Merge remote-tracking branch 'origin/topic/bernhard/base64'

* origin/topic/bernhard/base64: and re-enable caching of extracted certs and add bae64 bif tests. re-unify classes and modernize script. add base64-encode functionality and bif. Closes #965.
2025-10-06 16:48:19 +00:00 · 2013-03-17 12:58:39 -07:00 · 2013-03-17 12:58:39 -07:00 · d58a02aa01
commit d58a02aa01
parent 788c0d547d 457ce10e99
9 changed files with 182 additions and 28 deletions
--- a/scripts/policy/protocols/ssl/extract-certs-pem.bro
+++ b/scripts/policy/protocols/ssl/extract-certs-pem.bro
@ -4,14 +4,10 @@
 ##!
 ##! ..note::
 ##!
-##!     - It doesn't work well on a cluster because each worker will write its 
+##!     - It doesn't work well on a cluster because each worker will write its
 ##!       own certificate files and no duplicate checking is done across
 ##!       clusters so each node would log each certificate.
 ##!
-##!     - If there is a certificate input based vulnerability found in the
-##!       openssl command line utility, you could be in trouble because this
-##!       script uses that utility to convert from DER to PEM certificates.
-##!

@load base/protocols/ssl
@load base/utils/directions-and-hosts
@ -20,7 +16,7 @@
 module SSL;

 export {
-	## Control if host certificates offered by the defined hosts 
+	## Control if host certificates offered by the defined hosts
 	## will be written to the PEM certificates file.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS
 	const extract_certs_pem = LOCAL_HOSTS &redef;
@ -35,15 +31,33 @@ event ssl_established(c: connection) &priority=5
 	{
 	if ( ! c$ssl?$cert )
 		return;
+
 	if ( ! addr_matches_host(c$id$resp_h, extract_certs_pem) )
 		return;
-	
+
 	if ( c$ssl$cert_hash in extracted_certs )
 		# If we already extracted this cert, don't do it again.
 		return;
-	
+
 	add extracted_certs[c$ssl$cert_hash];
-	local side = Site::is_local_addr(c$id$resp_h) ? "local" : "remote";
-	local cmd = fmt("%s x509 -inform DER -outform PEM >> certs-%s.pem", openssl_util, side);
-	piped_exec(cmd, c$ssl$cert);
+	local filename = Site::is_local_addr(c$id$resp_h) ? "certs-local.pem" : "certs-remote.pem";
+	local outfile = open_for_append(filename);
+
+	print outfile, "-----BEGIN CERTIFICATE-----";
+
+	# Encode to base64 and format to fit 50 lines. Otherwise openssl won't like it later.
+	local lines = split_all(encode_base64(c$ssl$cert), /.{50}/);
+	local i = 1;
+	for ( line in lines )
+		{
+		if ( |lines[i]| > 0 )
+			{
+			print outfile, lines[i];
+			}
+		i+=1;
+		}
+
+	print outfile, "-----END CERTIFICATE-----";
+	print outfile, "";
+	close(outfile);
 	}