parse out extension. One event for general extensions (just returns the

openssl-parsed string-value), one event for basicconstraints (is a certificate
a CA or not) and one event for subject-alternative-names (only DNS parts).

scripts/base/files/x509/main.bro

@@ -12,3 +12,18 @@ event x509_cert(f: fa_file, cert: X509::Certificate)
 	print cert;
 	}
 
+event x509_extension(f: fa_file, ext: X509::Extension)
+{
+print ext;
+}
+
+event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints)
+{
+print ext;
+}
+
+event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) 
+{
+print ext;
+}
+

scripts/base/init-bare.bro

@@ -2736,9 +2736,27 @@ export {
 		key_length: count &optional; ##< key-length in bits  
 		exponent: string &optional; ##< exponent, if RSA-certificate
 		curve: string &optional; ##< curve, if EC-certificate
-		ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
-		path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
+		#ca: bool &optional; ##< indicates the CA value in the X509v3 BasicConstraints extension
+		#path_len: count &optional; ##< indicates the path_length value in the X509v3 BasicConstraints extension
 	};
+
+	type X509::Extension: record {
+		name: string; ##< long name of extension. oid if name not known
+		short_name: string &optional; ##< short name of extension if known.
+		oid: string; ##< oid of extension
+		critical: bool; ##< true if extension is critical
+		value: string; ##< extension content parsed to string for known extensions. Raw data otherwise.
+	};
+
+	type X509::BasicConstraints: record {
+		ca: bool; ##< CA flag set?
+		path_len: count &optional;
+	};
+	
+	type X509::SubjectAlternativeName: record {
+		names: vector of string;
+	};
+
 }
 		
 module SOCKS;