base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek

Namespace: GLOBAL

Summary

Events

| Event | Description |
|---|---|
| ocsp_extension : event | This event is raised when an OCSP extension is encountered in an OCSP response. |
| ocsp_request : event | Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. |
| ocsp_request_certificate : event | Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. |
| ocsp_response_bytes : event | This event is raised when encountering an OCSP response that contains response information. |
| ocsp_response_certificate : event | This event is raised for each SingleResponse contained in an OCSP response. |
| ocsp_response_status : event | This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. |

Detailed Interface

Events

ocsp_extension

Type: event (f: fa_file, ext: X509::Extension, global_resp: bool)

This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.

- f: The file.
- ext: The parsed extension (same format as X.509 extensions).
- global_resp: T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request

Type: event (f: fa_file, version: count)

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.

This event is raised exactly once for each OCSP request.

- f: The file.
- version: The version of the OCSP request. Typically 0 (Version 1).

See also: ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request_certificate

Type: event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.

Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.

- f: The file.
- hashAlgorithm: The hash algorithm used for the issuerKeyHash.
- issuerKeyHash: Hash of the issuer's public key.
- serialNumber: Serial number of the certificate for which the status is requested.

See also: ocsp_request, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_bytes

Type: event (f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)

This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.

- f: The file.
- status: The status of the OCSP response (e.g. successful, malformedRequest, tryLater).
- version: Version of the OCSP response (typically 0 for version 1).
- responderId: The ID of the OCSP responder; either a public key hash or a distinguished name.
- producedAt: Time at which the reply was produced.
- signatureAlgorithm: Algorithm used for the OCSP signature.
- certs: Optional list of certificates that are sent with the OCSP response; these are typically needed to validate the reply.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_certificate

Type: event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time)

This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.

- f: The file.
- hashAlgorithm: The hash algorithm used for issuerNameHash and issuerKeyHash.
- issuerNameHash: Hash of the issuer's distinguished name.
- issuerKeyHash: Hash of the issuer's public key.
- serialNumber: Serial number of the affected certificate.
- certStatus: Status of the certificate.
- revokeTime: Time the certificate was revoked, 0 if not revoked.
- revokeReason: Reason the certificate was revoked; empty string if not revoked or not specified.
- thisUpdate: Time this response was generated.
- nextUpdate: Time the next response will be ready; 0 if not supplied.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_status

Type: event (f: fa_file, status: string)

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.

This event is raised exactly once for each OCSP reply.

- f: The file.
- status: The status of the OCSP response (e.g. successful, malformedRequest, tryLater).

See also: ocsp_request, ocsp_request_certificate, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp