From ae472954d4b1a62b368acf044ac5e7c15ef8d0e4 Mon Sep 17 00:00:00 2001

From: John Magne <jmagne@mharmsen-rhel7.usersys.redhat.com>

Date: Fri, 19 Oct 2018 19:23:37 -0400

Subject: [PATCH 03/19] Resolves: Bug 1624097 - CC: Identify version/release of

 pki-ca, pki-kra, pki-ocsp, pki-tks, and pki-tps remotely.

---

 .../netscape/cms/servlet/csadmin/GetStatus.java    | 48 ++++++++++++++++++++++

 1 file changed, 48 insertions(+)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java

index 1d2d0e6..338e26b 100644

--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java

+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/GetStatus.java

@@ -18,6 +18,7 @@

 package com.netscape.cms.servlet.csadmin;

 import java.io.IOException;

+import java.io.FileInputStream;

 import java.util.Locale;

 import javax.servlet.ServletConfig;

@@ -34,6 +35,8 @@ import com.netscape.cms.servlet.base.CMSServlet;

 import com.netscape.cms.servlet.base.UserInfo;

 import com.netscape.cms.servlet.common.CMSRequest;

 import com.netscape.cmsutil.xml.XMLObject;

+import org.apache.commons.io.IOUtils;

+import org.apache.commons.lang.StringUtils;

 public class GetStatus extends CMSServlet {

@@ -41,6 +44,8 @@ public class GetStatus extends CMSServlet {

      *

      */

     private static final long serialVersionUID = -2852842030221659847L;

+    // File below will be a member of a pki theme package.

+    private static final String productVersionFILE = "/usr/share/pki/CS_SERVER_VERSION";

     public GetStatus() {

         super();

@@ -80,6 +85,13 @@ public class GetStatus extends CMSServlet {

             xmlObj.addItemToContainer(root, "Type", type);

             xmlObj.addItemToContainer(root, "Status", status);

             xmlObj.addItemToContainer(root, "Version", version);

+            // File below will be a member of a pki theme package.

+            String productVersion = getProductVersion(productVersionFILE);

+

+            if(!StringUtils.isEmpty(productVersion)) {

+                xmlObj.addItemToContainer(root,"ProductVersion", productVersion);

+            }

+

             byte[] cb = xmlObj.toByteArray();

             outputResult(httpResp, "application/xml", cb);

@@ -108,4 +120,40 @@ public class GetStatus extends CMSServlet {

         return locale;

     }

+    /**

+     * Return the product version if the file: /usr/share/pki/CS_SERVER_VERSION

+     * exists.

+     *

+     * Caller only cares if there is a string or not, exceptions handled here.

+     */

+    private String getProductVersion(String versionFilePathName) {

+        String version = null;

+        FileInputStream inputStream = null;

+

+        if(StringUtils.isEmpty(versionFilePathName)) {

+            CMS.debug("Missing product version file path!");

+            return null;

+        }

+

+        try {

+            inputStream = new FileInputStream(versionFilePathName);

+            String contents = IOUtils.toString(inputStream);

+            

+            if(contents != null) {

+                CMS.debug("Returning product version: " + version);

+                version = contents.trim();

+            }

+        } catch (Exception e) {

+            CMS.debug("Failed to read product version String. " + e);

+        }

+        finally {

+            if(inputStream != null) {

+                try {

+                    inputStream.close();

+                } catch (IOException e) {

+                }

+            }

+        }

+        return version;

+    }

 }

-- 

1.8.3.1

From 28452a131f11d6372beb6bc262b7c26bb4cb1961 Mon Sep 17 00:00:00 2001

From: Matthew Harmsen <mharmsen@redhat.com>

Date: Fri, 14 Sep 2018 19:19:23 -0600

Subject: [PATCH 04/19] Ticket 2865 X500Name.directoryStringEncodingOrder

 overridden by CSR encoding

https://pagure.io/dogtagpki/issue/2865 coverity fixes

(cherry picked from commit b375305e00dedc4127e5aa1b97e11dcc26a68f72)

---

 .../netscape/cms/profile/def/UserSubjectNameDefault.java   | 14 +++++++++++++-

 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java

index 636b045..459735e 100644

--- a/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java

+++ b/base/server/cms/src/com/netscape/cms/profile/def/UserSubjectNameDefault.java

@@ -105,7 +105,13 @@ public class UserSubjectNameDefault extends EnrollDefault {

                      * keep the old name so that the attribute

                      * encodings are preserved. */

                     X500Name oldX500name = oldName.getX500Name();

-                    if (x500name.toString().equals(oldX500name.toString())) {

+                    if (x500name == null) {

+                        CMS.debug( method

+                            + "new Subject DN is null; "

+                            + "retaining current value."

+                        );

+                        x500name = oldX500name;

+                    } else if (x500name.toString().equals(oldX500name.toString())) {

                         CMS.debug( method

                             + "new Subject DN has same string representation "

                             + "as current value; retaining current value."

@@ -196,6 +202,12 @@ public class UserSubjectNameDefault extends EnrollDefault {

         // to the certinfo

         CertificateSubjectName req_sbj = request.getExtDataInCertSubjectName(

                     IEnrollProfile.REQUEST_SUBJECT_NAME);

+        if (req_sbj == null) {

+            // failed to retrieve subject name

+            CMS.debug("UserSubjectNameDefault: populate req_sbj is null");

+            throw new EProfileException(CMS.getUserMessage(getLocale(request),

+                        "CMS_PROFILE_SUBJECT_NAME_NOT_FOUND"));

+        }

         try {

             info.set(X509CertInfo.SUBJECT, req_sbj);

-- 

1.8.3.1

From 2180a832fa531120c9fe2dead72b58e615ef4744 Mon Sep 17 00:00:00 2001

From: Christina Fu <cfu@redhat.com>

Date: Wed, 22 Aug 2018 18:12:06 -0700

Subject: [PATCH 07/19] ticket #2879 audit events for CA acting as TLS client

This patch provides code for ticket 2879, adding audit events for CS when

 acting as a TLS client.

For a running CS system, there are two cases when this happens:

1. When one CS subsystem is talking to another CS subsystem

    In this case: HttpClient is used

2. When a CS subsystem is talking to an ldap syste

    In this case: PKISocketFactory is used

Events added are:

 - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE

 - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS

 - LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED

https://pagure.io/dogtagpki/issue/2879

Change-Id: Ib8e4c27c57cb2b13b461c36f37f52dc6a13956f8

(cherry picked from commit add6813cb15673d604f05173585101a6e56745ca)

---

 base/ca/shared/conf/CS.cfg                         |   4 +-

 .../event/ClientAccessSessionEstablishEvent.java   |  74 +++++++

 .../event/ClientAccessSessionTerminatedEvent.java  |  53 +++++

 base/kra/shared/conf/CS.cfg                        |   4 +-

 base/ocsp/shared/conf/CS.cfg                       |   4 +-

 .../cms/publish/publishers/OCSPPublisher.java      |   4 +

 .../dogtagpki/server/PKIClientSocketListener.java  | 230 +++++++++++++++++++++

 base/server/cmsbundle/src/LogMessages.properties   |  20 ++

 .../cmscore/connector/HttpConnFactory.java         |   6 +

 .../netscape/cmscore/connector/HttpConnection.java |  42 ++++

 .../netscape/cmscore/connector/HttpConnector.java  |  10 +

 .../com/netscape/cmscore/connector/Resender.java   |   8 +-

 .../cmscore/ldapconn/PKISocketFactory.java         |   9 +-

 base/tks/shared/conf/CS.cfg                        |   4 +-

 .../src/com/netscape/cmsutil/http/HttpClient.java  |  14 ++

 .../netscape/cmsutil/http/JssSSLSocketFactory.java |   8 +

 16 files changed, 484 insertions(+), 10 deletions(-)

 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java

 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java

 create mode 100644 base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg

index 92504ff..4cef240 100644

--- a/base/ca/shared/conf/CS.cfg

+++ b/base/ca/shared/conf/CS.cfg

@@ -905,11 +905,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging

 log.instance.SignedAudit._002=##

 log.instance.SignedAudit._003=##

 log.instance.SignedAudit._004=## Available Audit events:

-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION

+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION

 log.instance.SignedAudit._006=##

 log.instance.SignedAudit.bufferSize=512

 log.instance.SignedAudit.enable=true

-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG

+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG

 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)

 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)

 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)

diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java

new file mode 100644

index 0000000..f54641a

--- /dev/null

+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java

@@ -0,0 +1,74 @@

+// --- BEGIN COPYRIGHT BLOCK ---

+// This program is free software; you can redistribute it and/or modify

+// it under the terms of the GNU General Public License as published by

+// the Free Software Foundation; version 2 of the License.

+//

+// This program is distributed in the hope that it will be useful,

+// but WITHOUT ANY WARRANTY; without even the implied warranty of

+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+// GNU General Public License for more details.

+//

+// You should have received a copy of the GNU General Public License along

+// with this program; if not, write to the Free Software Foundation, Inc.,

+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+//

+// (C) 2017 Red Hat, Inc.

+// All rights reserved.

+// --- END COPYRIGHT BLOCK ---

+package com.netscape.certsrv.logging.event;

+

+import com.netscape.certsrv.logging.ILogger;

+import com.netscape.certsrv.logging.SignedAuditEvent;

+

+public class ClientAccessSessionEstablishEvent extends SignedAuditEvent {

+

+    private static final long serialVersionUID = 1L;

+

+    public final static String CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS =

+            "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS";

+

+    public final static String CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE =

+            "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE";

+

+    public ClientAccessSessionEstablishEvent(String messageID) {

+        super(messageID);

+    }

+

+    public static ClientAccessSessionEstablishEvent createSuccessEvent(

+            String clientHost,

+            String serverHost,

+            String serverPort,

+            String subjectID) {

+

+        ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(

+                CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS);

+

+        event.setAttribute("ClientHost", clientHost);

+        event.setAttribute("ServerHost", serverHost);

+        event.setAttribute("ServerPort", serverPort);

+        event.setAttribute("SubjectID", subjectID);

+        event.setAttribute("Outcome", ILogger.SUCCESS);

+

+        return event;

+    }

+

+    public static ClientAccessSessionEstablishEvent createFailureEvent(

+            String clientHost,

+            String serverHost,

+            String serverPort,

+            String subjectID,

+            String info) {

+

+        ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(

+                CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE);

+

+        event.setAttribute("ClientHost", clientHost);

+        event.setAttribute("ServerHost", serverHost);

+        event.setAttribute("ServerPort", serverPort);

+        event.setAttribute("SubjectID", subjectID);

+        event.setAttribute("Outcome", ILogger.FAILURE);

+        event.setAttribute("Info", info);

+

+        return event;

+    }

+}

diff --git a/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java

new file mode 100644

index 0000000..cad0c97

--- /dev/null

+++ b/base/common/src/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java

@@ -0,0 +1,53 @@

+// --- BEGIN COPYRIGHT BLOCK ---

+// This program is free software; you can redistribute it and/or modify

+// it under the terms of the GNU General Public License as published by

+// the Free Software Foundation; version 2 of the License.

+//

+// This program is distributed in the hope that it will be useful,

+// but WITHOUT ANY WARRANTY; without even the implied warranty of

+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+// GNU General Public License for more details.

+//

+// You should have received a copy of the GNU General Public License along

+// with this program; if not, write to the Free Software Foundation, Inc.,

+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+//

+// (C) 2017 Red Hat, Inc.

+// All rights reserved.

+// --- END COPYRIGHT BLOCK ---

+package com.netscape.certsrv.logging.event;

+

+import com.netscape.certsrv.logging.ILogger;

+import com.netscape.certsrv.logging.SignedAuditEvent;

+

+public class ClientAccessSessionTerminatedEvent extends SignedAuditEvent {

+

+    private static final long serialVersionUID = 1L;

+

+    public final static String CLIENT_ACCESS_SESSION_TERMINATED =

+            "LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED";

+

+    public ClientAccessSessionTerminatedEvent(String messageID) {

+        super(messageID);

+    }

+

+    public static ClientAccessSessionTerminatedEvent createEvent(

+            String clientHost,

+            String serverHost,

+            String serverPort,

+            String subjectID,

+            String info) {

+

+        ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent(

+                CLIENT_ACCESS_SESSION_TERMINATED);

+

+        event.setAttribute("ClientHost", clientHost);

+        event.setAttribute("ServerHost", serverHost);

+        event.setAttribute("ServerPort", serverPort);

+        event.setAttribute("SubjectID", subjectID);

+        event.setAttribute("Outcome", ILogger.SUCCESS);

+        event.setAttribute("Info", info);

+

+        return event;

+    }

+}

diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg

index 878e5f8..6108576 100644

--- a/base/kra/shared/conf/CS.cfg

+++ b/base/kra/shared/conf/CS.cfg

@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging

 log.instance.SignedAudit._002=##

 log.instance.SignedAudit._003=##

 log.instance.SignedAudit._004=## Available Audit events:

-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION

+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION

 log.instance.SignedAudit._006=##

 log.instance.SignedAudit.bufferSize=512

 log.instance.SignedAudit.enable=true

-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL

+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL

 log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)

 log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)

 log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)

diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg

index b412e5e..d2e5256 100644

--- a/base/ocsp/shared/conf/CS.cfg

+++ b/base/ocsp/shared/conf/CS.cfg

@@ -216,11 +216,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging

 log.instance.SignedAudit._002=##

 log.instance.SignedAudit._003=##

 log.instance.SignedAudit._004=## Available Audit events:

-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION

+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION

 log.instance.SignedAudit._006=##

 log.instance.SignedAudit.bufferSize=512

 log.instance.SignedAudit.enable=true

-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL

+log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL

 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)

 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)

 log.instance.SignedAudit.expirationTime=0

diff --git a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java

index 11d44b8..d15523e 100644

--- a/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java

+++ b/base/server/cms/src/com/netscape/cms/publish/publishers/OCSPPublisher.java

@@ -42,6 +42,8 @@ import com.netscape.cmsutil.http.HttpRequest;

 import com.netscape.cmsutil.http.JssSSLSocketFactory;

 import com.netscape.cmsutil.util.Utils;

+import org.dogtagpki.server.PKIClientSocketListener;

+

 import netscape.ldap.LDAPConnection;

 /**

@@ -247,12 +249,14 @@ public class OCSPPublisher implements ILdapPublisher, IExtendedPluginInfo {

             Socket socket = null;

             JssSSLSocketFactory factory;

+            PKIClientSocketListener sockListener = new PKIClientSocketListener();

             if (mClientAuthEnabled) {

                 factory = new JssSSLSocketFactory(mNickname);

             } else {

                 factory = new JssSSLSocketFactory();

             }

+            factory.addSocketListener(sockListener);

             if (mHost != null && mHost.indexOf(' ') != -1) {

                 // support failover hosts configuration

diff --git a/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java

new file mode 100644

index 0000000..dc49908

--- /dev/null

+++ b/base/server/cms/src/org/dogtagpki/server/PKIClientSocketListener.java

@@ -0,0 +1,230 @@

+// --- BEGIN COPYRIGHT BLOCK ---

+// This program is free software; you can redistribute it and/or modify

+// it under the terms of the GNU General Public License as published by

+// the Free Software Foundation; version 2 of the License.

+//

+// This program is distributed in the hope that it will be useful,

+// but WITHOUT ANY WARRANTY; without even the implied warranty of

+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+// GNU General Public License for more details.

+//

+// You should have received a copy of the GNU General Public License along

+// with this program; if not, write to the Free Software Foundation, Inc.,

+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

+//

+// (C) 2017 Red Hat, Inc.

+// All rights reserved.

+// --- END COPYRIGHT BLOCK ---

+package org.dogtagpki.server;

+

+import java.lang.Integer;

+import java.net.InetAddress;

+import java.security.Principal;

+import java.util.HashMap;

+import java.util.Map;

+import java.util.WeakHashMap;

+

+import org.mozilla.jss.crypto.X509Certificate;

+import org.mozilla.jss.ssl.SSLAlertDescription;

+import org.mozilla.jss.ssl.SSLAlertEvent;

+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;

+import org.mozilla.jss.ssl.SSLSecurityStatus;

+import org.mozilla.jss.ssl.SSLSocket;

+import org.mozilla.jss.ssl.SSLSocketListener;

+import org.slf4j.Logger;

+import org.slf4j.LoggerFactory;

+

+import com.netscape.certsrv.logging.SignedAuditEvent;

+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;

+import com.netscape.certsrv.logging.event.ClientAccessSessionTerminatedEvent;

+import com.netscape.cms.logging.SignedAuditLogger;

+import com.netscape.certsrv.apps.CMS;

+

+public class PKIClientSocketListener implements SSLSocketListener {

+

+    private static Logger logger = LoggerFactory.getLogger(PKIClientSocketListener.class);

+    private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();

+

+    /**

+     * The socketInfos map is a storage for socket information that may not be available

+     * after the socket has been closed such as client IP address and subject ID. The

+     * WeakHashMap is used here to allow the map key (i.e. the socket object) to be

+     * garbage-collected since there is no guarantee that socket will be closed with an

+     * SSL alert for a proper map entry removal.

+     */

+    Map<SSLSocket,Map<String,Object>> socketInfos = new WeakHashMap<>();

+

+    @Override

+    public void alertReceived(SSLAlertEvent event) {

+        String method = "PKIClientSocketListener.alertReceived: ";

+CMS.debug(method + "begins");

+        try {

+            SSLSocket socket = event.getSocket();

+

+            InetAddress serverAddress = socket.getInetAddress();

+            InetAddress clientAddress = socket.getLocalAddress();

+            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();

+            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();

+            String serverPort = Integer.toString(socket.getPort());

+

+            SSLSecurityStatus status = socket.getStatus();

+/*

+            X509Certificate peerCertificate = status.getPeerCertificate();

+            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();

+            String subjectID = subjectDN == null ? "" : subjectDN.toString();

+*/

+String subjectID = "SYSTEM";

+

+            int description = event.getDescription();

+            String reason = SSLAlertDescription.valueOf(description).toString();

+

+            logger.debug("SSL alert received:");

+            logger.debug(" - reason: " + reason);

+            logger.debug(" - client: " + clientIP);

+            logger.debug(" - server: " + serverIP);

+            logger.debug(" - subject: " + subjectID);

+

+

+            signedAuditLogger.log(ClientAccessSessionTerminatedEvent.createEvent(

+                    clientIP,

+                    serverIP,

+                    serverPort,

+                    subjectID,

+                    reason));

+

+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED");

+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason);

+

+        } catch (Exception e) {

+            logger.error(e.getMessage(), e);

+        }

+    }

+

+    @Override

+    public void alertSent(SSLAlertEvent event) {

+        String method = "PKIClientSocketListener.alertSent: ";

+CMS.debug(method + "begins");

+        try {

+            SSLSocket socket = event.getSocket();

+

+            int description = event.getDescription();

+CMS.debug(method + "got description:"+ description);

+            String reason = SSLAlertDescription.valueOf(description).toString();

+CMS.debug(method + "got reason:"+ reason);

+

+            SignedAuditEvent auditEvent;

+            String clientIP;

+            String serverIP;

+            String serverPort;

+            String subjectID;

+

+            if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {

+

+                // get socket info from socketInfos map since socket has been closed

+                Map<String,Object> info = socketInfos.get(socket);

+                clientIP = (String)info.get("clientIP");

+                serverIP = (String)info.get("serverIP");

+                serverPort = (String)info.get("serverPort");

+                subjectID = (String)info.get("subjectID");

+

+                auditEvent = ClientAccessSessionTerminatedEvent.createEvent(

+                        clientIP,

+                        serverIP,

+                        serverPort,

+                        subjectID,

+                        reason);

+

+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED");

+	CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP+ " serverPort=" + serverPort + " reason=" + reason);

+

+            } else {

+

+                // get socket info from the socket itself

+                InetAddress serverAddress = socket.getInetAddress();

+                InetAddress clientAddress = socket.getLocalAddress();

+

+                clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();

+                serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();

+                serverPort = Integer.toString(socket.getPort());

+

+                SSLSecurityStatus status = socket.getStatus();

+/*

+                X509Certificate peerCertificate = status.getPeerCertificate();

+                Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();

+                subjectID = subjectDN == null ? "" : subjectDN.toString();

+*/

+subjectID = "SYSTEM";

+

+                auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(

+                        clientIP,

+                        serverIP,

+                        serverPort,

+                        subjectID,

+                        reason);

+

+            }

+

+            logger.debug("SSL alert sent:");

+            logger.debug(" - reason: " + reason);

+            logger.debug(" - client: " + clientIP);

+            logger.debug(" - server: " + serverIP);

+            logger.debug(" - subject: " + subjectID);

+

+            signedAuditLogger.log(auditEvent);

+

+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE");

+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort + " reason=" + reason);

+

+        } catch (Exception e) {

+            logger.error(e.getMessage(), e);

+        }

+    }

+

+    @Override

+    public void handshakeCompleted(SSLHandshakeCompletedEvent event) {

+        String method = "PKIClientSocketListener.handshakeCompleted: ";

+CMS.debug(method + "begins");

+        try {

+            SSLSocket socket = event.getSocket();

+

+            InetAddress serverAddress = socket.getInetAddress();

+            InetAddress clientAddress = socket.getLocalAddress();

+            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();

+            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();

+            String serverPort = Integer.toString(socket.getPort());

+

+            SSLSecurityStatus status = socket.getStatus();

+/*

+            X509Certificate peerCertificate = status.getPeerCertificate();

+            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();

+            String subjectID = subjectDN == null ? "" : subjectDN.toString();

+*/

+String subjectID = "SYSTEM";

+

+            logger.debug("Handshake completed:");

+            logger.debug(" - client: " + clientIP);

+            logger.debug(" - server: " + serverIP);

+            logger.debug(" - subject: " + subjectID);

+

+            // store socket info in socketInfos map

+            Map<String,Object> info = new HashMap<>();

+            info.put("clientIP", clientIP);

+            info.put("serverIP", serverIP);

+            info.put("serverPort", serverPort);

+            info.put("subjectID", subjectID);

+            socketInfos.put(socket, info);

+

+            signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent(

+                    clientIP,

+                    serverIP,

+                    serverPort,

+                    subjectID));

+

+        CMS.debug(method + "CS_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS");

+CMS.debug(method + "clientIP=" + clientIP + " serverIP=" + serverIP + " serverPort=" + serverPort);

+

+        } catch (Exception e) {

+            logger.error(e.getMessage(), e);

+        }

+    }

+}

diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties

index d534506..a8a8deb 100644

--- a/base/server/cmsbundle/src/LogMessages.properties

+++ b/base/server/cmsbundle/src/LogMessages.properties

@@ -2775,6 +2775,26 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\

 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\

 <type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated

+#

+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE

+# access session failed to establish when Certificate System acts as client

+#

+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\

+<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client

+#

+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS

+# - used when access session was established successfully when

+#   Certificate System acts as client

+#

+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\

+<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client

+#

+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED

+# - used when access session was terminated when Certificate System acts as client

+#

+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\

+<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client

+

 ###########################

 #Unselectable signedAudit Events

diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java

index 47f5e61..e4f92b4 100644

--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java

+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnFactory.java

@@ -27,6 +27,8 @@ import com.netscape.certsrv.logging.ILogger;

 import com.netscape.cmsutil.http.JssSSLSocketFactory;

 import com.netscape.cmsutil.net.ISocketFactory;

+import org.dogtagpki.server.PKIClientSocketListener;

+

 /**

  * Factory for getting HTTP Connections to a HTTPO server

  */

@@ -127,6 +129,10 @@ public class HttpConnFactory {

         try {

             ISocketFactory tFactory = new JssSSLSocketFactory(mNickname, mClientCiphers);

+            PKIClientSocketListener sockListener = new PKIClientSocketListener()

+;

+            JssSSLSocketFactory factory = (JssSSLSocketFactory) tFactory;

+            factory.addSocketListener(sockListener);

             if (mTimeout == 0) {

                 retConn = CMS.getHttpConnection(mDest, tFactory);

diff --git a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java

index fbd3268..649fa80 100644

--- a/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java

+++ b/base/server/cmscore/src/com/netscape/cmscore/connector/HttpConnection.java

@@ -18,7 +18,10 @@

 package com.netscape.cmscore.connector;

 import java.io.IOException;

+import java.lang.Integer;

 import java.net.InetSocketAddress;

+import java.net.InetAddress;

+import java.net.UnknownHostException;

 import java.util.ArrayList;

 import java.util.List;