[Bro] X509 verify example
Johanna Amann
johanna at icir.org
Thu Jun 21 11:22:29 PDT 2018
Hi Reinhard,
is there a reason you want to write this yourself?
policy/protocols/ssl/validate-certs.bro implements certificate
validation and you should just have to @load it.
It also shows how the function is called - the vector is really just
populated with all the certificates in the chain.
As for question 2: you have to redef the root_certs record and add it
there.
http://mailman.icsi.berkeley.edu/pipermail/bro/2012-February/004566.html
has a small script that generates the correct format that still should
work.
I hope this helps - let me know if not :)
Johanna
On 21 Jun 2018, at 10:15, Reinhard Gentz wrote:
> Hi, I am trying to verify an X509 certificate captured with bro, but I am
> having trouble using the verify function.
>
> What I have is the event
>
> event x509_certificate(f: fa_file, cert_ref: opaque, cert: X509::Certificate)
>
> How do I feed this information into this function to verify it?
>
> function x509_verify(certs: x509_opaque_vector, root_certs: table_string_of_string, verify_time: time &default=network_time()): X509::Result
>
> https://www.bro.org/sphinx-git/scripts/base/bif/plugins/Bro_X509.functions.bif.bro.html#id-x509_verify
>
>
> Question 1: How do I convert cert_ref: opaque to certs: x509_opaque_vector?
> Question 2: root_certs: table_string_of_string: How can I input my own CA
> root certificate here? In which folder does it go and how do I make bro
> aware of it?
>
> Thank you
> Reinhard
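The call pattern described in the reply, as an added example that is not part of the original thread or the Bro distribution; it follows the approach of policy/protocols/ssl/validate-certs.bro for Bro 2.x. The CA subject and the DER bytes in the redef are placeholders to be replaced with your own CA's values, and printing the result is only for illustration.

```bro
@load base/protocols/ssl
@load base/files/x509

# Question 2: trust anchors live in the SSL::root_certs table.
# Key: subject DN of the CA. Value: the DER-encoded certificate as an
# escaped byte string. Both values below are PLACEHOLDERS, not a real CA;
# generate the real entry from your CA file (see the script linked above).
redef SSL::root_certs += {
	["CN=Example Internal Root CA,O=Example Org"] = "\x30\x82<DER bytes of your CA>",
};

event ssl_established(c: connection)
	{
	# No certificates were seen (for example a resumed session), or the
	# host certificate could not be parsed: nothing to validate.
	if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
	     ! c$ssl$cert_chain[0]?$x509 )
		return;

	# Question 1: x509_verify takes the whole chain as a vector of opaque
	# x509 handles, host certificate first. Each handle is the same kind of
	# value that x509_certificate receives as cert_ref.
	local chain: vector of opaque of x509 = vector();
	for ( i in c$ssl$cert_chain )
		{
		if ( c$ssl$cert_chain[i]?$x509 )
			chain[|chain|] = c$ssl$cert_chain[i]$x509$handle;
		}

	# verify_time is left at its default, network_time().
	local result = x509_verify(chain, SSL::root_certs);

	# result_string is "ok" on success, otherwise the verification error text.
	if ( result$result_string != "ok" )
		print fmt("%s -> %s: certificate validation failed: %s",
		          c$id$orig_h, c$id$resp_h, result$result_string);
	}
```

Passing only the single cert_ref from x509_certificate will fail for any server certificate issued by an intermediate CA, which is why the chain is collected per connection here.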