base/bif/plugins/Zeek_X509.events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

x509_certificate: event

Generated for encountered X509 certificates, e.g., in the clear SSL/TLS connection handshake.

x509_ext_basic_constraints: event

Generated for the X509 basic constraints extension seen in a certificate.

x509_ext_subject_alternative_name: event

Generated for the X509 subject alternative name extension seen in a certificate.

x509_extension: event

Generated for X509 extensions seen in a certificate.

x509_ocsp_ext_signed_certificate_timestamp: event

Generated for the signed_certificate_timestamp X509 extension as defined in RFC 6962.

Detailed Interface

Events

x509_certificate
Type

event (f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)

Generated for encountered X509 certificates, e.g., in the clear SSL/TLS connection handshake.

See Wikipedia for more information about the X.509 format.

Parameters
  • f – The file.

  • cert_ref – An opaque pointer to the underlying OpenSSL data structure of the certificate.

  • cert – The parsed certificate information.

See also: x509_extension, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_verify, x509_get_certificate_string, x509_ocsp_ext_signed_certificate_timestamp

x509_ext_basic_constraints
Type

event (f: fa_file, ext: X509::BasicConstraints)

Generated for the X509 basic constraints extension seen in a certificate. This extension can be used to identify the subject of a certificate as a CA.

Parameters
  • f – The file.

  • ext – The parsed basic constraints extension.

See also: x509_certificate, x509_extension, x509_ext_subject_alternative_name, x509_parse, x509_verify, x509_get_certificate_string, x509_ocsp_ext_signed_certificate_timestamp

x509_ext_subject_alternative_name
Type

event (f: fa_file, ext: X509::SubjectAlternativeName)

Generated for the X509 subject alternative name extension seen in a certificate. This extension can be used to allow additional entities to be bound to the subject of the certificate. Usually it is used to specify one or multiple DNS names for which a certificate is valid.

Parameters
  • f – The file.

  • ext – The parsed subject alternative name extension.

See also: x509_certificate, x509_extension, x509_ext_basic_constraints, x509_parse, x509_verify, x509_ocsp_ext_signed_certificate_timestamp, x509_get_certificate_string

x509_extension
Type

event (f: fa_file, ext: X509::Extension)

Generated for X509 extensions seen in a certificate.

See Wikipedia for more information about the X.509 format.

Parameters
  • f – The file.

  • ext – The parsed extension.

See also: x509_certificate, x509_ext_basic_constraints, x509_ext_subject_alternative_name, x509_parse, x509_verify, x509_get_certificate_string, x509_ocsp_ext_signed_certificate_timestamp

x509_ocsp_ext_signed_certificate_timestamp
Type

event (f: fa_file, version: count, logid: string, timestamp: count, hash_algorithm: count, signature_algorithm: count, signature: string)

Generated for the signed_certificate_timestamp X509 extension as defined in RFC 6962. The extension is used to transmit signed proofs that are used for Certificate Transparency. Raised when the extension is encountered in an X.509 certificate or in an OCSP reply.

Parameters
  • f – The file.

  • version – the version of the protocol to which the SCT conforms. Always should be 0 (representing version 1)

  • logid – 32 bit key id

  • timestamp – the NTP Time when the entry was logged measured since the epoch, ignoring leap seconds, in milliseconds.

  • signature_and_hashalgorithm – signature and hash algorithm used for the digitally_signed struct

  • signature – signature part of the digitally_signed struct

See also: ssl_extension_signed_certificate_timestamp, x509_extension, x509_ext_basic_constraints, x509_parse, x509_verify, x509_ext_subject_alternative_name, x509_get_certificate_string ssl_extension_signed_certificate_timestamp, sct_verify, ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, x509_ocsp_ext_signed_certificate_timestamp