base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek

GLOBAL

Namespace:GLOBAL

Summary

Events

ocsp_extension: event	This event is raised when an OCSP extension is encountered in an OCSP response.
ocsp_request: event	Event that is raised when encountering an OCSP request, e.g.
ocsp_request_certificate: event	Event that is raised when encountering an OCSP request for a certificate, e.g.
ocsp_response_bytes: event	This event is raised when encountering an OCSP response that contains response information.
ocsp_response_certificate: event	This event is raised for each SingleResponse contained in an OCSP response.
ocsp_response_status: event	This event is raised when encountering an OCSP reply, e.g.

Detailed Interface

Events

ocsp_extension

Type:event (f: fa_file, ext: X509::Extension, global_resp: bool)

This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.

F:The file. Ext:The parsed extension (same format as X.509 extensions). Global_resp:T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request

Type:event (f: fa_file, version: count)

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.

This event is raised exactly once for each OCSP Request.

F:The file. Req:version: the version of the OCSP request. Typically 0 (Version 1).

See also: ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request_certificate

Type:event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.

Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.

F:The file. HashAlgorithm:The hash algorithm used for the issuerKeyHash. IssuerKeyHash:Hash of the issuers public key. SerialNumber:Serial number of the certificate for which the status is requested.

See also: ocsp_request, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_bytes

Type:event (f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)

This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.

F:The file. Status:The status of the OCSP response (e.g. succesful, malformedRequest, tryLater). Version:Version of the OCSP response (typically - for version 1). ResponderId:The id of the OCSP responder; either a public key hash or a distinguished name. ProducedAt:Time at which the reply was produced. SignatureAlgorithm:  Algorithm used for the OCSP signature. Certs:Optional list of certificates that are sent with the OCSP response; these typically are needed to perform validation of the reply.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_certificate

Type:event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time)

This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.

F:The file. HashAlgorithm:The hash algorithm used for issuerNameHash and issuerKeyHash. IssuerNameHash:Hash of the issuer’s distinguished name. IssuerKeyHash:Hash of the issuer’s public key. SerialNumber:Serial number of the affected certificate. CertStatus:Status of the certificate. RevokeTime:Time the certificate was revoked, 0 if not revoked. RevokeTeason:Reason certificate was revoked; empty string if not revoked or not specified. ThisUpdate:Time this response was generated. NextUpdate:Time next response will be ready; 0 if not supploed.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_status

Type:event (f: fa_file, status: string)

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.

This event is raised exactly once for each OCSP reply.

F:The file. Status:The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).

See also: ocsp_request, ocsp_request_certificate, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp