mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 22:58:20 +00:00
e8339d5c63
* origin/topic/bernhard/file-analysis-x509: Forgot the preamble for the new leak test (hopefully) last change -> return real opaque vec instead of any_vec Fix dump-events - it cannot be used with ssl anymore, because openssl does not give the same string results in all versions. Finishing touches of the x509 file analyzer. Revert change to only log certificates once per hour. Change x509 log - now certificates are only logged once per hour. Fix circular reference problem and a few other small things. X509 file analyzer nearly done. Verification and most other policy scripts work fine now. Add verify functionality, including the ability to get the validated chain. This means that it is now possible to get information about the root-certificates that were used to secure a connection. Second try on the event interface. Backport crash fix that made it into master with the x509_extension backport from here. Make x509 certificates an opaque type rip out x509 code from ssl analyzer. Note that since at the moment the file analyzer does not yet re-populate the info record that means quite a lot of information is simply not available. parse out extension. One event for general extensions (just returns the openssl-parsed string-value), one event for basicconstraints (is a certificate a CA or not) and one event for subject-alternative-names (only DNS parts). Very basic file-analyzer for x509 certificates. Mostly ripped from the ssl-analyzer and the topic/bernhard/x509 branch.
77 lines
1.9 KiB
Text
77 lines
1.9 KiB
Text
@load base/frameworks/files
|
|
@load base/files/hash
|
|
|
|
module X509;
|
|
|
|
export {
|
|
redef enum Log::ID += { LOG };
|
|
|
|
type Info: record {
|
|
## Current timestamp.
|
|
ts: time &log;
|
|
|
|
## File id of this certificate.
|
|
id: string &log;
|
|
|
|
## Basic information about the certificate.
|
|
certificate: X509::Certificate &log;
|
|
|
|
## The opaque wrapping the certificate. Mainly used
|
|
## for the verify operations.
|
|
handle: opaque of x509;
|
|
|
|
## All extensions that were encountered in the certificate.
|
|
extensions: vector of X509::Extension &default=vector();
|
|
|
|
## Subject alternative name extension of the certificate.
|
|
san: X509::SubjectAlternativeName &optional &log;
|
|
|
|
## Basic constraints extension of the certificate.
|
|
basic_constraints: X509::BasicConstraints &optional &log;
|
|
};
|
|
|
|
## Event for accessing logged records.
|
|
global log_x509: event(rec: Info);
|
|
}
|
|
|
|
event bro_init() &priority=5
|
|
{
|
|
Log::create_stream(X509::LOG, [$columns=Info, $ev=log_x509]);
|
|
}
|
|
|
|
redef record Files::Info += {
|
|
## Information about X509 certificates. This is used to keep
|
|
## certificate information until all events have been received.
|
|
x509: X509::Info &optional;
|
|
};
|
|
|
|
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate) &priority=5
|
|
{
|
|
f$info$x509 = [$ts=f$info$ts, $id=f$id, $certificate=cert, $handle=cert_ref];
|
|
}
|
|
|
|
event x509_extension(f: fa_file, ext: X509::Extension) &priority=5
|
|
{
|
|
if ( f$info?$x509 )
|
|
f$info$x509$extensions[|f$info$x509$extensions|] = ext;
|
|
}
|
|
|
|
event x509_ext_basic_constraints(f: fa_file, ext: X509::BasicConstraints) &priority=5
|
|
{
|
|
if ( f$info?$x509 )
|
|
f$info$x509$basic_constraints = ext;
|
|
}
|
|
|
|
event x509_ext_subject_alternative_name(f: fa_file, ext: X509::SubjectAlternativeName) &priority=5
|
|
{
|
|
if ( f$info?$x509 )
|
|
f$info$x509$san = ext;
|
|
}
|
|
|
|
event file_state_remove(f: fa_file) &priority=5
|
|
{
|
|
if ( ! f$info?$x509 )
|
|
return;
|
|
|
|
Log::write(LOG, f$info$x509);
|
|
}
|