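##! Detection for CVE-2020-0601 (Windows CryptoAPI ECC certificate validation
##! flaw): raises a notice for X.509 certificates whose public key algorithm is
##! EC but for which the analyzer did not identify a named curve, and optionally
##! logs the offending certificate so it can be examined later.

@load base/frameworks/notice
@load base/files/x509

module CVE_2020_0601;

export {
	## Set to T to additionally write every suspicious certificate to the
	## cve-2020-0601-certs log; the notice is raised regardless.
	option log_certs = F;

	## The logging stream identifier.
	redef enum Log::ID += { LOG };

	## The record type which contains column fields of the certificate log.
	type Info: record {
		## Timestamp when this record is written.
		ts: time &log;
		## File-id of the certificate
		fuid: string &log;
		## Certificate (DER bytes) encoded as base64
		certificate: string &log;
	};

	redef enum Notice::Type += {
		## An ECC certificate with an unknown curve was encountered.
		## Certificates normally reference a named curve; an EC key
		## without one is the pattern associated with CVE-2020-0601.
		Unknown_X509_Curve
	};
}

event zeek_init()
	{
	# Register the certificate log. Records are only written to it when
	# ``log_certs`` is enabled.
	Log::create_stream(CVE_2020_0601::LOG, [$columns=Info, $path="cve-2020-0601-certs"]);
	}

## Handles each X.509 certificate parsed by the file analysis framework.
event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
	{
	# ``curve`` is optional and appears to be set only when the analyzer
	# recognises a named curve (confirm against the X509 analyzer), so an
	# EC key without it carries curve parameters that could not be mapped
	# to a known curve.
	if ( cert?$key_alg && cert$key_alg == "id-ecPublicKey" && ! cert?$curve )
		{
		# $f=f lets the notice framework attach the file (and, where
		# available, connection) context to the notice.
		NOTICE([$note=Unknown_X509_Curve, $f=f,
		        $msg="ECC certificate with unknown curve; potential CVE-2020-0601 exploit attempt"]);

		if ( log_certs )
			# F requests the raw DER form rather than PEM before base64 encoding.
			Log::write(CVE_2020_0601::LOG,
			           Info($ts=network_time(), $fuid=f$id,
			                $certificate=encode_base64(x509_get_certificate_string(cert_ref, F))));
		}
	}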