[Bro-Dev] [Bro-Commits] [git/bro] topic/bernhard/file-analysis-x509: Second try on the event interface. (7ba6bcf)

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Feb 28 09:02:53 PST 2014


On Feb 28, 2014, at 8:01 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:

> 
> On Feb 28, 2014, at 6:37 AM, Seth Hall <seth at icir.org> wrote:
> 
>> 
>> On Feb 28, 2014, at 6:04 AM, Bernhard Amann <bernhard at ICSI.Berkeley.EDU> wrote:
>> 
>>> -event x509_extension(f: fa_file, ext: X509::Extension)
>>> +event x509_extension(f: fa_file, cert: X509::Certificate, ext: X509::Extension)
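Review bot: the added `cert: X509::Certificate` parameter on `x509_extension` sits between `f` and `ext`, so any handler written against the two-argument form stops matching the event and has to be updated. The visible lines carry no doc comment saying what `cert` contains or why an extension handler needs it on every call. Either document the parameter next to the declaration or keep the original `(f: fa_file, ext: X509::Extension)` signature and let scripts associate the extension with its certificate through `f`.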
>> 
>> Would it make more sense to leave the cert out?  Seems like state we should collect in script land instead of passing it through from the core each time.
> 
> The “cert” is only a record in the events. So - the only thing that is passed around is a ref-counted
> pointer. The actual certificate string is not passed to script land anymore (when I am finished you
> will be able to get it if you really want to, but it will not be exposed by default).
> 
> An opaque type is passed around - this makes certificate verification possible without having to re-parse
> them with OpenSSL.
> 
> I thought that that is ok. Or do you mean something else?

Followup - Seth convinced me that I am doing it wrong :) The record will disappear from the extension
events.

Bernhard

