base/bif/plugins/Bro_X509.ocsp_events.bif.bro

GLOBAL
Namespace:GLOBAL
Source File:/scripts/base/bif/plugins/Bro_X509.ocsp_events.bif.bro

Summary

Events

ocsp_extension: event This event is raised when an OCSP extension is encountered in an OCSP response.
ocsp_request: event Event that is raised when encountering an OCSP request, e.g.
ocsp_request_certificate: event Event that is raised when encountering an OCSP request for a certificate, e.g.
ocsp_response_bytes: event This event is raised when encountering an OCSP response that contains response information.
ocsp_response_certificate: event This event is raised for each SingleResponse contained in an OCSP response.
ocsp_response_status: event This event is raised when encountering an OCSP reply, e.g.

Detailed Interface

Events

ocsp_extension
Type:event (f: fa_file, ext: X509::Extension, global_resp: bool)

This event is raised when an OCSP extension is encountered in an OCSP response. See RFC 6960 for more details on OCSP.

F:The file.
Ext:The parsed extension (same format as X.509 extensions).
Global_resp:T if extension encountered in the global response (in ResponseData), F when encountered in a SingleResponse.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request
Type:event (f: fa_file, version: count, requestorName: string)

Event that is raised when encountering an OCSP request, e.g. in an HTTP connection. See RFC 6960 for more details.

This event is raised exactly once for each OCSP Request.

F:The file.
Req:version: the version of the OCSP request. Typically 0 (Version 1).
RequestorName:name of the OCSP requestor. This attribute is optional; if it is not set, an empty string is returned here.

See also: ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_request_certificate
Type:event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string)

Event that is raised when encountering an OCSP request for a certificate, e.g. in an HTTP connection. See RFC 6960 for more details.

Note that a single OCSP request can contain requests for several certificates. Thus this event can fire several times for one OCSP request, each time requesting information for a different (or in theory even the same) certificate.

F:The file.
HashAlgorithm:The hash algorithm used for the issuerKeyHash.
IssuerKeyHash:Hash of the issuers public key.
SerialNumber:Serial number of the certificate for which the status is requested.

See also: ocsp_request, ocsp_response_status, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_bytes
Type:event (f: fa_file, resp_ref: opaque of ocsp_resp, status: string, version: count, responderId: string, producedAt: time, signatureAlgorithm: string, certs: x509_opaque_vector)

This event is raised when encountering an OCSP response that contains response information. An OCSP reply can be encountered, for example, in an HTTP connection or a TLS extension. See RFC 6960 for more details on OCSP.

F:The file.
Req_ref:An opaque pointer to the underlying OpenSSL data structure of the OCSP response.
Status:The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).
Version:Version of the OCSP response (typically - for version 1).
ResponderId:The id of the OCSP responder; either a public key hash or a distinguished name.
ProducedAt:Time at which the reply was produced.
SignatureAlgorithm:
 Algorithm used for the OCSP signature.
Certs:Optional list of certificates that are sent with the OCSP response; these typically are needed to perform validation of the reply.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_certificate
Type:event (f: fa_file, hashAlgorithm: string, issuerNameHash: string, issuerKeyHash: string, serialNumber: string, certStatus: string, revokeTime: time, revokeReason: string, thisUpdate: time, nextUpdate: time)

This event is raised for each SingleResponse contained in an OCSP response. See RFC 6960 for more details on OCSP.

F:The file.
HashAlgorithm:The hash algorithm used for issuerNameHash and issuerKeyHash.
IssuerNameHash:Hash of the issuer’s distinguished name.
IssuerKeyHash:Hash of the issuer’s public key.
SerialNumber:Serial number of the affected certificate.
CertStatus:Status of the certificate.
RevokeTime:Time the certificate was revoked, 0 if not revoked.
RevokeTeason:Reason certificate was revoked; empty string if not revoked or not specified.
ThisUpdate:Time this response was generated.
NextUpdate:Time next response will be ready; 0 if not supploed.

See also: ocsp_request, ocsp_request_certificate, ocsp_response_status, ocsp_response_bytes, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

ocsp_response_status
Type:event (f: fa_file, status: string)

This event is raised when encountering an OCSP reply, e.g. in an HTTP connection or a TLS extension. See RFC 6960 for more details.

This event is raised exactly once for each OCSP reply.

F:The file.
Status:The status of the OCSP response (e.g. succesful, malformedRequest, tryLater).

See also: ocsp_request, ocsp_request_certificate, ocsp_response_bytes, ocsp_response_certificate, ocsp_extension, x509_ocsp_ext_signed_certificate_timestamp

Copyright 2016, The Bro Project. Last updated on October 21, 2017. Created using Sphinx 1.5.2.