|
|
2413b1 |
From 73fe8961f585f2948c796fe0cf94aac25982b75a Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
2413b1 |
Date: Thu, 1 Feb 2018 22:31:42 +0100
|
|
|
2413b1 |
Subject: [PATCH 1/9] Refactored SecurityDataArchivalProcessedEvent.
|
|
|
2413b1 |
|
|
|
2413b1 |
The SecurityDataArchivalProcessedEvent has been modified to provide
|
|
|
2413b1 |
separate factory methods for SUCCESS and FAILURE events.
|
|
|
2413b1 |
|
|
|
2413b1 |
https://pagure.io/dogtagpki/issue/2848
|
|
|
2413b1 |
|
|
|
2413b1 |
Change-Id: Ie102aabaa81553ac1ea6963841a0568f1b6e04a5
|
|
|
2413b1 |
(cherry picked from commit c1f607dc515f1b37a848a8b013d02f9d366e5402)
|
|
|
2413b1 |
(cherry picked from commit f2d828681d8b40e4d801af8d3bd5a6d6aaf71391)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
.../event/SecurityDataArchivalProcessedEvent.java | 49 +++++++---
|
|
|
2413b1 |
.../src/com/netscape/kra/EnrollmentService.java | 4 +-
|
|
|
2413b1 |
.../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +--
|
|
|
2413b1 |
.../src/com/netscape/kra/NetkeyKeygenService.java | 6 +-
|
|
|
2413b1 |
.../com/netscape/kra/SecurityDataProcessor.java | 102 +++++++++++++--------
|
|
|
2413b1 |
5 files changed, 112 insertions(+), 60 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
|
|
|
2413b1 |
index dd88b45..2d87ece 100644
|
|
|
2413b1 |
--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
|
|
|
2413b1 |
+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
|
|
|
2413b1 |
@@ -18,6 +18,7 @@
|
|
|
2413b1 |
package com.netscape.certsrv.logging.event;
|
|
|
2413b1 |
|
|
|
2413b1 |
import com.netscape.certsrv.dbs.keydb.KeyId;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.SignedAuditEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.request.RequestId;
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -28,9 +29,33 @@ public class SecurityDataArchivalProcessedEvent extends SignedAuditEvent {
|
|
|
2413b1 |
private static final String LOGGING_PROPERTY =
|
|
|
2413b1 |
"LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED";
|
|
|
2413b1 |
|
|
|
2413b1 |
- public SecurityDataArchivalProcessedEvent(
|
|
|
2413b1 |
+ public SecurityDataArchivalProcessedEvent() {
|
|
|
2413b1 |
+ super(LOGGING_PROPERTY);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ public static SecurityDataArchivalProcessedEvent createSuccessEvent(
|
|
|
2413b1 |
+ String subjectID,
|
|
|
2413b1 |
+ String archivalRequestId,
|
|
|
2413b1 |
+ RequestId requestID,
|
|
|
2413b1 |
+ String clientKeyID,
|
|
|
2413b1 |
+ KeyId keyID,
|
|
|
2413b1 |
+ String pubkey) {
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ SecurityDataArchivalProcessedEvent event = new SecurityDataArchivalProcessedEvent();
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ event.setAttribute("SubjectID", subjectID);
|
|
|
2413b1 |
+ event.setAttribute("Outcome", ILogger.SUCCESS);
|
|
|
2413b1 |
+ event.setAttribute("ArchivalRequestID", archivalRequestId);
|
|
|
2413b1 |
+ event.setAttribute("RequestId", requestID);
|
|
|
2413b1 |
+ event.setAttribute("ClientKeyID", clientKeyID);
|
|
|
2413b1 |
+ event.setAttribute("KeyID", keyID);
|
|
|
2413b1 |
+ event.setAttribute("PubKey", pubkey);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ return event;
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ public static SecurityDataArchivalProcessedEvent createFailureEvent(
|
|
|
2413b1 |
String subjectID,
|
|
|
2413b1 |
- String outcome,
|
|
|
2413b1 |
String archivalRequestId,
|
|
|
2413b1 |
RequestId requestID,
|
|
|
2413b1 |
String clientKeyID,
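Review bot: The no-arg constructor added at `public SecurityDataArchivalProcessedEvent()` is public, so a caller can still construct and log an event that carries no SubjectID or Outcome, which the replaced all-arguments constructor made impossible; unless another class needs it, make it `private SecurityDataArchivalProcessedEvent()` so the two factories are the only way to obtain an instance. A short Javadoc on `createSuccessEvent` stating that `Outcome` is fixed to `ILogger.SUCCESS` and that no `FailureReason` attribute is set would also help the call sites that previously passed the outcome explicitly. As a point of style, the parameter `archivalRequestId` breaks the `...ID` spelling used by `requestID`, `clientKeyID` and `keyID` in the same signature. `createFailureEvent` continues past the end of this hunk.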
|
|
|
2413b1 |
@@ -38,15 +63,17 @@ public class SecurityDataArchivalProcessedEvent extends SignedAuditEvent {
|
|
|
2413b1 |
String failureReason,
|
|
|
2413b1 |
String pubkey) {
|
|
|
2413b1 |
|
|
|
2413b1 |
- super(LOGGING_PROPERTY);
|
|
|
2413b1 |
+ SecurityDataArchivalProcessedEvent event = new SecurityDataArchivalProcessedEvent();
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ event.setAttribute("SubjectID", subjectID);
|
|
|
2413b1 |
+ event.setAttribute("Outcome", ILogger.FAILURE);
|
|
|
2413b1 |
+ event.setAttribute("ArchivalRequestID", archivalRequestId);
|
|
|
2413b1 |
+ event.setAttribute("RequestId", requestID);
|
|
|
2413b1 |
+ event.setAttribute("ClientKeyID", clientKeyID);
|
|
|
2413b1 |
+ event.setAttribute("KeyID", keyID);
|
|
|
2413b1 |
+ event.setAttribute("FailureReason", failureReason);
|
|
|
2413b1 |
+ event.setAttribute("PubKey", pubkey);
|
|
|
2413b1 |
|
|
|
2413b1 |
- setAttribute("SubjectID", subjectID);
|
|
|
2413b1 |
- setAttribute("Outcome", outcome);
|
|
|
2413b1 |
- setAttribute("ArchivalRequestID", archivalRequestId);
|
|
|
2413b1 |
- setAttribute("RequestId", requestID);
|
|
|
2413b1 |
- setAttribute("ClientKeyID", clientKeyID);
|
|
|
2413b1 |
- setAttribute("KeyID", keyID);
|
|
|
2413b1 |
- setAttribute("FailureReason", failureReason);
|
|
|
2413b1 |
- setAttribute("PubKey", pubkey);
|
|
|
2413b1 |
+ return event;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
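Review bot: `createFailureEvent` has no Javadoc although it is a public factory for a signed-audit event; a comment stating that `Outcome` is always `ILogger.FAILURE` and that `failureReason` is written verbatim into the audit record would document the contract the call sites rely on, and would steer callers toward a user message rather than raw exception text. The attribute-setting lines duplicate those of `createSuccessEvent` except for `Outcome` and `FailureReason`; a private helper taking the outcome string could hold the shared part, provided attribute insertion order does not affect the rendered audit line, which I cannot confirm from this file.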
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
2413b1 |
index 93493fe..ee8a754 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
2413b1 |
@@ -602,14 +602,12 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
|
|
|
2413b1 |
// store a message in the signed audit log file
|
|
|
2413b1 |
auditPublicKey = auditPublicKey(rec);
|
|
|
2413b1 |
- signedAuditLogger.log(new SecurityDataArchivalProcessedEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
- ILogger.SUCCESS,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
new KeyId(rec.getSerialNumber()),
|
|
|
2413b1 |
- null,
|
|
|
2413b1 |
auditPublicKey));
|
|
|
2413b1 |
|
|
|
2413b1 |
// Xxx - should sign this proof of archival
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
2413b1 |
index 964a73c..05c7e71 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
|
|
|
2413b1 |
@@ -59,8 +59,8 @@ import com.netscape.certsrv.kra.IKeyService;
|
|
|
2413b1 |
import com.netscape.certsrv.listeners.EListenersException;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.LogEvent;
|
|
|
2413b1 |
-import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.request.ARequestNotifier;
|
|
|
2413b1 |
@@ -783,19 +783,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
|
|
|
2413b1 |
queue.processRequest(r);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
- audit(new SecurityDataArchivalProcessedEvent(
|
|
|
2413b1 |
+ audit(SecurityDataArchivalProcessedEvent.createSuccessEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
- ILogger.SUCCESS,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
r.getRequestId(),
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
new KeyId(rec.getSerialNumber()),
|
|
|
2413b1 |
- null,
|
|
|
2413b1 |
auditPublicKey));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
} catch (EBaseException eAudit1) {
|
|
|
2413b1 |
- audit(new SecurityDataArchivalProcessedEvent(
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ audit(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
- ILogger.FAILURE,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
r.getRequestId(),
|
|
|
2413b1 |
null,
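Review bot: The `createFailureEvent` call inside `catch (EBaseException eAudit1)` is cut off by the hunk, so the `failureReason` argument is not visible; `eAudit1` is not used on any visible line, and if a fixed string is passed the cause of the archival failure is absent from the audit trail. Consider passing a user message as the reason and recording the exception itself with `CMS.debug(eAudit1)`, as the other KRA call sites in this series do. The enclosing method starts and ends outside the hunk.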
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
index 1cd827f..052c289 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
@@ -50,8 +50,8 @@ import com.netscape.certsrv.dbs.keydb.KeyId;
|
|
|
2413b1 |
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.LogEvent;
|
|
|
2413b1 |
-import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent;
|
|
|
2413b1 |
@@ -495,14 +495,12 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
storage.addKeyRecord(rec);
|
|
|
2413b1 |
CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid);
|
|
|
2413b1 |
|
|
|
2413b1 |
- audit(new SecurityDataArchivalProcessedEvent(
|
|
|
2413b1 |
+ audit(SecurityDataArchivalProcessedEvent.createSuccessEvent(
|
|
|
2413b1 |
agentId,
|
|
|
2413b1 |
- ILogger.SUCCESS,
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
request.getRequestId(),
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
new KeyId(serialNo),
|
|
|
2413b1 |
- null,
|
|
|
2413b1 |
PubKey));
|
|
|
2413b1 |
} //if archive
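Review bot: In the call at `audit(SecurityDataArchivalProcessedEvent.createSuccessEvent(`, `agentId` is bound to the factory's `subjectID` parameter and `auditSubjectID` to `archivalRequestId`, so the audit record's SubjectID is the agent and its ArchivalRequestID is the user; the old constructor call had the same order, so this is not introduced here, but the positional form hides it. If that mapping is intentional for TPS-initiated key generation, a one-line comment such as `// SubjectID = TPS agent, ArchivalRequestID = token user` at the call site would keep the next refactor from "fixing" it. The enclosing method starts and ends outside the hunk.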
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
2413b1 |
index 8de1311..5a64530 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
|
|
|
2413b1 |
@@ -40,7 +40,6 @@ import com.netscape.certsrv.key.KeyRequestResource;
|
|
|
2413b1 |
import com.netscape.certsrv.kra.EKRAException;
|
|
|
2413b1 |
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
-import com.netscape.certsrv.logging.LogEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.profile.IEnrollProfile;
|
|
|
2413b1 |
import com.netscape.certsrv.request.IRequest;
|
|
|
2413b1 |
@@ -121,8 +120,16 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
|
|
|
2413b1 |
//Check here even though restful layer checks for this.
|
|
|
2413b1 |
if (clientKeyId == null || dataType == null) {
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
|
|
|
2413b1 |
- clientKeyId, null, "Bad data in request");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ "Bad data in request",
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
throw new EBaseException("Bad data in SecurityDataService.serviceRequest");
|
|
|
2413b1 |
}
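Review bot: The nine-line `signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(` block is repeated with only the reason string changing, here and in `@@ -237,14 +244,29 @@`, `@@ -269,8 +291,16 @@`, `@@ -279,8 +309,16 @@` and `@@ -302,8 +340,16 @@`, in place of the one-line helper deleted at the end of the file; a private helper keeps each call site to one line and guarantees the same null and argument-position handling everywhere. The deleted `protected void audit(LogEvent event)` may be referenced by subclasses, which I cannot check from here. The enclosing method starts and ends outside the hunk.
```java
/** Logs a failed SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED event for this request. */
private void auditArchivalFailure(String subjectID, RequestId requestID,
        String clientKeyID, String reason) {
    signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
            subjectID, null, requestID, clientKeyID, null, reason, null));
}
// … each call site becomes: auditArchivalFailure(auditSubjectID, requestId, clientKeyId, "Bad data in request"); …
```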
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -237,14 +244,29 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params);
|
|
|
2413b1 |
doEncrypt = true;
|
|
|
2413b1 |
} else { // We have no data.
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
|
|
|
2413b1 |
- clientKeyId, null, "Failed to create security data to archive");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ "Failed to create security data to archive",
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
throw new EBaseException("Failed to create security data to archive!");
|
|
|
2413b1 |
}
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
CMS.debug("Failed to create security data to archive: " + e.getMessage());
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
|
|
|
2413b1 |
- clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
|
|
|
2413b1 |
} finally {
|
|
|
2413b1 |
@@ -269,8 +291,16 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
//Now we need a serial number for our new key.
|
|
|
2413b1 |
|
|
|
2413b1 |
if (rec.getSerialNumber() != null) {
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
|
|
|
2413b1 |
- clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ CMS.getUserMessage("CMS_KRA_INVALID_STATE"),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -279,8 +309,16 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
if (serialNo == null) {
|
|
|
2413b1 |
kra.log(ILogger.LL_FAILURE,
|
|
|
2413b1 |
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
|
|
|
2413b1 |
- clientKeyId, null, "Failed to get next Key ID");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ "Failed to get next Key ID",
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -302,8 +340,16 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
kra.log(ILogger.LL_FAILURE,
|
|
|
2413b1 |
"Failed to store wrapping parameters: " + e);
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
|
|
|
2413b1 |
- clientKeyId, null, "Failed to store wrapping parameters");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ "Failed to store wrapping parameters",
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"), e);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -311,8 +357,13 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
|
|
|
2413b1 |
keyRepository.addKeyRecord(rec);
|
|
|
2413b1 |
|
|
|
2413b1 |
- auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId,
|
|
|
2413b1 |
- clientKeyId, new KeyId(serialNo), "None");
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ requestId,
|
|
|
2413b1 |
+ clientKeyId,
|
|
|
2413b1 |
+ new KeyId(serialNo),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
request.setExtData(ATTR_KEY_RECORD, serialNo);
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
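Review bot: The success record built at `SecurityDataArchivalProcessedEvent.createSuccessEvent(` no longer carries a `FailureReason` attribute, whereas the removed `auditArchivalRequestProcessed` call wrote `"None"` into it; any audit-log consumer or test that expects that attribute on success records will now find it missing. If the omission is intended, a comment such as `// success records carry no FailureReason (previously "None")` at the call site makes the change of record format deliberate, and the commit message should mention it. The enclosing method starts and ends outside the hunk.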
|
|
|
2413b1 |
@@ -852,25 +903,4 @@ public class SecurityDataProcessor {
|
|
|
2413b1 |
|
|
|
2413b1 |
return retData;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
-
|
|
|
2413b1 |
- private void audit(String msg) {
|
|
|
2413b1 |
- signedAuditLogger.log(msg);
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
-
|
|
|
2413b1 |
- protected void audit(LogEvent event) {
|
|
|
2413b1 |
- signedAuditLogger.log(event);
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
-
|
|
|
2413b1 |
- private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
|
|
|
2413b1 |
- KeyId keyID, String reason) {
|
|
|
2413b1 |
- audit(new SecurityDataArchivalProcessedEvent(
|
|
|
2413b1 |
- subjectID,
|
|
|
2413b1 |
- status,
|
|
|
2413b1 |
- null,
|
|
|
2413b1 |
- requestID,
|
|
|
2413b1 |
- clientKeyID,
|
|
|
2413b1 |
- keyID,
|
|
|
2413b1 |
- reason,
|
|
|
2413b1 |
- null));
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
}
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From 0347843054e0a977826c4d7b50260e9f711190a9 Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
2413b1 |
Date: Thu, 1 Feb 2018 22:48:29 +0100
|
|
|
2413b1 |
Subject: [PATCH 2/9] Changed audit event types in EnrollmentService.
|
|
|
2413b1 |
|
|
|
2413b1 |
The EnrollmentService has been modified to generate
|
|
|
2413b1 |
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED instead of
|
|
|
2413b1 |
SECURITY_DATA_ARCHIVAL_REQUEST.
|
|
|
2413b1 |
|
|
|
2413b1 |
https://pagure.io/dogtagpki/issue/2848
|
|
|
2413b1 |
|
|
|
2413b1 |
Change-Id: I63017c4d9c058daac92fe606f0096402ca78b6ec
|
|
|
2413b1 |
(cherry picked from commit 3c4770d520d6dab967bdba1b67b638c81a959e48)
|
|
|
2413b1 |
(cherry picked from commit a30eee31512022a1a419bb949f912b08419ddf8d)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
.../src/com/netscape/kra/EnrollmentService.java | 74 +++++++++++++---------
|
|
|
2413b1 |
1 file changed, 44 insertions(+), 30 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
2413b1 |
index ee8a754..20d68ff 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
|
|
|
2413b1 |
@@ -51,7 +51,6 @@ import com.netscape.certsrv.kra.ProofOfArchival;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.AuditFormat;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
|
|
|
2413b1 |
-import com.netscape.certsrv.logging.event.SecurityDataArchivalRequestEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.profile.IEnrollProfile;
|
|
|
2413b1 |
import com.netscape.certsrv.request.IRequest;
|
|
|
2413b1 |
import com.netscape.certsrv.request.IService;
|
|
|
2413b1 |
@@ -203,12 +202,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
|
|
|
2413b1 |
} catch (IOException e) {
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e);
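Review bot: The failure reason passed at `e.toString(),` puts the exception class name and its message straight into the signed audit record, while the `EKRAException` thrown two lines below uses `CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")` and the SecurityDataProcessor call sites in the first patch pass user messages as well. Passing the same user message as `failureReason` and keeping `e` in the debug log keeps the audit trail consistent and avoids copying library-internal detail into it; the same applies to `@@ -250,12 +251,14 @@`, `@@ -329,12 +334,14 @@`, `@@ -357,12 +364,14 @@`, `@@ -419,12 +430,14 @@`, `@@ -450,12 +463,14 @@` and `@@ -521,12 +538,14 @@`. The replaced `SecurityDataArchivalRequestEvent.createFailureEvent` accepted `e` itself, so check how that factory rendered it before settling on the replacement. The enclosing method starts and ends outside the hunk.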
|
|
|
2413b1 |
@@ -250,12 +251,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e);
|
|
|
2413b1 |
@@ -288,12 +291,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
String message = CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND");
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, message);
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- message));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ message,
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY") + ": " + message);
|
|
|
2413b1 |
@@ -329,12 +334,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
mKRA.log(ILogger.LL_DEBUG, e.getMessage());
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e);
|
|
|
2413b1 |
@@ -357,12 +364,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
jssSubsystem.obscureBytes(unwrapped);
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, e.toString());
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY") + ": " + e, e);
|
|
|
2413b1 |
@@ -383,12 +392,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
String message = CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND");
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, message);
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- message));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ message,
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD") + ": " + message);
|
|
|
2413b1 |
@@ -419,12 +430,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
mKRA.log(ILogger.LL_DEBUG, e.getMessage());
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY") + ": " + e, e);
|
|
|
2413b1 |
@@ -450,12 +463,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
|
|
|
2413b1 |
} catch (InvalidKeyException e) {
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD") + ": " + e, e);
|
|
|
2413b1 |
@@ -499,12 +514,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
String message = CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec.getSerialNumber().toString());
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, message);
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- message));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ message,
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + message);
|
|
|
2413b1 |
@@ -521,12 +538,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
|
|
|
2413b1 |
// TODO(alee) Set correct audit message here
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- e));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + e, e);
|
|
|
2413b1 |
@@ -539,12 +558,14 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
String message = CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL");
|
|
|
2413b1 |
mKRA.log(ILogger.LL_FAILURE, message);
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createFailureEvent(
|
|
|
2413b1 |
+ signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
auditSubjectID,
|
|
|
2413b1 |
auditRequesterID,
|
|
|
2413b1 |
requestId,
|
|
|
2413b1 |
null,
|
|
|
2413b1 |
- message));
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ message,
|
|
|
2413b1 |
+ null));
|
|
|
2413b1 |
|
|
|
2413b1 |
throw new EKRAException(
|
|
|
2413b1 |
CMS.getUserMessage("CMS_KRA_INVALID_STATE") + ": " + message);
|
|
|
2413b1 |
@@ -594,13 +615,6 @@ public class EnrollmentService implements IService {
|
|
|
2413b1 |
"serial number: 0x" + serialNo.toString(16) }
|
|
|
2413b1 |
);
|
|
|
2413b1 |
|
|
|
2413b1 |
- signedAuditLogger.log(SecurityDataArchivalRequestEvent.createSuccessEvent(
|
|
|
2413b1 |
- auditSubjectID,
|
|
|
2413b1 |
- auditRequesterID,
|
|
|
2413b1 |
- requestId,
|
|
|
2413b1 |
- null));
|
|
|
2413b1 |
-
|
|
|
2413b1 |
- // store a message in the signed audit log file
|
|
|
2413b1 |
auditPublicKey = auditPublicKey(rec);
|
|
|
2413b1 |
signedAuditLogger.log(SecurityDataArchivalProcessedEvent.createSuccessEvent(
|
|
|
2413b1 |
auditSubjectID,
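Review bot: With the removal of `SecurityDataArchivalRequestEvent.createSuccessEvent(` here, and every failure branch in the earlier hunks of this file switched to the PROCESSED event, `EnrollmentService` no longer produces a SECURITY_DATA_ARCHIVAL_REQUEST record on any path. If the request event is now expected to be emitted by the caller, the commit message should say so, because auditors correlating REQUEST and PROCESSED pairs will otherwise see only PROCESSED records for this path. The enclosing method starts and ends outside the hunk.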
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From 138f1464d072690f9efb6f55c6c3ac297fb098d8 Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
2413b1 |
Date: Fri, 2 Feb 2018 21:54:01 +0100
|
|
|
2413b1 |
Subject: [PATCH 3/9] Fixed try-catch block in
|
|
|
2413b1 |
NetkeyKeygenService.serviceRequest().
|
|
|
2413b1 |
|
|
|
2413b1 |
The try-catch block in NetkeyKeygenService.serviceRequest() has
|
|
|
2413b1 |
been fixed to return false on exception. It also has been split
|
|
|
2413b1 |
into two blocks.
|
|
|
2413b1 |
|
|
|
2413b1 |
https://pagure.io/dogtagpki/issue/2848
|
|
|
2413b1 |
|
|
|
2413b1 |
Change-Id: Ia78bd5371720dc551c2470898d83597d554183b7
|
|
|
2413b1 |
(cherry picked from commit 4d54490f7fec01a6c5bc113f5f48f1d08e8b47a5)
|
|
|
2413b1 |
(cherry picked from commit 70dff0d5d4b68f17058d30338bfebf81bbf96fa6)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
.../kra/src/com/netscape/kra/NetkeyKeygenService.java | 19 ++++++++++++++-----
|
|
|
2413b1 |
1 file changed, 14 insertions(+), 5 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
index 052c289..17ac66d 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
@@ -65,7 +65,6 @@ import com.netscape.cms.logging.SignedAuditLogger;
|
|
|
2413b1 |
import com.netscape.cms.servlet.key.KeyRecordParser;
|
|
|
2413b1 |
import com.netscape.cmscore.dbs.KeyRecord;
|
|
|
2413b1 |
import com.netscape.cmscore.security.JssSubsystem;
|
|
|
2413b1 |
-import com.netscape.cmscore.util.Debug;
|
|
|
2413b1 |
import com.netscape.cmsutil.crypto.CryptoUtil;
|
|
|
2413b1 |
import com.netscape.cmsutil.util.Utils;
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -279,8 +278,10 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
|
|
|
2413b1 |
return false;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
+
|
|
|
2413b1 |
CMS.debug("NetkeyKeygenService: finished generate key pair for " + rCUID + ":" + rUserid);
|
|
|
2413b1 |
|
|
|
2413b1 |
+ java.security.PrivateKey privKey;
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
publicKeyData = keypair.getPublic().getEncoded();
|
|
|
2413b1 |
if (publicKeyData == null) {
|
|
|
2413b1 |
@@ -309,8 +310,7 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
PubKey));
|
|
|
2413b1 |
|
|
|
2413b1 |
//...extract the private key handle (not privatekeydata)
|
|
|
2413b1 |
- java.security.PrivateKey privKey =
|
|
|
2413b1 |
- keypair.getPrivate();
|
|
|
2413b1 |
+ privKey = keypair.getPrivate();
|
|
|
2413b1 |
|
|
|
2413b1 |
if (privKey == null) {
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
2413b1 |
@@ -386,6 +386,13 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
|
|
|
2413b1 |
request.setExtData("iv_s", iv_s);
|
|
|
2413b1 |
|
|
|
2413b1 |
+ } catch (Exception e) {
|
|
|
2413b1 |
+ CMS.debug(e);
|
|
|
2413b1 |
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
2413b1 |
+ return false;
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ try {
|
|
|
2413b1 |
/*
|
|
|
2413b1 |
* archival - option flag "archive" controllable by the caller - TPS
|
|
|
2413b1 |
*/
|
|
|
2413b1 |
@@ -505,11 +512,13 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
} //if archive
|
|
|
2413b1 |
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(1));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
- CMS.debug("NetKeyKeygenService: " + e.toString());
|
|
|
2413b1 |
- Debug.printStackTrace(e);
|
|
|
2413b1 |
+ CMS.debug(e);
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
2413b1 |
+ return false;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
+
|
|
|
2413b1 |
} else
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(2));
|
|
|
2413b1 |
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From 625ac01b2f13ef469a3fc05a91b96522db802991 Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
2413b1 |
Date: Fri, 2 Feb 2018 16:39:30 -0800
|
|
|
2413b1 |
Subject: [PATCH 4/9] Ticket #2920 CMC: Audit Events needed for failures in
|
|
|
2413b1 |
SharedToken scenarios
|
|
|
2413b1 |
|
|
|
2413b1 |
This patch adds the missing CERT_STATUS_CHANGE_REQUEST_PROCESSED event in case of shared token failure at revocation;
|
|
|
2413b1 |
In addition, the missing validate() call is added for the decrypted-POP request, together with the corresponding failure audit event.
|
|
|
2413b1 |
|
|
|
2413b1 |
fixes: https://pagure.io/dogtagpki/issue/2920
|
|
|
2413b1 |
Change-Id: I45b53f579794c3a5f32cc475a6293240025922c2
|
|
|
2413b1 |
(cherry picked from commit e7ec7d3004354f4a4a98d696833e531fb7a0e41c)
|
|
|
2413b1 |
(cherry picked from commit 4b0816d706ac4c70bd03633a34b07c2ff12f9690)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
.../CertStatusChangeRequestProcessedEvent.java | 22 ++++++++
|
|
|
2413b1 |
.../cms/servlet/common/CMCOutputTemplate.java | 66 ++++++++++++++++++----
|
|
|
2413b1 |
.../servlet/profile/ProfileSubmitCMCServlet.java | 6 ++
|
|
|
2413b1 |
3 files changed, 82 insertions(+), 12 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java
|
|
|
2413b1 |
index 259a395..8c7f9c9 100644
|
|
|
2413b1 |
--- a/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java
|
|
|
2413b1 |
+++ b/base/common/src/com/netscape/certsrv/logging/event/CertStatusChangeRequestProcessedEvent.java
|
|
|
2413b1 |
@@ -51,6 +51,28 @@ public class CertStatusChangeRequestProcessedEvent extends SignedAuditEvent {
|
|
|
2413b1 |
public CertStatusChangeRequestProcessedEvent(
|
|
|
2413b1 |
String subjectID,
|
|
|
2413b1 |
String outcome,
|
|
|
2413b1 |
+ String requesterID,
|
|
|
2413b1 |
+ String serialNumber,
|
|
|
2413b1 |
+ String requestType,
|
|
|
2413b1 |
+ String reasonNum,
|
|
|
2413b1 |
+ RequestStatus approvalStatus,
|
|
|
2413b1 |
+ String info) {
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ super(LOGGING_PROPERTY);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ setAttribute("SubjectID", subjectID);
|
|
|
2413b1 |
+ setAttribute("Outcome", outcome);
|
|
|
2413b1 |
+ setAttribute("ReqID", requesterID);
|
|
|
2413b1 |
+ setAttribute("CertSerialNum", serialNumber);
|
|
|
2413b1 |
+ setAttribute("RequestType", requestType);
|
|
|
2413b1 |
+ setAttribute("RevokeReasonNum", reasonNum);
|
|
|
2413b1 |
+ setAttribute("Approval", approvalStatus);
|
|
|
2413b1 |
+ setAttribute("Info", info);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ public CertStatusChangeRequestProcessedEvent(
|
|
|
2413b1 |
+ String subjectID,
|
|
|
2413b1 |
+ String outcome,
|
|
|
2413b1 |
IRequest request,
|
|
|
2413b1 |
String serialNumber,
|
|
|
2413b1 |
String requestType,
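Review bot: The new constructor has no Javadoc saying when it should be used instead of the IRequest-based overload that follows it, and it repeats the same eight `setAttribute` calls, so the two attribute lists can silently drift apart. Add a Javadoc above it such as `/** Failure variant for revocation attempts that fail before a revocation IRequest exists (shared-token lookup, certificate lookup, already-revoked); requesterID and approvalStatus are supplied directly, and info carries the free-text reason written to the Info attribute. */`. If the IRequest overload derives ReqID from the request and otherwise sets the same attributes, having it delegate to this one with `this(...)` would remove the duplication; its body is outside the hunk, so confirm before changing it.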
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
2413b1 |
index 6c40d2d..814a9c2 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
2413b1 |
@@ -1094,10 +1094,26 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
ISharedToken tokenClass = (ISharedToken) sharedTokenAuth;
|
|
|
2413b1 |
|
|
|
2413b1 |
- char[] sharedSecret = tokenClass.getSharedToken(revokeSerial);
|
|
|
2413b1 |
+ char[] sharedSecret = null;
|
|
|
2413b1 |
+ try {
|
|
|
2413b1 |
+ sharedSecret = tokenClass.getSharedToken(revokeSerial);
|
|
|
2413b1 |
+ } catch (Exception eShrTok) {
|
|
|
2413b1 |
+ CMS.debug("CMCOutputTemplate: " + eShrTok.toString());
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
|
|
|
2413b1 |
if (sharedSecret == null) {
|
|
|
2413b1 |
- CMS.debug("CMCOutputTemplate: shared secret not found.");
|
|
|
2413b1 |
+ msg = " shared secret not found";
|
|
|
2413b1 |
+ CMS.debug(method + msg);
|
|
|
2413b1 |
+ audit(new CertStatusChangeRequestProcessedEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ ILogger.FAILURE,
|
|
|
2413b1 |
+ auditReqID,
|
|
|
2413b1 |
+ auditSerialNumber,
|
|
|
2413b1 |
+ auditRequestType,
|
|
|
2413b1 |
+ auditReasonNum,
|
|
|
2413b1 |
+ auditApprovalStatus,
|
|
|
2413b1 |
+ msg));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY),
|
|
|
2413b1 |
null, null);
|
|
|
2413b1 |
SEQUENCE failed_bpids = new SEQUENCE();
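Review bot: The `char[] sharedSecret` returned by `getSharedToken()` is never zeroed in the visible code; `secret1.clear()` and `secret2.clear()` later wipe the Password objects, but if the raw array is not wiped downstream the shared token stays in heap memory until garbage collection, so add `java.util.Arrays.fill(sharedSecret, '\0');` once it has been copied into secret1 (confirm against the code after this hunk). Separately, the new catch around `getSharedToken()` only writes `eShrTok` to the debug log, so a lookup exception and a genuinely missing token produce the identical audit Info ` shared secret not found`; appending `eShrTok.toString()` to `msg` in the exception branch would let the signed audit record distinguish the two cases. The enclosing method continues outside the hunk.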
|
|
|
2413b1 |
@@ -1127,8 +1143,8 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
secret1.clear();
|
|
|
2413b1 |
secret2.clear();
|
|
|
2413b1 |
} else {
|
|
|
2413b1 |
- CMS.debug(method
|
|
|
2413b1 |
- + " Client and server shared secret are not the same, cannot revoke certificate.");
|
|
|
2413b1 |
+ msg = " Client and server shared secret are not the same, cannot revoke certificate.";
|
|
|
2413b1 |
+ CMS.debug(method + msg);
|
|
|
2413b1 |
OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY),
|
|
|
2413b1 |
null, null);
|
|
|
2413b1 |
SEQUENCE failed_bpids = new SEQUENCE();
|
|
|
2413b1 |
@@ -1146,7 +1162,8 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
auditSerialNumber,
|
|
|
2413b1 |
auditRequestType,
|
|
|
2413b1 |
auditReasonNum,
|
|
|
2413b1 |
- auditApprovalStatus));
|
|
|
2413b1 |
+ auditApprovalStatus,
|
|
|
2413b1 |
+ msg));
|
|
|
2413b1 |
|
|
|
2413b1 |
secret1.clear();
|
|
|
2413b1 |
secret2.clear();
|
|
|
2413b1 |
@@ -1165,7 +1182,18 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
if (record == null) {
|
|
|
2413b1 |
- CMS.debug(method + " The certificate is not found");
|
|
|
2413b1 |
+ msg = " The certificate is not found";
|
|
|
2413b1 |
+ CMS.debug(method + msg);
|
|
|
2413b1 |
+ audit(new CertStatusChangeRequestProcessedEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ ILogger.FAILURE,
|
|
|
2413b1 |
+ auditReqID,
|
|
|
2413b1 |
+ auditSerialNumber,
|
|
|
2413b1 |
+ auditRequestType,
|
|
|
2413b1 |
+ auditReasonNum,
|
|
|
2413b1 |
+ auditApprovalStatus,
|
|
|
2413b1 |
+ msg));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_CERT_ID), null, null);
|
|
|
2413b1 |
SEQUENCE failed_bpids = new SEQUENCE();
|
|
|
2413b1 |
failed_bpids.addElement(attrbpid);
|
|
|
2413b1 |
@@ -1178,7 +1206,18 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
if (record.getStatus().equals(ICertRecord.STATUS_REVOKED)) {
|
|
|
2413b1 |
- CMS.debug("CMCOutputTemplate: The certificate is already revoked:" + auditSerialNumber);
|
|
|
2413b1 |
+ msg = " The certificate is already revoked:" + auditSerialNumber;
|
|
|
2413b1 |
+ CMS.debug( method + msg);
|
|
|
2413b1 |
+ audit(new CertStatusChangeRequestProcessedEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ ILogger.FAILURE,
|
|
|
2413b1 |
+ auditReqID,
|
|
|
2413b1 |
+ auditSerialNumber,
|
|
|
2413b1 |
+ auditRequestType,
|
|
|
2413b1 |
+ auditReasonNum,
|
|
|
2413b1 |
+ auditApprovalStatus,
|
|
|
2413b1 |
+ msg));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
SEQUENCE success_bpids = new SEQUENCE();
|
|
|
2413b1 |
success_bpids.addElement(attrbpid);
|
|
|
2413b1 |
cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.SUCCESS,
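Review bot: The already-revoked branch now records CERT_STATUS_CHANGE_REQUEST_PROCESSED with `ILogger.FAILURE`, yet two lines later it still answers the client with `CMCStatusInfoV2.SUCCESS`, so the signed audit trail and the CMC response disagree about the same request. Either outcome is defensible because revocation is idempotent, but an auditor correlating failures will see a FAILURE for a request the client was told succeeded; pick one and make the other match, or document the choice in place with `// already revoked: audited as FAILURE (no state change made), reported to the client as SUCCESS (requested end state holds)`. The rest of this branch continues past the hunk.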
|
|
|
2413b1 |
@@ -1198,7 +1237,7 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
// principal matches that of the revoking cert
|
|
|
2413b1 |
if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) {
|
|
|
2413b1 |
if (!certPrincipal.equals(signerPrincipal)) {
|
|
|
2413b1 |
- msg = "certificate principal and signer do not match";
|
|
|
2413b1 |
+ msg = " certificate principal and signer do not match";
|
|
|
2413b1 |
CMS.debug(method + msg);
|
|
|
2413b1 |
OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY),
|
|
|
2413b1 |
null, null);
|
|
|
2413b1 |
@@ -1218,7 +1257,8 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
auditSerialNumber,
|
|
|
2413b1 |
auditRequestType,
|
|
|
2413b1 |
auditReasonNum,
|
|
|
2413b1 |
- auditApprovalStatus));
|
|
|
2413b1 |
+ auditApprovalStatus,
|
|
|
2413b1 |
+ msg));
|
|
|
2413b1 |
|
|
|
2413b1 |
return bpid;
|
|
|
2413b1 |
} else {
|
|
|
2413b1 |
@@ -1260,8 +1300,9 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
Integer result = revReq.getExtDataInInteger(IRequest.RESULT);
|
|
|
2413b1 |
CMS.debug(method + " revReq result = " + result);
|
|
|
2413b1 |
if (result.equals(IRequest.RES_ERROR)) {
|
|
|
2413b1 |
- CMS.debug("CMCOutputTemplate: revReq exception: " +
|
|
|
2413b1 |
- revReq.getExtDataInString(IRequest.ERROR));
|
|
|
2413b1 |
+ msg = " revReq exception: " +
|
|
|
2413b1 |
+ revReq.getExtDataInString(IRequest.ERROR);
|
|
|
2413b1 |
+ CMS.debug(method + msg);
|
|
|
2413b1 |
OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_REQUEST),
|
|
|
2413b1 |
null, null);
|
|
|
2413b1 |
SEQUENCE failed_bpids = new SEQUENCE();
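Review bot: `revReq.getExtDataInString(IRequest.ERROR)` can return null, in which case the audit Info built here reads ` revReq exception: null`, which tells an auditor nothing about why the revocation request failed. Guard it before building the message, e.g. `String err = revReq.getExtDataInString(IRequest.ERROR);` and `msg = " revReq exception: " + (err != null ? err : "no error detail recorded");`. The unchanged `result.equals(IRequest.RES_ERROR)` just above also dereferences `result` without a null check; that is pre-existing, but worth a guard while this block is being touched.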
|
|
|
2413b1 |
@@ -1280,7 +1321,8 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
auditSerialNumber,
|
|
|
2413b1 |
auditRequestType,
|
|
|
2413b1 |
auditReasonNum,
|
|
|
2413b1 |
- auditApprovalStatus));
|
|
|
2413b1 |
+ auditApprovalStatus,
|
|
|
2413b1 |
+ msg));
|
|
|
2413b1 |
|
|
|
2413b1 |
return bpid;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
2413b1 |
index c702624..5509080 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
2413b1 |
@@ -909,6 +909,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
|
|
|
2413b1 |
auditRequesterID = auditRequesterID(provedReq);
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
+ profile.validate(provedReq);
|
|
|
2413b1 |
profile.execute(provedReq);
|
|
|
2413b1 |
reqs = new IRequest[1];
|
|
|
2413b1 |
reqs[0] = provedReq;
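Review bot: The added `profile.validate(provedReq)` is the security-relevant part of this patch (the decrypted-POP request was previously handed straight to `execute()` without profile validation), but nothing in the code records that, and the catch that turns a validation failure into the audited rejection lies outside the hunk. Add a comment above the call such as `// Validate the decrypted-POP request before issuance; it previously bypassed profile validation (ticket 2920)` so the ordering is not "simplified" away later. The enclosing try/catch continues past the end of the hunk.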
|
|
|
2413b1 |
@@ -950,6 +951,11 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
error_codes[0] = Integer.parseInt(errorCode);
|
|
|
2413b1 |
profile.getRequestQueue().updateRequest(provedReq);
|
|
|
2413b1 |
CMS.debug("ProfileSubmitCMCServlet: provedReq updateRequest");
|
|
|
2413b1 |
+ audit(CertRequestProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ auditRequesterID,
|
|
|
2413b1 |
+ ILogger.SIGNED_AUDIT_REJECTION,
|
|
|
2413b1 |
+ errorReason));
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From 5781a5d47809fb1361a668e29e8fce07ce947303 Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
2413b1 |
Date: Fri, 2 Feb 2018 22:32:18 +0100
|
|
|
2413b1 |
Subject: [PATCH 5/9] Added SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED events in
|
|
|
2413b1 |
NetkeyKeygenService.
|
|
|
2413b1 |
|
|
|
2413b1 |
The NetkeyKeygenService.serviceRequest() has been modified to catch
|
|
|
2413b1 |
all exceptions and generate SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
|
|
|
2413b1 |
with FAILURE outcome.
|
|
|
2413b1 |
|
|
|
2413b1 |
https://pagure.io/dogtagpki/issue/2848
|
|
|
2413b1 |
|
|
|
2413b1 |
Change-Id: I08608fbb21ef14fddc2076d2e993766c30fd3cf0
|
|
|
2413b1 |
(cherry picked from commit 74d72d9b5798d16e68054c0859d79288a38eee36)
|
|
|
2413b1 |
(cherry picked from commit a33c542fd4c8b2b7db259f092c2875fdbc842e95)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
.../src/com/netscape/kra/NetkeyKeygenService.java | 42 +++++++++++-----------
|
|
|
2413b1 |
1 file changed, 22 insertions(+), 20 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
index 17ac66d..55fd9a0 100644
|
|
|
2413b1 |
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
|
|
|
2413b1 |
@@ -424,10 +424,10 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
params.setPayloadEncryptionIV(params.getPayloadWrappingIV());
|
|
|
2413b1 |
|
|
|
2413b1 |
privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
2413b1 |
- CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit failed");
|
|
|
2413b1 |
- return false;
|
|
|
2413b1 |
+ throw new Exception("Unable to wrap private key with storage key", e);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
CMS.debug("NetkeyKeygenService: privatekey encryption by storage unit successful");
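Review bot: The catch now wraps the storage-unit failure in a raw `java.lang.Exception`, and the outer handler later builds the audit Info from `e.toString()`, so the signed audit record will read `java.lang.Exception: Unable to wrap private key with storage key` and the underlying JSS cause survives only in the debug log. If a project exception type is already imported in this file, throwing that instead would keep the audit text cleaner; otherwise keep the cause chain as done here and make sure the outer handler includes it (see the later hunk). Setting `RESULT` to 4 before the throw is what lets the outer handler's default-only-if-unset logic preserve the specific code, so that ordering must be kept. The enclosing try continues past the hunk.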
|
|
|
2413b1 |
@@ -443,13 +443,13 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
if (rKeytype.equals("RSA")) {
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
RSAPublicKey rsaPublicKey = new RSAPublicKey(publicKeyData);
|
|
|
2413b1 |
-
|
|
|
2413b1 |
rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
} catch (InvalidKeyException e) {
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(11));
|
|
|
2413b1 |
- CMS.debug("NetkeyKeygenService: failed:InvalidKeyException");
|
|
|
2413b1 |
- return false;
|
|
|
2413b1 |
+ throw new Exception("Invalid RSA public key", e);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
+
|
|
|
2413b1 |
} else if (rKeytype.equals("EC")) {
|
|
|
2413b1 |
CMS.debug("NetkeyKeygenService: alg is EC");
|
|
|
2413b1 |
String oidDescription = "UNDETERMINED";
|
|
|
2413b1 |
@@ -490,8 +490,7 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
|
|
|
2413b1 |
if (serialNo == null) {
|
|
|
2413b1 |
request.setExtData(IRequest.RESULT, Integer.valueOf(11));
|
|
|
2413b1 |
- CMS.debug("NetkeyKeygenService: serialNo null");
|
|
|
2413b1 |
- return false;
|
|
|
2413b1 |
+ throw new Exception("Unable to generate next serial number");
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
rec.setWrappingParams(params, allowEncDecrypt_archival);
|
|
|
2413b1 |
@@ -515,7 +514,22 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
CMS.debug(e);
|
|
|
2413b1 |
- request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ audit(SecurityDataArchivalProcessedEvent.createFailureEvent(
|
|
|
2413b1 |
+ agentId,
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ request.getRequestId(),
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ null,
|
|
|
2413b1 |
+ e.toString(),
|
|
|
2413b1 |
+ PubKey));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ Integer result = request.getExtDataInInteger(IRequest.RESULT);
|
|
|
2413b1 |
+ if (result == null) {
|
|
|
2413b1 |
+ // set default RESULT code
|
|
|
2413b1 |
+ request.setExtData(IRequest.RESULT, Integer.valueOf(4));
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
return false;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
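Review bot: The commit message says serviceRequest() now produces a FAILURE SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED for all exceptions, but only this second try/catch was changed; the first try block earlier in the method (public-key encoding, private-key handle extraction, IV generation) still ends, as of this patch, in a catch that does `CMS.debug(e); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); return false;` with no audit event, so a keygen that fails before archival leaves no signed-audit trace. Add the same `audit(SecurityDataArchivalProcessedEvent.createFailureEvent(...))` call to that earlier catch, passing `null` for PubKey where it is not yet available. Also, `e.toString()` here omits the cause chain, so wrapped exceptions such as `Unable to wrap private key with storage key` lose the underlying error in the audit Info; consider `e.getMessage() + (e.getCause() != null ? ": " + e.getCause() : "")`. The earlier part of the method is outside this hunk.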
|
|
2413b1 |
@@ -525,18 +539,6 @@ public class NetkeyKeygenService implements IService {
|
|
|
2413b1 |
return true;
|
|
|
2413b1 |
} //serviceRequest
|
|
|
2413b1 |
|
|
|
2413b1 |
- /**
|
|
|
2413b1 |
- * Signed Audit Log
|
|
|
2413b1 |
- * y
|
|
|
2413b1 |
- * This method is called to store messages to the signed audit log.
|
|
|
2413b1 |
- *
|
|
|
2413b1 |
- *
|
|
|
2413b1 |
- * @param msg signed audit log message
|
|
|
2413b1 |
- */
|
|
|
2413b1 |
- private void audit(String msg) {
|
|
|
2413b1 |
- signedAuditLogger.log(msg);
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
-
|
|
|
2413b1 |
protected void audit(LogEvent event) {
|
|
|
2413b1 |
signedAuditLogger.log(event);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From d80696789edf427fe0b05c208da0270249af44e0 Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: Jack Magne <jmagne@redhat.com>
|
|
|
2413b1 |
Date: Thu, 1 Feb 2018 14:58:30 -0800
|
|
|
2413b1 |
Subject: [PATCH 6/9] Fix Bug 1522938 - CC: Missing failure resumption
|
|
|
2413b1 |
detection and audit event logging at startup
|
|
|
2413b1 |
|
|
|
2413b1 |
This patch addressed two cases listed in the bug:
|
|
|
2413b1 |
|
|
|
2413b1 |
1. Signing Failure due to bad HSM connection.
|
|
|
2413b1 |
2. Audit log failure of some kind.
|
|
|
2413b1 |
|
|
|
2413b1 |
I felt the best and safest way to handle these conditions was to simply write to the
|
|
|
2413b1 |
error console, which results in a simple System.err.println being sent to the former
|
|
|
2413b1 |
catalina.out file now covered with the journalctl command.
|
|
|
2413b1 |
|
|
|
2413b1 |
I considered using some other dogtag log file, but if we are in some sort of emergency
|
|
|
2413b1 |
or resource constrained situation, it is best to write the log out mostly simply.
|
|
|
2413b1 |
|
|
|
2413b1 |
Quick testing instructions:
|
|
|
2413b1 |
|
|
|
2413b1 |
1. To see signing failure put this in the CS.cfg for ONLY testing purposes.
|
|
|
2413b1 |
|
|
|
2413b1 |
ca.signing.testSignatureFailure=true , This will force an error when trying to sign and log it.
|
|
|
2413b1 |
|
|
|
2413b1 |
Approve a certificate request, which will trigger a signing operation.
|
|
|
2413b1 |
2. Check the journalctl for a log message.
|
|
|
2413b1 |
|
|
|
2413b1 |
3. Remove the config value to resume normal operation.
|
|
|
2413b1 |
|
|
|
2413b1 |
4. To see an audit log failure do the following:
|
|
|
2413b1 |
|
|
|
2413b1 |
[root@localhost signedAudit]# ps -fe | grep pki
|
|
|
2413b1 |
pkiuser 8456 1 2 14:39 ? 00:00:32 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
|
|
|
2413b1 |
|
|
|
2413b1 |
lsof /var/lib/pki/pki-tomcat/ca/logs/signedAudit/ca_audit
|
|
|
2413b1 |
java 9905 pkiuser 124u REG 253,0 17298 3016784 /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit
|
|
|
2413b1 |
|
|
|
2413b1 |
gdb /usr/lib/jvm/jre-1.8.0-openjdk/bin/java 8456 , Use the pid from above
|
|
|
2413b1 |
|
|
|
2413b1 |
Inside gdb do this:
|
|
|
2413b1 |
|
|
|
2413b1 |
call close(124)
|
|
|
2413b1 |
|
|
|
2413b1 |
This will close the file descriptor for the running server.
|
|
|
2413b1 |
|
|
|
2413b1 |
5. Now just try to do anything with the CS UI and observe errors written to the journalctl log,
|
|
|
2413b1 |
having to do with not being able to write to the ca_audit file. If signed audit logging is configured,
|
|
|
2413b1 |
many of these conditions will result in the the shutdown of the server.
|
|
|
2413b1 |
|
|
|
2413b1 |
Change-Id: I21c62a5ad6bedfe8678144a764bff2e2a4716dce
|
|
|
2413b1 |
(cherry picked from commit 268cc70782b517c17439a17a5036f9f51182b650)
|
|
|
2413b1 |
(cherry picked from commit cdfe6f3e5a29fa061a0e6b6fb599dcddc19984c3)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
base/ca/src/com/netscape/ca/SigningUnit.java | 16 +++++++
|
|
|
2413b1 |
.../cms/src/com/netscape/cms/logging/LogFile.java | 23 ++++++++++
|
|
|
2413b1 |
.../cms/src/com/netscape/cms/logging/LogQueue.java | 22 ++++++---
|
|
|
2413b1 |
.../netscape/cms/logging/SignedAuditLogger.java | 53 ++++++++++++++--------
|
|
|
2413b1 |
base/server/cmsbundle/src/UserMessages.properties | 2 +
|
|
|
2413b1 |
.../src/com/netscape/cmscore/apps/CMSEngine.java | 9 ++++
|
|
|
2413b1 |
6 files changed, 99 insertions(+), 26 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/ca/src/com/netscape/ca/SigningUnit.java b/base/ca/src/com/netscape/ca/SigningUnit.java
|
|
|
2413b1 |
index 3194380..7cd0dd4 100644
|
|
|
2413b1 |
--- a/base/ca/src/com/netscape/ca/SigningUnit.java
|
|
|
2413b1 |
+++ b/base/ca/src/com/netscape/ca/SigningUnit.java
|
|
|
2413b1 |
@@ -41,7 +41,9 @@ import com.netscape.certsrv.base.ISubsystem;
|
|
|
2413b1 |
import com.netscape.certsrv.ca.CAMissingCertException;
|
|
|
2413b1 |
import com.netscape.certsrv.ca.CAMissingKeyException;
|
|
|
2413b1 |
import com.netscape.certsrv.ca.ECAException;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.ConsoleError;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.SystemEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.security.ISigningUnit;
|
|
|
2413b1 |
import com.netscape.cms.logging.Logger;
|
|
|
2413b1 |
import com.netscape.cmscore.security.JssSubsystem;
|
|
|
2413b1 |
@@ -274,6 +276,7 @@ public final class SigningUnit implements ISigningUnit {
|
|
|
2413b1 |
if (!mInited) {
|
|
|
2413b1 |
throw new EBaseException("CASigningUnit not initialized!");
|
|
|
2413b1 |
}
|
|
|
2413b1 |
+ boolean testSignatureFailure = false;
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
// XXX for now do this mapping until James changes the names
|
|
|
2413b1 |
// to match JCA names and provide a getAlgorithm method.
|
|
|
2413b1 |
@@ -303,6 +306,13 @@ public final class SigningUnit implements ISigningUnit {
|
|
|
2413b1 |
|
|
|
2413b1 |
// XXX add something more descriptive.
|
|
|
2413b1 |
CMS.debug("Signing Certificate");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ testSignatureFailure = mConfig.getBoolean("testSignatureFailure",false);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ if(testSignatureFailure == true) {
|
|
|
2413b1 |
+ throw new SignatureException("Signature Exception forced for testing purposes.");
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
return signer.sign();
|
|
|
2413b1 |
} catch (NoSuchAlgorithmException e) {
|
|
|
2413b1 |
log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
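Review bot: `testSignatureFailure` is a fault-injection switch that ships in the production code path of every signing operation: when `ca.signing.testSignatureFailure` is set, each call to sign() throws a SignatureException and the catch below invokes `CMS.checkForAndAutoShutdown()`, so a single config edit becomes a CA-wide denial of service. Anyone who can write CS.cfg can already do worse, but the knob should at least be documented where it is read, e.g. `// Test-only hook (ca.signing.testSignatureFailure): forces a SignatureException to exercise the console/shutdown path. Never set in production.`. Reading it through `mConfig.getBoolean` inside sign() also costs a config lookup per signature; reading it once at init would be cheaper. The enclosing try/catch extends beyond the hunk.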
|
|
|
2413b1 |
@@ -319,6 +329,12 @@ public final class SigningUnit implements ISigningUnit {
|
|
|
2413b1 |
} catch (SignatureException e) {
|
|
|
2413b1 |
log(ILogger.LL_FAILURE, CMS.getLogMessage("OPERATION_ERROR", e.toString()));
|
|
|
2413b1 |
CMS.debug("SigningUnit.sign: " + e.toString());
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ //For this one case, show the eventual erorr message that will be written to the system error
|
|
|
2413b1 |
+ //log in case of a Signature failure.
|
|
|
2413b1 |
+ if (testSignatureFailure == true) {
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString())));
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
CMS.checkForAndAutoShutdown();
|
|
|
2413b1 |
// XXX fix this exception later.
|
|
|
2413b1 |
throw new EBaseException(e);
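Review bot: The console message is sent only when `testSignatureFailure` is true, so a real SignatureException from a failing HSM, the case the commit message says it addresses, still writes nothing to the console before `CMS.checkForAndAutoShutdown()` may take the server down. If operators are meant to see why the CA stopped, drop the guard and call `ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString())));` unconditionally in this catch; if the gating is deliberate, the comment above it should say why. The comment also misspells `erorr`.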
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
|
|
|
2413b1 |
index 510e796..74a8ada 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
|
|
|
2413b1 |
@@ -824,6 +824,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
|
|
|
2413b1 |
mFileName)));
|
|
|
2413b1 |
} catch (GeneralSecurityException gse) {
|
|
|
2413b1 |
// error with signed audit log, shutdown CMS
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_OPEN_FAILED", mFileName, gse.toString())));
|
|
|
2413b1 |
gse.printStackTrace();
|
|
|
2413b1 |
shutdownCMS();
|
|
|
2413b1 |
}
|
|
|
2413b1 |
@@ -843,6 +844,8 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
|
|
|
2413b1 |
} catch (ELogException le) {
|
|
|
2413b1 |
ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName,
|
|
|
2413b1 |
le.toString())));
|
|
|
2413b1 |
+ le.printStackTrace();
|
|
|
2413b1 |
+ shutdownCMS();
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
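Review bot: This `ELogException` catch now calls `shutdownCMS()` unconditionally, whereas the catch-all added in the flush path just below only shuts down when `mLogSigning` is true; unless this catch already sits inside a signed-audit-only branch (the enclosing method starts outside the hunk), a flush failure on an ordinary unsigned log file will now stop the whole server. Make the two consistent, e.g. `if (mLogSigning) { le.printStackTrace(); shutdownCMS(); }`, keeping the console message for both cases.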
|
|
2413b1 |
@@ -858,8 +861,15 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
} catch (GeneralSecurityException gse) {
|
|
|
2413b1 |
// error with signed audit log, shutdown CMS
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, gse.toString())));
|
|
|
2413b1 |
gse.printStackTrace();
|
|
|
2413b1 |
shutdownCMS();
|
|
|
2413b1 |
+ } catch (Exception ee) {
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_FLUSH_LOG_FAILED", mFileName, ee.toString())));
|
|
|
2413b1 |
+ if(mLogSigning) {
|
|
|
2413b1 |
+ ee.printStackTrace();
|
|
|
2413b1 |
+ shutdownCMS();
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
mBytesUnflushed = 0;
|
|
|
2413b1 |
@@ -995,6 +1005,11 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
|
|
|
2413b1 |
if (mLogWriter == null) {
|
|
|
2413b1 |
String[] params = { mFileName, entry };
|
|
|
2413b1 |
|
|
|
2413b1 |
+ if (mLogSigning) {
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params)));
|
|
|
2413b1 |
+ // Failed to write to audit log, shut down CMS
|
|
|
2413b1 |
+ shutdownCMS();
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
throw new ELogException(CMS.getUserMessage("CMS_LOG_LOGFILE_CLOSED", params));
|
|
|
2413b1 |
} else {
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
@@ -1066,6 +1081,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
|
|
|
2413b1 |
gse.printStackTrace();
|
|
|
2413b1 |
ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage(
|
|
|
2413b1 |
LOG_SIGNED_AUDIT_EXCEPTION, gse.toString())));
|
|
|
2413b1 |
+ } catch (Exception ee) { // Make darn sure we got everything
|
|
|
2413b1 |
+ ConsoleError.send(new SignedAuditEvent(CMS.getLogMessage(LOG_SIGNED_AUDIT_EXCEPTION, ee.toString())));
|
|
|
2413b1 |
+ if (mLogSigning) {
|
|
|
2413b1 |
+ // Failed to write to audit log, shut down CMS
|
|
|
2413b1 |
+ ee.printStackTrace();
|
|
|
2413b1 |
+ shutdownCMS();
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
// XXX
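Review bot: The new `catch (Exception ee)` prints the stack trace only when `mLogSigning` is set, so for an unsigned log a RuntimeException thrown while writing an entry is reduced to a one-line console message and then swallowed, with no trace in any log. Move `ee.printStackTrace();` ahead of the `if (mLogSigning)` so the cause is always recorded, and keep the shutdown gated as it is. Note also that this catch-all now intercepts RuntimeExceptions that the narrower catches above did not, which is a behaviour change for non-audit log writers; the enclosing method continues past the hunk.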
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogQueue.java b/base/server/cms/src/com/netscape/cms/logging/LogQueue.java
|
|
|
2413b1 |
index 1b40676..5eb96d7 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/logging/LogQueue.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/logging/LogQueue.java
|
|
|
2413b1 |
@@ -19,10 +19,13 @@ package com.netscape.cms.logging;
|
|
|
2413b1 |
|
|
|
2413b1 |
import java.util.Vector;
|
|
|
2413b1 |
|
|
|
2413b1 |
-import com.netscape.certsrv.logging.ELogException;
|
|
|
2413b1 |
+import com.netscape.certsrv.apps.CMS;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.ConsoleError;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogEventListener;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogQueue;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.SignedAuditEvent;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.SystemEvent;
|
|
|
2413b1 |
|
|
|
2413b1 |
/**
|
|
|
2413b1 |
* A class represents a log queue.
|
|
|
2413b1 |
@@ -95,13 +98,20 @@ public class LogQueue implements ILogQueue {
|
|
|
2413b1 |
*/
|
|
|
2413b1 |
public void log(ILogEvent event) {
|
|
|
2413b1 |
for (int i = 0; i < mListeners.size(); i++) {
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ boolean isAudit = false;
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ if( event instanceof SignedAuditEvent) {
|
|
|
2413b1 |
+ isAudit = true;
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
mListeners.elementAt(i).log(event);
|
|
|
2413b1 |
- } catch (ELogException e) {
|
|
|
2413b1 |
- // Raidzilla Bug #57592: Don't display potentially
|
|
|
2413b1 |
- // incorrect log message.
|
|
|
2413b1 |
- // ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_EVENT_FAILED",
|
|
|
2413b1 |
- // event.getEventType(), e.toString())));
|
|
|
2413b1 |
+ } catch (Exception e) {//Try to catch ELogException or possible RuntimeExceptions if thrown
|
|
|
2413b1 |
+ //Last resort log to the system for failed audit log attempt
|
|
|
2413b1 |
+ if(isAudit == true) {
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", event.getEventType(), e.toString(),
|
|
|
2413b1 |
+ "Audit Event Failure!")));
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
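Review bot: `isAudit` is recomputed on every iteration of the listener loop even though `event` does not change; hoist it above the `for` as `final boolean isAudit = event instanceof SignedAuditEvent;`. More importantly, the widened `catch (Exception e)` now silently swallows RuntimeExceptions from listeners for non-audit events, where the old code swallowed only `ELogException` and explained why, so at least emit `CMS.debug(e)` in the non-audit branch rather than dropping the failure entirely. The Raidzilla #57592 rationale that was deleted with the old comment is worth keeping in the new one.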
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java b/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java
|
|
|
2413b1 |
index 183f93c..90b5d5d 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/logging/SignedAuditLogger.java
|
|
|
2413b1 |
@@ -18,11 +18,13 @@
|
|
|
2413b1 |
package com.netscape.cms.logging;
|
|
|
2413b1 |
|
|
|
2413b1 |
import com.netscape.certsrv.apps.CMS;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.ConsoleError;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.LogCategory;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.LogEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.LogSource;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.SignedAuditEvent;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.SystemEvent;
|
|
|
2413b1 |
|
|
|
2413b1 |
/**
|
|
|
2413b1 |
* A class represents certificate server logger
|
|
|
2413b1 |
@@ -53,37 +55,48 @@ public class SignedAuditLogger extends Logger {
|
|
|
2413b1 |
Object params[], boolean multiline) {
|
|
|
2413b1 |
|
|
|
2413b1 |
// create event
|
|
|
2413b1 |
- SignedAuditEvent event = (SignedAuditEvent)create(
|
|
|
2413b1 |
+ SignedAuditEvent event = (SignedAuditEvent) create(
|
|
|
2413b1 |
category, source, level, message, params, multiline);
|
|
|
2413b1 |
|
|
|
2413b1 |
// parse attributes in message
|
|
|
2413b1 |
int start = 0;
|
|
|
2413b1 |
- while (start < message.length()) {
|
|
|
2413b1 |
|
|
|
2413b1 |
- // find [name=value]
|
|
|
2413b1 |
- int i = message.indexOf("[", start);
|
|
|
2413b1 |
- if (i < 0) break;
|
|
|
2413b1 |
+ try {
|
|
|
2413b1 |
+ while (start < message.length()) {
|
|
|
2413b1 |
|
|
|
2413b1 |
- int j = message.indexOf("=", i + 1);
|
|
|
2413b1 |
- if (j < 0) {
|
|
|
2413b1 |
- throw new RuntimeException("Missing equal sign: " + message);
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
+ // find [name=value]
|
|
|
2413b1 |
+ int i = message.indexOf("[", start);
|
|
|
2413b1 |
+ if (i < 0)
|
|
|
2413b1 |
+ break;
|
|
|
2413b1 |
|
|
|
2413b1 |
- // get attribute name
|
|
|
2413b1 |
- String name = message.substring(i + 1, j);
|
|
|
2413b1 |
+ int j = message.indexOf("=", i + 1);
|
|
|
2413b1 |
+ if (j < 0) {
|
|
|
2413b1 |
+ throw new RuntimeException("Missing equal sign: " + message);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
|
|
|
2413b1 |
- int k = message.indexOf("]", j + 1);
|
|
|
2413b1 |
- if (k < 0) {
|
|
|
2413b1 |
- throw new RuntimeException("Missing closing bracket: " + message);
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
+ // get attribute name
|
|
|
2413b1 |
+ String name = message.substring(i + 1, j);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ int k = message.indexOf("]", j + 1);
|
|
|
2413b1 |
+ if (k < 0) {
|
|
|
2413b1 |
+ throw new RuntimeException("Missing closing bracket: " + message);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
|
|
|
2413b1 |
- // get attribute value
|
|
|
2413b1 |
- String value = message.substring(j + 1, k);
|
|
|
2413b1 |
+ // get attribute value
|
|
|
2413b1 |
+ String value = message.substring(j + 1, k);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ // store attribute in event
|
|
|
2413b1 |
+ event.setAttribute(name, value);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ start = k + 1;
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
|
|
|
2413b1 |
- // store attribute in event
|
|
|
2413b1 |
- event.setAttribute(name, value);
|
|
|
2413b1 |
+ } catch (Exception e) { //Catch any of our RunTime exceptions just so we can log it to the console
|
|
|
2413b1 |
+ ConsoleError
|
|
|
2413b1 |
+ .send(new SystemEvent(CMS.getUserMessage("CMS_LOG_WRITE_FAILED", event.getEventType(), e.toString(),
|
|
|
2413b1 |
+ "Audit Event Failure!")));
|
|
|
2413b1 |
|
|
|
2413b1 |
- start = k + 1;
|
|
|
2413b1 |
+ throw e;
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
mLogQueue.log(event);
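Review bot: The `catch (Exception e)` wrapped around the attribute-parsing loop is wider than anything the loop can throw; the body only raises unchecked exceptions (the two explicit `RuntimeException` throws plus whatever `substring`/`setAttribute` may raise), and the bare `throw e;` compiles only through Java 7 precise rethrow. `} catch (RuntimeException e) { // log the parse failure to the console before propagating it` states the intent and stops a future checked exception inside the loop from silently widening the method's contract. A comment on the rethrow that the event is never queued when parsing fails — the console record is the only trace — is also worth adding, because attribute values are not escaped: a `]` inside a value truncates it, and a `[` with no following `=` aborts the whole audit write. The enclosing log method begins before this hunk.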
|
|
|
2413b1 |
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
|
|
|
2413b1 |
index 8007ce1..9c324f5 100644
|
|
|
2413b1 |
--- a/base/server/cmsbundle/src/UserMessages.properties
|
|
|
2413b1 |
+++ b/base/server/cmsbundle/src/UserMessages.properties
|
|
|
2413b1 |
@@ -387,6 +387,7 @@ CMS_CA_SET_SERIALNO_FAILED=Request {0} was completed with errors.\nError setting
|
|
|
2413b1 |
CMS_CA_NOSERIALNO=Request {0} was completed with errors.\nCA has exausted all available serial numbers
|
|
|
2413b1 |
CMS_CA_SIGNING_CRL_FAILED=Failed signing CRL. Error {0}
|
|
|
2413b1 |
CMS_CA_SIGNING_CERT_FAILED=Failed signing certificate. Error {0}
|
|
|
2413b1 |
+CMS_CA_SIGNING_OPERATION_FAILED=Signing Unit signing operation failed. Error {0}
|
|
|
2413b1 |
CMS_CA_MISSING_INFO_IN_ISSUEREQ=Missing certificate info in issuing request
|
|
|
2413b1 |
CMS_CA_MISSING_INFO_IN_REVREQ=Missing revocation info in revocation request
|
|
|
2413b1 |
CMS_CA_MISSING_INFO_IN_CLAREQ=Missing CLA certificate info in cert4crl request
|
|
|
2413b1 |
@@ -506,6 +507,7 @@ CMS_LOG_INVALID_FILE_NAME=Attempt to initialize log with an invalid filename: \"
|
|
|
2413b1 |
CMS_LOG_UNEXPECTED_EXCEPTION=Caught unexpected exception: {0}
|
|
|
2413b1 |
CMS_LOG_ILLEGALARGUMENT=Illegal argument when opening: {0}
|
|
|
2413b1 |
CMS_LOG_CLOSE_FAILED=Failed to close file \"{0}\", error: {1}
|
|
|
2413b1 |
+CMS_LOG_OPEN_FAILED=Failed to open file \"{0}\", error: {1}
|
|
|
2413b1 |
CMS_LOG_INVALID_LOG_TYPE=Invalid log type in \"{0}\" property: {1}
|
|
|
2413b1 |
CMS_LOG_SRVLT_ILL_PLUGIN_ID=Another plugin ID already exists {0}
|
|
|
2413b1 |
CMS_LOG_SRVLT_NULL_CLASS=Plugin classname is null
|
|
|
2413b1 |
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
2413b1 |
index be79607..b1df429 100644
|
|
|
2413b1 |
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
2413b1 |
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
|
|
|
2413b1 |
@@ -100,12 +100,14 @@ import com.netscape.certsrv.ldap.ELdapException;
|
|
|
2413b1 |
import com.netscape.certsrv.ldap.ILdapAuthInfo;
|
|
|
2413b1 |
import com.netscape.certsrv.ldap.ILdapConnFactory;
|
|
|
2413b1 |
import com.netscape.certsrv.ldap.ILdapConnInfo;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.ConsoleError;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ELogException;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.IAuditor;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogEventListener;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogQueue;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.SystemEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.notification.IEmailFormProcessor;
|
|
|
2413b1 |
import com.netscape.certsrv.notification.IEmailResolver;
|
|
|
2413b1 |
import com.netscape.certsrv.notification.IEmailResolverKeys;
|
|
|
2413b1 |
@@ -1318,6 +1320,7 @@ public class CMSEngine implements ICMSEngine {
|
|
|
2413b1 |
public void checkForAndAutoShutdown() {
|
|
|
2413b1 |
String method= "CMSEngine: checkForAndAutoShutdown: ";
|
|
|
2413b1 |
CMS.debug(method + "begins");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
boolean allowShutdown = mConfig.getBoolean("autoShutdown.allowed", false);
|
|
|
2413b1 |
if ((!allowShutdown) || (mSigningKey == null) ||
|
|
|
2413b1 |
@@ -1336,7 +1339,13 @@ public class CMSEngine implements ICMSEngine {
|
|
|
2413b1 |
byte[] result = signer.sign();
|
|
|
2413b1 |
CMS.debug(method + " signining successful: " + new String(result));
|
|
|
2413b1 |
} catch (SignatureException e) {
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ //Let's write to the error console in case we are in a bad memory situation
|
|
|
2413b1 |
+ //This will be the most likely to work, giving us a record of the signing failure
|
|
|
2413b1 |
+ ConsoleError.send(new SystemEvent(CMS.getUserMessage("CMS_CA_SIGNING_OPERATION_FAILED", e.toString())));
|
|
|
2413b1 |
+
|
|
|
2413b1 |
CMS.debug(method + "autoShutdown for " + e.toString());
|
|
|
2413b1 |
+
|
|
|
2413b1 |
CMS.autoShutdown();
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
CMS.debug(method + "continue for " + e.toString());
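Review bot: `CMS.autoShutdown()` now runs only after the new `ConsoleError.send(...)` call in the `SignatureException` handler, so an unchecked exception raised while building or sending the console message escapes the handler and the shutdown is skipped — the opposite of what the bad-memory comment intends, since `CMS.getUserMessage` and the `SystemEvent` allocation are exactly the steps likely to fail in that situation. The sibling `catch (Exception e)` at the end of the hunk does not help, as it is a peer of the `SignatureException` clause rather than an enclosing handler. Make the console write best effort, e.g. `try { ConsoleError.send(...); } catch (RuntimeException ignored) { /* console record is best effort; shutdown must still run */ }`, or issue the shutdown first. The enclosing `checkForAndAutoShutdown` method starts in the previous hunk and ends outside this one.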
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From 54a52b8cfffdb3d39408d3e765e45f5751715700 Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
2413b1 |
Date: Thu, 1 Feb 2018 18:37:10 -0800
|
|
|
2413b1 |
Subject: [PATCH 7/9] Ticket #2880 missing CMC request and response record
|
|
|
2413b1 |
|
|
|
2413b1 |
This patch adds audit events to record received CMC requests and signed CMC responses:
|
|
|
2413b1 |
CMC_REQUEST_RECEIVED
|
|
|
2413b1 |
CMC_RESPONSE_SENT
|
|
|
2413b1 |
|
|
|
2413b1 |
This patch fixes https://pagure.io/dogtagpki/issue/2880
|
|
|
2413b1 |
|
|
|
2413b1 |
Change-Id: Id093225b22a2c434e680726442c49b410fa738a3
|
|
|
2413b1 |
(cherry picked from commit 55a6fa09d24b1c30bfd9d80357d69a8905ee4090)
|
|
|
2413b1 |
(cherry picked from commit d9ae15065d96bf5b634bae6dfa4b6d0e4780d4ae)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
base/ca/shared/conf/CS.cfg | 4 ++--
|
|
|
2413b1 |
.../com/netscape/certsrv/logging/AuditEvent.java | 4 ++++
|
|
|
2413b1 |
.../cms/servlet/common/CMCOutputTemplate.java | 15 ++++++++++++++
|
|
|
2413b1 |
.../servlet/profile/ProfileSubmitCMCServlet.java | 23 ++++++++++++++++++----
|
|
|
2413b1 |
base/server/cmsbundle/src/LogMessages.properties | 19 ++++++++++++++++--
|
|
|
2413b1 |
.../com/netscape/cmsutil/crypto/CryptoUtil.java | 10 +---------
|
|
|
2413b1 |
base/util/src/com/netscape/cmsutil/util/Utils.java | 23 ++++++++++++++++++++++
|
|
|
2413b1 |
7 files changed, 81 insertions(+), 17 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
|
|
|
2413b1 |
index 76a7057..59de904 100644
|
|
|
2413b1 |
--- a/base/ca/shared/conf/CS.cfg
|
|
|
2413b1 |
+++ b/base/ca/shared/conf/CS.cfg
|
|
|
2413b1 |
@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
|
|
|
2413b1 |
log.instance.SignedAudit._002=##
|
|
|
2413b1 |
log.instance.SignedAudit._003=##
|
|
|
2413b1 |
log.instance.SignedAudit._004=## Available Audit events:
|
|
|
2413b1 |
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
|
|
|
2413b1 |
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
|
|
|
2413b1 |
log.instance.SignedAudit._006=##
|
|
|
2413b1 |
log.instance.SignedAudit.bufferSize=512
|
|
|
2413b1 |
log.instance.SignedAudit.enable=true
|
|
|
2413b1 |
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
|
|
|
2413b1 |
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION
|
|
|
2413b1 |
log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
|
|
|
2413b1 |
log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
|
|
|
2413b1 |
log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
|
|
|
2413b1 |
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
|
|
|
2413b1 |
index 131b2a9..db58f34 100644
|
|
|
2413b1 |
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
|
|
|
2413b1 |
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
|
|
|
2413b1 |
@@ -67,6 +67,10 @@ public class AuditEvent extends LogEvent {
|
|
|
2413b1 |
"LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
|
|
|
2413b1 |
public final static String PROFILE_CERT_REQUEST =
|
|
|
2413b1 |
"LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
|
|
|
2413b1 |
+ public final static String CMC_REQUEST_RECEIVED =
|
|
|
2413b1 |
+ "LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3";
|
|
|
2413b1 |
+ public final static String CMC_RESPONSE_SENT =
|
|
|
2413b1 |
+ "LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3";
|
|
|
2413b1 |
public final static String INTER_BOUNDARY =
|
|
|
2413b1 |
"LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
|
|
|
2413b1 |
public final static String CERT_PROFILE_APPROVAL =
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
2413b1 |
index 814a9c2..e89c9a0 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
|
|
|
2413b1 |
@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.SessionContext;
|
|
|
2413b1 |
import com.netscape.certsrv.ca.ICertificateAuthority;
|
|
|
2413b1 |
import com.netscape.certsrv.dbs.certdb.ICertRecord;
|
|
|
2413b1 |
import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.AuditEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.AuditFormat;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.LogEvent;
|
|
|
2413b1 |
@@ -150,6 +151,7 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
OutputStream os = resp.getOutputStream();
|
|
|
2413b1 |
os.write(contentBytes);
|
|
|
2413b1 |
os.flush();
|
|
|
2413b1 |
+ auditCMCResponseSent(Utils.base64encode(contentBytes, false));
|
|
|
2413b1 |
} catch (Exception e) {
|
|
|
2413b1 |
CMS.debug("CMCOutputTemplate createFullResponseWithFailedStatus Exception: " + e.toString());
|
|
|
2413b1 |
return;
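Review bot: `auditCMCResponseSent(...)` is called after `os.flush()`, so the response is already on the wire when the audit record is produced, and in this hunk a failure inside the helper lands in the generic `catch (Exception e)` that only writes a debug line — the response then leaves the server with no CMC_RESPONSE_SENT record. The same placement appears in the hunks at `@@ -480,6 +482,7 @@` and `@@ -722,6 +725,7 @@`, where the surrounding catches are typed (`CertificateEncodingException`, `InvalidBERException`), so an unchecked exception from the helper would propagate out of those methods after the response has been sent. Either produce the audit record immediately before the write and flush, so an audit failure can still stop the response, or document at each call that the audit is best effort and guard it with its own `catch (RuntimeException e)`. The enclosing methods start and end outside these hunks.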
|
|
|
2413b1 |
@@ -480,6 +482,7 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
OutputStream os = resp.getOutputStream();
|
|
|
2413b1 |
os.write(contentBytes);
|
|
|
2413b1 |
os.flush();
|
|
|
2413b1 |
+ auditCMCResponseSent(Utils.base64encode(contentBytes, false));
|
|
|
2413b1 |
CMS.debug(method + "ends");
|
|
|
2413b1 |
} catch (java.security.cert.CertificateEncodingException e) {
|
|
|
2413b1 |
CMS.debug(method + e.toString());
|
|
|
2413b1 |
@@ -722,6 +725,7 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
OutputStream os = resp.getOutputStream();
|
|
|
2413b1 |
os.write(contentBytes);
|
|
|
2413b1 |
os.flush();
|
|
|
2413b1 |
+ auditCMCResponseSent(Utils.base64encode(contentBytes, false));
|
|
|
2413b1 |
} catch (java.security.cert.CertificateEncodingException e) {
|
|
|
2413b1 |
CMS.debug("CMCOutputTemplate exception: " + e.toString());
|
|
|
2413b1 |
} catch (InvalidBERException e) {
|
|
|
2413b1 |
@@ -1391,6 +1395,17 @@ public class CMCOutputTemplate {
|
|
|
2413b1 |
signedAuditLogger.log(msg);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
+ protected void auditCMCResponseSent(String response) {
|
|
|
2413b1 |
+ SessionContext context = SessionContext.getContext();
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ String auditMessage = CMS.getLogMessage(
|
|
|
2413b1 |
+ AuditEvent.CMC_RESPONSE_SENT,
|
|
|
2413b1 |
+ (String) context.get(SessionContext.USER_ID),
|
|
|
2413b1 |
+ ILogger.SUCCESS,
|
|
|
2413b1 |
+ Utils.normalizeString(response));
|
|
|
2413b1 |
+ audit(auditMessage);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
private RevocationReason toRevocationReason(ENUMERATED n) {
|
|
|
2413b1 |
long code = n.getValue();
|
|
|
2413b1 |
if (code == RevokeRequest.aACompromise.getValue())
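Review bot: `auditCMCResponseSent` passes `(String) context.get(SessionContext.USER_ID)` straight into the audit message, so a session without a user id yields `[SubjectID=null]`, whereas the CMC_REQUEST_RECEIVED code in ProfileSubmitCMCServlet starts from `auditSubjectID()` and the servlet already uses `ILogger.UNIDENTIFIED` as its placeholder for an unknown identity. A fallback keeps the two records consistent: `String subjectID = (String) context.get(SessionContext.USER_ID); if (subjectID == null) subjectID = ILogger.UNIDENTIFIED;`. Whether `SessionContext.getContext()` can itself return null is not visible here; if it can, the same guard applies. The method also lacks Javadoc; `/** Records a CMC_RESPONSE_SENT audit event carrying the base64 response that was written to the client. */` would do.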
|
|
|
2413b1 |
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
2413b1 |
index 5509080..91a26b1 100644
|
|
|
2413b1 |
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
2413b1 |
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
|
|
|
2413b1 |
@@ -46,9 +46,10 @@ import com.netscape.certsrv.authentication.IAuthToken;
|
|
|
2413b1 |
import com.netscape.certsrv.authorization.AuthzToken;
|
|
|
2413b1 |
import com.netscape.certsrv.base.EBaseException;
|
|
|
2413b1 |
import com.netscape.certsrv.base.SessionContext;
|
|
|
2413b1 |
-import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.AuditEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.AuthEvent;
|
|
|
2413b1 |
import com.netscape.certsrv.logging.event.CertRequestProcessedEvent;
|
|
|
2413b1 |
+import com.netscape.certsrv.logging.ILogger;
|
|
|
2413b1 |
import com.netscape.certsrv.profile.ECMCBadIdentityException;
|
|
|
2413b1 |
import com.netscape.certsrv.profile.ECMCBadMessageCheckException;
|
|
|
2413b1 |
import com.netscape.certsrv.profile.ECMCBadRequestException;
|
|
|
2413b1 |
@@ -67,6 +68,8 @@ import com.netscape.certsrv.request.INotify;
|
|
|
2413b1 |
import com.netscape.certsrv.request.IRequest;
|
|
|
2413b1 |
import com.netscape.certsrv.request.RequestId;
|
|
|
2413b1 |
import com.netscape.certsrv.request.RequestStatus;
|
|
|
2413b1 |
+import com.netscape.cms.logging.Logger;
|
|
|
2413b1 |
+import com.netscape.cms.logging.SignedAuditLogger;
|
|
|
2413b1 |
import com.netscape.cms.servlet.common.AuthCredentials;
|
|
|
2413b1 |
import com.netscape.cms.servlet.common.CMCOutputTemplate;
|
|
|
2413b1 |
import com.netscape.cms.servlet.common.CMSRequest;
|
|
|
2413b1 |
@@ -85,6 +88,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
/**
|
|
|
2413b1 |
*
|
|
|
2413b1 |
*/
|
|
|
2413b1 |
+ private static Logger signedAuditLogger = SignedAuditLogger.getLogger();
|
|
|
2413b1 |
private static final long serialVersionUID = -8017841111435988197L;
|
|
|
2413b1 |
private static final String PROP_PROFILE_ID = "profileId";
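Review bot: The new `signedAuditLogger` field is inserted between an empty Javadoc block and `serialVersionUID`, so that `/** */` comment now documents the logger rather than the serial-version field; move the declaration below `serialVersionUID` or give it its own comment. It is assigned once from `SignedAuditLogger.getLogger()` and never reassigned in the visible hunks, so it should be `private static final Logger signedAuditLogger = SignedAuditLogger.getLogger();`.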
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -112,7 +116,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
private void setInputsIntoContext(HttpServletRequest request, IProfile profile, IProfileContext ctx) {
|
|
|
2413b1 |
-
|
|
|
2413b1 |
+ String method = "ProfileSubmitCMCServlet.setInputsIntoContext: ";
|
|
|
2413b1 |
// passing inputs into context
|
|
|
2413b1 |
Enumeration<String> inputIds = profile.getProfileInputIds();
|
|
|
2413b1 |
|
|
|
2413b1 |
@@ -126,6 +130,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
String inputName = inputNames.nextElement();
|
|
|
2413b1 |
|
|
|
2413b1 |
if (request.getParameter(inputName) != null) {
|
|
|
2413b1 |
+ CMS.debug(method + "setting: " + inputName);
|
|
|
2413b1 |
ctx.set(inputName, request.getParameter(inputName));
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
|
|
|
2413b1 |
@@ -399,7 +404,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
IProfileContext ctx = profile.createContext();
|
|
|
2413b1 |
if (requestB64 != null) {
|
|
|
2413b1 |
ctx.set("cert_request_type", cert_request_type);
|
|
|
2413b1 |
- ctx.set("cert_request", requestB64);
|
|
|
2413b1 |
+ ctx.set("cert_request", Utils.normalizeString(requestB64));
|
|
|
2413b1 |
}
|
|
|
2413b1 |
// passing auths into context
|
|
|
2413b1 |
IProfileAuthenticator authenticator = null;
|
|
|
2413b1 |
@@ -481,6 +486,17 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
+ String auditSubjectID = auditSubjectID();
|
|
|
2413b1 |
+ if (authToken != null) {
|
|
|
2413b1 |
+ auditSubjectID = authToken.getInString(IAuthToken.USER_ID);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+ String auditMessage = CMS.getLogMessage(
|
|
|
2413b1 |
+ AuditEvent.CMC_REQUEST_RECEIVED,
|
|
|
2413b1 |
+ auditSubjectID,
|
|
|
2413b1 |
+ ILogger.SUCCESS,
|
|
|
2413b1 |
+ Utils.normalizeString(requestB64));
|
|
|
2413b1 |
+ signedAuditLogger.log(auditMessage);
|
|
|
2413b1 |
+
|
|
|
2413b1 |
IRequest reqs[] = null;
|
|
|
2413b1 |
|
|
|
2413b1 |
///////////////////////////////////////////////
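Review bot: `auditSubjectID = authToken.getInString(IAuthToken.USER_ID)` overwrites the `auditSubjectID()` value whenever a token exists, with no null check on the returned string, so a token lacking USER_ID yields `[SubjectID=null]` where the previous code had a value; guard it with `String uid = authToken.getInString(IAuthToken.USER_ID); if (uid != null) auditSubjectID = uid;`. Because the later declaration of `auditSubjectID` is deleted in the hunk at `@@ -777,7 +793,6 @@`, this token-derived value appears to feed the audit records emitted further down the method as well, which is a behaviour change beyond the CMC_REQUEST_RECEIVED event the commit describes — a comment stating that this is intended would help, if it is. The full base64 request is also copied into the signed audit record, so audit volume now scales with request size; a short comment on the `signedAuditLogger.log` call noting that would help operators sizing the log. The enclosing method starts and ends outside the hunk.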
|
|
|
2413b1 |
@@ -777,7 +793,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
|
|
|
2413b1 |
}
|
|
|
2413b1 |
} //for
|
|
|
2413b1 |
|
|
|
2413b1 |
- String auditSubjectID = auditSubjectID();
|
|
|
2413b1 |
String auditRequesterID = ILogger.UNIDENTIFIED;
|
|
|
2413b1 |
|
|
|
2413b1 |
try {
|
|
|
2413b1 |
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
|
|
|
2413b1 |
index 9ca508a..7963f6f 100644
|
|
|
2413b1 |
--- a/base/server/cmsbundle/src/LogMessages.properties
|
|
|
2413b1 |
+++ b/base/server/cmsbundle/src/LogMessages.properties
|
|
|
2413b1 |
@@ -2008,6 +2008,21 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SI
|
|
|
2413b1 |
#
|
|
|
2413b1 |
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
|
|
|
2413b1 |
#
|
|
|
2413b1 |
+# LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED
|
|
|
2413b1 |
+# - used when a CMC request is received.
|
|
|
2413b1 |
+# SubjectID must be the UID of user that triggered this event
|
|
|
2413b1 |
+# (if CMC requests is signed by an agent, SubjectID should
|
|
|
2413b1 |
+# be that of the agent)
|
|
|
2413b1 |
+# In case of an unsigned request, it would bear $Unidentified$
|
|
|
2413b1 |
+#
|
|
|
2413b1 |
+LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
|
|
|
2413b1 |
+#
|
|
|
2413b1 |
+# LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT
|
|
|
2413b1 |
+# - used when a CMC response is sent
|
|
|
2413b1 |
+# SubjectID must be the UID of user that triggered this event
|
|
|
2413b1 |
+#
|
|
|
2413b1 |
+LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
|
|
|
2413b1 |
+#
|
|
|
2413b1 |
# LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
|
|
|
2413b1 |
# - used when a profile certificate request is made (before approval process)
|
|
|
2413b1 |
# SubjectID must be the UID of user that triggered this event
|
|
|
2413b1 |
@@ -2220,13 +2235,13 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GEN
|
|
|
2413b1 |
LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
|
|
|
2413b1 |
#
|
|
|
2413b1 |
# LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY
|
|
|
2413b1 |
-# - used when CMC (agent-pre-signed) certificate requests or revocation requests
|
|
|
2413b1 |
+# - used when agent signed CMC certificate requests or revocation requests
|
|
|
2413b1 |
# are submitted and signature is verified
|
|
|
2413b1 |
# ReqType must be the request type (enrollment, or revocation)
|
|
|
2413b1 |
# CertSubject must be the certificate subject name of the certificate request
|
|
|
2413b1 |
# SignerInfo must be a unique String representation for the signer
|
|
|
2413b1 |
#
|
|
|
2413b1 |
-LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent pre-approved CMC request signature verification
|
|
|
2413b1 |
+LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
|
|
|
2413b1 |
#
|
|
|
2413b1 |
# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY
|
|
|
2413b1 |
# - used when CMC (user-signed or self-signed) certificate requests or revocation requests
|
|
|
2413b1 |
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
2413b1 |
index f527967..27ae0de 100644
|
|
|
2413b1 |
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
2413b1 |
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
|
|
|
2413b1 |
@@ -1198,15 +1198,7 @@ public class CryptoUtil {
|
|
|
2413b1 |
// grammar defined at https://tools.ietf.org/html/rfc7468#section-3
|
|
|
2413b1 |
s = s.replaceAll("-----(BEGIN|END) [\\p{Print}&&[^- ]]([- ]?[\\p{Print}&&[^- ]])*-----", "");
|
|
|
2413b1 |
|
|
|
2413b1 |
- StringBuffer sb = new StringBuffer();
|
|
|
2413b1 |
- StringTokenizer st = new StringTokenizer(s, "\r\n ");
|
|
|
2413b1 |
-
|
|
|
2413b1 |
- while (st.hasMoreTokens()) {
|
|
|
2413b1 |
- String nextLine = st.nextToken();
|
|
|
2413b1 |
- nextLine = nextLine.trim();
|
|
|
2413b1 |
- sb.append(nextLine);
|
|
|
2413b1 |
- }
|
|
|
2413b1 |
- return sb.toString();
|
|
|
2413b1 |
+ return Utils.normalizeString(s);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
|
|
|
2413b1 |
public static String normalizeCertStr(String s) {
|
|
|
2413b1 |
diff --git a/base/util/src/com/netscape/cmsutil/util/Utils.java b/base/util/src/com/netscape/cmsutil/util/Utils.java
|
|
|
2413b1 |
index a9ee974..5ff78ad 100644
|
|
|
2413b1 |
--- a/base/util/src/com/netscape/cmsutil/util/Utils.java
|
|
|
2413b1 |
+++ b/base/util/src/com/netscape/cmsutil/util/Utils.java
|
|
|
2413b1 |
@@ -32,6 +32,7 @@ import java.net.InetAddress;
|
|
|
2413b1 |
import java.net.UnknownHostException;
|
|
|
2413b1 |
import java.text.SimpleDateFormat;
|
|
|
2413b1 |
import java.util.Date;
|
|
|
2413b1 |
+import java.util.StringTokenizer;
|
|
|
2413b1 |
import java.util.Vector;
|
|
|
2413b1 |
|
|
|
2413b1 |
import org.apache.commons.codec.binary.Base64;
|
|
|
2413b1 |
@@ -330,4 +331,26 @@ public class Utils {
|
|
|
2413b1 |
public static byte[] base64decode(String string) {
|
|
|
2413b1 |
return Base64.decodeBase64(string);
|
|
|
2413b1 |
}
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ /**
|
|
|
2413b1 |
+ * Normalize B64 input String
|
|
|
2413b1 |
+ *
|
|
|
2413b1 |
+ * @pram string base-64 string
|
|
|
2413b1 |
+ * @return normalized string
|
|
|
2413b1 |
+ */
|
|
|
2413b1 |
+ public static String normalizeString(String string) {
|
|
|
2413b1 |
+ if (string == null) {
|
|
|
2413b1 |
+ return string;
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ StringBuffer sb = new StringBuffer();
|
|
|
2413b1 |
+ StringTokenizer st = new StringTokenizer(string, "\r\n ");
|
|
|
2413b1 |
+
|
|
|
2413b1 |
+ while (st.hasMoreTokens()) {
|
|
|
2413b1 |
+ String nextLine = st.nextToken();
|
|
|
2413b1 |
+ nextLine = nextLine.trim();
|
|
|
2413b1 |
+ sb.append(nextLine);
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
+ return sb.toString();
|
|
|
2413b1 |
+ }
|
|
|
2413b1 |
}
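Review bot: The Javadoc on `normalizeString` misspells the tag — `@pram string` should be `@param string base-64 string` — so javadoc drops the parameter description. `StringBuffer` buys nothing here since the builder never leaves the method; `StringBuilder sb = new StringBuilder();` is the idiomatic choice. The summary should also say what the method does now that it is applied to audit data as well as PEM bodies: it removes CR, LF and space separators, trims each remaining token, and performs no base64 validation, so the result is not guaranteed to decode.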
|
|
|
2413b1 |
--
|
|
|
2413b1 |
1.8.3.1
|
|
|
2413b1 |
|
|
|
2413b1 |
|
|
|
2413b1 |
From 5d46447f9c680fff61bbb72b36dee13e53f549af Mon Sep 17 00:00:00 2001
|
|
|
2413b1 |
From: Christina Fu <cfu@redhat.com>
|
|
|
2413b1 |
Date: Sat, 3 Feb 2018 15:50:24 -0800
|
|
|
2413b1 |
Subject: [PATCH 8/9] Ticket #2921 CMC: Revocation works with an unknown
|
|
|
2413b1 |
revRequest.issuer
|
|
|
2413b1 |
|
|
|
2413b1 |
This patch adds a check of the issuer value in the RevokeRequest against the issuer of the certificate to be revoked.
|
|
|
2413b1 |
|
|
|
2413b1 |
fixes: https://pagure.io/dogtagpki/issue/2921
|
|
|
2413b1 |
Change-Id: Ib2bb2debeb7d1c7ffea1799b5c32630062ddca6a
|
|
|
2413b1 |
(cherry picked from commit c2c5bdad088fabbb89a8d3634530c74dae78c875)
|
|
|
2413b1 |
(cherry picked from commit d3fa14e61d76de48631a209f95ae6f91d9da4484)
|
|
|
2413b1 |
---
|
|
|
2413b1 |
.../com/netscape/certsrv/base/SessionContext.java | 1 +
|
|
|
2413b1 |
.../src/com/netscape/cmstools/CMCRequest.java | 1 +
|
|
|
2413b1 |
.../cms/authentication/CMCUserSignedAuth.java | 18 ++++++++
|
|
|
2413b1 |
.../cms/servlet/common/CMCOutputTemplate.java | 52 +++++++++++++++++++---
|
|
|
2413b1 |
4 files changed, 65 insertions(+), 7 deletions(-)
|
|
|
2413b1 |
|
|
|
2413b1 |
diff --git a/base/common/src/com/netscape/certsrv/base/SessionContext.java b/base/common/src/com/netscape/certsrv/base/SessionContext.java
|
|
|
2413b1 |
index 9323e6e..691173b 100644
|
|
|
2413b1 |
--- a/base/common/src/com/netscape/certsrv/base/SessionContext.java
|
|
|
2413b1 |
+++ b/base/common/src/com/netscape/certsrv/base/SessionContext.java
|
|
|
2413b1 |
@@ -56,6 +56,7 @@ public class SessionContext extends Hashtable<Object, Object> {
|
|
|
2413b1 |
* Principal name object of the signed CMC request
|
|
|
2413b1 |
*/
|
|
|
2413b1 |
public static final String CMC_SIGNER_PRINCIPAL = "cmcSignerPrincipal";
|
|
|
2413b1 |
+ public static final String CMC_ISSUER_PRINCIPAL = "cmcISSUERPrincipal";
|
|
|
2413b1 |
public static final String CMC_SIGNER_INFO = "cmcSignerInfo";
|
|
|
2413b1 |
public static final String CMC_REQUEST_CERT_SUBJECT = "cmcRequestCertSubject";
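Review bot: The new `CMC_ISSUER_PRINCIPAL` value `"cmcISSUERPrincipal"` breaks the camel-case convention of its neighbours (`"cmcSignerPrincipal"`, `"cmcSignerInfo"`), and because it is a string key stored in the session context it gets harder to rename once other code reads it; `public static final String CMC_ISSUER_PRINCIPAL = "cmcIssuerPrincipal";` before this lands would avoid that. The sibling constant carries a Javadoc describing the object stored under it; this one should too, e.g. `/** Principal name object of the issuer named in the CMC revocation request */`, adjusted to whatever the CMCUserSignedAuth change actually stores — that hunk is cut off in this view.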
|
|
|
2413b1 |
|
|
|
2413b1 |
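diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index fc58f4e..8146cee 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -1180,6 +1180,7 @@ public class CMCRequest {
 System.out.println(method + "issuer name must be supplied when shared secret is used");
 System.exit(1);
 }
+ System.out.println(method + "adding revRequestIssuer: " + revRequestIssuer);
 issuerName = new X500Name(revRequestIssuer);
 } else { // signing case; revokeSignCert is required
 if (revokeSignCert == null) {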
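diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
index 9dbf787..527b7e5 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCUserSignedAuth.java
@@ -40,6 +40,7 @@ import java.util.Locale;
 import java.util.Vector;
 
 import org.mozilla.jss.CryptoManager;
+import org.mozilla.jss.asn1.ANY;
 import org.mozilla.jss.asn1.ASN1Util;
 import org.mozilla.jss.asn1.BIT_STRING;
 import org.mozilla.jss.asn1.INTEGER;
@@ -491,6 +492,23 @@ public class CMCUserSignedAuth implements IAuthManager, IExtendedPluginInfo,
 Integer IntObject = Integer.valueOf((int) reasonCode);
 authToken.set(REASON_CODE, IntObject);
 
+ ANY issuerANY = revRequest.getIssuerName();
+ // handling of faillures with issuer is deferred
+ // to CMCOutputTemplate so that we can
+ // have a chance to capture user identification info
+ if (issuerANY != null) {
+ try {
+ byte[] issuerBytes = issuerANY.getEncoded();
+ X500Name issuerName = new X500Name(issuerBytes);
+ CMS.debug(method + "revRequest issuer name = " + issuerName.toString());
+ // capture issuer principal to be checked against
+ // cert issuer principal later in CMCOutputTemplate
+ auditContext.put(SessionContext.CMC_ISSUER_PRINCIPAL, issuerName);
+ } catch (Exception e) {
+ CMS.debug(method + "failed getting issuer from RevokeRequest:" + e.toString());
+ }
+ }
+
 //authToken.set("uid", uid);
 //authToken.set("userid", userid);
 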
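Review bot: The `catch (Exception e)` closing the new block hides every failure of the issuer decode, including runtime errors unrelated to malformed input, behind a single debug line, and the comment above it has a typo (`faillures`). Catching only the checked exception the `X500Name(byte[])` constructor declares would keep the deferred-handling design without masking other bugs. The comment would also be more useful if it stated the consequence, e.g. `// on failure CMC_ISSUER_PRINCIPAL stays unset; CMCOutputTemplate treats that as an issuer mismatch (BAD_IDENTITY) for shared-secret revocations`, which is what the companion CMCOutputTemplate hunk in this patch does with a null value. The enclosing method starts before and ends after this hunk.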
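diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
index e89c9a0..a0a946d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
@@ -971,10 +971,6 @@ public class CMCOutputTemplate {
 CMS.debug(method + "authManagerId =" + authManagerId);
 }
 
- // in case of CMCUserSignedAuth,
- // for matching signer and revoked cert principal
- X500Name signerPrincipal = null;
-
 // for auditing
 String auditRequesterID = null;
 auditRequesterID = (String) context.get(SessionContext.USER_ID);
@@ -984,7 +980,14 @@ public class CMCOutputTemplate {
 } else {
 auditRequesterID = ILogger.NONROLEUSER;
 }
- signerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL);
+
+ // in case of CMCUserSignedAuth,
+ // for matching signer and revoked cert principal
+ X500Name reqSignerPrincipal = (X500Name) context.get(SessionContext.CMC_SIGNER_PRINCIPAL);
+
+ // in case of shared secret revocation, for matching issuer
+ X500Name reqIssuerPrincipal = (X500Name) context.get(SessionContext.CMC_ISSUER_PRINCIPAL);
+
 String auditSubjectID = null;
 String auditRequestType = "revoke";
 String auditSerialNumber = null;
@@ -1019,7 +1022,7 @@ public class CMCOutputTemplate {
 
 if (needVerify) {
 if (authManagerId.equals("CMCUserSignedAuth")) {
- if (signerPrincipal == null) {
+ if (reqSignerPrincipal == null) {
 CMS.debug(method + "missing CMC signer principal");
 OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
 new INTEGER(OtherInfo.BAD_MESSAGE_CHECK),
@@ -1235,12 +1238,47 @@ public class CMCOutputTemplate {
 X509CertImpl impl = record.getCertificate();
 
 X500Name certPrincipal = (X500Name) impl.getSubjectDN();
+ X500Name certIssuerPrincipal = (X500Name) impl.getIssuerDN();
 auditSubjectID = certPrincipal.toString();
 
+ // for Shared Secret case, check if issuer DN matches
+ if (reqSecret != null) {
+ CMS.debug(method + "shared secret revocation: checking issuer DN");
+ if ((reqIssuerPrincipal == null) ||
+ ! reqIssuerPrincipal.equals(certIssuerPrincipal)) {
+ msg = " certificate issuer DN and revocation request issuer DN do not match";
+ CMS.debug(method + msg);
+ OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY),
+ null, null);
+ SEQUENCE failed_bpids = new SEQUENCE();
+ failed_bpids.addElement(attrbpid);
+ cmcStatusInfoV2 = new CMCStatusInfoV2(CMCStatusInfoV2.FAILED, failed_bpids, msg,
+ otherInfo);
+ tagattr = new TaggedAttribute(
+ new INTEGER(bpid++),
+ OBJECT_IDENTIFIER.id_cmc_statusInfoV2, cmcStatusInfoV2);
+ controlSeq.addElement(tagattr);
+
+ audit(new CertStatusChangeRequestProcessedEvent(
+ auditSubjectID,
+ ILogger.FAILURE,
+ auditReqID,
+ auditSerialNumber,
+ auditRequestType,
+ auditReasonNum,
+ auditApprovalStatus,
+ msg));
+
+ return bpid;
+ } else {
+ CMS.debug( method + "certificate issuer DN and revocation request issuer DN match");
+ }
+ }
+
 // in case of user-signed request, check if signer
 // principal matches that of the revoking cert
 if ((reqSecret == null) && authManagerId.equals("CMCUserSignedAuth")) {
- if (!certPrincipal.equals(signerPrincipal)) {
+ if (!certPrincipal.equals(reqSignerPrincipal)) {
 msg = " certificate principal and signer do not match";
 CMS.debug(method + msg);
 OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL, new INTEGER(OtherInfo.BAD_IDENTITY),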
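Review bot: The failure path of the new issuer check in the last hunk (OtherInfo, failed_bpids, CMCStatusInfoV2, TaggedAttribute, audit event, `return bpid`) appears to be a copy of the signer-mismatch failure path that begins at the hunk's end and continues past it, differing only in the message; a private helper taking the message and the audit fields would keep the two BAD_IDENTITY responses from drifting apart. The comparison `reqIssuerPrincipal.equals(certIssuerPrincipal)` depends on X500Name equality semantics: if that comparison is encoding-sensitive, an issuer supplied by the client as a string and one decoded from the certificate's DER could compare unequal, which rejects the request (fails closed) rather than accepting it, but deserves a comment or a test. Note that the issuer is verified only on the shared-secret path (`reqSecret != null`); the user-signed path still relies solely on the signer/subject match below. The enclosing method starts before and ends after this hunk.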
--
1.8.3.1
From 8f94902f7837fa3f9338e461e706f7ca85cdf7fd Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 19 Jan 2018 17:01:12 +1100
Subject: [PATCH 9/9] Fix profile import dropping backslash characters
When writing (importing, updating) RAW profile data, config values
that have backslashes in them have the backslashes dropped, leading
to issuance failures or issuance of incorrect certificates. For
example:
policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat\, Inc.
becomes:
policyset.x.1.default.params.name=CN=$request.req_subject_name.cn$,O=Red Hat, Inc.
which causes issuance failures due to parse failure of the resulting
DN.
This occurs because java.util.Properties is opinionated about what
does or doesn't need to be escaped. The ProfileSubsystem "raw"
methods originally used Properties to avoid more use of our "custom"
SimpleProperties class. That turned out to be a mistake, due to
Properties' incompatible treatment of backslashes. Switch over to
SimpleProperties for handling raw profile data.
Fixes: https://pagure.io/dogtagpki/issue/2909
Change-Id: I5cd738651cbfba0cad607d2b02edea04fe6be561
(cherry picked from commit e634316eb7f2aedc65fe528fb572b15e1bdc1eb2)
(cherry picked from commit 10498f9c1db06ff31712a5543a9a0a76cb2523e2)
---
.../dogtagpki/server/ca/rest/ProfileService.java | 27 ++++------------------
1 file changed, 4 insertions(+), 23 deletions(-)
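diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 3a68a1c..2884704 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -29,7 +29,6 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Properties;
 import java.util.Vector;
 
 import javax.ws.rs.PathParam;
@@ -523,9 +522,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
 Map<String, String> auditParams = new LinkedHashMap<String, String>();
 String profileId = null;
 String classId = null;
- // First read the data into a Properties to process escaped
- // separator characters (':', '=') in values
- Properties properties = new Properties();
+ SimpleProperties properties = new SimpleProperties();
 try {
 // load data and read profileId and classId
 properties.load(new ByteArrayInputStream(data));
@@ -543,16 +540,9 @@ public class ProfileService extends SubsystemService implements ProfileResource
 properties.remove("profileId");
 properties.remove("classId");
 
- // Now copy into SimpleProperties to avoid unwanted escapes
- // of separator characters in output
- SimpleProperties simpleProperties = new SimpleProperties();
- for (String k : properties.stringPropertyNames()) {
- simpleProperties.setProperty(k, properties.getProperty(k));
- }
-
 try {
 ByteArrayOutputStream out = new ByteArrayOutputStream();
- simpleProperties.store(out, null);
+ properties.store(out, null);
 data = out.toByteArray(); // original data sans profileId, classId
 
 IProfile profile = ps.getProfile(profileId);
@@ -669,9 +659,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
 throw new ConflictingOperationException("Cannot change profile data. Profile must be disabled");
 }
 
- // First read the data into a Properties to process escaped
- // separator characters (':', '=') in values
- Properties properties = new Properties();
+ SimpleProperties properties = new SimpleProperties();
 try {
 properties.load(new ByteArrayInputStream(data));
 } catch (IOException e) {
@@ -680,13 +668,6 @@ public class ProfileService extends SubsystemService implements ProfileResource
 properties.remove("profileId");
 properties.remove("classId");
 
- // Now copy into SimpleProperties to avoid unwanted escapes
- // of separator characters in output
- SimpleProperties simpleProperties = new SimpleProperties();
- for (String k : properties.stringPropertyNames()) {
- simpleProperties.setProperty(k, properties.getProperty(k));
- }
-
 try {
 IProfile profile = ps.getProfile(profileId);
 if (profile == null) {
@@ -694,7 +675,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
 }
 
 ByteArrayOutputStream out = new ByteArrayOutputStream();
- simpleProperties.store(out, null);
+ properties.store(out, null);
 data = out.toByteArray(); // original data sans profileId, classId
 
 // create temporary profile to verify profile configuration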
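Review bot: The two hunks that replace `Properties` with `SimpleProperties` (the one at `@@ -523,9 +522,7 @@` and the one at `@@ -669,9 +659,7 @@`) delete the comments explaining the parsing choice and leave nothing in their place, so a future reader has no hint why the project's own class is used instead of `java.util.Properties`; suggest a comment on each `SimpleProperties properties = new SimpleProperties();` such as `// SimpleProperties, not java.util.Properties: backslashes in values must survive load/store unchanged (see issue 2909)`. Since `SimpleProperties.load` now parses the entire raw profile body, its treatment of escaped `:`/`=` separators, which the removed comment said `Properties` was relied on for, and the charset it reads the byte array with should be confirmed, as neither is visible from these hunks. Both enclosing methods start before and end after their hunks.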
--
1.8.3.1