[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Second try on the event interface. (7ba6bcf)

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Feb 28 09:02:53 PST 2014

On Feb 28, 2014, at 8:01 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:

> On Feb 28, 2014, at 6:37 AM, Seth Hall <seth at icir.org> wrote:
>> On Feb 28, 2014, at 6:04 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:
>>> -event x509_extension(f: fa_file, ext: X509::Extension)
>>> +event x509_extension(f: fa_file, cert: X509::Certificate, ext: X509::Extension)
>> Would it make more sense to leave the cert out?  Seems like state we should collect in script land instead of passing it through from the core each time.
> The “cert” only is a record in the events. So - the only thing that is passed around is a ref-counted
> pointer. The actual certificate string is not passed to script land anymore (when I am finished you
> will be able to get it if you really want to, but it will not be exposed by default).
> An opaque type is passed around - this makes certificate verification possible without having to re-parse
> them with OpenSSL.
> I thought that that is ok. Or are you meaning something else?

Followup - Seth convinced me that I am doing it wrong :) The record will disappear from the extension


More information about the bro-dev mailing list