_with_single(resp_rec, resp, single_resp);
if ( ! f$http?$ocsp_responses )
f$http$ocsp_responses = table();
if ( cert_id !in f$http$ocsp_responses )
f$http$ocsp_responses[cert_id] = Queue::init();
Queue::put(f$http$ocsp_responses[cert_id], resp_rec);
}
}
else
{
# no response content? this is weird but log it anyway
local resp_rec_empty: Info_resp = [$ts = network_time(),
$id = f$id,
$cid = f$http$id,
$cuid = f$http$uid];
update_response_info(resp_rec_empty, resp);
local info_rec: Info = [$ts = resp_rec_empty$ts,
$resp_ts = resp_rec_empty$ts,
$resp = resp_rec_empty,
$cid = f$http$id,
$cuid = f$http$uid,
$http = f$http];
if ( f$http?$method )
info_rec$method = f$http$method;
Log::write(LOG, info_rec);
}
# check if there is a OCSP GET request
if ( f$http?$method && f$http$method == "GET" && ! f$http$checked_get )
{
f$http$checked_get = T;
local req_get: OCSP::Request = check_ocsp_request_uri(f$http);
enq_request(f$http, req_get, "H" + sha1_hash(f$http$original_uri), f$http$ts);
}
}
function log_unmatched_reqs_queue(q: Queue::Queue, http: HTTP::Info)
{
local reqs: vector of Info_req;
Queue::get_vector(q, reqs);
for ( i in reqs )
{
local info_rec: Info = [$ts = reqs[i]$ts,
$certId = reqs[i]$certId,
$req = reqs[i],
$cid = reqs[i]$cid,
$cuid = reqs[i]$cuid,
$http = http];
if ( reqs[i]?$method )
info_rec$method = reqs[i]$method;
Log::write(LOG, info_rec);
}
}
function log_unmatched_reqs(http: HTTP::Info)
{
local reqs: PendingQueue = http$ocsp_requests;
for ( cert_id in reqs )
log_unmatched_reqs_queue(reqs[cert_id], http);
clear_table(reqs);
}
function start_log_ocsp(http: HTTP::Info)
{
if ( ! http?$ocsp_requests && ! http?$ocsp_responses )
return;
if ( ! http?$ocsp_responses )
{
log_unmatched_reqs(http);
return;
}
for ( cert_id in http$ocsp_responses )
{
while ( Queue::len(http$ocsp_responses[cert_id]) != 0 )
{
# have unmatched responses
local resp_rec: Info_resp = Queue::get(http$ocsp_responses[cert_id]);
local info_rec: Info = [$ts = resp_rec$ts,
$certId = resp_rec$certId,
$resp_ts = resp_rec$ts,
$resp = resp_rec,
$cid = http$id,
$cuid = http$uid,
$http = http];
if ( http?$ocsp_requests && cert_id in http$ocsp_requests )
{
# find a match
local req_rec: Info_req = Queue::get(http$ocsp_requests[cert_id]);
info_rec$req = req_rec;
info_rec$ts = req_rec$ts;
if (Queue::len(http$ocsp_requests[cert_id]) == 0)
delete http$ocsp_requests[cert_id];
}
if ( http?$method )
info_rec$method = http$method;
Log::write(LOG, info_rec);
}
if ( Queue::len(http$ocsp_responses[cert_id]) == 0 )
delete http$ocsp_responses[cert_id];
}
if ( http?$ocsp_requests && |http$ocsp_requests| != 0 )
log_unmatched_reqs(http);
}
# log OCSP information
event HTTP::log_http(rec: HTTP::Info)
{
start_log_ocsp(rec);
}
event bro_init() &priority=5
{
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
}


@ -91,11 +91,23 @@ event bro_init() &priority=5
$describe = SSL::describe_file]); $describe = SSL::describe_file]);
} }
event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5 event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
{ {
if ( ! c?$ssl ) if ( |f$conns| != 1 )
return; return;
if ( ! ( f$info$mime_type == "application/x-x509-ca-cert" || f$info$mime_type == "application/x-x509-user-cert"
|| f$info$mime_type == "application/pkix-cert" ) )
return;
for ( cid in f$conns )
{
if ( ! f$conns[cid]?$ssl )
return;
local c = f$conns[cid];
}
if ( ! c$ssl?$cert_chain ) if ( ! c$ssl?$cert_chain )
{ {
c$ssl$cert_chain = vector(); c$ssl$cert_chain = vector();
@ -104,7 +116,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
c$ssl$client_cert_chain_fuids = string_vec(); c$ssl$client_cert_chain_fuids = string_vec();
} }
if ( is_orig ) if ( f$is_orig )
{ {
c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info; c$ssl$client_cert_chain[|c$ssl$client_cert_chain|] = f$info;
c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id; c$ssl$client_cert_chain_fuids[|c$ssl$client_cert_chain_fuids|] = f$id;
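Review bot: The MIME check in the new `file_sniff` handler reads `f$info$mime_type` unguarded, yet that field is optional (the base x509 script tests it with `f$info?$mime_type`), so a file for which sniffing produced no type would, as far as I can tell, abort the handler with a missing-field error instead of returning; add `if ( ! f$info?$mime_type ) return;` ahead of the comparison, or compare against `meta$mime_type` behind a `meta?$mime_type` test, since `meta` is otherwise unused here. The `for ( cid in f$conns )` loop only serves to extract the single connection, which works because of the `|f$conns| != 1` guard above it and because `c` remains in scope after the loop; a comment such as `# exactly one connection here (checked above); pull it out` would make that intent clear. That guard also silently skips certificates on files associated with more than one connection, which deserves a sentence explaining why that is acceptable. The handler continues past the end of the hunk.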


@ -0,0 +1,54 @@
##! Enable basic OCSP logging.
# This is in policy because probably just about no one is interested
# in logging OCSP responses.
module OCSP;
export {
redef enum Log::ID += { LOG };
type Info: record {
## Current timestamp.
ts: time &log;
## File id of the ocsp reply.
id: string &log;
hashAlgorithm: string &log;
issuerNameHash: string &log;
issuerKeyHash: string &log;
serialNumber: string &log;
certStatus: string &log;
revoketime: time &log &optional;
revokereason: string &log &optional;
thisUpdate: time &log;
nextUpdate: time &log &optional;
};
global log_ocsp: event(rec: Info);
}
event bro_init()
{
Log::create_stream(LOG, [$columns=Info, $ev=log_ocsp, $path="ocsp"]);
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
local wr = OCSP::Info($ts=f$info$ts, $id=f$id, $hashAlgorithm=hashAlgorithm, $issuerNameHash=issuerNameHash,
$issuerKeyHash=issuerKeyHash, $serialNumber=serialNumber, $certStatus=certStatus,
$thisUpdate=thisUpdate);
if ( revokereason != "" )
wr$revokereason = revokereason;
if ( time_to_double(revoketime) != 0 )
wr$revoketime = revoketime;
if ( time_to_double(nextUpdate) != 0 )
wr$nextUpdate = nextUpdate;
Log::write(LOG, wr);
}
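Review bot: The `Info` record documents `ts` and `id` but leaves the nine other logged fields without `##` comments, so the generated script reference will show them undocumented; add a one-line `##` comment per field describing what it carries (hash algorithm of the cert id, issuer name and key hashes, serial number, certificate status, revocation time and reason, and the thisUpdate/nextUpdate window of the response). Unlike the script this replaces, the log carries no connection identifier, so an analyst must join `id` against files.log to reach the connection; a sentence in the header comment saying so would save them the surprise. If the intent of the checks on `revoketime` and `revokereason` in `ocsp_response_certificate` is that these columns are filled only for revoked certificates, the field comments should state that rather than leave the reader to infer it from the zero/empty tests.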


@ -0,0 +1,3 @@
ocsp_response_status, successful
ocsp_response_certificate, sha1, F2E06AF9858A1D8D709B4919237AA9B51A287E64, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, good, 0.0, , 1436577056.0, 1437181856.0
ocsp_response_bytes, successful, 0, 4ADD06161BBCF668B576F581B6BB621ABA5A812F, 1436577056.0, sha1WithRSAEncryption


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2017-02-09-00-23-43 #open 2017-02-10-23-35-49
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string #types time string string string string string string time string time time
1436909712.307162 192.168.6.109 54690 216.58.192.46 80 CHhAvVGS1DHFjwGM9 sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F H4c4c3b287beafd8d7f4806a0b14d2ee1de88e4be 0 - 1 1436909712.329517 Ft368Gc1ce0Juvj0d successful Basic OCSP Response 0 4ADD06161BBCF668B576F581B6BB621ABA5A812F 1436577056.000000 1 good 1436577056.000000 1437181856.000000 GET 1436909712.329517 Ft368Gc1ce0Juvj0d sha1 F2E06AF9858A1D8D709B4919237AA9B51A287E64 4ADD06161BBCF668B576F581B6BB621ABA5A812F 4ADD06161BBCF668B576F581B6BB621ABA5A812F good - - 1436577056.000000 1437181856.000000
#close 2017-02-09-00-23-43 #close 2017-02-10-23-35-50


@ -0,0 +1,2 @@
request, 0,
request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE


@ -1,10 +0,0 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ocsp
#open 2017-02-09-00-24-29
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string
1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 - - - - - - - - - - - POST
#close 2017-02-09-00-24-29


@ -0,0 +1,5 @@
request, 0,
request cert, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE
ocsp_response_status, successful
ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0
ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2017-02-09-00-24-32 #open 2017-02-11-00-00-41
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string #types time string string string string string string time string time time
1434666864.046145 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE FMbJOe2y5n1E7iSVsg 0 - 1 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 POST 1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000
#close 2017-02-09-00-24-32 #close 2017-02-11-00-00-41


@ -1 +0,0 @@
[version=3, serial=2CA87AF0486CD01E, subject=CN=Go Daddy Validation Authority - G2,O=GoDaddy Inc.,L=Scottsdale,ST=Arizona,C=US, issuer=CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US, cn=Go Daddy Validation Authority - G2, not_valid_before=1426489200.0, not_valid_after=1458111600.0, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]


@ -0,0 +1,3 @@
ocsp_response_status, successful
ocsp_response_certificate, sha1, B6080D5F6C6B76EB13E438A5F8660BA85233344E, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE, good, 0.0, , 1434665014.0, 1434794614.0
ocsp_response_bytes, successful, 0, C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2, 1434665014.0, sha1WithRSAEncryption


@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2017-02-09-00-24-34 #open 2017-02-11-00-00-52
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string #types time string string string string string string time string time time
1434666864.070748 192.168.6.109 34334 72.167.18.239 80 CHhAvVGS1DHFjwGM9 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE - - - - 1434666864.070748 Fb215u2y5byABaV747 successful Basic OCSP Response 0 C = US, ST = Arizona, L = Scottsdale, O = GoDaddy Inc., CN = Go Daddy Validation Authority - G2 1434665014.000000 1 good 1434665014.000000 1434794614.000000 - 1434666864.070748 Fb215u2y5byABaV747 sha1 B6080D5F6C6B76EB13E438A5F8660BA85233344E 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE 40C2BD278ECC348330A233D7FB6CB3F0B42C80CE good - - 1434665014.000000 1434794614.000000
#close 2017-02-09-00-24-34 #close 2017-02-11-00-00-52


@ -0,0 +1,20 @@
request, 0,
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
ocsp_response_status, successful
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1431615529.0, superseded, 1436286514.0, 1443489162.0
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436286514.0, sha1WithRSAEncryption
request, 0,
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
ocsp_response_status, successful
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1422391081.0, unspecified, 1436304214.0, 1443597239.0
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436304214.0, sha1WithRSAEncryption
request, 0,
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
ocsp_response_status, successful
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1432792428.0, (UNKNOWN), 1436238224.0, 1443473859.0
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436238224.0, sha1WithRSAEncryption
request, 0,
request cert, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A
ocsp_response_status, successful
ocsp_response_certificate, sha1, 74241467069FF5E0983F5E3E1A6BA0652A541575, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, 0159ABE7DD3A0B59A66463D6CF200757D591E76A, revoked, 1421494379.0, keyCompromise, 1436321024.0, 1443459307.0
ocsp_response_bytes, successful, 0, F6215E926EB3EC41FE08FC25F09FB1B9A0344A10, 1436321024.0, sha1WithRSAEncryption


@ -3,11 +3,11 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path ocsp #path ocsp
#open 2017-02-09-00-24-36 #open 2017-02-11-00-00-56
#fields ts cid.orig_h cid.orig_p cid.resp_h cid.resp_p cuid certId.hashAlgorithm certId.issuerNameHash certId.issuerKeyHash certId.serialNumber req.id req.version req.requestorName req.index resp_ts resp.id resp.responseStatus resp.responseType resp.version resp.responderID resp.producedAt resp.index resp.certStatus resp.thisUpdate resp.nextUpdate method #fields ts id hashAlgorithm issuerNameHash issuerKeyHash serialNumber certStatus revoketime revokereason thisUpdate nextUpdate
#types time addr port addr port string string string string string string count string count time string string string count string time count string time time string #types time string string string string string string time string time time
1438374032.518621 192.168.6.109 41812 23.5.251.27 80 CHhAvVGS1DHFjwGM9 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FDsgjS1bTYOzDpRJT4 0 - 1 1438374032.607628 Ftl4F41OsGtUDrOTWc successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436286514.000000 1 revoked 1436286514.000000 1443489162.000000 POST 1438374032.607476 Ftl4F41OsGtUDrOTWc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1431615529.000000 superseded 1436286514.000000 1443489162.000000
1438374032.650255 192.168.6.109 41813 23.5.251.27 80 ClEkJM2Vm5giqnMf4h sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A F5Tv7Z16QkNApNg0yl 0 - 1 1438374032.732035 FXISxH2UuTiDn0qCa1 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436304214.000000 1 revoked 1436304214.000000 1443597239.000000 POST 1438374032.731983 FXISxH2UuTiDn0qCa1 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1422391081.000000 unspecified 1436304214.000000 1443597239.000000
1438374032.759133 192.168.6.109 41814 23.5.251.27 80 C4J4Th3PJpwUYZZ6gc sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FGzVem3KYelVVdAze 0 - 1 1438374032.848522 F3OYfx3A0JvMX787V3 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436238224.000000 1 revoked 1436238224.000000 1443473859.000000 POST 1438374032.848476 F3OYfx3A0JvMX787V3 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1432792428.000000 (UNKNOWN) 1436238224.000000 1443473859.000000
1438374032.875001 192.168.6.109 41815 23.5.251.27 80 CtPZjS20MLrsMUOJi2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A FbmX4PpDIRU82YGK8 0 - 1 1438374033.033504 FVty9v3KTnCvbg0Xf2 successful Basic OCSP Response 0 F6215E926EB3EC41FE08FC25F09FB1B9A0344A10 1436321024.000000 1 revoked 1436321024.000000 1443459307.000000 POST 1438374033.033189 FVty9v3KTnCvbg0Xf2 sha1 74241467069FF5E0983F5E3E1A6BA0652A541575 0159ABE7DD3A0B59A66463D6CF200757D591E76A 0159ABE7DD3A0B59A66463D6CF200757D591E76A revoked 1421494379.000000 keyCompromise 1436321024.000000 1443459307.000000
#close 2017-02-09-00-24-36 #close 2017-02-11-00-00-56


@ -2,3 +2,42 @@
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-http-get.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log # @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event bro_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
{
print "extension: ", ext, global_resp;
}
event ocsp_request(f: fa_file, version: count, requestorName: string)
{
print "request", version, requestorName;
}
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
{
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
}
event ocsp_response_status(f: fa_file, status: string)
{
print "ocsp_response_status", status;
}
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
{
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
}
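Review bot: The `ocsp_response_bytes` handler (L707–L710) receives `certs: x509_opaque_vector` but never prints it, so the new `.stdout` baseline cannot detect the regression this commit fixes — OCSP replies being appended to the X.509 certificate list — or any future change in what ends up in `certs`. Adding `print "ocsp_response_bytes certs", |certs|;` after the existing print, or `for ( i in certs ) print x509_parse(certs[i]);` as the deleted ocsp-response-only test did (L796–L805), would pin that behaviour in the baseline. The same handler is duplicated verbatim in the other four test sections (L744, L781, L835, L872); the response-only test at L835 is the one where the trace presumably carries an embedded certificate, so it matters most there. Since all five tests repeat the same ~35 lines of handlers, moving them into one shared script that each test `@load`s would keep the baselines aligned when a handler changes.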


@ -1,4 +1,42 @@
# This tests a OCSP request missing response # This tests a OCSP request missing response
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-only.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log # @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event bro_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
{
print "extension: ", ext, global_resp;
}
event ocsp_request(f: fa_file, version: count, requestorName: string)
{
print "request", version, requestorName;
}
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
{
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
}
event ocsp_response_status(f: fa_file, status: string)
{
print "ocsp_response_status", status;
}
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
{
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
}
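Review bot: Replacing `btest-diff ocsp.log` with `btest-diff .stdout` at L721 means this request-only test no longer makes any statement about the log; if the intent (per the commit message, only replies are logged) is that a request without a response produces no ocsp.log, the test should assert that rather than stop looking, e.g. `# @TEST-EXEC: test ! -e ocsp.log` alongside the `.stdout` diff. That only holds if Bro does not create the log file for a stream that receives no records — worth confirming against the trace before relying on it. Without such a check, a regression that starts logging bare requests again would pass this test silently.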


@ -2,3 +2,42 @@
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-request-response.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log # @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event bro_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
{
print "extension: ", ext, global_resp;
}
event ocsp_request(f: fa_file, version: count, requestorName: string)
{
print "request", version, requestorName;
}
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
{
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
}
event ocsp_response_status(f: fa_file, status: string)
{
print "ocsp_response_status", status;
}
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
{
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
}


@ -1,15 +0,0 @@
# This tests OCSP response containing a certificate
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
# @TEST-EXEC: btest-diff .stdout
event ocsp_response(f: fa_file, resp_ref: opaque of ocsp_resp, resp: OCSP::Response)
{
if (resp?$certs)
{
for (x in resp$certs)
{
print x509_parse(resp$certs[x]);
}
}
}


@ -2,3 +2,42 @@
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-response-only.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log # @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event bro_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
{
print "extension: ", ext, global_resp;
}
event ocsp_request(f: fa_file, version: count, requestorName: string)
{
print "request", version, requestorName;
}
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
{
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
}
event ocsp_response_status(f: fa_file, status: string)
{
print "ocsp_response_status", status;
}
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
{
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
}


@ -2,3 +2,42 @@
# @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-revoked.pcap %INPUT
# @TEST-EXEC: btest-diff ocsp.log # @TEST-EXEC: btest-diff ocsp.log
# @TEST-EXEC: btest-diff .stdout
@load files/x509/log-ocsp
event bro_init()
{
Files::register_for_mime_type(Files::ANALYZER_OCSP_REQUEST, "application/ocsp-request");
Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, "application/ocsp-response");
}
event ocsp_extension(f: fa_file, ext: X509::Extension, global_resp: bool)
{
print "extension: ", ext, global_resp;
}
event ocsp_request(f: fa_file, version: count, requestorName: string)
{
print "request", version, requestorName;
}
event ocsp_request_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)
{
print "request cert", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber;
}
event ocsp_response_status(f: fa_file, status: string)
{
print "ocsp_response_status", status;
}
event ocsp_response_bytes(f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)
{
print "ocsp_response_bytes", status, version, responderId, producedAt, signatureAlgorithm;
}
event ocsp_response_certificate(f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revoketime: time, revokereason: string, thisUpdate: time, nextUpdate: time)
{
print "ocsp_response_certificate", hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber, certStatus, revoketime, revokereason, thisUpdate, nextUpdate;
}