mirror of
https://github.com/zeek/zeek.git
synced 2025-10-06 00:28:21 +00:00
39 lines
1.2 KiB
JavaScript
39 lines
1.2 KiB
JavaScript
function proc_certificate(is_orig: bool, certificates : bytestring[]) : bool
|
|
%{
|
|
if ( certificates->size() == 0 )
|
|
return true;
|
|
|
|
zeek::ODesc common;
|
|
common.AddRaw("Analyzer::ANALYZER_SSL");
|
|
common.Add(zeek_analyzer()->Conn()->StartTime());
|
|
common.AddRaw(is_orig ? "T" : "F", 1);
|
|
zeek_analyzer()->Conn()->IDString(&common);
|
|
|
|
static const string user_mime = "application/x-x509-user-cert";
|
|
static const string ca_mime = "application/x-x509-ca-cert";
|
|
|
|
for ( unsigned int i = 0; i < certificates->size(); ++i )
|
|
{
|
|
const bytestring& cert = (*certificates)[i];
|
|
|
|
if ( cert.length() <= 0 )
|
|
{
|
|
zeek::reporter->Weird(zeek_analyzer()->Conn(), "zero_length_certificate", "",
|
|
zeek_analyzer()->GetAnalyzerName());
|
|
continue;
|
|
}
|
|
|
|
zeek::ODesc file_handle;
|
|
file_handle.Add(common.Description());
|
|
file_handle.Add(i);
|
|
|
|
string file_id = zeek::file_mgr->HashHandle(file_handle.Description());
|
|
|
|
zeek::file_mgr->DataIn(reinterpret_cast<const u_char*>(cert.data()),
|
|
cert.length(), zeek_analyzer()->GetAnalyzerTag(),
|
|
zeek_analyzer()->Conn(), is_orig,
|
|
file_id, i == 0 ? user_mime : ca_mime);
|
|
zeek::file_mgr->EndOfFile(file_id);
|
|
}
|
|
return true;
|
|
%}
|