base/bif/plugins/Zeek_X509.ocsp_events.bif.zeek

GLOBAL
Namespace

GLOBAL

Summary

Events

ocsp_extension: event

This event is raised when an OCSP extension is encountered in an OCSP response.

ocsp_request: event

Event that is raised when encountering an OCSP request, e.g.

ocsp_request_certificate: event

Event that is raised when encountering an OCSP request for a certificate, e.g.

ocsp_response_bytes: event

This event is raised when encountering an OCSP response that contains response information.

ocsp_response_certificate: event

This event is raised for each SingleResponse contained in an OCSP response.

ocsp_response_status: event

This event is raised when encountering an OCSP reply, e.g.

Detailed Interface

Events

ocsp_extension
Type

event (f: fa_file, ext: X509::Extension, global_resp: bool)

This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.

F

The file.

Ext

The parsed extension (same format as X.509 extensions).

Global_resp

T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request
Type

event (f: fa_file, version: count)

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.

This event is raised exactly once for each OCSP Request.

F

The file.

Req

version: the version of the OCSP request. Typically 0 (Version 1).

See also: ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request_certificate
Type

event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.

Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.

F

The file.

HashAlgorithm

The hash algorithm used for the issuerKeyHash.

IssuerKeyHash

Hash of the issuers public key.

SerialNumber

Serial number of the certificate for which the status is requested.

See also: ocsp_request, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_bytes
Type

event (f: fa_file, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)

This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.

F

The file.

Status

The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).

Version

Version of the OCSP response (typically - for version 1).

ResponderId

The id of the OCSP responder; either a public key hash or a distinguished name.

ProducedAt

Time at which the reply was produced.

SignatureAlgorithm

Algorithm used for the OCSP signature.

Certs

Optional list of certificates that are sent with the OCSP response; these typically are needed to perform validation of the reply.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_certificate
Type

event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time)

This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.

F

The file.

HashAlgorithm

The hash algorithm used for issuerNameHash and issuerKeyHash.

IssuerNameHash

Hash of the issuer’s distinguished name.

IssuerKeyHash

Hash of the issuer’s public key.

SerialNumber

Serial number of the affected certificate.

CertStatus

Status of the certificate.

RevokeTime

Time the certificate was revoked, 0 if not revoked.

RevokeTeason

Reason certificate was revoked; empty string if not revoked or not specified.

ThisUpdate

Time this response was generated.

NextUpdate

Time next response will be ready; 0 if not supploed.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_status
Type

event (f: fa_file, status: string)

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.

This event is raised exactly once for each OCSP reply.

F

The file.

Status

The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).

See also: ocsp_request, ocsp_request_certificate, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp