From 1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 16 May 2017 17:29:45 -0400 Subject: [PATCH 01/38] Encapsulate the archival audit log This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is already logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2 --- base/ca/src/com/netscape/ca/CAService.java | 45 +++-------- .../com/netscape/certsrv/logging/AuditEvent.java | 4 - .../logging/event/SecurityDataArchivalEvent.java | 59 ++++++++++++++ base/kra/shared/conf/CS.cfg | 4 +- .../src/com/netscape/kra/EnrollmentService.java | 92 ++++++---------------- .../src/com/netscape/kra/KeyRecoveryAuthority.java | 27 ++----- .../src/com/netscape/kra/NetkeyKeygenService.java | 15 +--- .../server/kra/rest/KeyRequestService.java | 9 +-- .../cms/profile/common/CAEnrollProfile.java | 40 +++------- .../cms/servlet/base/SubsystemService.java | 10 +++ base/server/cmsbundle/src/LogMessages.properties | 14 +--- 11 files changed, 132 insertions(+), 187 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java index 2ad1967..45fae66 100644 --- a/base/ca/src/com/netscape/ca/CAService.java +++ b/base/ca/src/com/netscape/ca/CAService.java 
@@ -52,6 +52,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecordList; import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.profile.EProfileException; import com.netscape.certsrv.profile.IProfile; import com.netscape.certsrv.profile.IProfileSubsystem; @@ -368,10 +369,8 @@ public class CAService implements ICAService, IService { * @return true or false */ public boolean serviceRequest(IRequest request) { - String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); - String auditArchiveID = ILogger.SIGNED_AUDIT_NON_APPLICABLE; boolean completed = false; @@ -392,7 +391,7 @@ public class CAService implements ICAService, IService { request.setExtData(IRequest.RESULT, IRequest.RES_ERROR); request.setExtData(IRequest.ERROR, e.toString()); - audit(auditMessage); + // TODO(alee) New audit message needed here return false; } @@ -420,14 +419,10 @@ public class CAService implements ICAService, IService { CMS.debug("CAService: Sending enrollment request to KRA"); // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); boolean sendStatus = mKRAConnector.send(request); 
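Review bot: In the `@@ -392,7 +391,7 @@` hunk the exception path of serviceRequest no longer writes anything to the signed audit log: `audit(auditMessage)` (which was auditing a null message) is replaced by `// TODO(alee) New audit message needed here`, while the success and failure paths further down all emit a SecurityDataArchivalEvent. For a signed audit trail the error path should not be weaker than the success path; if the request type is not known at that point, emit the closest applicable FAILURE event here rather than leaving a bare TODO, or at least tie the TODO to a tracked ticket. The body of serviceRequest continues outside these hunks, so I cannot see whether a caller records this failure elsewhere.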
@@ -439,14 +434,10 @@ public class CAService implements ICAService, IService { new ECAException(CMS.getUserMessage("CMS_CA_SEND_KRA_REQUEST"))); // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); return true; } else { @@ -457,14 +448,10 @@ public class CAService implements ICAService, IService { } if (request.getExtDataInString(IRequest.ERROR) != null) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); return true; } @@ -484,14 +471,10 @@ public class CAService implements ICAService, IService { // store a message in the signed audit log file if (!(type.equals(IRequest.REVOCATION_REQUEST) || type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); } return true; @@ -504,14 +487,10 @@ public class CAService implements ICAService, IService { if (!(type.equals(IRequest.REVOCATION_REQUEST) || type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); } return completed; 
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index 21cac27..a224ae6 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String LOG_PATH_CHANGE = "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - public final static String PRIVATE_KEY_ARCHIVE_REQUEST = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4"; public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = @@ -182,8 +180,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; - public static final String SECURITY_DATA_ARCHIVAL_REQUEST = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4"; public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; public static final String SECURITY_DATA_RECOVERY_REQUEST = diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java new file mode 100644 index 0000000..43f7525 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java 
@@ -0,0 +1,59 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.request.RequestId;
+
+public class SecurityDataArchivalEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ private static final String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST";
+
+ public SecurityDataArchivalEvent(
+ String subjectID,
+ String outcome,
+ RequestId requestID,
+ String clientKeyID) {
+
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ requestID,
+ clientKeyID
+ });
+ }
+
+ public SecurityDataArchivalEvent(
+ String subjectID,
+ String outcome,
+ String requestID) {
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ requestID,
+ null
+ });
+ }
+}
\ No newline at end of file
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index bd49a8d..be4ce71 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg 
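Review bot: The three-argument constructor drops whatever its third argument is into the template's `[ArchivalRequestID={2}]` slot and leaves `[ClientKeyID={3}]` as a bare `null`; in this patch the callers pass `auditRequesterID` (CAService, EnrollmentService, CAEnrollProfile) and `auditSubjectID` (NetkeyKeygenService), so the field label no longer describes what is in it. Name the parameter after what it carries and use the existing not-applicable marker instead of null, e.g. `String requesterID)` and `ILogger.SIGNED_AUDIT_NON_APPLICABLE` in place of `null` (this assumes the message formatter renders a null parameter as the literal string "null" rather than throwing, which is not visible here). A class-level Javadoc stating which constructor is meant for the KRA REST path (RequestId plus client key id) and which for the CA/KRA service paths would prevent further mix-ups. The file also lacks a trailing newline.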
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_
KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true 
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SES
SION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index e413a06..0a1fe1f 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.ProofOfArchival; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.profile.IEnrollProfile; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; 
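Review bot: Only the KRA's CS.cfg drops PRIVATE_KEY_ARCHIVE_REQUEST and relies on SECURITY_DATA_ARCHIVAL_REQUEST, yet the CA side (CAService, CAEnrollProfile) now emits SECURITY_DATA_ARCHIVAL_REQUEST too and the diffstat touches no CA configuration. If the CA's `log.instance.SignedAudit.events` list is, like this one, the set of events actually written to the signed audit log, the CA will keep listing an event that is no longer emitted and may silently filter the new one until its list is updated the same way; this is inferred from the KRA file, so confirm against the CA's CS.cfg. The `_005` comment line and the `events` line should stay in sync in that file as they do here.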
@@ -155,13 +156,10 @@ public class EnrollmentService implements IService { String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); - String auditArchiveID = ILogger.UNIDENTIFIED; String auditPublicKey = ILogger.UNIDENTIFIED; String id = request.getRequestId().toString(); - if (id != null) { - auditArchiveID = id.trim(); - } + if (CMS.debugOn()) CMS.debug("EnrollmentServlet: KRA services enrollment request"); @@ -198,15 +196,11 @@ public class EnrollmentService implements IService { aOpts = CRMFParser.getPKIArchiveOptions( request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST)); } catch (IOException e) { - - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); } @@ -247,14 +241,11 @@ public class EnrollmentService implements IService { } catch (Exception e) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); } @@ -283,14 +274,11 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } 
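Review bot: In the `@@ -155,13 +156,10 @@` hunk `String id = request.getRequestId().toString();` is kept but its only visible consumer (the trim into auditArchiveID) is removed, leaving an unused local and a stray blank `+` line. Either delete the declaration, or, if the KRA request id is meant to stay in the record, pass `request.getRequestId()` through the four-argument SecurityDataArchivalEvent constructor so it lands in `[ArchivalRequestID]`. Later parts of serviceRequest lie outside this view and may still read `id`, so check before removing it.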
@@ -325,14 +313,11 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_DEBUG, e.getMessage()); mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e); } } // !allowEncDecrypt_archival @@ -346,14 +331,11 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } @@ -371,14 +353,11 @@ public class EnrollmentService implements IService { if (owner == null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } 
@@ -406,14 +385,11 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_DEBUG, e.getMessage()); mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY")); } @@ -433,14 +409,11 @@ public class EnrollmentService implements IService { rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize())); } catch (InvalidKeyException e) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD")); } } else if (keyAlg.equals("EC")) { @@ -483,14 +456,11 @@ public class EnrollmentService implements IService { CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER", rec.getSerialNumber().toString())); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } 
@@ -505,14 +475,11 @@ public class EnrollmentService implements IService { } catch (Exception e) { mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters"); // TODO(alee) Set correct audit message here - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } @@ -523,14 +490,11 @@ public class EnrollmentService implements IService { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } if (i == 0) { @@ -580,14 +544,10 @@ public class EnrollmentService implements IService { ); // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); // store a message in the signed audit log file auditPublicKey = auditPublicKey(rec); diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java index 54953d1..de097b2 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java 
@@ -58,6 +58,7 @@ import com.netscape.certsrv.kra.IKeyService; import com.netscape.certsrv.listeners.EListenersException; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.request.ARequestNotifier; import com.netscape.certsrv.request.IPolicy; import com.netscape.certsrv.request.IRequest; @@ -751,11 +752,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); String auditPublicKey = auditPublicKey(rec); - String auditArchiveID = ILogger.UNIDENTIFIED; IRequestQueue queue = null; IRequest r = null; - String id = null; // ensure that any low-level exceptions are reported // to the signed audit log and stored as failures @@ -764,34 +763,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove r = queue.newRequest(KRAService.ENROLLMENT); - if (r != null) { - // overwrite "auditArchiveID" if and only if "id" != null - id = r.getRequestId().toString(); - if (id != null) { - auditArchiveID = id.trim(); - } - } - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); } catch (EBaseException eAudit1) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); - + auditRequesterID)); throw eAudit1; } diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 636e93e..0885469 100644 
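Review bot: In the `@@ -764,34 +763,18 @@` hunk the request just created by `queue.newRequest(KRAService.ENROLLMENT)` is the natural value for the event's `[ArchivalRequestID]` slot, but the new code discards it and logs `auditRequesterID` there instead; the removed block also guarded `r != null` before reading the id, and nothing in the new hunk does. If the KRA request id should remain auditable here, build the event as `audit(new SecurityDataArchivalEvent(auditSubjectID, ILogger.SUCCESS, r.getRequestId(), ILogger.SIGNED_AUDIT_NON_APPLICABLE));` under the same null check, or document why the requester id is preferred. `auditMessage` appears to have no remaining use in this method after the hunk; its declaration is outside the hunk, so confirm before dropping it.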
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; @@ -142,7 +143,6 @@ public class NetkeyKeygenService implements IService { throws EBaseException { String auditMessage = null; String auditSubjectID = null; - String auditArchiveID = ILogger.UNIDENTIFIED; byte[] wrapped_des_key; byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; @@ -165,11 +165,6 @@ public class NetkeyKeygenService implements IService { ; String PubKey = ""; - String id = request.getRequestId().toString(); - if (id != null) { - auditArchiveID = id.trim(); - } - String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG); if (rArchive.equals("true")) { archive = true; @@ -395,14 +390,10 @@ public class NetkeyKeygenService implements IService { // // mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private"); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit( new SecurityDataArchivalEvent( agentId, ILogger.SUCCESS, - auditSubjectID, - auditArchiveID); - - audit(auditMessage); + auditSubjectID)); CMS.debug("KRA encrypts private key to put on internal ldap db"); byte privateKeyData[] = null; diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java index 38f7e93..b0bcff2 100644 --- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java 
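Review bot: In the `@@ -395,14 +390,10 @@` hunk the event is built as `new SecurityDataArchivalEvent(agentId, ILogger.SUCCESS, auditSubjectID)`, so auditSubjectID is written into the `[ArchivalRequestID={2}]` slot, while the actual request id (previously `auditArchiveID` from `request.getRequestId()`, removed in the `@@ -165` hunk) is no longer recorded anywhere in this event. If the agent is the subject of this event, the KRA request id is what belongs in that slot: `audit(new SecurityDataArchivalEvent(agentId, ILogger.SUCCESS, request.getRequestId(), ILogger.SIGNED_AUDIT_NON_APPLICABLE));` — what auditSubjectID holds here is assigned outside the hunk, so confirm whether it must be preserved in some other field. The stray space in `audit( new ...` is a style nit.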
@@ -50,6 +50,7 @@ import com.netscape.certsrv.key.KeyRequestResponse; import com.netscape.certsrv.key.SymKeyGenerationRequest; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; import com.netscape.cms.realm.PKIPrincipal; @@ -354,13 +355,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes } public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { - String msg = CMS.getLogMessage( - AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST, + audit(new SecurityDataArchivalEvent( getRequestor(), status, - requestId != null? requestId.toString(): "null", - clientKeyID); - auditor.log(msg); + requestId, + clientKeyID)); } public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java index 02aa8c8..85db2cb 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java @@ -29,9 +29,9 @@ import com.netscape.certsrv.ca.AuthorityID; import com.netscape.certsrv.ca.ICAService; import com.netscape.certsrv.ca.ICertificateAuthority; import com.netscape.certsrv.connector.IConnector; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.profile.EProfileException; import com.netscape.certsrv.profile.ERejectException; import com.netscape.certsrv.profile.IProfileUpdater; 
@@ -80,15 +80,10 @@ public class CAEnrollProfile extends EnrollProfile { throw new EProfileException("Profile Not Enabled"); } - String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(request); - String auditArchiveID = ILogger.UNIDENTIFIED; - String id = request.getRequestId().toString(); - if (id != null) { - auditArchiveID = id.trim(); - } + CMS.debug("CAEnrollProfile: execute request ID " + id); @@ -117,29 +112,21 @@ public class CAEnrollProfile extends EnrollProfile { CMS.debug("CAEnrollProfile: KRA connector " + "not configured"); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); - + auditRequesterID)); } else { CMS.debug("CAEnrollProfile: execute send request"); kraConnector.send(request); // check response if (!request.isSuccess()) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); if (request.getError(getLocale(request)) != null && (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) { CMS.debug("CAEnrollProfile: execute set request status: REJECTED"); @@ -150,14 +137,10 @@ public class CAEnrollProfile extends EnrollProfile { request.getError(getLocale(request))); } - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.SUCCESS, - auditRequesterID, - auditArchiveID); - - audit(auditMessage); + auditRequesterID)); } } catch (Exception e) { 
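Review bot: The `@@ -80,15 +80,10 @@` hunk removes `String id = request.getRequestId().toString();`, but the context line immediately after it, `CMS.debug("CAEnrollProfile: execute request ID " + id);`, still reads `id`, so execute() will not compile unless `id` is declared earlier in the method (the method start is outside the hunk). Keep the declaration ahead of the debug call, `String id = request.getRequestId().toString();`, or inline the expression into the debug message.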
@@ -167,14 +150,11 @@ public class CAEnrollProfile extends EnrollProfile { CMS.debug("CAEnrollProfile: " + e); CMS.debug(e); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST, + audit(new SecurityDataArchivalEvent( auditSubjectID, ILogger.FAILURE, - auditRequesterID, - auditArchiveID); + auditRequesterID)); - audit(auditMessage); throw new EProfileException(e); } } diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java index 30d6b9c..2bcde64 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java +++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java @@ -81,6 +81,16 @@ public class SubsystemService extends PKIService { getClass().getSimpleName() + ": " + message); } + protected void audit(AuditEvent event) { + + String template = event.getMessage(); + Object[] params = event.getParameters(); + + String message = CMS.getLogMessage(template, params); + + auditor.log(message); + } + public void audit(String message, String scope, String type, String id, Map params, String status) { String auditMessage = CMS.getLogMessage( diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 6bc2d82..03af216 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
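Review bot: The new audit(AuditEvent) becomes the single point where event parameters reach the signed audit log, and some of those parameters are caller-supplied strings (LogMessages.properties documents ClientKeyID as the user supplied client ID), yet nothing here normalizes them; unless CMS.getLogMessage or auditor.log already strips CR/LF, a value containing a line break would be written in a way that reads as a separate record. Normalizing once in this method (or in AuditEvent.setParameters) would cover every event type converted in this series. The method also lacks a Javadoc and its naming is easy to misread: `/** Renders the event's LogMessages key (AuditEvent.getMessage()) with its positional parameters and writes the result to the signed audit log. */` would make clear that getMessage() returns a template key, not text. No import of AuditEvent is added in this hunk, so it presumably is already imported by SubsystemService.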
@@ -1943,18 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA # -- feature disabled -- #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt # -# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST -# - used when user private key archive request is made -# this is an option in a certificate enrollment request detected by RA or CA -# so should be seen logged right following the certificate request, if selected -# ReqID must be the certificate enrollment request ID associated with the -# CA archive option (even if the request was originally submitted via -# an RA) (this field is set to the "EntityID" in caase of server-side key gen) -# ArchiveID must be the DRM request ID associated with the enrollment ID, -# ReqID (this field will be "N/A" when logged by the CA) -# -LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ArchiveID={3}] private key archive request -# # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED # - used when user private key archive request is processed # this is when DRM receives and processed the request @@ -2490,7 +2478,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made +LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made # # # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED -- 1.8.3.1 From 3a35eceffed65862e66806c20cff3a3b64d75ae8 Mon Sep 17 00:00:00 2001 
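Review bot: The renamed key LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST drops the `_N` suffix that every other entry in this file carries as a parameter-count marker, so the file now mixes two conventions without explanation. If the suffix is being retired deliberately for the encapsulated events, a short comment above the first unsuffixed entry, e.g. `# Keys without a numeric suffix are rendered by an AuditEvent subclass that fixes the parameter count`, would tell maintainers which entries may be edited freely; the same applies to the PROCESSED key in the next patch. The template keeps four slots, so it is worth confirming how the three-argument SecurityDataArchivalEvent constructor used by the CA fills ArchivalRequestID and ClientKeyID, since that constructor is not in this chunk.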
From: Ade Lee Date: Tue, 16 May 2017 22:16:30 -0400 Subject: [PATCH 02/38] Encapsulate archival processed audit logs Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7 --- .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- .../event/SecurityDataArchivalProcessedEvent.java | 49 ++++++++++++++++++++++ base/kra/shared/conf/CS.cfg | 2 +- .../src/com/netscape/kra/EnrollmentService.java | 15 ++++--- .../src/com/netscape/kra/KeyRecoveryAuthority.java | 33 ++++++++------- .../src/com/netscape/kra/NetkeyKeygenService.java | 13 +++--- .../com/netscape/kra/SecurityDataProcessor.java | 8 ++-- base/server/cmsbundle/src/LogMessages.properties | 10 +---- 8 files changed, 86 insertions(+), 48 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index a224ae6..ce5cc4b 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -72,8 +72,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String LOG_PATH_CHANGE = "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3"; public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = 
@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String CONFIG_SERIAL_NUMBER = "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; public static final String SECURITY_DATA_RECOVERY_REQUEST = diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java new file mode 100644 index 0000000..8d7593b --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java 
@@ -0,0 +1,49 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.logging.AuditEvent; + +public class SecurityDataArchivalProcessedEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED"; + + public SecurityDataArchivalProcessedEvent( + String subjectID, + String outcome, + String requestID, + String clientKeyID, + String keyID, + String failureReason, + String pubkey) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + requestID, + clientKeyID, + keyID, + failureReason, + pubkey + }); + } +} \ No newline at end of file diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index be4ce71..23d2508 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg 
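Review bot: The SecurityDataArchivalProcessedEvent constructor carries no documentation of how its seven String arguments map onto the template, yet correctness depends entirely on their order matching `[SubjectID][Outcome][ArchivalRequestID][ClientKeyID][KeyID][FailureReason][PubKey]` in LogMessages.properties; a swapped pair compiles and logs wrong fields silently. A class Javadoc naming the event and listing the slot order, with `@param` lines stating which arguments may be null and how a null renders, would give callers the contract they need; the same gap exists in SecurityDataRecoveryEvent in the third patch. Both files also end without a trailing newline.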
@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUES
T_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index 0a1fe1f..cf2a88f 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -51,6 +51,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; +import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; import com.netscape.certsrv.profile.IEnrollProfile; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; 
@@ -153,13 +154,10 @@ public class EnrollmentService implements IService { statsSub.startTiming("archival", true /* main action */); } - String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); String auditPublicKey = ILogger.UNIDENTIFIED; - String id = request.getRequestId().toString(); - if (CMS.debugOn()) CMS.debug("EnrollmentServlet: KRA services enrollment request"); @@ -551,13 +549,14 @@ public class EnrollmentService implements IService { // store a message in the signed audit log file auditPublicKey = auditPublicKey(rec); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + audit(new SecurityDataArchivalProcessedEvent( auditSubjectID, ILogger.SUCCESS, - auditPublicKey); - - audit(auditMessage); + request.getRequestId().toString(), + null, + rec.getSerialNumber().toString(), + null, + auditPublicKey)); // Xxx - should sign this proof of archival ProofOfArchival mProof = new ProofOfArchival(serialNo, diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java index de097b2..bc58d14 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java @@ -59,6 +59,7 @@ import com.netscape.certsrv.listeners.EListenersException; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; +import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; import com.netscape.certsrv.request.ARequestNotifier; import com.netscape.certsrv.request.IPolicy; import com.netscape.certsrv.request.IRequest; 
@@ -786,23 +787,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove queue.processRequest(r); } - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.SUCCESS, - auditPublicKey); - - audit(auditMessage); + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.SUCCESS, + r.getRequestId().toString(), + null, + rec.getSerialNumber().toString(), + null, + auditPublicKey)); } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditPublicKey); - - audit(auditMessage); + audit(new SecurityDataArchivalProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + r.getRequestId().toString(), + null, + rec.getSerialNumber().toString(), + eAudit1.getMessage(), + auditPublicKey)); throw eAudit1; } diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 0885469..cd1079d 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; +import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; 
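Review bot: In the catch block the FAILURE event is built from `r.getRequestId().toString()` and `rec.getSerialNumber().toString()`; if the failure that produced eAudit1 occurred before either value was populated, the catch itself throws NullPointerException, the FAILURE record is never written and the original exception is masked. The failure path should tolerate missing values, e.g. `String serial = rec.getSerialNumber() != null ? rec.getSerialNumber().toString() : ILogger.UNIDENTIFIED;` computed before the audit call (and likewise for the request id), so that an audit record is still emitted when archival fails. The same pattern is carried into the patch 03 version of this hunk (`new KeyId(rec.getSerialNumber())`), where it depends on whether KeyId accepts a null serial. The enclosing archiveKey method begins before this hunk.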
@@ -480,14 +481,14 @@ public class NetkeyKeygenService implements IService { storage.addKeyRecord(rec); CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED, + audit(new SecurityDataArchivalProcessedEvent( agentId, ILogger.SUCCESS, - PubKey); - - audit(auditMessage); - + request.getRequestId().toString(), + null, + serialNo.toString(), + null, + PubKey)); } //if archive request.setExtData(IRequest.RESULT, Integer.valueOf(1)); diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 344f376..fa12805 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -40,6 +40,7 @@ import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; import com.netscape.certsrv.profile.IEnrollProfile; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.RequestId; @@ -867,14 +868,13 @@ public class SecurityDataProcessor { private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, String keyID, String reason) { - String auditMessage = CMS.getLogMessage( - AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED, + audit(new SecurityDataArchivalProcessedEvent( subjectID, status, requestID.toString(), clientKeyID, keyID != null ? keyID : "None", - reason); - audit(auditMessage); + reason, + null)); } } diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 03af216..a7ce567 100644 --- a/base/server/cmsbundle/src/LogMessages.properties 
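Review bot: Absent values are now spelled inconsistently across callers of SecurityDataArchivalProcessedEvent: auditArchivalRequestProcessed substitutes `"None"` for a missing keyID but passes `null` for pubkey, while the NetkeyKeygenService and KRA callers in this patch pass `null` for clientKeyID and failureReason. Audit consumers that parse these fields will see `None` and `null` for the same condition. One sentinel, chosen once (the code base already has ILogger.UNIDENTIFIED and ILogger.SIGNED_AUDIT_EMPTY_VALUE) and applied inside the event constructor rather than at each call site, would make the records uniform; this call would then pass `keyID,` unchanged.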
+++ b/base/server/cmsbundle/src/LogMessages.properties @@ -1943,14 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA # -- feature disabled -- #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt # -# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED -# - used when user private key archive request is processed -# this is when DRM receives and processed the request -# PubKey must be the base-64 encoded public key associated with -# the private key to be archived -# -LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3=:[AuditEvent=PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][PubKey={2}] private key archive request processed -# # LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS # - used when user private key export request is made and processed with success # - this is used in case of server-side keygen when keys generated on the server @@ -2471,7 +2463,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEv # Client ID must be the user supplied client ID associated with # the security data to be archived # -LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] security data archival request processed +LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed # # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST # - used when security data recovery request is made -- 1.8.3.1 From 90f6d8ece46d70a3566b97b549efb1053895f407 Mon Sep 17 00:00:00 2001 
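Review bot: The PROCESSED template gains a seventh slot `[PubKey={6}]`, but the comment block above it that documents each field (the context lines still end at the Client ID description) is not extended to say what PubKey holds or that only the private-key archival callers populate it. A line such as `# PubKey must be the base-64 encoded public key associated with the private key to be archived, when one exists`, reusing the wording from the deleted PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED entry, would keep the catalogue self-describing. The neighbouring context comment for LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST says "recovery request" where it means archival; it is pre-existing, but worth correcting while these entries are being reworked.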
From: Ade Lee Date: Tue, 16 May 2017 23:11:34 -0400 Subject: [PATCH 03/38] Encapsulate key recovery audit events Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac --- .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- .../event/SecurityDataArchivalProcessedEvent.java | 6 ++- .../logging/event/SecurityDataRecoveryEvent.java | 48 +++++++++++++++++++++ base/kra/shared/conf/CS.cfg | 4 +- .../src/com/netscape/kra/EnrollmentService.java | 5 ++- .../src/com/netscape/kra/KeyRecoveryAuthority.java | 49 ++++++++++++++-------- .../src/com/netscape/kra/NetkeyKeygenService.java | 5 ++- .../com/netscape/kra/SecurityDataProcessor.java | 9 ++-- .../com/netscape/kra/TokenKeyRecoveryService.java | 18 ++++---- .../server/kra/rest/KeyRequestService.java | 10 ++--- base/server/cmsbundle/src/LogMessages.properties | 2 +- 11 files changed, 114 insertions(+), 46 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index ce5cc4b..da571fe 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -82,8 +82,6 @@ public class AuditEvent implements IBundleLogEvent { "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; - public final static String KEY_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4"; public final static String KEY_RECOVERY_REQUEST_ASYNC = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; public final static String KEY_RECOVERY_AGENT_LOGIN = 
@@ -178,8 +176,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; - public static final String SECURITY_DATA_RECOVERY_REQUEST = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4"; public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; public final static String SECURITY_DATA_RETRIEVE_KEY = diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java index 8d7593b..eb4f6b3 100644 --- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java @@ -17,7 +17,9 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.logging.event; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; public class SecurityDataArchivalProcessedEvent extends AuditEvent { @@ -28,9 +30,9 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent { public SecurityDataArchivalProcessedEvent( String subjectID, String outcome, - String requestID, + RequestId requestID, String clientKeyID, - String keyID, + KeyId keyID, String failureReason, String pubkey) { diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java new file mode 100644 index 0000000..97e3c96 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryEvent.java 
@@ -0,0 +1,48 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.dbs.keydb.KeyId; +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; + +public class SecurityDataRecoveryEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST"; + + public SecurityDataRecoveryEvent( + String subjectID, + String outcome, + RequestId recoveryID, + KeyId keyID, + String pubkey) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + recoveryID, + keyID, + pubkey + }); + } +} \ No newline at end of file diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index 23d2508..54adae1 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg 
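Review bot: SecurityDataRecoveryEvent supplies five parameters (subjectID, outcome, recoveryID, keyID, pubkey) against a LogMessages key whose previous name carried a `_4` suffix (the constant removed from AuditEvent was LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4); the properties hunk that renames it is not in this chunk. If CMS.getLogMessage formats with java.text.MessageFormat, surplus arguments are ignored without error, so unless the template gained a fifth slot the public key would simply vanish from the record; that should be checked against the renamed entry before merge.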
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true 
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java index cf2a88f..b28fbc6 100644 --- a/base/kra/src/com/netscape/kra/EnrollmentService.java +++ b/base/kra/src/com/netscape/kra/EnrollmentService.java @@ -44,6 +44,7 @@ import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.kra.ProofOfArchival; 
@@ -552,9 +553,9 @@ public class EnrollmentService implements IService { audit(new SecurityDataArchivalProcessedEvent( auditSubjectID, ILogger.SUCCESS, - request.getRequestId().toString(), + request.getRequestId(), null, - rec.getSerialNumber().toString(), + new KeyId(rec.getSerialNumber()), null, auditPublicKey)); diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java index bc58d14..8f86eef 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java @@ -52,6 +52,7 @@ import com.netscape.certsrv.base.ISubsystem; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.IDBSubsystem; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.kra.IKeyService; @@ -60,6 +61,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; import com.netscape.certsrv.request.ARequestNotifier; import com.netscape.certsrv.request.IPolicy; import com.netscape.certsrv.request.IRequest; @@ -749,7 +751,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove */ public IRequest archiveKey(KeyRecord rec) throws EBaseException { - String auditMessage = null; String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); String auditPublicKey = auditPublicKey(rec); 
@@ -790,18 +791,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove audit(new SecurityDataArchivalProcessedEvent( auditSubjectID, ILogger.SUCCESS, - r.getRequestId().toString(), + r.getRequestId(), null, - rec.getSerialNumber().toString(), + new KeyId(rec.getSerialNumber()), null, auditPublicKey)); } catch (EBaseException eAudit1) { audit(new SecurityDataArchivalProcessedEvent( auditSubjectID, ILogger.FAILURE, - r.getRequestId().toString(), + r.getRequestId(), null, - rec.getSerialNumber().toString(), + new KeyId(rec.getSerialNumber()), eAudit1.getMessage(), auditPublicKey)); @@ -994,7 +995,11 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove throws EBaseException { String auditMessage = null; String auditSubjectID = auditSubjectID(); + + // temporary variable till other audit events are converted String auditRecoveryID = auditRecoveryID(); + + RequestId auditRequestID = auditRequestID(); String auditPublicKey = auditPublicKey(cert); String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; @@ -1029,24 +1034,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent); // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST, + audit(new SecurityDataRecoveryEvent( auditSubjectID, ILogger.SUCCESS, - auditRecoveryID, - auditPublicKey); - - audit(auditMessage); + auditRequestID, + null, + auditPublicKey)); } catch (EBaseException eAudit1) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST, + audit(new SecurityDataRecoveryEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - auditPublicKey); - - audit(auditMessage); + auditRequestID, + null, + auditPublicKey)); throw eAudit1; } 
@@ -1680,6 +1681,20 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return recoveryID; } + /* + * temporary function till other audit messages are converted + */ + private RequestId auditRequestID() { + SessionContext auditContext = SessionContext.getExistingContext(); + if (auditContext != null) { + String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); + if (recoveryID != null) { + return new RequestId(recoveryID.trim()); + } + } + + return null; + } /** * Signed Audit Log Public Key diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index cd1079d..5463b92 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -46,6 +46,7 @@ import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; @@ -484,9 +485,9 @@ public class NetkeyKeygenService implements IService { audit(new SecurityDataArchivalProcessedEvent( agentId, ILogger.SUCCESS, - request.getRequestId().toString(), + request.getRequestId(), null, - serialNo.toString(), + new KeyId(serialNo), null, PubKey)); } //if archive diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index fa12805..da8dd9b 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java 
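Review bot: The new auditRequestID() returns null when there is no session context or no RECOVERY_ID in it, while the existing auditRecoveryID() beside it, which performs the same lookup, falls back to ILogger.UNIDENTIFIED, so the recovery-id field of the new SecurityDataRecoveryEvent can differ from the legacy messages for the same missing-context case depending on which helper a caller used; if that is intended, the `return null;` deserves a sentence saying so, because it reads as an oversight next to its sibling. The method is also introduced with a plain block comment where the neighbouring helpers use Javadoc, and there is no blank line between its closing brace and the following `/**`. I would replace the comment with `/** Returns the recovery request id from the session context for audit events, or null when no context or no RECOVERY_ID is set; temporary until the remaining audit messages are converted. */` and separate it from the next Javadoc with a blank line.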
@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; @@ -300,7 +301,7 @@ public class SecurityDataProcessor { keyRepository.addKeyRecord(rec); auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestId, - clientKeyId, serialNo.toString(), "None"); + clientKeyId, new KeyId(serialNo), "None"); request.setExtData(ATTR_KEY_RECORD, serialNo); request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); @@ -867,13 +868,13 @@ public class SecurityDataProcessor { } private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, - String keyID, String reason) { + KeyId keyID, String reason) { audit(new SecurityDataArchivalProcessedEvent( subjectID, status, - requestID.toString(), + requestID, clientKeyID, - keyID != null ? keyID : "None", + keyID, reason, null)); } diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 64f65a0..7aca24c 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java 
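Review bot: In the @@ -867 hunk the `keyID != null ? keyID : "None"` fallback is dropped from auditArchivalRequestProcessed, so a null KeyId now reaches SecurityDataArchivalProcessedEvent unchanged. The only caller visible in this patch (the @@ -300 hunk) passes `new KeyId(serialNo)`, but any other caller that relied on the old "None" substitution will now produce a DataID field whose content depends on how the event formats a null parameter, which I cannot see from here. Either keep an explicit fallback at the call site or document the contract on the helper: `@param keyID id of the archived key record, or null if no record was created (rendered by the event)`.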
@@ -47,8 +47,10 @@ import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; +import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; @@ -211,6 +213,10 @@ public class TokenKeyRecoveryService implements IService { if (id != null) { auditRecoveryID = id.trim(); } + + // temporary variable till other audit messages have been replaced + RequestId auditRequestID = request.getRequestId(); + SessionContext sContext = SessionContext.getContext(); String agentId = ""; if (sContext != null) { @@ -563,14 +569,12 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: RSA PubKey base64 encoded"); } - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST, + audit(new SecurityDataRecoveryEvent( auditSubjectID, - ILogger.SUCCESS, - auditRecoveryID, - PubKey); - - audit(auditMessage); + ILogger.SUCCESS, + auditRequestID, + null, + PubKey)); if (PubKey == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java index b0bcff2..a2d01f1 100644 --- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java 
@@ -51,6 +51,7 @@ import com.netscape.certsrv.key.SymKeyGenerationRequest; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; import com.netscape.cms.realm.PKIPrincipal; @@ -345,13 +346,12 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes } public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { - String msg = CMS.getLogMessage( - AuditEvent.SECURITY_DATA_RECOVERY_REQUEST, + audit(new SecurityDataRecoveryEvent( getRequestor(), status, - requestId != null? requestId.toString(): "null", - dataId.toString()); - auditor.log(msg); + requestId, + dataId, + null)); } public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) { diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index a7ce567..d594f1c 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties @@ -2486,7 +2486,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}] security data recovery request made +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][DataID={3}][PubKey={4}] security data recovery request made # # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE # - used when DRM agents login as recovery agents to change -- 1.8.3.1 From 58927bc0573769480dd35b564b9791eb086b267e Mon Sep 17 00:00:00 2001 
From: Ade Lee Date: Wed, 17 May 2017 14:10:37 -0400 Subject: [PATCH 04/38] Encapsulate recovery processed audit events This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb --- .../com/netscape/certsrv/logging/AuditEvent.java | 4 - .../event/SecurityDataRecoveryProcessedEvent.java | 50 ++++++ base/kra/shared/conf/CS.cfg | 4 +- .../src/com/netscape/kra/KeyRecoveryAuthority.java | 94 +++-------- .../com/netscape/kra/SecurityDataProcessor.java | 45 ++--- .../com/netscape/kra/TokenKeyRecoveryService.java | 182 ++++++++++----------- base/server/cmsbundle/src/LogMessages.properties | 12 +- 7 files changed, 184 insertions(+), 207 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index da571fe..c9c8f96 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -86,8 +86,6 @@ public class AuditEvent implements IBundleLogEvent { "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; public final static String KEY_RECOVERY_AGENT_LOGIN = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; - public final static String KEY_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4"; public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; public final static String KEY_GEN_ASYMMETRIC = 
@@ -174,8 +172,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String CONFIG_SERIAL_NUMBER = "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; public final static String SECURITY_DATA_RETRIEVE_KEY = diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java new file mode 100644 index 0000000..8e5ad4b --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryProcessedEvent.java 
@@ -0,0 +1,50 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.dbs.keydb.KeyId;
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.request.RequestId;
+
+public class SecurityDataRecoveryProcessedEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ private static final String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED";
+
+ public SecurityDataRecoveryProcessedEvent(
+ String subjectID,
+ String outcome,
+ RequestId recoveryID,
+ KeyId keyID,
+ String failureReason,
+ String recoveryAgents) {
+
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ recoveryID,
+ keyID,
+ failureReason,
+ recoveryAgents
+ });
+ }
+}
\ No newline at end of file
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 54adae1..8f55a37 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
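Review bot: SecurityDataRecoveryProcessedEvent carries no Javadoc on the class or the constructor, and its contract is purely positional: the six arguments are copied into the parameter array in order, so a reader has to find the LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED message to learn which placeholder each one fills. The callers in this patch pass null for failureReason on a SUCCESS outcome, so the nullability belongs in the documentation as well. I would add a class Javadoc naming the audit event this represents and a constructor Javadoc with `@param outcome ILogger.SUCCESS or ILogger.FAILURE`, `@param failureReason why the recovery failed, or null on success`, plus one line each for subjectID, recoveryID, keyID and recoveryAgents describing the placeholder they fill. The file also ends without a trailing newline.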
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true 
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java index 8f86eef..670279e 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java 
@@ -62,6 +62,7 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; import com.netscape.certsrv.request.ARequestNotifier; import com.netscape.certsrv.request.IPolicy; import com.netscape.certsrv.request.IRequest; @@ -980,7 +981,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove * @param kid key identifier * @param creds list of recovery agent credentials * @param password password of the PKCS12 package - * @param cert certficate that will be put in PKCS12 + * @param cert certificate that will be put in PKCS12 * @param delivery file, mail or something else * @param nickname string containing the nickname of the id cert for this * subsystem @@ -993,13 +994,8 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove String delivery, String nickname, String agent) throws EBaseException { - String auditMessage = null; String auditSubjectID = auditSubjectID(); - - // temporary variable till other audit events are converted - String auditRecoveryID = auditRecoveryID(); - - RequestId auditRequestID = auditRequestID(); + RequestId auditRecoveryID = auditRecoveryID(); String auditPublicKey = auditPublicKey(cert); String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; 
@@ -1037,16 +1033,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove audit(new SecurityDataRecoveryEvent( auditSubjectID, ILogger.SUCCESS, - auditRequestID, - null, + auditRecoveryID, + new KeyId(kid), auditPublicKey)); } catch (EBaseException eAudit1) { // store a message in the signed audit log file audit(new SecurityDataRecoveryEvent( auditSubjectID, ILogger.FAILURE, - auditRequestID, - null, + auditRecoveryID, + new KeyId(kid), auditPublicKey)); throw eAudit1; @@ -1063,43 +1059,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove auditAgents = auditAgents(creds); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.SUCCESS, auditRecoveryID, - auditAgents); - - audit(auditMessage); + new KeyId(kid), + null, + auditAgents)); destroyVolatileRequest(r.getRequestId()); return pkcs12; } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, auditRecoveryID, - auditAgents); - - audit(auditMessage); + new KeyId(kid), + r.getExtDataInString(IRequest.ERROR), + auditAgents)); throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); } } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditAgents); - - audit(auditMessage); - + audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + new KeyId(kid), + eAudit1.getMessage(), + auditAgents)); throw eAudit1; } } 
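Review bot: In the else branch of the @@ -1063 hunk a FAILURE SecurityDataRecoveryProcessedEvent is written and then `throw new EBaseException(r.getExtDataInString(IRequest.ERROR))` is raised; the `} } catch (EBaseException eAudit1)` that immediately follows suggests that throw lands in the enclosing catch, which writes a second FAILURE event for the same request before rethrowing (the try itself begins outside the hunk, so this is inferred from the brace structure). The pre-patch code had the same shape, but now that the record carries a reason the duplicate is visible as two entries with the same text, one from the request error and one from eAudit1.getMessage(). Removing the audit call from the else branch and letting the catch produce the single record, or raising the else-branch exception after the try/catch so it is not caught there, would leave one SECURITY_DATA_RECOVERY_REQUEST_PROCESSED record per failed recovery.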
@@ -1646,45 +1635,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove return requesterID; } - /** - * Signed Audit Log Recovery ID - * - * This method is called to obtain the "RecoveryID" for - * a signed audit log message. - *

- * - * @return id string containing the signed audit log message RecoveryID - */ - private String auditRecoveryID() { - // if no signed audit object exists, bail - if (mSignedAuditLogger == null) { - return null; - } - - String recoveryID = null; - - // Initialize recoveryID - SessionContext auditContext = SessionContext.getExistingContext(); - - if (auditContext != null) { - recoveryID = (String) - auditContext.get(SessionContext.RECOVERY_ID); - - if (recoveryID != null) { - recoveryID = recoveryID.trim(); - } else { - recoveryID = ILogger.UNIDENTIFIED; - } - } else { - recoveryID = ILogger.UNIDENTIFIED; - } - - return recoveryID; - } /* - * temporary function till other audit messages are converted + * Returns the requestID for the recovery request for audit logs. */ - private RequestId auditRequestID() { + private RequestId auditRecoveryID() { SessionContext auditContext = SessionContext.getExistingContext(); if (auditContext != null) { String recoveryID = (String) auditContext.get(SessionContext.RECOVERY_ID); diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index da8dd9b..a44eb2f 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -42,6 +42,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; import com.netscape.certsrv.profile.IEnrollProfile; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.RequestId; 
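Review bot: Deleting the old auditRecoveryID() also drops its ILogger.UNIDENTIFIED fallback and its mSignedAuditLogger null check; the renamed replacement, whose body continues past the end of the hunk, returns null when there is no session context or no RECOVERY_ID, so the recovery-id field of the SecurityDataRecoveryEvent and SecurityDataRecoveryProcessedEvent records written in doRecovery now depends on how AuditEvent renders a null parameter rather than showing UNIDENTIFIED. If rendering null is the intended contract, say so on the helper, whose comment should also be a Javadoc `/**` like the one being removed: `/** Returns the RequestId stored under SessionContext.RECOVERY_ID for audit events, or null when no context or no id is present. */`.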
@@ -326,14 +327,15 @@ public class SecurityDataProcessor { Hashtable params = kra.getVolatileRequest( request.getRequestId()); - BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO); - request.setExtData(ATTR_KEY_RECORD, serialno); + KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO)); + request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger()); RequestId requestID = request.getRequestId(); + String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); if (params == null) { CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params."); - auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), - "cannot get volatile params"); + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, + "cannot get volatile params", approvers); throw new EBaseException("Can't obtain volatile params!"); } @@ -355,7 +357,7 @@ public class SecurityDataProcessor { return false; } - KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(serialno); + KeyRecord keyRecord = (KeyRecord) keyRepository.readKeyRecord(keyId.toBigInteger()); String dataType = (String) keyRecord.get(IKeyRecord.ATTR_DATA_TYPE); if (dataType == null) dataType = KeyRequestResource.ASYMMETRIC_KEY_TYPE; @@ -455,8 +457,8 @@ public class SecurityDataProcessor { iv != null? new IVParameterSpec(iv): null, iv_wrap != null? new IVParameterSpec(iv_wrap): null); } catch (Exception e) { - auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), - "Cannot generate wrapping params"); + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, + "Cannot generate wrapping params", approvers); throw new EBaseException("Cannot generate wrapping params: " + e, e); } } 
@@ -512,8 +514,8 @@ public class SecurityDataProcessor { params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData); } catch (Exception e) { - auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), - "Cannot unwrap passphrase"); + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, + "Cannot unwrap passphrase", approvers); throw new EBaseException("Cannot unwrap passphrase: " + e, e); } finally { @@ -554,8 +556,8 @@ public class SecurityDataProcessor { } } catch (Exception e) { - auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), - "Cannot wrap symmetric key"); + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, + "Cannot wrap symmetric key", approvers); throw new EBaseException("Cannot wrap symmetric key: " + e, e); } @@ -573,7 +575,7 @@ public class SecurityDataProcessor { wrapParams.getPayloadEncryptionIV()); } catch (Exception e) { auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, - serialno.toString(), "Cannot encrypt passphrase"); + keyId, "Cannot encrypt passphrase", approvers); throw new EBaseException("Cannot encrypt passphrase: " + e, e); } @@ -604,8 +606,8 @@ public class SecurityDataProcessor { } } catch (Exception e) { - auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(), - "Cannot wrap private key"); + auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId, + "Cannot wrap private key", approvers); throw new EBaseException("Cannot wrap private key: " + e, e); } } 
@@ -639,8 +641,8 @@ public class SecurityDataProcessor { params.put(IRequest.SECURITY_DATA_TYPE, dataType); - auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(), - "None"); + auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId, + null, approvers); request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); return false; //return true ? TODO @@ -856,15 +858,14 @@ public class SecurityDataProcessor { } private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, - String keyID, String reason) { - String auditMessage = CMS.getLogMessage( - AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, + KeyId keyID, String reason, String recoveryAgents) { + audit(new SecurityDataRecoveryProcessedEvent( subjectID, status, - requestID.toString(), + requestID, keyID, - reason); - audit(auditMessage); + reason, + recoveryAgents)); } private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 7aca24c..2519a4d 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java 
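Review bot: The rewritten `auditRecoveryRequestProcessed` helper in the second hunk has no Javadoc, and its new contract is not obvious from the signature: `reason` is passed as null on success (first hunk) and `recoveryAgents` is whatever the request's approver attribute holds. A one-line comment such as `/** Emits SECURITY_DATA_RECOVERY_REQUEST_PROCESSED; reason is null on success, recoveryAgents is the request's ATTR_APPROVE_AGENTS value (may be null). */` above the method tells a reader of the audit stream what an empty FailureReason means. The `auditArchivalRequestProcessed` signature that follows is cut off at the hunk edge.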
@@ -43,11 +43,13 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.request.RequestId; @@ -183,9 +185,7 @@ public class TokenKeyRecoveryService implements IService { * @exception EBaseException failed to serve */ public synchronized boolean serviceRequest(IRequest request) throws EBaseException { - String auditMessage = null; String auditSubjectID = null; - String auditRecoveryID = ILogger.UNIDENTIFIED; String iv_s = ""; CMS.debug("KRA services token key recovery request"); @@ -209,12 +209,6 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); } - String id = request.getRequestId().toString(); - if (id != null) { - auditRecoveryID = id.trim(); - } - - // temporary variable till other audit messages have been replaced RequestId auditRequestID = request.getRequestId(); SessionContext sContext = SessionContext.getContext(); 
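Review bot: The `import com.netscape.certsrv.logging.AuditEvent;` line retained in the first hunk looks unused after this change, since every `AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED` reference in the later hunks of this file is replaced by `SecurityDataRecoveryProcessedEvent`; if no other reference remains outside the hunks, drop the import. The removed null-check on `request.getRequestId().toString()` in the third hunk is replaced by a bare `request.getRequestId()`, which is fine provided the event accepts a null RequestId — worth confirming, as `serviceRequest` continues outside this hunk.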
@@ -240,7 +234,7 @@ public class TokenKeyRecoveryService implements IService { String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); - // the request reocrd field delayLDAPCommit == "true" will cause + // the request record field delayLDAPCommit == "true" will cause // updateRequest() to delay actual write to ldap request.setExtData("delayLDAPCommit", "true"); // wrappedDesKey no longer needed. removing. @@ -272,32 +266,32 @@ public class TokenKeyRecoveryService implements IService { } else { CMS.debug("TokenKeyRecoveryService: not receive des key"); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); + auditRequestID, + null, + "TokenRecoveryService: Did not receive DES key", + agentId)); - audit(auditMessage); return false; } // retrieve based on Certificate String cert_s = request.getExtDataInString(ATTR_USER_CERT); String keyid_s = request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID); + KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID)); /* have to have at least one */ if ((cert_s == null) && (keyid_s == null)) { CMS.debug("TokenKeyRecoveryService: not receive cert or keyid"); request.setExtData(IRequest.RESULT, Integer.valueOf(3)); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequestID, + keyId, + "TokenRecoveryService: Did not receive cert or keyid", + agentId)); return false; } 
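Review bot: In the second hunk `KeyId keyId = new KeyId(request.getExtDataInString(IRequest.NETKEY_ATTR_KEYID));` runs before the `(cert_s == null) && (keyid_s == null)` check that explicitly admits a missing key id, and it re-reads the attribute that `keyid_s` already holds; if the `KeyId(String)` constructor rejects null, a request carrying only a certificate would throw here instead of reaching the audited failure paths. Build it from the local and guard it: `KeyId keyId = (keyid_s != null) ? new KeyId(keyid_s) : null;`. The failure reasons in this hunk are prefixed `TokenRecoveryService:` while the class is TokenKeyRecoveryService and the hunks further down use that name; one prefix makes the audit log easier to grep. `serviceRequest` begins and ends outside these hunks.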
@@ -311,27 +305,25 @@ public class TokenKeyRecoveryService implements IService { if (x509cert == null) { CMS.debug("cert mapping failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(5)); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + "TokenRecoveryService: cert mapping failed", + agentId)); return false; } } catch (IOException e) { CMS.debug("TokenKeyRecoveryService: mapCert failed"); request.setExtData(IRequest.RESULT, Integer.valueOf(6)); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + "TokenRecoveryService: mapCert failed: " + e.getMessage(), + agentId)); return false; } } else { @@ -363,27 +355,25 @@ public class TokenKeyRecoveryService implements IService { else { CMS.debug("key record not found"); request.setExtData(IRequest.RESULT, Integer.valueOf(8)); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + "TokenRecoveryService: key record not found", + agentId)); return false; } } catch (Exception e) { com.netscape.cmscore.util.Debug.printStackTrace(e); request.setExtData(IRequest.RESULT, Integer.valueOf(9)); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + "TokenRecoveryService: error reading key record: " + e.getMessage(), + agentId)); return false; } 
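Review bot: The reasons built in the `catch (IOException e)` branch of the first hunk and the `catch (Exception e)` branch of the second append `e.getMessage()`, which is null for exceptions constructed without a message, so the audit record would read `mapCert failed: null`. Appending the exception itself, `"TokenRecoveryService: mapCert failed: " + e,` and `"TokenRecoveryService: error reading key record: " + e,`, always carries at least the exception class name. The `TokenRecoveryService:` prefix here also differs from the `TokenKeyRecoveryService:` prefix used in the later hunks.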
@@ -410,14 +400,14 @@ public class TokenKeyRecoveryService implements IService { if (inputPubData.length != pubData.length) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); + auditRequestID, + keyId, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"), + agentId)); - audit(auditMessage); throw new EKRAException( CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); } @@ -425,14 +415,13 @@ public class TokenKeyRecoveryService implements IService { for (int i = 0; i < pubData.length; i++) { if (pubData[i] != inputPubData[i]) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"), + agentId)); throw new EKRAException( CMS.getUserMessage("CMS_KRA_PUBLIC_KEY_NOT_MATCHED")); } @@ -455,13 +444,13 @@ public class TokenKeyRecoveryService implements IService { if (privateKeyData == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); - audit(auditMessage); + audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequestID, + keyId, + "TokenKeyRecoveryService: failed getting private key", + agentId)); return false; } CMS.debug("TokenKeyRecoveryService: got private key...about to verify"); 
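Review bot: In the second hunk the audit failure reason for a byte-by-byte mismatch between `pubData` and `inputPubData` is `CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN")`, the same length message used in the first hunk where the lengths actually differ, so the audit trail cannot tell the two failures apart. A reason describing the real condition, e.g. `"TokenKeyRecoveryService: public key data does not match",` is more useful to an auditor; the accompanying `mKRA.log` line has the same reuse but is not new to this change. Both paths throw EKRAException with the same user message, which is fine since the audit reason is where the distinction belongs.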
@@ -485,14 +474,13 @@ public class TokenKeyRecoveryService implements IService { if (verifyKeyPair(pubData, privateKeyData) == false) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND")); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequestID, + keyId, + CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"), + agentId)); throw new EKRAException( CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY")); } else { @@ -511,14 +499,13 @@ public class TokenKeyRecoveryService implements IService { if (privKey == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); CMS.debug("TokenKeyRecoveryService: failed getting private key"); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRequestID, + keyId, + "TokenKeyRecoveryService: failed getting private key", + agentId)); return false; } @@ -541,14 +528,13 @@ public class TokenKeyRecoveryService implements IService { if (wrappedPrivKeyString == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + "TokenKeyRecoveryService: failed generating wrapped private key", + agentId)); return false; } else { CMS.debug("TokenKeyRecoveryService: got private key data wrapped"); 
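Review bot: The reason `"TokenKeyRecoveryService: failed getting private key"` in the second hunk (`privKey == null`) is identical to the one emitted when `privateKeyData == null` in the hunk on the previous line, and both set result code 4, so the two failure points are indistinguishable in the audit log. Naming the step in each, e.g. `"TokenKeyRecoveryService: failed getting private key data"` for the first and `"TokenKeyRecoveryService: failed getting private key object"` for the second, costs nothing and makes incident review possible from the log alone. The surrounding method continues outside these hunks.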
@@ -579,14 +565,13 @@ public class TokenKeyRecoveryService implements IService { if (PubKey == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded"); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, - auditRecoveryID, - agentId); - - audit(auditMessage); + auditRequestID, + keyId, + "TokenKeyRecoveryService: failed getting publickey encoded", + agentId)); return false; } else { //CMS.debug("TokenKeyRecoveryService: got publicKeyData b64 = " + @@ -594,15 +579,14 @@ public class TokenKeyRecoveryService implements IService { CMS.debug("TokenKeyRecoveryService: got publicKeyData"); } request.setExtData("public_key", PubKey); - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED, + + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.SUCCESS, - auditRecoveryID, - agentId); - - audit(auditMessage); - + auditRequestID, + keyId, + null, + agentId)); return true; } catch (Exception e) { diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index d594f1c..b85310c 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
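Review bot: The SUCCESS event in the second hunk is the last audit emitted before the method's trailing `catch (Exception e)`, whose body lies outside the hunk; if any exception raised after the last FAILURE audit lands there, no SECURITY_DATA_RECOVERY_REQUEST_PROCESSED event records the failed outcome. Worth confirming that the catch emits `audit(new SecurityDataRecoveryProcessedEvent(auditSubjectID, ILogger.FAILURE, auditRequestID, keyId, "TokenKeyRecoveryService: " + e, agentId));` so every exit of `serviceRequest` is auditable. Passing `null` as the failure reason on success matches the other call sites in this patch.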
@@ -2009,15 +2009,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login # -# -# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED -# - used when key recovery request is processed -# RecoveryID must be the recovery request ID -# RecoveryAgents must be a comma-separated list of -# UIDs of the recovery agents approving this request -# -LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgents={3}] key recovery request processed -# # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC # - used when key recovery request is processed # RequestID must be the recovery request ID @@ -2477,8 +2468,9 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}] security data recovery request processed +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][FailureReason={4}][RecoveryAgents={5}] security data recovery request processed # # # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST -- 1.8.3.1 From f52f5be832e37cc45e665708d3b59d2a3aa04370 Mon Sep 17 00:00:00 2001 
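Review bot: The new `LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED` entry in the second hunk adds a `[RecoveryAgents={5}]` field, but the explanatory comment that documented this field for the entry removed in the first hunk (`RecoveryAgents must be a comma-separated list of UIDs of the recovery agents approving this request`) is not carried over. Re-adding that line to the comment block for the new entry, together with a note that FailureReason is empty on success, keeps the bundle self-describing for anyone reading the audit log format. The comment block preceding the new entry starts outside the hunk.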
From: Ade Lee Date: Wed, 17 May 2017 16:17:30 -0400 Subject: [PATCH 05/38] Eliminate async recovery audit events There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089 --- .../com/netscape/certsrv/logging/AuditEvent.java | 4 -- base/kra/shared/conf/CS.cfg | 4 +- .../src/com/netscape/kra/KeyRecoveryAuthority.java | 75 +++++++++------------- base/server/cmsbundle/src/LogMessages.properties | 17 ----- 4 files changed, 34 insertions(+), 66 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index c9c8f96..03340e1 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -82,12 +82,8 @@ public class AuditEvent implements IBundleLogEvent { "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; - public final static String KEY_RECOVERY_REQUEST_ASYNC = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4"; public final static String KEY_RECOVERY_AGENT_LOGIN = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; - public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC = - "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4"; public final static String KEY_GEN_ASYMMETRIC = "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3"; diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index 8f55a37..90ef4bc 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg 
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true 
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java index 670279e..3c29bbf 100644 --- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java +++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java @@ -820,8 +820,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove throws EBaseException { String auditPublicKey = auditPublicKey(cert); - String auditRecoveryID = "undefined"; - String auditMessage = null; + RequestId auditRecoveryID = null; String auditSubjectID = auditSubjectID(); IRequestQueue queue = null; 
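Review bot: The rewritten `_005` comment line and `events=` line both still list `SECURITY_DATA_RETRIEVE_KEY` twice (after `SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE` and again after `ASYMKEY_GENERATION_REQUEST_PROCESSED`), and both keep a stray space before `COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE`. The duplication and spaces predate this change, but since these lines are being rewritten anyway, dropping the second occurrence and the spaces avoids depending on how the event-list parser handles duplicates and leading whitespace, which is not visible here. The `events=` line is the one that actually enables audit events, so it is the one to get right.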
@@ -838,28 +837,23 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove r.setRequestStatus(RequestStatus.PENDING); r.setRealm(realm); queue.updateRequest(r); - auditRecoveryID = r.getRequestId().toString(); + auditRecoveryID = r.getRequestId(); // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, + audit(new SecurityDataRecoveryEvent( auditSubjectID, ILogger.SUCCESS, auditRecoveryID, - auditPublicKey); - - audit(auditMessage); + null, + auditPublicKey)); } catch (EBaseException eAudit1) { // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditPublicKey); - - audit(auditMessage); - + audit(new SecurityDataRecoveryEvent( + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + null, + auditPublicKey)); throw eAudit1; } @@ -1115,10 +1109,10 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove String reqID, String password) throws EBaseException { - String auditMessage = null; String auditSubjectID = auditSubjectID(); - String auditRecoveryID = reqID; + RequestId auditRecoveryID = new RequestId(reqID); String auditAgents = ILogger.SIGNED_AUDIT_EMPTY_VALUE; + KeyId keyID = null; IRequestQueue queue = null; IRequest r = null; @@ -1129,6 +1123,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove r = queue.findRequest(new RequestId(reqID)); auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); + keyID = new KeyId(r.getExtDataInBigInteger("serialNumber")); // set transient parameters params = createVolatileRequest(r.getRequestId()); 
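Review bot: `keyID = new KeyId(r.getExtDataInBigInteger("serialNumber"));` in the third hunk uses a string literal for the attribute that SecurityDataProcessor reads through `ATTR_SERIALNO` in the earlier patch of this series; if that constant names the same attribute, using it here keeps the two call sites from drifting apart. When the attribute is absent `getExtDataInBigInteger` presumably returns null, and the behaviour of `KeyId(BigInteger)` on null is not visible here — worth confirming it yields a null key rather than throwing before the FAILURE event is emitted. In the first hunk `auditRecoveryID` may still be null inside the catch when the failure happens before `r.getRequestId()` is captured, where the old code logged "undefined"; that is acceptable only if the event formatter renders a null RequestId readably. Both enclosing methods begin outside these hunks.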
@@ -1147,42 +1142,36 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove byte pkcs12[] = (byte[]) params.get( RecoveryService.ATTR_PKCS12); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.SUCCESS, auditRecoveryID, - auditAgents); - - audit(auditMessage); + keyID, + null, + auditAgents)); destroyVolatileRequest(r.getRequestId()); return pkcs12; } else { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, - auditSubjectID, - ILogger.FAILURE, - auditRecoveryID, - auditAgents); - - audit(auditMessage); - - throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); - } - } catch (EBaseException eAudit1) { - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC, + audit(new SecurityDataRecoveryProcessedEvent( auditSubjectID, ILogger.FAILURE, auditRecoveryID, - auditAgents); + keyID, + r.getExtDataInString(IRequest.ERROR), + auditAgents)); - audit(auditMessage); + throw new EBaseException(r.getExtDataInString(IRequest.ERROR)); + } + } catch (EBaseException eAudit1) { + audit(new SecurityDataRecoveryProcessedEvent( + auditSubjectID, + ILogger.FAILURE, + auditRecoveryID, + keyID, + eAudit1.getMessage(), + auditAgents)); throw eAudit1; } } diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index b85310c..5a01e13 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
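Review bot: In the else branch `r.getExtDataInString(IRequest.ERROR)` is read twice, once for the FAILURE event's reason and once for the thrown EBaseException; read it once into a local so the audited reason and the exception cannot diverge: `String error = r.getExtDataInString(IRequest.ERROR);` followed by `error` in both places. The catch block records `eAudit1.getMessage()` as the reason, which is null for an exception constructed without a message; `eAudit1.toString()` would at least carry the class name. The method ends after this hunk.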
@@ -1991,15 +1991,6 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made # -# -# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC -# - used when asynchronous key recovery request is made -# RequestID must be the recovery request ID -# PubKey must be the base-64 encoded public key associated with -# the private key to be recovered -# -LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][PubKey={3}] asynchronous key recovery request made -# # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN # - used when DRM agents login as recovery agents to approve # key recovery requests @@ -2009,14 +2000,6 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4=:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login # -# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC -# - used when key recovery request is processed -# RequestID must be the recovery request ID -# RecoveryAgents must be a comma-separated list of -# UIDs of the recovery agents approving this request -# -LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4=:[AuditEvent=KEY_RECOVERY_REQUEST_PROCESSED_ASYNC][SubjectID={0}][Outcome={1}][RequestID={2}][RecoveryAgents={3}] asynchronous key recovery request processed -# # LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC # - used when asymmetric keys are generated # (like when CA certificate requests are generated - -- 1.8.3.1 From 0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 Mon Sep 17 00:00:00 2001 
From: Ade Lee Date: Thu, 18 May 2017 01:27:12 -0400 Subject: [PATCH 06/38] Encapsulate key retrieval audit events Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c --- .../com/netscape/certsrv/logging/AuditEvent.java | 6 -- .../logging/event/SecurityDataExportEvent.java | 70 ++++++++++++++++++++++ base/kra/shared/conf/CS.cfg | 4 +- .../src/com/netscape/kra/NetkeyKeygenService.java | 18 +++--- .../org/dogtagpki/server/kra/rest/KeyService.java | 14 ++--- .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 25 ++++---- .../src/com/netscape/cms/servlet/key/GetPk12.java | 26 ++++---- base/server/cmsbundle/src/LogMessages.properties | 26 ++------ 8 files changed, 117 insertions(+), 72 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index 03340e1..45907d0 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java 
@@ -72,10 +72,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String LOG_PATH_CHANGE = "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4"; - public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4"; public final static String SERVER_SIDE_KEYGEN_REQUEST = "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = @@ -170,8 +166,6 @@ public class AuditEvent implements IBundleLogEvent { public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; - public final static String SECURITY_DATA_RETRIEVE_KEY = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5"; public final static String KEY_STATUS_CHANGE = "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java new file mode 100644 index 0000000..a2c7939 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataExportEvent.java 
@@ -0,0 +1,70 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.dbs.keydb.KeyId; +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; + +public class SecurityDataExportEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY"; + + public SecurityDataExportEvent( + String subjectID, + String outcome, + RequestId recoveryID, + KeyId keyID, + String failureReason, + String pubKey) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + recoveryID, + keyID, + failureReason, + pubKey + }); + } + + public SecurityDataExportEvent( + String subjectID, + String outcome, + String recoveryID, + KeyId keyID, + String failureReason, + String pubKey) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + recoveryID, + keyID, + failureReason, + pubKey + }); + } +} \ No newline at end of file diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index 90ef4bc..298e35a 100644 --- a/base/kra/shared/conf/CS.cfg 
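Review bot: SecurityDataExportEvent carries no Javadoc, and its two constructors differ only in whether `recoveryID` is a `RequestId` or a `String`, so any caller can place arbitrary text in the slot the message template labels RecoveryID (NetkeyKeygenService in this same patch passes `auditSubjectID` there). A class comment such as `/** Audit event for key material leaving the KRA, as used here for a recovered key returned to a client (GetPk12, GetAsyncPk12, KeyService) and for a server-side-generated private key wrapped for transport (NetkeyKeygenService); parameters map in order to the SubjectID, Outcome, RecoveryID, KeyID, Info and PubKey fields of LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY. */` plus a one-line note on the String overload naming the caller it exists for would make the field semantics reviewable. The file also ends without a trailing newline.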
+++ b/base/kra/shared/conf/CS.cfg 
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 5463b92..df42a4f 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java 
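Review bot: The new `log.instance.SignedAudit.events` line still lists `SECURITY_DATA_RETRIEVE_KEY` twice (once just before `SECURITY_DATA_EXPORT_KEY` and once after `ASYMKEY_GENERATION_REQUEST_PROCESSED`), although this patch removes that constant from AuditEvent and the `_005` available-events line above drops it; the enabled-events filter therefore names an event that can no longer be emitted. Change the first occurrence to read `...SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,...` and delete the second so that `events` matches `_005`. Since `events` decides which audit records are written, keeping it in step with the documented list is what lets a later review of this file trust it.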
@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; +import com.netscape.certsrv.logging.event.SecurityDataExportEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.security.IStorageKeyUnit; @@ -356,25 +357,26 @@ public class NetkeyKeygenService implements IService { if (wrappedPrivKeyString == null) { request.setExtData(IRequest.RESULT, Integer.valueOf(4)); CMS.debug("NetkeyKeygenService: failed generating wrapped private key"); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + audit(new SecurityDataExportEvent( agentId, ILogger.FAILURE, auditSubjectID, - PubKey); + null, + "NetkeyKeygenService: failed generating wrapped private key", + PubKey)); audit(auditMessage); return false; } else { request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + + audit(new SecurityDataExportEvent( agentId, ILogger.SUCCESS, auditSubjectID, - PubKey); - - audit(auditMessage); + null, + null, + PubKey)); } iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv); diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java index 7a21971..87e6f15 100644 --- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java 
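Review bot: In the second hunk the failure branch keeps the old context line `audit(auditMessage);` immediately after the new `audit(new SecurityDataExportEvent(...))` call, so every wrapped-private-key failure now writes the new event and then a second, stale message (whatever `auditMessage` last held; its declaration and earlier assignments are outside the hunk, so it may be null); delete that line as the success branch already does. Separately, both calls pass `auditSubjectID` in the String `recoveryID` slot, so the rendered RecoveryID field of a server-side keygen event carries the client/entity id rather than a recovery request id; if that is intended, a comment such as `// server-side keygen has no recovery request: RecoveryID carries the entity id` at the call site would stop a reader treating it as a mix-up. The enclosing method starts and ends outside the hunk.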
@@ -62,6 +62,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.kra.IKeyService; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataExportEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.RequestId; @@ -601,15 +602,14 @@ public class KeyService extends SubsystemService implements KeyResource { } public void auditRetrieveKey(String status, String reason) { - String msg = CMS.getLogMessage( - AuditEvent.SECURITY_DATA_RETRIEVE_KEY, + audit(new SecurityDataExportEvent( servletRequest.getUserPrincipal().getName(), status, - requestId != null ? requestId.toString(): "null", - keyId != null ? keyId.toString(): "null", - (reason != null) ? auditInfo + ";" + reason : auditInfo - ); - auditor.log(msg); + requestId, + keyId, + (reason != null) ? auditInfo + ";" + reason : auditInfo, + null + )); } public void auditRetrieveKey(String status) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java index f0065e1..b28132d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java @@ -35,8 +35,9 @@ import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.common.ICMSRequest; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataExportEvent; +import com.netscape.certsrv.request.RequestId; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; 
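Review bot: auditRetrieveKey now hands `requestId` and `keyId` to the event unconverted, dropping the explicit `requestId != null ? requestId.toString() : "null"` guards of the old code; that is only equivalent if the event's parameter formatting renders a null object as the text `null` (the formatter is outside this diff), otherwise the first error on a path with no request id would throw from inside the audit call and the failure would go unrecorded. The pre-existing `servletRequest.getUserPrincipal().getName()` has the same shape of risk for a caller without a principal. A one-line comment `// null requestId/keyId are rendered by the event formatter, not guarded here` would at least record the assumption.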
@@ -207,14 +208,13 @@ public class GetAsyncPk12 extends CMSServlet { resp.getOutputStream().write(pkcs12); mRenderResult = false; - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + audit(new SecurityDataExportEvent( agent, ILogger.SUCCESS, - reqID, - ""); - - audit(auditMessage); + new RequestId(reqID), + null, + null, + null)); return; } catch (IOException e) { @@ -233,14 +233,13 @@ public class GetAsyncPk12 extends CMSServlet { } if ((agent != null) && (reqID != null)) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + audit(new SecurityDataExportEvent( agent, ILogger.FAILURE, - reqID, - ""); - - audit(auditMessage); + new RequestId(reqID), + null, + null, + null)); } try { diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java index 9bb52cd..c878605 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java @@ -36,8 +36,9 @@ import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.common.ICMSRequest; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataExportEvent; +import com.netscape.certsrv.request.RequestId; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; 
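Review bot: In both GetAsyncPk12 hunks, and in the matching GetPk12 hunks in the next file, the audit call constructs `new RequestId(reqID)` from the request parameter inside the emission itself; if RequestId's String constructor parses the value (it is outside this diff), an unparseable id throws from the audit call — in the success branch after `resp.getOutputStream().write(pkcs12)` has already sent the key material, so an export happens with no SUCCESS record, and in the failure branch the FAILURE record is lost. Parse the id once, under the existing null check and before the PKCS#12 is generated, and reuse it in both audit calls, so a bad id fails before anything is written. The enclosing method starts outside the hunk.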
@@ -201,15 +202,13 @@ public class GetPk12 extends CMSServlet { resp.getOutputStream().write(pkcs12); mRenderResult = false; - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + audit(new SecurityDataExportEvent( agent, ILogger.SUCCESS, - recoveryID, - ""); - - audit(auditMessage); - + new RequestId(recoveryID), + null, + null, + null)); return; } catch (IOException e) { header.addStringValue(OUT_ERROR, @@ -227,14 +226,13 @@ public class GetPk12 extends CMSServlet { } if ((agent != null) && (recoveryID != null)) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + audit(new SecurityDataExportEvent( agent, ILogger.FAILURE, - recoveryID, - ""); - - audit(auditMessage); + new RequestId(recoveryID), + null, + null, + null)); } try { diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 5a01e13..9cdcae6 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
@@ -1943,26 +1943,6 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA # -- feature disabled -- #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt # -# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS -# - used when user private key export request is made and processed with success -# - this is used in case of server-side keygen when keys generated on the server -# need to be transported back to the client -# EntityID must be the id that represents the client -# PubKey must be the base-64 encoded public key associated with -# the private key to be archived -# -LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with success -# -# LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE -# - used when user private key export request is made and processed with failure -# - this is used in case of server-side keygen when keys generated on the server -# need to be transported back to the client -# EntityID must be the id that represents the client -# PubKey must be the base-64 encoded public key associated with -# the private key to be archived -# -LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4=:[AuditEvent=PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] private key export request processed with failure -# # LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST # - used when server-side key generation request is made # This is for tokenkeys 
@@ -2476,9 +2456,11 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=:[AuditEvent=SECURITY_DATA_RETRIEVE_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}] security data retrieval request +LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request # # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE # - used when modify key status is executed -- 1.8.3.1 From 8016ed7972d9211e7f0db14e45bc9658a7b292ef Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Mon, 22 May 2017 22:34:58 +0200 Subject: [PATCH 07/38] Enabling all subsystems on startup. The operations script has been modified to enable all subsystems on startup by default. If the selftest fails, the subsystem will be shutdown again automatically as before. A pki.conf option has been added to configure this behavior. https://pagure.io/dogtagpki/issue/2699 Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50 --- base/common/share/etc/pki.conf | 6 +++ base/server/python/pki/server/cli/subsystem.py | 58 +++++++++++++++++++------- base/server/scripts/operations | 14 +++++-- 3 files changed, 59 insertions(+), 19 deletions(-) diff --git a/base/common/share/etc/pki.conf b/base/common/share/etc/pki.conf index e9b5522..14bb8dd 100644 --- a/base/common/share/etc/pki.conf +++ b/base/common/share/etc/pki.conf @@ -60,3 +60,9 @@ export SSL_CIPHERS # Key Wrapping: AES KeyWrap with Padding KEY_WRAP_PARAMETER_SET=1 export KEY_WRAP_PARAMETER_SET + +# Auto-enable subsystems +# This boolean parameter determines whether to automatically enable all +# subsystems on startup. +PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS="true" +export PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py index ee5d2d2..8395bd2 100644 --- a/base/server/python/pki/server/cli/subsystem.py 
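Review bot: The new `LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY` entry has no descriptive comment block, although the two PRIVATE_KEY_EXPORT_* entries it replaces (removed in the previous hunk) each documented when the event fires and what EntityID and PubKey must contain, and its trailing description `security data retrieval request` is copied from the RETRIEVE_KEY message even though the event now also covers server-side keygen exports. Add a header comment in the style of the neighbouring entries stating that the event is logged when a key leaves the KRA (recovery retrieval or server-side keygen transport), which caller fills RecoveryID and with what, that Info carries the failure reason, and that PubKey is the base-64 public key of the exported private key; and change the description to `security data export`. The old `LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5` entry appears to remain as context while its Java constant is removed in this patch; if nothing references it any more it should go as well.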
+++ b/base/server/python/pki/server/cli/subsystem.py @@ -200,7 +200,7 @@ class SubsystemEnableCLI(pki.cli.CLI): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', + 'instance=', 'all', 'verbose', 'help']) except getopt.GetoptError as e: @@ -209,11 +209,15 @@ class SubsystemEnableCLI(pki.cli.CLI): sys.exit(1) instance_name = 'pki-tomcat' + all_subsystems = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a + elif o == '--all': + all_subsystems = True + elif o in ('-v', '--verbose'): self.set_verbose(True) @@ -226,13 +230,6 @@ class SubsystemEnableCLI(pki.cli.CLI): self.usage() sys.exit(1) - if len(args) != 1: - print('ERROR: missing subsystem ID') - self.usage() - sys.exit(1) - - subsystem_name = args[0] - instance = pki.server.PKIInstance(instance_name) if not instance.is_valid(): @@ -241,6 +238,22 @@ class SubsystemEnableCLI(pki.cli.CLI): instance.load() + if all_subsystems: + for subsystem in instance.subsystems: + if not subsystem.is_enabled(): + subsystem.enable() + + self.print_message('Enabled all subsystems') + + return + + if len(args) != 1: + print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] + subsystem = instance.get_subsystem(subsystem_name) if not subsystem: print('ERROR: No %s subsystem in instance ' @@ -276,7 +289,7 @@ class SubsystemDisableCLI(pki.cli.CLI): try: opts, args = getopt.gnu_getopt(argv, 'i:v', [ - 'instance=', + 'instance=', 'all', 'verbose', 'help']) except getopt.GetoptError as e: @@ -285,11 +298,15 @@ class SubsystemDisableCLI(pki.cli.CLI): sys.exit(1) instance_name = 'pki-tomcat' + all_subsystems = False for o, a in opts: if o in ('-i', '--instance'): instance_name = a + elif o == '--all': + all_subsystems = True + elif o in ('-v', '--verbose'): self.set_verbose(True) 
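Review bot: In the `--all` branch of SubsystemEnableCLI (hunk @@ -241) a positional subsystem ID given together with `--all` is silently ignored, because the `len(args) != 1` check now runs only after the early `return`; the same holds for SubsystemDisableCLI (@@ -317 on the next line). Reject the combination up front with `if all_subsystems and args:` followed by `print('ERROR: --all cannot be combined with a subsystem ID')`, `self.usage()` and `sys.exit(1)`. None of the hunks here touch either class's usage text, so `--all` also appears undocumented unless that lives in a hunk not shown.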
@@ -302,13 +319,6 @@ class SubsystemDisableCLI(pki.cli.CLI): self.usage() sys.exit(1) - if len(args) != 1: - print('ERROR: missing subsystem ID') - self.usage() - sys.exit(1) - - subsystem_name = args[0] - instance = pki.server.PKIInstance(instance_name) if not instance.is_valid(): @@ -317,6 +327,22 @@ class SubsystemDisableCLI(pki.cli.CLI): instance.load() + if all_subsystems: + for subsystem in instance.subsystems: + if subsystem.is_enabled(): + subsystem.disable() + + self.print_message('Disabled all subsystems') + + return + + if len(args) != 1: + print('ERROR: missing subsystem ID') + self.usage() + sys.exit(1) + + subsystem_name = args[0] + subsystem = instance.get_subsystem(subsystem_name) if not subsystem: print('ERROR: No %s subsystem in instance ' diff --git a/base/server/scripts/operations b/base/server/scripts/operations index 5b50178..907dd0e 100644 --- a/base/server/scripts/operations +++ b/base/server/scripts/operations @@ -30,11 +30,14 @@ # 200-254 reserved # -# Read default PKI configuration. +# default PKI configuration . /usr/share/pki/etc/pki.conf -# Read user-defined PKI configuration. -. /etc/pki/pki.conf +# system-wide PKI configuration +if [ -f /etc/pki/pki.conf ] +then + . /etc/pki/pki.conf +fi default_error=0 @@ -1294,6 +1297,11 @@ EOF /var/lib/pki/$PKI_INSTANCE_NAME/conf/custom.policy > \ /var/lib/pki/$PKI_INSTANCE_NAME/conf/catalina.policy + if [ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ] ; then + # enable all subsystems + pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all + fi + # We no longer start tomcat instances here. # instead we rely on the tomcat unit scripts -- 1.8.3.1 From 3027b565320c96857b7f7fdffed9a5fbec084bab Mon Sep 17 00:00:00 2001 
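Review bot: The operations hunk @@ -1294 runs `pki-server subsystem-enable -i "$PKI_INSTANCE_NAME" --all` without checking its exit status, so a failure to enable (bad instance name, unreadable CS.cfg) is silent and startup continues as if every subsystem were enabled; at minimum append `|| echo "WARNING: failed to enable subsystems of $PKI_INSTANCE_NAME" >&2` to that line. The guard `[ "${PKI_SERVER_AUTO_ENABLE_SUBSYSTEMS}" = "true" ]` is an exact, case-sensitive match, so a value such as `True` or `yes` in /etc/pki/pki.conf silently disables the feature; the pki.conf comment on the previous line should say `# Set to exactly "true" to enable; any other value disables.` The enclosing function of this hunk starts outside it.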
From: Ade Lee Date: Thu, 18 May 2017 16:05:07 -0400 Subject: [PATCH 08/38] Fix auditing in retrieveKey The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182 --- .../logging/event/SecurityDataInfoEvent.java | 49 ++++++++++++ base/kra/shared/conf/CS.cfg | 2 +- .../org/dogtagpki/server/kra/rest/KeyService.java | 88 +++++++++++++++++----- base/server/cmsbundle/src/LogMessages.properties | 12 ++- 4 files changed, 132 insertions(+), 19 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java new file mode 100644 index 0000000..82c049e --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataInfoEvent.java 
@@ -0,0 +1,49 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.dbs.keydb.KeyId; +import com.netscape.certsrv.logging.AuditEvent; + +public class SecurityDataInfoEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO"; + + public SecurityDataInfoEvent( + String subjectID, + String outcome, + KeyId keyID, + String clientKeyID, + String failureReason, + String pubKey) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + keyID, + clientKeyID, + failureReason, + pubKey + }); + } +} \ No newline at end of file diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg index 298e35a..4b6ff74 100644 --- a/base/kra/shared/conf/CS.cfg +++ b/base/kra/shared/conf/CS.cfg 
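Review bot: SecurityDataInfoEvent has no Javadoc, so the meaning of `clientKeyID`, `failureReason` and `pubKey`, and the fact that the commit message expects this event to fire once per record of a key listing and to be off by default (this patch adds it only to the `_005` available-events line of CS.cfg, not to `events`), is invisible to the next caller. Suggested class comment: `/** Audit event for a read of key-record metadata (KeyInfo) from the KRA. Emitted per record returned, so it is high-volume and is not in the default enabled-events list; parameters map in order to subjectID, outcome, keyID, clientKeyID, failureReason and pubKey of LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO. */`. The file also ends without a trailing newline.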
@@ -300,7 +300,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java index 87e6f15..52799e6 100644 --- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java @@ -63,6 +63,9 @@ import com.netscape.certsrv.kra.IKeyService; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataExportEvent; +import com.netscape.certsrv.logging.event.SecurityDataInfoEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.RequestId; 
@@ -92,6 +95,7 @@ public class KeyService extends SubsystemService implements KeyResource { private RequestId requestId; private KeyId keyId; private String auditInfo; + private String approvers; public KeyService() { kra = ( IKeyRecoveryAuthority ) CMS.getSubsystem( "kra" ); @@ -112,12 +116,14 @@ public class KeyService extends SubsystemService implements KeyResource { @Override public Response retrieveKey(KeyRecoveryRequest data) { try { - return retrieveKeyImpl(data); + Response response = retrieveKeyImpl(data); + auditRetrieveKey(ILogger.SUCCESS); + return response; } catch(RuntimeException e) { - auditError(e.getMessage()); + auditRetrieveKeyError(e.getMessage()); throw e; } catch (Exception e) { - auditError(e.getMessage()); + auditRetrieveKeyError(e.getMessage()); throw new PKIException(e.getMessage(), e); } } @@ -191,17 +197,20 @@ public class KeyService extends SubsystemService implements KeyResource { try { queue.updateRequest(request); } catch (EBaseException e) { + auditRecoveryRequest(ILogger.FAILURE); e.printStackTrace(); throw new PKIException(e.getMessage(), e); } CMS.debug("Returning created recovery request"); - auditRetrieveKey(ILogger.SUCCESS, "Created recovery request"); + auditRecoveryRequest(ILogger.SUCCESS); KeyData keyData = new KeyData(); keyData.setRequestID(requestId); return createOKResponse(keyData); } + + auditRecoveryRequest(ILogger.SUCCESS); } data.setRequestId(requestId); 
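Review bot: `retrieveKey` now emits `auditRetrieveKey(ILogger.SUCCESS)` for every non-throwing return of `retrieveKeyImpl`, yet the `@@ -191` hunk on this same line shows a path that returns only a freshly created recovery request (a `KeyData` carrying just the request ID, no key material); if that branch lives inside `retrieveKeyImpl`, as the line numbers suggest, each such call writes a SECURITY_DATA_EXPORT_KEY success record for a key that was never exported. That branch already audits itself with `auditRecoveryRequest(ILogger.SUCCESS)`, so the export-key success belongs next to the real key return in the `@@ -226` hunk (where the old `auditRetrieveKey(ILogger.SUCCESS)` was dropped), or `retrieveKey` should audit only when the response actually carries key data. Either way a one-line comment at the new call, e.g. `// SECURITY_DATA_EXPORT_KEY success: only reached when key material was returned`, would pin the intended contract. The body of `retrieveKeyImpl` starts and ends outside these hunks.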
@@ -226,15 +235,19 @@ public class KeyService extends SubsystemService implements KeyResource { throw new BadRequestException("Invalid request type: " + type); } } catch (Exception e) { + auditRecoveryRequestProcessed(ILogger.FAILURE, e.getMessage()); throw new PKIException(e.getMessage(), e); } if (keyData == null) { + auditRecoveryRequestProcessed(ILogger.FAILURE, "No key record"); throw new HTTPGoneException("No key record."); } + approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS); + auditRecoveryRequestProcessed(ILogger.SUCCESS, null); + CMS.debug("KeyService: key retrieved"); - auditRetrieveKey(ILogger.SUCCESS); return createOKResponse(keyData); } @@ -408,10 +421,8 @@ public class KeyService extends SubsystemService implements KeyResource { try { return createOKResponse(listKeyInfos(clientKeyID, status, maxResults, maxTime, start, size, realm)); } catch (RuntimeException e) { - auditError(e.getMessage()); throw e; } catch (Exception e) { - auditError(e.getMessage()); throw new PKIException(e.getMessage(), e); } } @@ -449,7 +460,6 @@ public class KeyService extends SubsystemService implements KeyResource { try { Enumeration e = repo.searchKeys(filter, maxResults, maxTime); if (e == null) { - auditRetrieveKey(ILogger.SUCCESS); return infos; } @@ -458,7 +468,11 @@ public class KeyService extends SubsystemService implements KeyResource { while (e.hasMoreElements()) { IKeyRecord rec = e.nextElement(); if (rec == null) continue; - results.add(createKeyDataInfo(rec, false)); + + KeyInfo info = createKeyDataInfo(rec, false); + results.add(info); + + auditKeyInfoSuccess(info.getKeyId(), null); } int total = results.size(); @@ -482,7 +496,6 @@ public class KeyService extends SubsystemService implements KeyResource { } catch (EBaseException e) { throw new PKIException(e.getMessage(), e); } - auditRetrieveKey(ILogger.SUCCESS); return infos; } 
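Review bot: In the `@@ -226` hunk the `approvers` field is assigned only after the null-record check, so the two `auditRecoveryRequestProcessed(ILogger.FAILURE, ...)` calls above it build their SECURITY_DATA_RECOVERY_REQUEST_PROCESSED record from whatever `approvers` held before — null on a fresh instance, or a previous request's value if the resource instance is reused. If `request` is already resolved at that point, move `approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);` above the `try`, or pass the approver list to the audit helper as an argument rather than through instance state. The same field hand-off is used for `requestId`, `keyId` and `auditInfo`, so the accuracy of these audit records depends on `KeyService` being instantiated per request; that assumption deserves a comment on the field declarations in the `@@ -92` hunk (L103). The enclosing method starts outside the hunk.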
@@ -492,10 +505,10 @@ public class KeyService extends SubsystemService implements KeyResource { try { return getActiveKeyInfoImpl(clientKeyID); } catch (RuntimeException e) { - auditError(e.getMessage()); + auditKeyInfoError(null, clientKeyID, e.getMessage()); throw e; } catch (Exception e) { - auditError(e.getMessage()); + auditKeyInfoError(null, clientKeyID, e.getMessage()); throw new PKIException(e.getMessage(), e); } } @@ -531,7 +544,7 @@ public class KeyService extends SubsystemService implements KeyResource { throw new PKIException(e.toString(), e); } - auditRetrieveKey(ILogger.SUCCESS); + auditKeyInfoSuccess(info.getKeyId(), clientKeyID); return createOKResponse(info); } @@ -616,11 +629,31 @@ public class KeyService extends SubsystemService implements KeyResource { auditRetrieveKey(status, null); } - public void auditError(String message) { + public void auditRetrieveKeyError(String message) { CMS.debug(message); auditRetrieveKey(ILogger.FAILURE, message); } + public void auditKeyInfo(KeyId keyId, String clientKeyId, String status, String reason) { + audit(new SecurityDataInfoEvent( + servletRequest.getUserPrincipal().getName(), + status, + keyId, + clientKeyId, + (reason != null) ? auditInfo + ";" + reason : auditInfo, + null + )); + } + + public void auditKeyInfoSuccess(KeyId keyid, String clientKeyId) { + auditKeyInfo(keyId, clientKeyId, ILogger.SUCCESS, null); + } + + public void auditKeyInfoError(KeyId keyId, String clientKeyId, String message) { + CMS.debug(message); + auditKeyInfo(keyId, clientKeyId, ILogger.FAILURE, message); + } + public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, String newKeyStatus, String info) { String msg = CMS.getLogMessage( 
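Review bot: `auditKeyInfoSuccess(KeyId keyid, String clientKeyId)` in the `@@ -616` hunk never uses its `keyid` parameter — the call `auditKeyInfo(keyId, clientKeyId, ILogger.SUCCESS, null)` reads the instance field `keyId` instead — so the SECURITY_DATA_INFO record can name the wrong key. This bites hardest in the listing loop of the `@@ -458` hunk (L104), which calls `auditKeyInfoSuccess(info.getKeyId(), null)` once per record and would stamp every entry with the field's value rather than the key listed; `getKeyInfoImpl` happens to pass the field itself, which hides the bug there. Fix the parameter name so it shadows the field: `public void auditKeyInfoSuccess(KeyId keyId, String clientKeyId) {`. `auditKeyInfo` also hands `null` to the last event slot (PubKey); a comment such as `// PubKey slot left empty: metadata lookups return no key material` would stop readers from treating that as an omission.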
@@ -634,6 +667,27 @@ public class KeyService extends SubsystemService implements KeyResource { auditor.log(msg); } + public void auditRecoveryRequest(String status) { + audit(new SecurityDataRecoveryEvent( + servletRequest.getUserPrincipal().getName(), + status, + requestId, + keyId, + null + )); + } + + public void auditRecoveryRequestProcessed(String status, String reason) { + audit(new SecurityDataRecoveryProcessedEvent( + servletRequest.getUserPrincipal().getName(), + status, + requestId, + keyId, + (reason != null) ? auditInfo + ";" + reason : auditInfo, + approvers + )); + } + /** * Used to retrieve a key * @param data @@ -697,10 +751,10 @@ public class KeyService extends SubsystemService implements KeyResource { try { return getKeyInfoImpl(keyId); } catch (RuntimeException e) { - auditError(e.getMessage()); + auditKeyInfoError(keyId, null, e.getMessage()); throw e; } catch (Exception e) { - auditError(e.getMessage()); + auditKeyInfoError(keyId, null, e.getMessage()); throw new PKIException(e.getMessage(), e); } } @@ -715,7 +769,7 @@ public class KeyService extends SubsystemService implements KeyResource { rec = repo.readKeyRecord(keyId.toBigInteger()); authz.checkRealm(rec.getRealm(), getAuthToken(), rec.getOwnerName(), "certServer.kra.key", "read"); KeyInfo info = createKeyDataInfo(rec, true); - auditRetrieveKey(ILogger.SUCCESS); + auditKeyInfoSuccess(keyId, null); return createOKResponse(info); } catch (EAuthzAccessDenied e) { diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 9cdcae6..3b998d9 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
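Review bot: The new `auditRecoveryRequest` and `auditRecoveryRequestProcessed` helpers in the `@@ -634` hunk have no Javadoc, and both depend on instance fields (`requestId`, `keyId`, `auditInfo`, `approvers`) having been populated by the caller, which the signatures do not reveal. Suggest a Javadoc on each naming the event it emits and the fields it expects to be set, e.g. `/** Logs SECURITY_DATA_RECOVERY_REQUEST_PROCESSED; requires requestId, keyId and approvers to be set by the caller. A non-null reason is appended to auditInfo. */`. Both helpers also call `servletRequest.getUserPrincipal().getName()` unconditionally; if any of these endpoints can be reached without an authenticated principal, that becomes a NullPointerException thrown from inside the audit path, so it is worth confirming that the authentication filter guarantees a principal here and saying so in the Javadoc.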
@@ -2451,7 +2451,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change # -# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY +# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY # - used when user attempts to retrieve key after the recovery request # has been approved. # @@ -2462,6 +2462,16 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4=:[AuditEvent=SECURITY_DATA_EXPORT_KEY][SubjectID={0}][Outcome={1}][RecoveryID={2}][KeyID={3}][Info={4}][PubKey={5}] security data retrieval request # +# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO +# - used when user attempts to get metadata information about a key +# +# RecoveryID must be the recovery request ID +# KeyID is the key being retrieved +# Info is the failure reason if the export fails. +# PubKey is the public key for the private key being retrieved +# +LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO][SubjectID={0}][Outcome={1}][KeyID={2}][ClientKeyId={3}[Info={4}][PubKey={5}] security data info request +# # LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE # - used when modify key status is executed # keyID must be an existing key id in the database -- 1.8.3.1 From f40d0aaf446b162994e9c8598a7b00a6d4c906f2 Mon Sep 17 00:00:00 2001 
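Review bot: The new `LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO` format in the `@@ -2462` hunk is missing the closing bracket after `{3}` (`[ClientKeyId={3}[Info={4}]`), so every SECURITY_DATA_INFO record is emitted with a malformed attribute and any consumer that parses the bracketed fields of the signed audit log will mis-read ClientKeyId and Info. The line should read `LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SECURITY_DATA_INFO][SubjectID={0}][Outcome={1}][KeyID={2}][ClientKeyId={3}][Info={4}][PubKey={5}] security data info request`. The accompanying comment was copied from the EXPORT_KEY entry: it describes a `RecoveryID` the format does not contain and calls Info the reason "if the export fails"; it should document ClientKeyId and describe Info as the failure reason of the metadata lookup. Since KeyService passes null for PubKey (L105), the comment could also say that slot is currently unused.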
From: Ade Lee Date: Tue, 23 May 2017 10:01:47 -0400 Subject: [PATCH 09/38] Encapsulate recovery request approval audit logs The audit logs where an agent grants an asynchronous recovery request and the case where recovery request is appproved from the REST API are consolidated and encapsulated in a class. Change-Id: I237c1dcfc413012d421f3ccc64e21c7caf5a7701 --- .../com/netscape/certsrv/logging/AuditEvent.java | 2 - .../SecurityDataRecoveryStateChangeEvent.java | 45 +++++++++++++++ .../server/kra/rest/KeyRequestService.java | 9 ++- .../cms/servlet/key/GrantAsyncRecovery.java | 65 ++++------------------ base/server/cmsbundle/src/LogMessages.properties | 2 +- 5 files changed, 61 insertions(+), 62 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index 45907d0..891398d 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -164,8 +164,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String CONFIG_SERIAL_NUMBER = "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE = - "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4"; public final static String KEY_STATUS_CHANGE = "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java new file mode 100644 index 0000000..d0e97f8 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataRecoveryStateChangeEvent.java 
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.request.RequestId;
+
+public class SecurityDataRecoveryStateChangeEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ private static final String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE";
+
+ public SecurityDataRecoveryStateChangeEvent(
+ String subjectID,
+ String outcome,
+ RequestId recoveryID,
+ String operation) {
+
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ recoveryID,
+ operation
+ });
+ }
+}
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index a2d01f1..12040e0 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
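Review bot: `SecurityDataRecoveryStateChangeEvent` has no class or constructor Javadoc, so the meaning and order of its four parameters, and which `LogMessages.properties` placeholders they fill, must be recovered from the property string. Suggest a class Javadoc naming the event and the placeholder mapping, e.g. `/** SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE audit event: subjectID -> {0}, outcome -> {1}, recoveryID -> {2}, operation -> {3}. */`. The constructor stores `recoveryID` as a `RequestId` object rather than a string, presumably relying on the message formatter calling `toString()` on it; that is worth stating in the constructor Javadoc, since the previous call site in `KeyRequestService` passed `requestId.toString()` explicitly.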
@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; import com.netscape.cms.realm.PKIPrincipal; @@ -336,13 +337,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes } public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) { - String msg = CMS.getLogMessage( - AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE, + audit(new SecurityDataRecoveryStateChangeEvent( getRequestor(), status, - requestId.toString(), - operation); - auditor.log(msg); + requestId, + operation)); } public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) { diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java index c410525..2a50067 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java @@ -34,8 +34,9 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.common.ICMSRequest; import com.netscape.certsrv.kra.IKeyService; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; +import com.netscape.certsrv.request.RequestId; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; 
@@ -194,32 +195,7 @@ public class GrantAsyncRecovery extends CMSServlet { String agentID, HttpServletRequest req, HttpServletResponse resp, Locale locale) { - String auditMessage = null; String auditSubjectID = auditSubjectID(); - String auditRequestID = reqID; - String auditAgentID = agentID; - - // "normalize" the "reqID" - if (auditRequestID != null) { - auditRequestID = auditRequestID.trim(); - - if (auditRequestID.equals("")) { - auditRequestID = ILogger.UNIDENTIFIED; - } - } else { - auditRequestID = ILogger.UNIDENTIFIED; - } - - // "normalize" the "auditAgentID" - if (auditAgentID != null) { - auditAgentID = auditAgentID.trim(); - - if (auditAgentID.equals("")) { - auditAgentID = ILogger.UNIDENTIFIED; - } - } else { - auditAgentID = ILogger.UNIDENTIFIED; - } try { header.addStringValue(OUT_OP, 
@@ -233,40 +209,21 @@ public class GrantAsyncRecovery extends CMSServlet { header.addStringValue("requestID", reqID); header.addStringValue("agentID", agentID); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.SUCCESS, - auditRequestID, - auditAgentID); - audit(auditMessage); - - } catch (EBaseException e) { - header.addStringValue(OUT_ERROR, e.toString(locale)); - - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_AGENT_LOGIN, + audit(new SecurityDataRecoveryStateChangeEvent( auditSubjectID, - ILogger.FAILURE, - auditRequestID, - auditAgentID); + ILogger.SUCCESS, + new RequestId(reqID), + "approve")); - audit(auditMessage); } catch (Exception e) { header.addStringValue(OUT_ERROR, e.toString()); - // store a message in the signed audit log file - auditMessage = CMS.getLogMessage( - AuditEvent.KEY_RECOVERY_AGENT_LOGIN, - auditSubjectID, - ILogger.FAILURE, - auditRequestID, - auditAgentID); - - audit(auditMessage); + audit(new SecurityDataRecoveryStateChangeEvent( + auditSubjectID, + ILogger.FAILURE, + new RequestId(reqID), + "approve")); } } } diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 3b998d9..44eec23 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
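Review bot: In the `@@ -233` hunk both the success and the failure audit construct `new RequestId(reqID)` inline, while the `@@ -194` hunk (L111) removed the normalization that previously substituted `ILogger.UNIDENTIFIED` for a null or blank `reqID`; if `RequestId`'s constructor rejects such input, the catch block throws again from inside its own audit call and the failed approval leaves no SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE record at all, which is precisely the case an audit trail must capture. Build the id once before the `try` and guard it, e.g. `RequestId auditRequestId = (reqID == null || reqID.trim().isEmpty()) ? null : new RequestId(reqID.trim());`, and let both events use it, or give the event a String-based overload that can carry `ILogger.UNIDENTIFIED`. The `agentID` argument is also no longer part of the audit record (only `auditSubjectID` is), so if the two can differ that information is lost, and folding the `EBaseException` catch into the generic one drops the localized `e.toString(locale)` message. The enclosing method's signature lies outside this hunk.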
@@ -2449,7 +2449,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change +LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE][SubjectID={0}][Outcome={1}][RecoveryID={2}][Operation={3}] security data recovery request state change # # LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY # - used when user attempts to retrieve key after the recovery request -- 1.8.3.1 From 6dd0800d8bb24d9d2d3f9e377a90f641612c7c78 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 20 May 2017 02:37:18 +0200 Subject: [PATCH 10/38] Moved TokenServlet into pki-tks package. The TokenServlet has been moved into pki-tks package in order to use the JssSubsystem in pki-cmscore package. Some constants in SecureChannelProtocol have been made public so they can be accessed by the TokenServlet. https://pagure.io/dogtagpki/issue/2695 Change-Id: I5542e5dcf09c3d081a131af042d833203bcc086c --- .../cms/servlet/tks/SecureChannelProtocol.java | 27 +- .../com/netscape/cms/servlet/tks/TokenServlet.java | 3223 ------------------- base/tks/shared/webapps/tks/WEB-INF/web.xml | 8 +- .../dogtagpki/server/tks/servlet/TokenServlet.java | 3226 ++++++++++++++++++++ 4 files changed, 3244 insertions(+), 3240 deletions(-) delete mode 100644 base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java create mode 100644 base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java index ef0c61b..0542470 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java +++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java 
@@ -25,12 +25,12 @@ import org.mozilla.jss.crypto.SymmetricKey.NotExtractableException; import org.mozilla.jss.crypto.SymmetricKeyDeriver; import org.mozilla.jss.crypto.TokenException; -import sun.security.pkcs11.wrapper.PKCS11Constants; - import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.cmsutil.crypto.CryptoUtil; +import sun.security.pkcs11.wrapper.PKCS11Constants; + public class SecureChannelProtocol { static String sharedSecretKeyName = null; @@ -47,17 +47,18 @@ public class SecureChannelProtocol { static final String DEFKEYSET_NAME = "defKeySet"; static int protocol = 1; - static final String encType = "enc"; - static final String macType = "mac"; - static final String kekType = "kek"; - static final String authType = "auth"; - static final String dekType = "dek"; - static final String rmacType = "rmac"; - static final int PROTOCOL_ONE = 1; - static final int PROTOCOL_TWO = 2; - static final int PROTOCOL_THREE = 3; - static final int HOST_CRYPTOGRAM = 0; - static final int CARD_CRYPTOGRAM = 1; + public static final String encType = "enc"; + public static final String macType = "mac"; + public static final String kekType = "kek"; + public static final String authType = "auth"; + public static final String dekType = "dek"; + public static final String rmacType = "rmac"; + public static final int PROTOCOL_ONE = 1; + public static final int PROTOCOL_TWO = 2; + public static final int PROTOCOL_THREE = 3; + public static final int HOST_CRYPTOGRAM = 0; + public static final int CARD_CRYPTOGRAM = 1; + //Size of long type in bytes, since java7 has no define for this static final int LONG_SIZE = 8; diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java deleted file mode 100644 index 1377055..0000000 --- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ /dev/null 
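Review bot: The `@@ -47` hunk widens `encType`, `macType`, `kekType`, `authType`, `dekType`, `rmacType` and the `PROTOCOL_*`/`*_CRYPTOGRAM` constants to `public` while keeping lowerCamelCase names on the string constants; once they are public API for the relocated `TokenServlet`, renaming them to `ENC_TYPE`, `MAC_TYPE` etc. would match the class's own convention (`DEFKEYSET_NAME`, `LONG_SIZE`) and is cheapest to do now, before more callers bind to them. If the rename is out of scope for this commit, a short comment above the group, e.g. `// Exposed for org.dogtagpki.server.tks.servlet.TokenServlet; names kept for compatibility`, would explain the mixed style. The `@@ -25` hunk only relocates the `sun.security.pkcs11.wrapper.PKCS11Constants` import, which is a JDK-internal package; a comment noting that the dependency is deliberate would help the next reader who meets a compiler warning on it.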
@@ -1,3223 +0,0 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// This program is free software; you can redistribute it and/or modify -// it under the terms of the GNU General Public License as published by -// the Free Software Foundation; version 2 of the License. -// -// This program is distributed in the hope that it will be useful, -// but WITHOUT ANY WARRANTY; without even the implied warranty of -// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -// GNU General Public License for more details. -// -// You should have received a copy of the GNU General Public License along -// with this program; if not, write to the Free Software Foundation, Inc., -// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. -// -// (C) 2007 Red Hat, Inc. -// All rights reserved. -// --- END COPYRIGHT BLOCK --- -package com.netscape.cms.servlet.tks; - -import java.io.ByteArrayOutputStream; -import java.io.IOException; -import java.io.OutputStream; -import java.security.PublicKey; -import java.security.SecureRandom; -import java.util.ArrayList; -import java.util.StringTokenizer; - -import javax.servlet.ServletConfig; -import javax.servlet.ServletException; -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.dogtagpki.server.connector.IRemoteRequest; -import org.mozilla.jss.CryptoManager; -import org.mozilla.jss.CryptoManager.NotInitializedException; -import org.mozilla.jss.crypto.CryptoToken; -import org.mozilla.jss.crypto.KeyWrapAlgorithm; -import org.mozilla.jss.crypto.KeyWrapper; -import org.mozilla.jss.crypto.SymmetricKey; -import org.mozilla.jss.crypto.X509Certificate; -import org.mozilla.jss.pkcs11.PK11SymKey; - -import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.base.IConfigStore; -import 
com.netscape.certsrv.base.IPrettyPrintFormat; -import com.netscape.certsrv.base.SessionContext; -import com.netscape.certsrv.logging.AuditEvent; -import com.netscape.certsrv.logging.ILogger; -import com.netscape.cms.servlet.base.CMSServlet; -import com.netscape.cms.servlet.common.CMSRequest; -import com.netscape.cmsutil.crypto.CryptoUtil; -import com.netscape.symkey.SessionKey; - -/** - * A class representings an administration servlet for Token Key - * Service Authority. This servlet is responsible to serve - * tks administrative operation such as configuration - * parameter updates. - * - * @version $Revision$, $Date$ - */ -public class TokenServlet extends CMSServlet { - /** - * - */ - private static final long serialVersionUID = 8687436109695172791L; - protected static final String PROP_ENABLED = "enabled"; - protected static final String TRANSPORT_KEY_NAME = "sharedSecret"; - private final static String INFO = "TokenServlet"; - public static int ERROR = 1; - String mKeyNickName = null; - String mNewKeyNickName = null; - String mCurrentUID = null; - IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); - - // Derivation Constants for SCP02 - public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 }; - public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 }; - public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 }; - public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 }; - - /** - * Constructs tks servlet. - */ - public TokenServlet() { - super(); - - } - - public static String trim(String a) { - StringBuffer newa = new StringBuffer(); - StringTokenizer tokens = new StringTokenizer(a, "\n"); - while (tokens.hasMoreTokens()) { - newa.append(tokens.nextToken()); - } - return newa.toString(); - } - - public void init(ServletConfig config) throws ServletException { - super.init(config); - } - - /** - * Returns serlvet information. 
- * - * @return name of this servlet - */ - public String getServletInfo() { - return INFO; - } - - /** - * Process the HTTP request. - * - * @param s The URL to decode. - */ - protected String URLdecode(String s) { - if (s == null) - return null; - ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); - - for (int i = 0; i < s.length(); i++) { - int c = s.charAt(i); - - if (c == '+') { - out.write(' '); - } else if (c == '%') { - int c1 = Character.digit(s.charAt(++i), 16); - int c2 = Character.digit(s.charAt(++i), 16); - - out.write((char) (c1 * 16 + c2)); - } else { - out.write(c); - } - } // end for - return out.toString(); - } - - private void setDefaultSlotAndKeyName(HttpServletRequest req) { - try { - - String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - CMS.debug("keySet selected: " + keySet); - - String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); - String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx - String keyInfoMap = "tks." + keySet + ".mk_mappings." + temp; - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - if (mappingValue != null) { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - int tokenNumber = 0; - while (st.hasMoreTokens()) { - - String currentToken = st.nextToken(); - if (tokenNumber == 1) - mKeyNickName = currentToken; - tokenNumber++; - - } - } - if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification - { - temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx - String newKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ temp; - String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); - if (newMappingValue != null) { - StringTokenizer st = new StringTokenizer(newMappingValue, ":"); - int tokenNumber = 0; - while (st.hasMoreTokens()) { - String currentToken = st.nextToken(); - if (tokenNumber == 1) - mNewKeyNickName = currentToken; - tokenNumber++; - - } - } - } - - CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix); - - SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix); - /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/ - - } catch (Exception e) { - e.printStackTrace(); - CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName"); - } - - } - - // AC: KDF SPEC CHANGE - read new setting value from config file - // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) - // CAREFUL: Result returned may be negative due to java's lack of unsigned types. - // Negative values need to be treated as higher key numbers than positive key numbers. - private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception { - String nistSP800_108KdfOnKeyVersion_map = "tks." 
+ keySet + ".nistSP800-108KdfOnKeyVersion"; - // KDF phase1: default to 00 - String nistSP800_108KdfOnKeyVersion_value = - CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); - short nistSP800_108KdfOnKeyVersion_short = 0; - // if value does not exist in file - if (nistSP800_108KdfOnKeyVersion_value == null) { - // throw - // (we want admins to pay attention to this configuration item rather than guessing for them) - throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map - + "\" missing from configuration file."); - } - // convert setting value (in ASCII-hex) to short - try { - nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); - if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) { - throw new Exception("Out of range."); - } - } catch (Throwable t) { - throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map - + "\" is in incorrect format. " + - "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map - + "=xx\" where xx is key version specified in ASCII-HEX format.", t); - } - // convert to byte (anything higher than 0x7F is represented as a negative) - byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short; - return nistSP800_108KdfOnKeyVersion_byte; - } - - // AC: KDF SPEC CHANGE - read new setting value from config file - // (This value allows configuration of the NIST SP800-108 KDF: - // If "true" we use the CUID parameter within the NIST SP800-108 KDF. - // If "false" we use the KDD parameter within the NIST SP800-108 KDF. - private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception { - String setting_map = "tks." 
+ keySet + ".nistSP800-108KdfUseCuidAsKdd"; - // KDF phase1: default to "false" - String setting_str = - CMS.getConfigStore().getString(setting_map, "false" /*null*/); - boolean setting_boolean = false; - // if value does not exist in file - if (setting_str == null) { - // throw - // (we want admins to pay attention to this configuration item rather than guessing for them) - throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); - } - // convert setting value to boolean - try { - setting_boolean = Boolean.parseBoolean(setting_str); - } catch (Throwable t) { - throw new Exception("Configuration value \"" + setting_map - + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); - } - return setting_boolean; - } - - // AC: KDF SPEC CHANGE - Audit logging helper functions. - // Converts a byte array to an ASCII-hex string. - // We implemented this ourselves rather than using this.pp.toHexArray() because - // the team preferred CUID and KDD strings to be without ":" separators every byte. - final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); - - private String bytesToHex(byte[] bytes) { - char[] hexChars = new char[bytes.length * 2]; - for (int i = 0; i < bytes.length; i++) { - int thisChar = bytes[i] & 0x000000FF; - hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 - hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; - } - return new String(hexChars); - } - - // AC: KDF SPEC CHANGE - Audit logging helper functions. - // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa - // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. - // Returns "null" if parameter is null. - // Returns "invalid" if parameter.length < 1 - private String log_string_from_keyInfo(byte[] xkeyInfo) { - return (xkeyInfo == null) ? "null" : (xkeyInfo.length < 1 ? 
"invalid" : "0x" - + Integer.toHexString((xkeyInfo[0]) & 0x000000FF)); - } - - // AC: KDF SPEC CHANGE - Audit logging helper functions. - // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. - // Parameters: - // specialDecoded - byte array containing data. May be null. - // Returns: - // if specialDecoded is blank, returns "null" - // if specialDecoded != null, returns - private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) { - if (specialDecoded == null) { - return "null"; - } else { - return bytesToHex(specialDecoded); - } - } - - /* Compute Session Key for SCP02 - * For simplicity compute just one session key,unless it is the DEK key case. - */ - - private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { - - CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering.."); - String auditMessage = null; - String errorMsg = ""; - String badParams = ""; - String transportKeyName = ""; - boolean missingParam = false; - String selectedToken = null; - String keyNickName = null; - byte[] drm_trans_wrapped_desKey = null; - - byte[] xKDD = null; - byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; - boolean nistSP800_108KdfUseCuidAsKdd = false; - - IConfigStore sconfig = CMS.getConfigStore(); - - boolean isCryptoValidate = false; - byte[] keyInfo, xCUID = null, session_key = null; - - Exception missingSettingException = null; - - String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); - - String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); - - String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - - if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { - badParams += " KeyInfo,"; - CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info"); - missingParam = true; - } - - keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - - String keySet = 
req.getParameter(IRemoteRequest.TOKEN_KEYSET); - - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo); - - boolean serversideKeygen = false; - - String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); - String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER); - - if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) { - badParams += " derivation_constant,"; - CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant."); - missingParam = true; - } - - if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) { - badParams += " sequence_counter,"; - CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter."); - missingParam = true; - } - - SessionContext sContext = SessionContext.getContext(); - - String agentId = ""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - auditMessage = CMS.getLogMessage( - AuditEvent.COMPUTE_SESSION_KEY_REQUEST, - rCUID, - rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
- ILogger.SUCCESS, - agentId); - - audit(auditMessage); - - if (!missingParam) { - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); - missingParam = true; - } - - if ((rKDD == null) || (rKDD.length() == 0)) { - CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); - badParams += " KDD,"; - missingParam = true; - } - - xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); - if (xKDD == null || xKDD.length != 10) { - badParams += " KDD length,"; - CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); - missingParam = true; - } - - keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - if (keyInfo == null || keyInfo.length != 2) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); - missingParam = true; - } - - try { - nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); - nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); - - // log settings read in to debug log along with xkeyInfo - CMS.debug("TokenServlet: ComputeSessionKeySCP02(): keyInfo[0] = 0x" - + Integer.toHexString((keyInfo[0]) & 0x0000000FF) - + ", xkeyInfo[1] = 0x" - + Integer.toHexString((keyInfo[1]) & 0x0000000FF) - ); - CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF will be used for key versions >= 0x" - + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) - ); - if (nistSP800_108KdfUseCuidAsKdd == true) { - CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); - } else { - CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use KDD."); - } - // conform to the 
set-an-error-flag mentality - } catch (Exception e) { - missingSettingException = e; - CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Exception reading Nist SP800-108 KDF config values: " - + e.toString()); - } - - } - - String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - if (mappingValue == null) { - selectedToken = - CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); - keyNickName = rKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - if (st.hasMoreTokens()) - selectedToken = st.nextToken(); - if (st.hasMoreTokens()) - keyNickName = st.nextToken(); - } - - keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx - try { - mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - } catch (EBaseException e1) { - - e1.printStackTrace(); - } - if (mappingValue == null) { - try { - selectedToken = - CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); - } catch (EBaseException e) { - - e.printStackTrace(); - } - keyNickName = rKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - if (st.hasMoreTokens()) - selectedToken = st.nextToken(); - if (st.hasMoreTokens()) - keyNickName = st.nextToken(); - } - - CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName); - String useSoftToken_s = null; - try { - useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - } catch (EBaseException e1) { - // TODO Auto-generated catch block - e1.printStackTrace(); - } - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; - - String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); - if (rServersideKeygen.equals("true")) { - CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested"); - serversideKeygen = true; - } 
else { - CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested"); - } - - transportKeyName = null; - try { - transportKeyName = getSharedSecretName(sconfig); - } catch (EBaseException e1) { - // TODO Auto-generated catch block - e1.printStackTrace(); - CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!"); - - } - - CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); - - try { - isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); - } catch (EBaseException eee) { - } - - byte macKeyArray[] = null; - byte sequenceCounter[] = null; - byte derivationConstant[] = null; - - boolean errorFound = false; - - String dek_wrapped_desKeyString = null; - String keycheck_s = null; - - if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) { - try { - macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + ".mac_key")); - - sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter); - derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant); - - //Use old style for the moment. 
- //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey - //Perform in next ticket to fully implement nistXP800 - - session_key = SessionKey.ComputeSessionKeySCP02( - selectedToken, keyNickName, - keyInfo, - nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value - nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant, - useSoftToken_s, keySet, - transportKeyName); - - if (session_key == null) { - CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL "); - throw new EBaseException("Can't compute session key for SCP02!"); - - } - - //Only do this for the dekSessionKey and if we are in the server side keygen case. - if (derivationConstant[0] == DEKDerivationConstant[0] - && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) { - - CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token."); - - /** - * 0. generate des key - * 1. encrypt des key with dek key - * 2. encrypt des key with DRM transport key - * These two wrapped items are to be sent back to - * TPS. 
2nd item is to DRM - **/ - - PK11SymKey desKey = null; - PK11SymKey dekKey = null; - - /*generate it on whichever token the master key is at*/ - if (useSoftToken_s.equals("true")) { - CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal"); - - desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME); - - } else { - CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on " - + selectedToken); - desKey = SessionKey.GenerateSymkey(selectedToken); - } - if (desKey != null) - CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID); - else { - CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for " - + rCUID); - throw new EBaseException( - "TokenServlet.computeSessionKeySCP02: can't generate key encryption key"); - } - - CryptoToken token = null; - if (useSoftToken_s.equals("true")) { - token = CryptoUtil.getCryptoToken(null); - } else { - token = CryptoUtil.getCryptoToken(selectedToken); - } - - //Now we have to create a sym key object for the wrapped session_key (dekKey) - // session_key wrapped by the shared Secret - - PK11SymKey sharedSecret = getSharedSecretKey(); - - if (sharedSecret == null) { - throw new EBaseException( - "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!"); - } - - dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret, - session_key); - - if (dekKey == null) { - throw new EBaseException( - "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!"); - } - - /* - * ECBencrypt actually takes the 24 byte DES2 key - * and discard the last 8 bytes before it encrypts. 
- * This is done so that the applet can digest it - */ - byte[] encDesKey = - SessionKey.ECBencrypt(dekKey, - desKey); - - if (encDesKey == null) { - throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!"); - } - - dek_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); - - byte[] keycheck = - SessionKey.ComputeKeyCheck(desKey); - - if (keycheck == null) { - throw new EBaseException( - "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!"); - } - - keycheck_s = - com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); - - //use DRM transport cert to wrap desKey - String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); - - if ((drmTransNickname == null) || (drmTransNickname == "")) { - CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname"); - throw new EBaseException("can't find DRM transport certificate nickname"); - } else { - CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname); - } - - X509Certificate drmTransCert = null; - drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); - // wrap kek session key with DRM transport public key - - PublicKey pubKey = drmTransCert.getPublicKey(); - String pubKeyAlgo = pubKey.getAlgorithm(); - - KeyWrapper keyWrapper = null; - //For wrapping symmetric keys don't need IV, use ECB - if (pubKeyAlgo.equals("EC")) { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); - keyWrapper.initWrap(pubKey, null); - } else { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - keyWrapper.initWrap(pubKey, null); - } - - drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); - CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key."); - - CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be 
wrapped on the way out."); - - } - - } catch (Exception e) { - CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString()); - errorFound = true; - - } - - } - - String status = "0"; - String value = ""; - String outputString = ""; - - boolean statusDeclared = false; - - if (session_key != null && session_key.length > 0 && errorFound == false) { - outputString = - com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); - } else { - - status = "1"; - statusDeclared = true; - } - - if (selectedToken == null || keyNickName == null) { - if (!statusDeclared) { - status = "4"; - statusDeclared = true; - } - } - - if (missingSettingException != null) { - if (!statusDeclared) { - status = "6"; - statusDeclared = true; - } - } - - if (missingParam) { - status = "3"; - } - - String drm_trans_wrapped_desKeyString = null; - - if (!status.equals("0")) { - if (status.equals("1")) { - errorMsg = "Problem generating session key info."; - } - - if (status.equals("4")) { - errorMsg = "Problem obtaining token information."; - } - - if (status.equals("3")) { - if (badParams.endsWith(",")) { - badParams = badParams.substring(0, badParams.length() - 1); - } - errorMsg = "Missing input parameters :" + badParams; - } - - if (status.equals("6")) { - errorMsg = "Problem reading required configuration value."; - } - - } else { - - if (serversideKeygen == true) { - - if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) { - drm_trans_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); - } - - StringBuffer sb = new StringBuffer(); - sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); - sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); - sb.append(outputString); - - //Now add the trans wrapped des key - - if (drm_trans_wrapped_desKeyString != null) { - sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); - sb.append(drm_trans_wrapped_desKeyString); - } - - if 
(dek_wrapped_desKeyString != null) { - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); - sb.append(dek_wrapped_desKeyString); - } - - if (keycheck_s != null) { - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); - sb.append(keycheck_s); - } - - value = sb.toString(); - } else { - StringBuffer sb = new StringBuffer(); - sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); - sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); - sb.append(outputString); - value = sb.toString(); - } - - } - - //CMS.debug("TokenServlet:outputString.encode " + value); - - try { - resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.length " + value.length()); - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (IOException e) { - CMS.debug("TokenServlet: " + e.toString()); - } - - if (status.equals("0")) { - - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.SUCCESS, // Outcome - status, // status - agentId, // AgentID - isCryptoValidate ? "true" : "false", // IsCryptoValidate - serversideKeygen ? "true" : "false", // IsServerSideKeygen - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd - }; - auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, - logParams); - - } else { - - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.FAILURE, // Outcome - status, // status - agentId, // AgentID - isCryptoValidate ? 
"true" : "false", // IsCryptoValidate - serversideKeygen ? "true" : "false", // IsServerSideKeygen - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd - errorMsg // Error - }; - auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, - logParams); - } - - audit(auditMessage); - - } - - private void processComputeSessionKey(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { - byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD - - // AC: KDF SPEC CHANGE - new config file values (needed for symkey) - byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; - boolean nistSP800_108KdfUseCuidAsKdd = false; - - byte[] card_crypto, host_cryptogram, input_card_crypto; - byte[] xcard_challenge, xhost_challenge; - byte[] enc_session_key, xkeyInfo; - String auditMessage = null; - String errorMsg = ""; - String badParams = ""; - String transportKeyName = ""; - String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - String rKDD = req.getParameter("KDD"); - if ((rKDD == null) || (rKDD.length() == 0)) { - // KDF phase1: default to rCUID if not present - CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); - rKDD = rCUID; - } - - String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - CMS.debug("keySet selected: " + keySet); - - boolean serversideKeygen = false; - byte[] drm_trans_wrapped_desKey = null; - SymmetricKey desKey = null; - // PK11SymKey kek_session_key; - SymmetricKey kek_key; - 
- IConfigStore sconfig = CMS.getConfigStore(); - boolean isCryptoValidate = true; - boolean missingParam = false; - - // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting - Exception missingSetting_exception = null; - - session_key = null; - card_crypto = null; - host_cryptogram = null; - enc_session_key = null; - // kek_session_key = null; - - SessionContext sContext = SessionContext.getContext(); - - String agentId = ""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - // AC: KDF SPEC CHANGE: Need to log both KDD and CUID - auditMessage = CMS.getLogMessage( - AuditEvent.COMPUTE_SESSION_KEY_REQUEST, - rCUID, - rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. - ILogger.SUCCESS, - agentId); - - audit(auditMessage); - - String kek_wrapped_desKeyString = null; - String keycheck_s = null; - - CMS.debug("processComputeSessionKey:"); - String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; - - String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); - if (rServersideKeygen.equals("true")) { - CMS.debug("TokenServlet: serversideKeygen requested"); - serversideKeygen = true; - } else { - CMS.debug("TokenServlet: serversideKeygen not requested"); - } - - try { - isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); - } catch (EBaseException eee) { - } - - transportKeyName = getSharedSecretName(sconfig); - - String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); - String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); - String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); - if ((rCUID == null) || (rCUID.equals(""))) { - CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID"); - 
badParams += " CUID,"; - missingParam = true; - } - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - if ((rKDD == null) || (rKDD.length() == 0)) { - CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD"); - badParams += " KDD,"; - missingParam = true; - } - - if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { - badParams += " card_challenge,"; - CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge"); - missingParam = true; - } - - if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { - badParams += " host_challenge,"; - CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge"); - missingParam = true; - } - - if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { - badParams += " KeyInfo,"; - CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info"); - missingParam = true; - } - - String selectedToken = null; - String keyNickName = null; - boolean sameCardCrypto = true; - - // AC: KDF SPEC CHANGE - xCUID = null; // avoid errors about non-initialization - xKDD = null; // avoid errors about non-initialization - xkeyInfo = null; // avoid errors about non-initialization - - if (!missingParam) { - - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); - if (xKDD == null || xKDD.length != 10) { - badParams += " KDD length,"; - CMS.debug("TokenServlet: Invalid KDD length"); - missingParam = true; - } - - xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - if (xkeyInfo == null || xkeyInfo.length != 2) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length."); - missingParam = true; - } - 
xcard_challenge = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); - if (xcard_challenge == null || xcard_challenge.length != 8) { - badParams += " card_challenge length,"; - CMS.debug("TokenServlet: Invalid card challenge length."); - missingParam = true; - } - - xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); - if (xhost_challenge == null || xhost_challenge.length != 8) { - badParams += " host_challenge length,"; - CMS.debug("TokenServlet: Invalid host challenge length"); - missingParam = true; - } - - } - - if (!missingParam) { - card_challenge = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); - - host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); - keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - - // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) - //ToDo: Will use these values after completing next ticket - try { - nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); - nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); - - // log settings read in to debug log along with xkeyInfo - CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x" - + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) - + ", xkeyInfo[1] = 0x" - + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) - ); - CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x" - + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) - ); - if (nistSP800_108KdfUseCuidAsKdd == true) { - CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); - } else { - CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD."); - } - // conform to the set-an-error-flag mentality - } catch (Exception e) { - missingSetting_exception = e; - 
CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: " - + e.toString()); - } - - String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - if (mappingValue == null) { - selectedToken = - CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); - keyNickName = rKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - if (st.hasMoreTokens()) - selectedToken = st.nextToken(); - if (st.hasMoreTokens()) - keyNickName = st.nextToken(); - } - - if (selectedToken != null && keyNickName != null - // AC: KDF SPEC CHANGE - check for error flag - && missingSetting_exception == null) { - - try { - - byte macKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + ".mac_key")); - CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" - + selectedToken + " keyNickName=" + keyNickName); - - SecureChannelProtocol protocol = new SecureChannelProtocol(); - SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType, - selectedToken, - keyNickName, card_challenge, - host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, - xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName); - - session_key = protocol.wrapSessionKey(selectedToken, macKey, null); - - if (session_key == null) { - CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL "); - throw new Exception("Can't compute session key!"); - - } - - byte encKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
- + keySet + ".auth_key")); - SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType, - selectedToken, - keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, - nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet, - transportKeyName); - - enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null); - - if (enc_session_key == null) { - CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); - throw new Exception("Can't compute enc session key!"); - - } - - if (serversideKeygen == true) { - - /** - * 0. generate des key - * 1. encrypt des key with kek key - * 2. encrypt des key with DRM transport key - * These two wrapped items are to be sent back to - * TPS. 2nd item is to DRM - **/ - CMS.debug("TokenServlet: calling ComputeKekKey"); - - byte kekKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + ".kek_key")); - - kek_key = protocol.computeKEKKey_SCP01(selectedToken, - keyNickName, - keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, - xCUID, - xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName); - - CMS.debug("TokenServlet: called ComputeKekKey"); - - if (kek_key == null) { - CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL "); - throw new Exception("Can't compute kek key!"); - - } - // now use kek key to wrap kek session key.. - CMS.debug("computeSessionKey:kek key len =" + - kek_key.getLength()); - - // (1) generate DES key - /* applet does not support DES3 - org.mozilla.jss.crypto.KeyGenerator kg = - internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); - desKey = kg.generate();*/ - - /* - * GenerateSymkey firt generates a 16 byte DES2 key. - * It then pads it into a 24 byte key with last - * 8 bytes copied from the 1st 8 bytes. Effectively - * making it a 24 byte DES2 key. We need this for - * wrapping private keys on DRM. 
- */ - /*generate it on whichever token the master key is at*/ - if (useSoftToken_s.equals("true")) { - CMS.debug("TokenServlet: key encryption key generated on internal"); - //cfu audit here? sym key gen - - desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME); - //cfu audit here? sym key gen done - } else { - CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); - desKey = protocol.generateSymKey(selectedToken); - } - if (desKey != null) { - // AC: KDF SPEC CHANGE - Output using CUID and KDD - CMS.debug("TokenServlet: key encryption key generated for CUID=" + - trim(pp.toHexString(xCUID)) + - ", KDD=" + - trim(pp.toHexString(xKDD))); - } else { - // AC: KDF SPEC CHANGE - Output using CUID and KDD - CMS.debug("TokenServlet: key encryption key generation failed for CUID=" + - trim(pp.toHexString(xCUID)) + - ", KDD=" + - trim(pp.toHexString(xKDD))); - - throw new Exception("can't generate key encryption key"); - } - - /* - * ECBencrypt actually takes the 24 byte DES2 key - * and discard the last 8 bytes before it encrypts. 
- * This is done so that the applet can digest it - */ - - byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken); - - /* - CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); - CMS.debug(encDesKey); - */ - - kek_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); - - // get keycheck - - byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken); - /* - CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); - CMS.debug(keycheck); - */ - keycheck_s = - com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); - - //use DRM transport cert to wrap desKey - String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); - - if ((drmTransNickname == null) || (drmTransNickname == "")) { - CMS.debug("TokenServlet:did not find DRM transport certificate nickname"); - throw new Exception("can't find DRM transport certificate nickname"); - } else { - CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname); - } - - X509Certificate drmTransCert = null; - drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); - // wrap kek session key with DRM transport public key - CryptoToken token = null; - if (useSoftToken_s.equals("true")) { - token = CryptoUtil.getCryptoToken(null); - } else { - token = CryptoUtil.getCryptoToken(selectedToken); - } - PublicKey pubKey = drmTransCert.getPublicKey(); - String pubKeyAlgo = pubKey.getAlgorithm(); - CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); - KeyWrapper keyWrapper = null; - //For wrapping symmetric keys don't need IV, use ECB - if (pubKeyAlgo.equals("EC")) { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); - keyWrapper.initWrap(pubKey, null); - } else { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - keyWrapper.initWrap(pubKey, null); - } - CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); - 
drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); - CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); - - } // if (serversideKeygen == true) - - byte authKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + ".auth_key")); - - host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, - host_challenge, - xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM, - authKeyArray, useSoftToken_s, keySet, transportKeyName); - - if (host_cryptogram == null) { - CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); - throw new Exception("Can't compute host cryptogram!"); - - } - - card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, - host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, - xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName); - - if (card_crypto == null) { - CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); - throw new Exception("Can't compute card cryptogram!"); - - } - - if (isCryptoValidate) { - if (rcard_cryptogram == null) { - CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram"); - throw new Exception("Missing card cryptogram"); - } - input_card_crypto = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); - - //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto"); - //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto"); - - if (card_crypto.length == input_card_crypto.length) { - for (int i = 0; i < card_crypto.length; i++) { - if (card_crypto[i] != input_card_crypto[i]) { - sameCardCrypto = false; - break; - } - } - } else { - // different length; must be different - sameCardCrypto = false; - } - } - - // AC: KDF SPEC CHANGE - print both KDD and CUID - 
CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_TKS, - ILogger.LL_INFO, "processComputeSessionKey for CUID=" + - trim(pp.toHexString(xCUID)) + - ", KDD=" + - trim(pp.toHexString(xKDD))); - } catch (Exception e) { - CMS.debug(e); - CMS.debug("TokenServlet Computing Session Key: " + e.toString()); - if (isCryptoValidate) - sameCardCrypto = false; - } - } - } // ! missingParam - - String value = ""; - - resp.setContentType("text/html"); - - String outputString = ""; - String encSessionKeyString = ""; - String drm_trans_wrapped_desKeyString = ""; - String cryptogram = ""; - String status = "0"; - if (session_key != null && session_key.length > 0) { - outputString = - com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); - } else { - - status = "1"; - } - - if (enc_session_key != null && enc_session_key.length > 0) { - encSessionKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); - } else { - status = "1"; - } - - if (serversideKeygen == true) { - if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) - drm_trans_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); - else { - status = "1"; - } - } - - if (host_cryptogram != null && host_cryptogram.length > 0) { - cryptogram = - com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); - } else { - // AC: Bugfix: Don't override status's value if an error was already flagged - if (status.equals("0") == true) { - status = "2"; - } - } - - if (selectedToken == null || keyNickName == null) { - // AC: Bugfix: Don't override status's value if an error was already flagged - if (status.equals("0") == true) { - status = "4"; - } - } - - if (!sameCardCrypto) { - // AC: Bugfix: Don't override status's value if an error was already flagged - if (status.equals("0") == true) { - // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues - status = "5"; - } - } - - // AC: KDF SPEC CHANGE - check for 
settings file issue (flag) - if (missingSetting_exception != null) { - // AC: Intentionally override previous errors if config file settings were missing. - status = "6"; - } - - if (missingParam) { - // AC: Intentionally override previous errors if parameters were missing. - status = "3"; - } - - if (!status.equals("0")) { - - if (status.equals("1")) { - errorMsg = "Problem generating session key info."; - } - - if (status.equals("2")) { - errorMsg = "Problem creating host_cryptogram."; - } - - // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues - if (status.equals("5")) { - errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; - } - - if (status.equals("4")) { - errorMsg = "Problem obtaining token information."; - } - - // AC: KDF SPEC CHANGE - handle missing configuration item - if (status.equals("6")) { - errorMsg = "Problem reading required configuration value."; - } - - if (status.equals("3")) { - if (badParams.endsWith(",")) { - badParams = badParams.substring(0, badParams.length() - 1); - } - errorMsg = "Missing input parameters :" + badParams; - } - - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - } else { - if (serversideKeygen == true) { - StringBuffer sb = new StringBuffer(); - sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); - sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); - sb.append(outputString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); - sb.append(cryptogram); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); - sb.append(encSessionKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); - sb.append(kek_wrapped_desKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); - sb.append(keycheck_s); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); - sb.append(drm_trans_wrapped_desKeyString); - value = sb.toString(); - } else { - - StringBuffer sb = new StringBuffer(); - 
sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); - sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); - sb.append(outputString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); - sb.append(cryptogram); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); - sb.append(encSessionKeyString); - value = sb.toString(); - } - - } - //CMS.debug("TokenServlet:outputString.encode " + value); - - try { - resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.length " + value.length()); - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (IOException e) { - CMS.debug("TokenServlet: " + e.toString()); - } - - if (status.equals("0")) { - // AC: KDF SPEC CHANGE - Log both CUID and KDD. - // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd - // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.SUCCESS, // Outcome - status, // status - agentId, // AgentID - isCryptoValidate ? "true" : "false", // IsCryptoValidate - serversideKeygen ? 
"true" : "false", // IsServerSideKeygen - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd - }; - auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, - logParams); - - } else { - // AC: KDF SPEC CHANGE - Log both CUID and KDD - // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd - // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.FAILURE, // Outcome - status, // status - agentId, // AgentID - isCryptoValidate ? "true" : "false", // IsCryptoValidate - serversideKeygen ? "true" : "false", // IsServerSideKeygen - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd - errorMsg // Error - }; - auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, - logParams); - - } - - audit(auditMessage); - } - - // This method will return the shared secret name. In new 10.1 subsystems, this - // name will be stored in tps.X.nickname. - // - // Until multiple TKS/TPS connections is fully supported, this method will just - // return the first shared secret nickname found, on the assumption that only - // one nickname will be configured. 
This will have to be changed to return the correct - // key based on some parameter in the request in future. - // - // On legacy systems, this method just returns what was previously returned. - private String getSharedSecretName(IConfigStore cs) throws EBaseException { - boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false); - - if (useNewNames) { - String tpsList = cs.getString("tps.list", ""); - String firstSharedSecretName = null; - if (!tpsList.isEmpty()) { - for (String tpsID : tpsList.split(",")) { - String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", ""); - - // This one will be a fall back in case we can't get a specific one - if (firstSharedSecretName == null) { - firstSharedSecretName = sharedSecretName; - } - - if (!sharedSecretName.isEmpty()) { - if (mCurrentUID != null) { - String csUid = cs.getString("tps." + tpsID + ".userid", ""); - - if (mCurrentUID.equalsIgnoreCase(csUid)) { - CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid); - return sharedSecretName; - } - } - } - } - - if (firstSharedSecretName != null) { - //Return the first in the list if we couldn't isolate one - return firstSharedSecretName; - } - } - CMS.debug("getSharedSecretName: no shared secret has been configured"); - throw new EBaseException("No shared secret has been configured"); - } - - // legacy system - return as before - return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME); - } - - //Accepts protocol param and supports scp03. - private void processDiversifyKey(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { - - String method = "TokenServlet.processDiversifyKey: "; - byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD - - // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. 
- String oldKeyNickName = null; - String newKeyNickName = null; - - // AC: KDF SPEC CHANGE - new config file values (needed for symkey) - byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; - boolean nistSP800_108KdfUseCuidAsKdd = false; - - // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey. - byte[] xkeyInfo = null, xnewkeyInfo = null; - - // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting - Exception missingSetting_exception = null; - - boolean missingParam = false; - String errorMsg = ""; - String badParams = ""; - byte[] xWrappedDekKey = null; - - IConfigStore sconfig = CMS.getConfigStore(); - String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); - String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); - String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - String rKDD = req.getParameter("KDD"); - if ((rKDD == null) || (rKDD.length() == 0)) { - // temporarily make it friendly before TPS change - CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); - rKDD = rCUID; - } - - String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); - String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY); - - CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey); - - int protocol = 1; - String auditMessage = ""; - - String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - CMS.debug("keySet selected: " + keySet); - - SessionContext sContext = SessionContext.getContext(); - - String agentId = ""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - // AC: KDF SPEC CHANGE: Need to log 
both KDD and CUID - auditMessage = CMS.getLogMessage( - AuditEvent.DIVERSIFY_KEY_REQUEST, - rCUID, - rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. - ILogger.SUCCESS, - agentId, - oldMasterKeyName, - newMasterKeyName); - - audit(auditMessage); - - if ((rCUID == null) || (rCUID.equals(""))) { - badParams += " CUID,"; - CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - if ((rKDD == null) || (rKDD.length() == 0)) { - CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); - badParams += " KDD,"; - missingParam = true; - } - - if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) { - badParams += " newKeyInfo,"; - CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo"); - missingParam = true; - } - if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) { - badParams += " KeyInfo,"; - CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - xCUID = null; // avoid errors about non-initialization - xKDD = null; // avoid errors about non-initialization - xkeyInfo = null; // avoid errors about non-initialization - xnewkeyInfo = null; // avoid errors about non-initialization - - if (!missingParam) { - xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName); - if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length"); - missingParam = true; - } - xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName); - if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) { - badParams += " NewKeyInfo length,"; - CMS.debug("TokenServlet: Invalid new key info length"); - missingParam = true; - } - - if (rProtocol != null) { - try { - protocol = 
Integer.parseInt(rProtocol); - } catch (NumberFormatException e) { - protocol = 1; - } - } - CMS.debug("process DiversifyKey: protocol value: " + protocol); - - if (protocol == 2) { - if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) { - badParams += " WrappedDekKey,"; - CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02."); - missingParam = true; - } else { - - CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey); - xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey); - } - - } - } - String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; - - KeySetData = null; - if (!missingParam) { - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); - if (xKDD == null || xKDD.length != 10) { - badParams += " KDD length,"; - CMS.debug("TokenServlet: Invalid KDD length"); - missingParam = true; - } - } - if (!missingParam) { - // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing. 
- - // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) - - //ToDo: Refactor this, this same block occurs several times in the file - try { - nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); - nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); - - // log settings read in to debug log along with xkeyInfo and xnewkeyInfo - CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x" - + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) - + ", xkeyInfo[1] (old) = 0x" - + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) - + ", xnewkeyInfo[0] = 0x" - + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF) - + ", xnewkeyInfo[1] = 0x" - + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF) - ); - CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x" - + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) - ); - if (nistSP800_108KdfUseCuidAsKdd == true) { - CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); - } else { - CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD."); - } - // conform to the set-an-error-flag mentality - } catch (Exception e) { - missingSetting_exception = e; - CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: " - + e.toString()); - } - - if (mKeyNickName != null) - oldMasterKeyName = mKeyNickName; - if (mNewKeyNickName != null) - newMasterKeyName = mNewKeyNickName; - - String tokKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - - // Get the first 6 characters, since scp03 gives us extra characters. - tokKeyInfo = tokKeyInfo.substring(0,6); - String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ tokKeyInfo; //#xx#xx - CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap); - String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); - String oldSelectedToken = null; - if (oldMappingValue == null) { - oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); - oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - } else { - StringTokenizer st = new StringTokenizer(oldMappingValue, ":"); - oldSelectedToken = st.nextToken(); - oldKeyNickName = st.nextToken(); - } - - - String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx - CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap); - String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); - String newSelectedToken = null; - if (newMappingValue == null) { - newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); - newKeyNickName = rnewKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(newMappingValue, ":"); - newSelectedToken = st.nextToken(); - newKeyNickName = st.nextToken(); - } - - CMS.debug("process DiversifyKey for oldSelectedToke=" + - oldSelectedToken + " newSelectedToken=" + newSelectedToken + - " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" + - newKeyNickName); - - byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet); - byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet); - byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet); - - // com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); - - //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset - // passed down to the SecureChannelProtocol functions that deal with SCP03 - - GPParams gp3Params = readGPSettings(keySet); - - SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol); - // AC: KDF SPEC CHANGE - check for error reading settings - if (missingSetting_exception == null) { - if (protocol == 1 || protocol == 3) { - KeySetData = secProtocol.diversifyKey(oldSelectedToken, - newSelectedToken, oldKeyNickName, - newKeyNickName, - xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use - xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[] - nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value - nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value - xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' - xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use - kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params); - - } else if (protocol == 2) { - KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName, - newKeyNickName, xkeyInfo, - xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, - (protocol == 2) ? 
xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol); - } - //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: "); - CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained"); - - if (KeySetData == null || KeySetData.length <= 1) { - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_TKS, - ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot"); - } - - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_TKS, - ILogger.LL_INFO, - "process DiversifyKey for CUID=" + - trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD - ", KDD=" + - trim(pp.toHexString(xKDD)) - + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName - + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName); - - resp.setContentType("text/html"); - - } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file - - } // ! missingParam - - String value = ""; - String status = "0"; - - if (KeySetData != null && KeySetData.length > 1) { - value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" + - com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); - //CMS.debug("TokenServlet:process DiversifyKey.encode " + value); - CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData"); - // AC: KDF SPEC CHANGE - check for settings file issue (flag) - } else if (missingSetting_exception != null) { - status = "6"; - errorMsg = "Problem reading required configuration value."; - value = "status=" + status; - } else if (missingParam) { - status = "3"; - if (badParams.endsWith(",")) { - badParams = badParams.substring(0, badParams.length() - 1); - } - errorMsg = "Missing input parameters: " + badParams; - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - } else { - errorMsg = "Problem diversifying key data."; - status = "1"; - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - } - - resp.setContentLength(value.length()); 
- CMS.debug("TokenServlet:outputString.length " + value.length()); - - try { - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (Exception e) { - CMS.debug("TokenServlet:process DiversifyKey: " + e.toString()); - } - - if (status.equals("0")) { - - // AC: KDF SPEC CHANGE - Log both CUID and KDD - // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd - // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.SUCCESS, // Outcome - status, // status - agentId, // AgentID - - // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. - oldKeyNickName, // oldMasterKeyName - newKeyNickName, // newMasterKeyName - - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion - log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd - }; - auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); - } else { - // AC: KDF SPEC CHANGE - Log both CUID and KDD - // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd - // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.FAILURE, // Outcome - status, // status - agentId, // AgentID - - // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. - oldKeyNickName, // oldMasterKeyName - newKeyNickName, // newMasterKeyName - - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion - log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd - errorMsg // Error - }; - auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); - } - - audit(auditMessage); - } - - private void processEncryptData(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { - byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD - - // AC: KDF SPEC CHANGE - new config file values (needed for symkey) - byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; - boolean nistSP800_108KdfUseCuidAsKdd = false; - - // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting - Exception missingSetting_exception = null; - - boolean missingParam = false; - byte[] data = null; - boolean isRandom = true; // randomly generate the data to be encrypted - - String errorMsg = ""; - String badParams = ""; - IConfigStore sconfig = CMS.getConfigStore(); - encryptedData = null; - String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA); - String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); - - String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); - - // AC: KDF SPEC CHANGE - read new KDD parameter 
from TPS - String rKDD = req.getParameter("KDD"); - if ((rKDD == null) || (rKDD.length() == 0)) { - // temporarily make it friendly before TPS change - CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); - rKDD = rCUID; - } - - String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - - SessionContext sContext = SessionContext.getContext(); - - String agentId = ""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - CMS.debug("keySet selected: " + keySet); - - String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true"); - if (s_isRandom.equalsIgnoreCase("false")) { - CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated"); - isRandom = false; - } else { - CMS.debug("TokenServlet: processEncryptData(): Random number generation required"); - isRandom = true; - } - - // AC: KDF SPEC CHANGE: Need to log both KDD and CUID - String auditMessage = CMS.getLogMessage( - AuditEvent.ENCRYPT_DATA_REQUEST, - rCUID, - rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. - ILogger.SUCCESS, - agentId, - s_isRandom); - audit(auditMessage); - - GPParams gp3Params = readGPSettings(keySet); - - if (isRandom) { - if ((rdata == null) || (rdata.equals(""))) { - CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); - } else { - CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. 
Generating..."); - } - try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); - data = new byte[16]; - random.nextBytes(data); - } catch (Exception e) { - CMS.debug("TokenServlet: processEncryptData():" + e.toString()); - badParams += " Random Number,"; - missingParam = true; - } - } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) { - CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); - badParams += " data,"; - missingParam = true; - } - - if ((rCUID == null) || (rCUID.equals(""))) { - badParams += " CUID,"; - CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - if ((rKDD == null) || (rKDD.length() == 0)) { - CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); - badParams += " KDD,"; - missingParam = true; - } - - if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { - badParams += " KeyInfo,"; - CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - xCUID = null; // avoid errors about non-initialization - xKDD = null; // avoid errors about non-initialization - xkeyInfo = null; // avoid errors about non-initialization - - if (!missingParam) { - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; - } - - // AC: KDF SPEC CHANGE - read new KDD parameter from TPS - xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); - if (xKDD == null || xKDD.length != 10) { - badParams += " KDD length,"; - CMS.debug("TokenServlet: Invalid KDD length"); - missingParam = true; - } - - xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { - 
badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length"); - missingParam = true; - } - } - - String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - useSoftToken_s = "false"; - - String selectedToken = null; - String keyNickName = null; - if (!missingParam) { - - // AC: KDF SPEC CHANGE - read new config file values (needed for symkey - try { - nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); - nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); - - // log settings read in to debug log along with xkeyInfo - CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x" - + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) - + ", xkeyInfo[1] = 0x" - + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) - ); - CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x" - + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) - ); - if (nistSP800_108KdfUseCuidAsKdd == true) { - CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); - } else { - CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD."); - } - // conform to the set-an-error-flag mentality - } catch (Exception e) { - missingSetting_exception = e; - CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: " - + e.toString()); - } - - if (!isRandom) - data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); - keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - - String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - if (mappingValue == null) { - selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); - keyNickName = rKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - selectedToken = st.nextToken(); - keyNickName = st.nextToken(); - } - - - //calculate the protocol - - int protocolInt = SecureChannelProtocol.PROTOCOL_ONE; - try - { - protocolInt = Integer.parseInt(protocolValue); - } - catch (NumberFormatException nfe) - { - protocolInt = SecureChannelProtocol.PROTOCOL_ONE; - } - - CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt); - - //Check for reasonable sanity, leave room for future versions - if(protocolInt <= 0 || protocolInt > 20) { - CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1."); - protocolInt = 1; - - } - - byte kekKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); - // AC: KDF SPEC CHANGE - check for error reading settings - if (missingSetting_exception == null) { - - - SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt); - - if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) { - - encryptedData = protocol.encryptData( - selectedToken, keyNickName, data, keyInfo, - nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value - nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value - xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' - xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use - kekKeyArray, useSoftToken_s, keySet); - - } else { - - encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo, - nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray, - useSoftToken_s, keySet,gp3Params); - - } - - SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: "); - - // AC: KDF SPEC CHANGE - Log both CUID and KDD - - CMS.getLogger().log(ILogger.EV_AUDIT, - ILogger.S_TKS, - ILogger.LL_INFO, "process EncryptData for CUID=" + - trim(pp.toHexString(xCUID)) + - ", KDD=" + - trim(pp.toHexString(xKDD))); - - } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file - - } // !missingParam - - resp.setContentType("text/html"); - - String value = ""; - String status = "0"; - if (encryptedData != null && encryptedData.length > 0) { - // sending both the pre-encrypted and encrypted data back - value = IRemoteRequest.RESPONSE_STATUS + "=0&" - + IRemoteRequest.TOKEN_DATA + "=" + - com.netscape.cmsutil.util.Utils.SpecialEncode(data) + - "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" + - com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); - // AC: KDF SPEC CHANGE - check for settings file issue (flag) - } else if 
(missingSetting_exception != null) { - status = "6"; - errorMsg = "Problem reading required configuration value."; - value = "status=" + status; - } else if (missingParam) { - if (badParams.endsWith(",")) { - badParams = badParams.substring(0, badParams.length() - 1); - } - errorMsg = "Missing input parameters: " + badParams; - status = "3"; - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - } else { - errorMsg = "Problem encrypting data."; - status = "1"; - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - } - - //CMS.debug("TokenServlet:process EncryptData.encode " + value); - - try { - resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.lenght " + value.length()); - - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (Exception e) { - CMS.debug("TokenServlet: " + e.toString()); - } - - if (status.equals("0")) { - // AC: KDF SPEC CHANGE - Log both CUID and KDD - // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd - // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
- String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.SUCCESS, // Outcome - status, // status - agentId, // AgentID - s_isRandom, // isRandom - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd - }; - auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); - } else { - // AC: KDF SPEC CHANGE - Log both CUID and KDD - // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd - // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.FAILURE, // Outcome - status, // status - agentId, // AgentID - s_isRandom, // isRandom - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion - "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion - Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd - errorMsg // Error - }; - auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); - } - - audit(auditMessage); - } - - /* - * For EncryptData: - * data=value1 - * CUID=value2 // missing from RA - * versionID=value3 // missing from RA - * - * For ComputeSession: - * card_challenge=value1 - * host_challenge=value2 - - * For DiversifyKey: - * new_master_key_index - * master_key_index - */ - - private void 
processComputeRandomData(HttpServletRequest req, - HttpServletResponse resp) throws EBaseException { - - byte[] randomData = null; - String status = "0"; - String errorMsg = ""; - String badParams = ""; - boolean missingParam = false; - int dataSize = 0; - - CMS.debug("TokenServlet::processComputeRandomData"); - - SessionContext sContext = SessionContext.getContext(); - - String agentId = ""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES); - - if (sDataSize == null || sDataSize.equals("")) { - CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes"); - badParams += " Random Data size, "; - missingParam = true; - status = "1"; - } else { - try { - dataSize = Integer.parseInt(sDataSize.trim()); - } catch (NumberFormatException nfe) { - CMS.debug("TokenServlet::processComputeRandomData invalid data size input!"); - badParams += " Random Data size, "; - missingParam = true; - status = "1"; - } - - } - - CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize); - - String auditMessage = CMS.getLogMessage( - AuditEvent.COMPUTE_RANDOM_DATA_REQUEST, - ILogger.SUCCESS, - agentId); - - audit(auditMessage); - - if (!missingParam) { - try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); - randomData = new byte[dataSize]; - random.nextBytes(randomData); - } catch (Exception e) { - CMS.debug("TokenServlet::processComputeRandomData:" + e.toString()); - errorMsg = "Can't generate random data!"; - status = "2"; - } - } - - String randomDataOut = ""; - if (status.equals("0")) { - if (randomData != null && randomData.length == dataSize) { - randomDataOut = - com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); - } else { - status = "2"; - errorMsg = "Can't convert random data!"; - } - } - - if (status.equals("1") && missingParam) { - - if (badParams.endsWith(",")) { - badParams = 
badParams.substring(0, badParams.length() - 1); - } - errorMsg = "Missing input parameters :" + badParams; - } - - resp.setContentType("text/html"); - String value = ""; - - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - if (status.equals("0")) { - value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut; - } - - try { - resp.setContentLength(value.length()); - CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length()); - - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (Exception e) { - CMS.debug("TokenServlet::processComputeRandomData " + e.toString()); - } - - if (status.equals("0")) { - auditMessage = CMS.getLogMessage( - AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, - ILogger.SUCCESS, - status, - agentId); - } else { - auditMessage = CMS.getLogMessage( - AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, - ILogger.FAILURE, - status, - agentId, - errorMsg); - } - - audit(auditMessage); - } - - public void process(CMSRequest cmsReq) throws EBaseException { - HttpServletRequest req = cmsReq.getHttpReq(); - HttpServletResponse resp = cmsReq.getHttpResp(); - - IAuthToken authToken = authenticate(cmsReq); - AuthzToken authzToken = null; - - mCurrentUID = (String) authToken.get(IAuthToken.UID) ; - - try { - authzToken = authorize(mAclMethod, authToken, - mAuthzResourceName, "execute"); - } catch (Exception e) { - } - - if (authzToken == null) { - - try { - resp.setContentType("text/html"); - String value = "unauthorized="; - CMS.debug("TokenServlet: Unauthorized"); - - resp.setContentLength(value.length()); - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (Exception e) { - CMS.debug("TokenServlet: " + e.toString()); - } - - // cmsReq.setStatus(CMSRequest.UNAUTHORIZED); - return; - } - - String temp = 
req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); - String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); - String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); - //CMS.debug("Protocol: " + protocol + " temp: " + temp); - - setDefaultSlotAndKeyName(req); - if (temp != null && protocol == null) { - processComputeSessionKey(req, resp); - } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) { - processEncryptData(req, resp); - } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) { - processDiversifyKey(req, resp); - } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) { - processComputeRandomData(req, resp); - } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) { - //SCP02 compute one session key. - processComputeSessionKeySCP02(req, resp); - - } else if (protocol != null && protocol.contains("3") ) { - processComputeSessionKeysSCP03(req,resp); - } else { - throw new EBaseException("Process: Can't decide upon function to call!"); - } - } - - //Create all the session keys for scp03 at once and return. 
- //ToDo: calcualte the optional rmac key - private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { - String method = "processComputeSessionKeysSCP03:"; - CMS.debug(method + " entering ..."); - - byte[] card_challenge, host_challenge, xCUID, xKDD; - byte[] card_crypto, host_cryptogram, input_card_crypto; - byte[] xcard_challenge, xhost_challenge; - byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key; - String auditMessage = null; - String errorMsg = ""; - String badParams = ""; - String transportKeyName = ""; - String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); - - String rKDD = req.getParameter("KDD"); - if ((rKDD == null) || (rKDD.length() == 0)) { - // KDF phase1: default to rCUID if not present - CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); - rKDD = rCUID; - } - - String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); - if (keySet == null || keySet.equals("")) { - keySet = "defKeySet"; - } - CMS.debug("keySet selected: " + keySet); - - GPParams gp3Params = readGPSettings(keySet); - - boolean serversideKeygen = false; - - IConfigStore sconfig = CMS.getConfigStore(); - boolean isCryptoValidate = true; - boolean missingParam = false; - - Exception missingSetting_exception = null; - - mac_session_key = null; - kek_session_key = null; - card_crypto = null; - host_cryptogram = null; - enc_session_key = null; - - SessionContext sContext = SessionContext.getContext(); - - String agentId = ""; - if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); - } - - auditMessage = CMS.getLogMessage( - AuditEvent.COMPUTE_SESSION_KEY_REQUEST, - rCUID, - rKDD, - ILogger.SUCCESS, - agentId); - - audit(auditMessage); - - String kek_wrapped_desKeyString = null; - String keycheck_s = null; - - String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); - if (!useSoftToken_s.equalsIgnoreCase("true")) - 
useSoftToken_s = "false"; - - CMS.debug(method + " useSoftToken: " + useSoftToken_s); - - String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); - if (rServersideKeygen.equals("true")) { - - serversideKeygen = true; - } - - CMS.debug(method + " serversideKeygen: " + serversideKeygen); - - try { - isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); - } catch (EBaseException eee) { - } - - CMS.debug(method + " Do crypto validation: " + isCryptoValidate); - - transportKeyName = getSharedSecretName(sconfig); - - String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); - String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); - String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); - String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); - - if ((rCUID == null) || (rCUID.equals(""))) { - CMS.debug(method + " missing request parameter: CUID"); - badParams += " CUID,"; - missingParam = true; - } - - if ((rKDD == null) || (rKDD.length() == 0)) { - CMS.debug(method + " missing request parameter: KDD"); - badParams += " KDD,"; - missingParam = true; - } - - if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { - badParams += " card_challenge,"; - CMS.debug(method + " missing request parameter: card challenge"); - missingParam = true; - } - - if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { - badParams += " host_challenge,"; - CMS.debug(method + " missing request parameter: host challenge"); - missingParam = true; - } - - if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) { - badParams += " card_cryptogram,"; - CMS.debug(method + " missing request parameter: card_cryptogram"); - missingParam = true; - } - - if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { - badParams += " KeyInfo,"; - CMS.debug(method + "missing request parameter: key info"); - missingParam = true; - } - - String selectedToken = 
null; - String keyNickName = null; - boolean sameCardCrypto = true; - - xCUID = null; - xKDD = null; - xkeyInfo = null; - xcard_challenge = null; - xhost_challenge = null; - - if (!missingParam) { - xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); - if (xCUID == null || xCUID.length != 10) { - badParams += " CUID length,"; - CMS.debug("TokenServlet: Invalid CUID length"); - missingParam = true; - } - - xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); - if (xKDD == null || xKDD.length != 10) { - badParams += " KDD length,"; - CMS.debug("TokenServlet: Invalid KDD length"); - missingParam = true; - } - - xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); - if (xkeyInfo == null || xkeyInfo.length != 3) { - badParams += " KeyInfo length,"; - CMS.debug("TokenServlet: Invalid key info length."); - missingParam = true; - } - xcard_challenge = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); - if (xcard_challenge == null || xcard_challenge.length != 8) { - badParams += " card_challenge length,"; - CMS.debug("TokenServlet: Invalid card challenge length."); - missingParam = true; - } - - xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); - if (xhost_challenge == null || xhost_challenge.length != 8) { - badParams += " host_challenge length,"; - CMS.debug("TokenServlet: Invalid host challenge length"); - missingParam = true; - } - } - - ArrayList serverSideValues = null; - - if (!missingParam) { - card_challenge = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); - - host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); - - String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); //#xx#xx - String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); - - - if (mappingValue == null) { - selectedToken = - CMS.getConfigStore().getString("tks.defaultSlot", "internal"); - keyNickName = rKeyInfo; - } else { - StringTokenizer st = new StringTokenizer(mappingValue, ":"); - if (st.hasMoreTokens()) - selectedToken = st.nextToken(); - if (st.hasMoreTokens()) - keyNickName = st.nextToken(); - } - - CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName ); - - SymmetricKey macSessionKey = null; - SymmetricKey encSessionKey = null; - SymmetricKey kekSessionKey = null; - - if (selectedToken != null && keyNickName != null - && missingSetting_exception == null) { - - try { - - byte macKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + ".mac_key")); - CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" - + selectedToken + " keyNickName=" + keyNickName); - - SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); - - macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, - SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge, - transportKeyName,gp3Params); - - mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null); - - if (mac_session_key == null) { - CMS.debug(method + " Can't get mac session key bytes"); - throw new Exception(method + " Can't get mac session key bytes"); - - } - - byte encKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
- + keySet + ".auth_key")); - - encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, - SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge, - transportKeyName,gp3Params); - - enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null); - - if (enc_session_key == null) { - CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); - throw new Exception("Can't compute enc session key!"); - - } - - byte kekKeyArray[] = - com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + ".kek_key")); - - kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo, - SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge, - xcard_challenge, - transportKeyName,gp3Params); - - kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null); - - - //Offload some of the tedious params gathering to another method - //ToDo, create a method that reads all this stuff at once for all major methods - if (serversideKeygen) { - try { - serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken, - kekSessionKey, protocol); - } catch (EBaseException e) { - - CMS.debug(method + " Can't calcualte server side keygen required values..."); - - } - } - - try { - isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); - } catch (EBaseException eee) { - } - - ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); - try { - contextStream.write(host_challenge); - contextStream.write(card_challenge); - } catch (IOException e) { - throw new EBaseException(method + " Error calculating derivation data!"); - } - - host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT); - SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + 
host_cryptogram.length); - - - if( isCryptoValidate) { - if (rcard_cryptogram == null) { - CMS.debug(method + " missing card cryptogram"); - throw new Exception(method + "Missing card cryptogram"); - } - input_card_crypto = - com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); - card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT); - SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: "); - SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: "); - - if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) { - throw new Exception(method + "Card cryptogram mismatch!"); - } - - } - } catch (Exception e) { - CMS.debug(e); - CMS.debug("TokenServlet Computing Session Key: " + e.toString()); - if (isCryptoValidate) - sameCardCrypto = false; - } - } - } // ! missingParam - - String value = ""; - - resp.setContentType("text/html"); - - String encSessionKeyString = ""; - String macSessionKeyString = ""; - String kekSessionKeyString = ""; - - String drm_trans_wrapped_desKeyString = ""; - String cryptogram = ""; - String status = "0"; - - if (enc_session_key != null && enc_session_key.length > 0) { - encSessionKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); - } else { - status = "1"; - } - - if (mac_session_key != null && mac_session_key.length > 0) { - macSessionKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key); - } else { - status = "1"; - } - - if (kek_session_key != null && kek_session_key.length > 0) { - kekSessionKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key); - } else { - status = "1"; - } - - if (serversideKeygen == true) { - if (serverSideValues.size() == 3) { - drm_trans_wrapped_desKeyString = serverSideValues.get(2); - kek_wrapped_desKeyString = serverSideValues.get(0); - keycheck_s = 
serverSideValues.get(1); - } - else { - status = "1"; - } - } - - if (host_cryptogram != null && host_cryptogram.length > 0) { - cryptogram = - com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); - } else { - if (status.equals("0") == true) { - status = "2"; - } - } - - if (selectedToken == null || keyNickName == null) { - // AC: Bugfix: Don't override status's value if an error was already flagged - if (status.equals("0") == true) { - status = "4"; - } - } - - if (!sameCardCrypto) { - if (status.equals("0") == true) { - status = "5"; - } - } - - if (missingSetting_exception != null) { - status = "6"; - } - - if (missingParam) { - status = "3"; - } - - if (!status.equals("0")) { - - if (status.equals("1")) { - errorMsg = "Problem generating session key info."; - } - - if (status.equals("2")) { - errorMsg = "Problem creating host_cryptogram."; - } - - if (status.equals("5")) { - errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; - } - - if (status.equals("4")) { - errorMsg = "Problem obtaining token information."; - } - - if (status.equals("6")) { - errorMsg = "Problem reading required configuration value."; - } - - if (status.equals("3")) { - if (badParams.endsWith(",")) { - badParams = badParams.substring(0, badParams.length() - 1); - } - errorMsg = "Missing input parameters :" + badParams; - } - - value = IRemoteRequest.RESPONSE_STATUS + "=" + status; - } else { - if (serversideKeygen == true) { - StringBuffer sb = new StringBuffer(); - sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); - sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); - sb.append(macSessionKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); - sb.append(cryptogram); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); - sb.append(encSessionKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); - sb.append(kekSessionKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey 
+ "="); - sb.append(kek_wrapped_desKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); - sb.append(keycheck_s); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); - sb.append(drm_trans_wrapped_desKeyString); - value = sb.toString(); - } else { - StringBuffer sb = new StringBuffer(); - sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); - sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); - sb.append(macSessionKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); - sb.append(cryptogram); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); - sb.append(encSessionKeyString); - sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); - value = sb.toString(); - } - - } - //CMS.debug(method + "outputString.encode " + value); - - try { - resp.setContentLength(value.length()); - CMS.debug("TokenServlet:outputString.length " + value.length()); - OutputStream ooss = resp.getOutputStream(); - ooss.write(value.getBytes()); - ooss.flush(); - mRenderResult = false; - } catch (IOException e) { - CMS.debug("TokenServlet: " + e.toString()); - } - - if (status.equals("0")) { - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.SUCCESS, // Outcome - status, // status - agentId, // AgentID - isCryptoValidate ? "true" : "false", // IsCryptoValidate - serversideKeygen ? 
"true" : "false", // IsServerSideKeygen - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion - }; - auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, - logParams); - - } else { - String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded - log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded - ILogger.FAILURE, // Outcome - status, // status - agentId, // AgentID - isCryptoValidate ? "true" : "false", // IsCryptoValidate - serversideKeygen ? "true" : "false", // IsServerSideKeygen - selectedToken, // SelectedToken - keyNickName, // KeyNickName - keySet, // TKSKeyset - log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion - errorMsg // Error - }; - auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, - logParams); - - } - - audit(auditMessage); - - } - - /** - * Serves HTTP admin request. 
- * - * @param req HTTP request - * @param resp HTTP response - */ - public void service(HttpServletRequest req, HttpServletResponse resp) - throws ServletException, IOException { - super.service(req, resp); - } - - private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException { - - IConfigStore configStore = CMS.getConfigStore(); - String sharedSecretName = null; - try { - - sharedSecretName = getSharedSecretName(configStore); - - } catch (EBaseException e) { - throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: " - + e); - - } - - CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); - - String symmKeys = null; - boolean keyPresent = false; - try { - symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME); - CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys); - } catch (Exception e) { - // TODO Auto-generated catch block - CMS.debug(e); - } - - for (String keyName : symmKeys.split(",")) { - if (sharedSecretName.equals(keyName)) { - CMS.debug("TokenServlet.getSharedSecret: shared secret key found!"); - keyPresent = true; - break; - } - - } - - if (!keyPresent) { - throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!"); - } - - // We know for now that shared secret is on this token - String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME; - PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); - - CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret); - - return sharedSecret; - - } - - //returns ArrayList of following values - // 0 : Kek wrapped des key - // 1 : keycheck value - // 2 : trans wrapped des key - private ArrayList calculateServerSideKeygenValues(String useSoftToken, String selectedToken, - SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws EBaseException { - - SymmetricKey desKey = null; - String method 
= "TokenServlet.calculateSErverSideKeygenValues: "; - ArrayList values = new ArrayList(); - - /** - * 0. generate des key - * 1. encrypt des key with kek key - * 2. encrypt des key with DRM transport key - * These two wrapped items are to be sent back to - * TPS. 2nd item is to DRM - **/ - CMS.debug(method + " entering..."); - - // (1) generate DES key - /* applet does not support DES3 - org.mozilla.jss.crypto.KeyGenerator kg = - internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); - desKey = kg.generate();*/ - - /* - * GenerateSymkey firt generates a 16 byte DES2 key. - * It then pads it into a 24 byte key with last - * 8 bytes copied from the 1st 8 bytes. Effectively - * making it a 24 byte DES2 key. We need this for - * wrapping private keys on DRM. - */ - /*generate it on whichever token the master key is at*/ - - if (useSoftToken.equals("true")) { - CMS.debug(method + " key encryption key generated on internal"); - desKey = protocol.generateSymKey("internal"); - //cfu audit here? sym key gen done - } else { - CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); - desKey = protocol.generateSymKey(selectedToken); - } - if (desKey == null) { - throw new EBaseException(method + "can't generate key encryption key"); - } - - /* - * ECBencrypt actually takes the 24 byte DES2 key - * and discard the last 8 bytes before it encrypts. 
- * This is done so that the applet can digest it - */ - - - // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey) - - byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken); - - String kek_wrapped_desKeyString = - com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); - - CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString); - - values.add(kek_wrapped_desKeyString); - - // get keycheck - - byte[] keycheck = null; - - keycheck = protocol.computeKeyCheck(desKey, selectedToken); - - String keycheck_s = - com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); - - CMS.debug(method + "keycheck_s " + keycheck_s); - - values.add(keycheck_s); - - //use DRM transport cert to wrap desKey - String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); - - if ((drmTransNickname == null) || (drmTransNickname == "")) { - CMS.debug(method + " did not find DRM transport certificate nickname"); - throw new EBaseException(method + "can't find DRM transport certificate nickname"); - } else { - CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname); - } - - X509Certificate drmTransCert = null; - try { - - drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); - // wrap kek session key with DRM transport public key - CryptoToken token = null; - if (useSoftToken.equals("true")) { - //token = CryptoManager.getInstance().getTokenByName(selectedToken); - token = CryptoManager.getInstance().getInternalCryptoToken(); - } else { - token = CryptoManager.getInstance().getTokenByName(selectedToken); - } - PublicKey pubKey = drmTransCert.getPublicKey(); - String pubKeyAlgo = pubKey.getAlgorithm(); - CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); - KeyWrapper keyWrapper = null; - //For wrapping symmetric keys don't need IV, use ECB - if (pubKeyAlgo.equals("EC")) { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); - keyWrapper.initWrap(pubKey, 
null); - } else { - keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); - keyWrapper.initWrap(pubKey, null); - } - CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); - byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); - - String drmWrappedDesStr = - com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); - - CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr); - values.add(drmWrappedDesStr); - - } catch (Exception e) { - throw new EBaseException(e); - } - - return values; - } - - private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) { - boolean sameCardCrypto = true; - - if (original_cryptogram == null || calculated_cryptogram == null) { - return false; - } - if (original_cryptogram.length == calculated_cryptogram.length) { - for (int i = 0; i < original_cryptogram.length; i++) { - if (original_cryptogram[i] != calculated_cryptogram[i]) { - sameCardCrypto = false; - break; - } - } - } else { - // different length; must be different - sameCardCrypto = false; - } - - return sameCardCrypto; - } - - //For now only used for scp03 - - static GPParams readGPSettings(String keySet) { - GPParams params = new GPParams(); - - String method = "TokenServlet.readGPSettings: "; - String gp3Settings = "tks." 
+ keySet + ".prot3"; - - String divers = "emv"; - try { - divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv"); - } catch (EBaseException e) { - } - - params.setDiversificationScheme(divers); - - CMS.debug(method + " Divers: " + divers); - - String diversVer1Keys = "emv"; - - try { - diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv"); - } catch (EBaseException e) { - } - - params.setVersion1DiversificationScheme(diversVer1Keys); - CMS.debug(method + " Version 1 keys Divers: " + divers); - - String keyType = null; - try { - keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); - } catch (EBaseException e) { - } - - CMS.debug(method + " devKeyType: " + keyType); - - params.setDevKeyType(keyType); - - try { - keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); - } catch (EBaseException e) { - } - - params.setMasterKeyType(keyType); - - CMS.debug(method + " masterKeyType: " + keyType); - - - return params; - } - - private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException { - byte devKeyArray[] = null; - try { - devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." - + keySet + "." + keyType)); - } catch (Exception e) { - throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType); - } - - return devKeyArray; - } - - -} diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml index 18c85a3..ddbea88 100644 --- a/base/tks/shared/webapps/tks/WEB-INF/web.xml +++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml @@ -108,7 +108,7 @@ tksEncryptData - com.netscape.cms.servlet.tks.TokenServlet + org.dogtagpki.server.tks.servlet.TokenServlet GetClientCert true AuthzMgr 
@@ -125,7 +125,7 @@ tksCreateKeySetData - com.netscape.cms.servlet.tks.TokenServlet + org.dogtagpki.server.tks.servlet.TokenServlet GetClientCert true AuthzMgr @@ -142,7 +142,7 @@ tksSessionKey - com.netscape.cms.servlet.tks.TokenServlet + org.dogtagpki.server.tks.servlet.TokenServlet GetClientCert true AuthzMgr @@ -159,7 +159,7 @@ tksRandomData - com.netscape.cms.servlet.tks.TokenServlet + org.dogtagpki.server.tks.servlet.TokenServlet GetClientCert true AuthzMgr diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java new file mode 100644 index 0000000..c8150a9 --- /dev/null +++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java 
@@ -0,0 +1,3226 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2007 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package org.dogtagpki.server.tks.servlet; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.OutputStream; +import java.security.PublicKey; +import java.security.SecureRandom; +import java.util.ArrayList; +import java.util.StringTokenizer; + +import javax.servlet.ServletConfig; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.dogtagpki.server.connector.IRemoteRequest; +import org.mozilla.jss.CryptoManager; +import org.mozilla.jss.CryptoManager.NotInitializedException; +import org.mozilla.jss.crypto.CryptoToken; +import org.mozilla.jss.crypto.KeyWrapAlgorithm; +import org.mozilla.jss.crypto.KeyWrapper; +import org.mozilla.jss.crypto.SymmetricKey; +import org.mozilla.jss.crypto.X509Certificate; +import org.mozilla.jss.pkcs11.PK11SymKey; + +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.IConfigStore; +import 
com.netscape.certsrv.base.IPrettyPrintFormat; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.logging.ILogger; +import com.netscape.cms.servlet.base.CMSServlet; +import com.netscape.cms.servlet.common.CMSRequest; +import com.netscape.cms.servlet.tks.GPParams; +import com.netscape.cms.servlet.tks.NistSP800_108KDF; +import com.netscape.cms.servlet.tks.SecureChannelProtocol; +import com.netscape.cmsutil.crypto.CryptoUtil; +import com.netscape.symkey.SessionKey; + +/** + * A class representings an administration servlet for Token Key + * Service Authority. This servlet is responsible to serve + * tks administrative operation such as configuration + * parameter updates. + * + * @version $Revision$, $Date$ + */ +public class TokenServlet extends CMSServlet { + /** + * + */ + private static final long serialVersionUID = 8687436109695172791L; + protected static final String PROP_ENABLED = "enabled"; + protected static final String TRANSPORT_KEY_NAME = "sharedSecret"; + private final static String INFO = "TokenServlet"; + public static int ERROR = 1; + String mKeyNickName = null; + String mNewKeyNickName = null; + String mCurrentUID = null; + IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); + + // Derivation Constants for SCP02 + public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 }; + public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 }; + public final static byte[] DEKDerivationConstant = { 0x01, (byte) 0x81 }; + public final static byte[] R_MACDerivationConstant = { 0x01, 0x02 }; + + /** + * Constructs tks servlet. 
+ */ + public TokenServlet() { + super(); + + } + + public static String trim(String a) { + StringBuffer newa = new StringBuffer(); + StringTokenizer tokens = new StringTokenizer(a, "\n"); + while (tokens.hasMoreTokens()) { + newa.append(tokens.nextToken()); + } + return newa.toString(); + } + + public void init(ServletConfig config) throws ServletException { + super.init(config); + } + + /** + * Returns serlvet information. + * + * @return name of this servlet + */ + public String getServletInfo() { + return INFO; + } + + /** + * Process the HTTP request. + * + * @param s The URL to decode. + */ + protected String URLdecode(String s) { + if (s == null) + return null; + ByteArrayOutputStream out = new ByteArrayOutputStream(s.length()); + + for (int i = 0; i < s.length(); i++) { + int c = s.charAt(i); + + if (c == '+') { + out.write(' '); + } else if (c == '%') { + int c1 = Character.digit(s.charAt(++i), 16); + int c2 = Character.digit(s.charAt(++i), 16); + + out.write((char) (c1 * 16 + c2)); + } else { + out.write(c); + } + } // end for + return out.toString(); + } + + private void setDefaultSlotAndKeyName(HttpServletRequest req) { + try { + + String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); + if (keySet == null || keySet.equals("")) { + keySet = "defKeySet"; + } + CMS.debug("keySet selected: " + keySet); + + String masterKeyPrefix = CMS.getConfigStore().getString("tks.master_key_prefix", null); + String temp = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); //#xx#xx + String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ temp; + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + if (mappingValue != null) { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + int tokenNumber = 0; + while (st.hasMoreTokens()) { + + String currentToken = st.nextToken(); + if (tokenNumber == 1) + mKeyNickName = currentToken; + tokenNumber++; + + } + } + if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) // for diversification + { + temp = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO); //#xx#xx + String newKeyInfoMap = "tks." + keySet + ".mk_mappings." + temp; + String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); + if (newMappingValue != null) { + StringTokenizer st = new StringTokenizer(newMappingValue, ":"); + int tokenNumber = 0; + while (st.hasMoreTokens()) { + String currentToken = st.nextToken(); + if (tokenNumber == 1) + mNewKeyNickName = currentToken; + tokenNumber++; + + } + } + } + + CMS.debug("Setting masteter keky prefix to: " + masterKeyPrefix); + + SecureChannelProtocol.setDefaultPrefix(masterKeyPrefix); + /*SessionKey.SetDefaultPrefix(masterKeyPrefix);*/ + + } catch (Exception e) { + e.printStackTrace(); + CMS.debug("Exception in TokenServlet::setDefaultSlotAndKeyName"); + } + + } + + // AC: KDF SPEC CHANGE - read new setting value from config file + // (This value allows configuration of which master keys use the NIST SP800-108 KDF and which use the original KDF for backwards compatibility) + // CAREFUL: Result returned may be negative due to java's lack of unsigned types. + // Negative values need to be treated as higher key numbers than positive key numbers. + private static byte read_setting_nistSP800_108KdfOnKeyVersion(String keySet) throws Exception { + String nistSP800_108KdfOnKeyVersion_map = "tks." 
+ keySet + ".nistSP800-108KdfOnKeyVersion"; + // KDF phase1: default to 00 + String nistSP800_108KdfOnKeyVersion_value = + CMS.getConfigStore().getString(nistSP800_108KdfOnKeyVersion_map, "00" /*null*/); + short nistSP800_108KdfOnKeyVersion_short = 0; + // if value does not exist in file + if (nistSP800_108KdfOnKeyVersion_value == null) { + // throw + // (we want admins to pay attention to this configuration item rather than guessing for them) + throw new Exception("Required configuration value \"" + nistSP800_108KdfOnKeyVersion_map + + "\" missing from configuration file."); + } + // convert setting value (in ASCII-hex) to short + try { + nistSP800_108KdfOnKeyVersion_short = Short.parseShort(nistSP800_108KdfOnKeyVersion_value, 16); + if ((nistSP800_108KdfOnKeyVersion_short < 0) || (nistSP800_108KdfOnKeyVersion_short > (short) 0x00FF)) { + throw new Exception("Out of range."); + } + } catch (Throwable t) { + throw new Exception("Configuration value \"" + nistSP800_108KdfOnKeyVersion_map + + "\" is in incorrect format. " + + "Correct format is \"" + nistSP800_108KdfOnKeyVersion_map + + "=xx\" where xx is key version specified in ASCII-HEX format.", t); + } + // convert to byte (anything higher than 0x7F is represented as a negative) + byte nistSP800_108KdfOnKeyVersion_byte = (byte) nistSP800_108KdfOnKeyVersion_short; + return nistSP800_108KdfOnKeyVersion_byte; + } + + // AC: KDF SPEC CHANGE - read new setting value from config file + // (This value allows configuration of the NIST SP800-108 KDF: + // If "true" we use the CUID parameter within the NIST SP800-108 KDF. + // If "false" we use the KDD parameter within the NIST SP800-108 KDF. + private static boolean read_setting_nistSP800_108KdfUseCuidAsKdd(String keySet) throws Exception { + String setting_map = "tks." 
+ keySet + ".nistSP800-108KdfUseCuidAsKdd"; + // KDF phase1: default to "false" + String setting_str = + CMS.getConfigStore().getString(setting_map, "false" /*null*/); + boolean setting_boolean = false; + // if value does not exist in file + if (setting_str == null) { + // throw + // (we want admins to pay attention to this configuration item rather than guessing for them) + throw new Exception("Required configuration value \"" + setting_map + "\" missing from configuration file."); + } + // convert setting value to boolean + try { + setting_boolean = Boolean.parseBoolean(setting_str); + } catch (Throwable t) { + throw new Exception("Configuration value \"" + setting_map + + "\" is in incorrect format. Should be either \"true\" or \"false\".", t); + } + return setting_boolean; + } + + // AC: KDF SPEC CHANGE - Audit logging helper functions. + // Converts a byte array to an ASCII-hex string. + // We implemented this ourselves rather than using this.pp.toHexArray() because + // the team preferred CUID and KDD strings to be without ":" separators every byte. + final char[] bytesToHex_hexArray = "0123456789ABCDEF".toCharArray(); + + private String bytesToHex(byte[] bytes) { + char[] hexChars = new char[bytes.length * 2]; + for (int i = 0; i < bytes.length; i++) { + int thisChar = bytes[i] & 0x000000FF; + hexChars[i * 2] = bytesToHex_hexArray[thisChar >>> 4]; // div 16 + hexChars[i * 2 + 1] = bytesToHex_hexArray[thisChar & 0x0F]; + } + return new String(hexChars); + } + + // AC: KDF SPEC CHANGE - Audit logging helper functions. + // Safely converts a keyInfo byte array to a Key version hex string in the format: 0xa + // Since key version is always the first byte, this function returns the unsigned hex string representation of parameter[0]. + // Returns "null" if parameter is null. + // Returns "invalid" if parameter.length < 1 + private String log_string_from_keyInfo(byte[] xkeyInfo) { + return (xkeyInfo == null) ? "null" : (xkeyInfo.length < 1 ? 
"invalid" : "0x" + + Integer.toHexString((xkeyInfo[0]) & 0x000000FF)); + } + + // AC: KDF SPEC CHANGE - Audit logging helper functions. + // Safely converts a byte array containing specialDecoded information to an ASCII-hex string. + // Parameters: + // specialDecoded - byte array containing data. May be null. + // Returns: + // if specialDecoded is blank, returns "null" + // if specialDecoded != null, returns + private String log_string_from_specialDecoded_byte_array(byte[] specialDecoded) { + if (specialDecoded == null) { + return "null"; + } else { + return bytesToHex(specialDecoded); + } + } + + /* Compute Session Key for SCP02 + * For simplicity compute just one session key,unless it is the DEK key case. + */ + + private void processComputeSessionKeySCP02(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { + + CMS.debug("TokenServlet.processComputeSessionKeySCP02 entering.."); + String auditMessage = null; + String errorMsg = ""; + String badParams = ""; + String transportKeyName = ""; + boolean missingParam = false; + String selectedToken = null; + String keyNickName = null; + byte[] drm_trans_wrapped_desKey = null; + + byte[] xKDD = null; + byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; + boolean nistSP800_108KdfUseCuidAsKdd = false; + + IConfigStore sconfig = CMS.getConfigStore(); + + boolean isCryptoValidate = false; + byte[] keyInfo, xCUID = null, session_key = null; + + Exception missingSettingException = null; + + String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); + + String rKDD = req.getParameter(IRemoteRequest.TOKEN_KDD); + + String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); + + if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { + badParams += " KeyInfo,"; + CMS.debug("TokenServlet: processComputeSessionKeySCP02(): missing request parameter: key info"); + missingParam = true; + } + + keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + + String keySet = 
req.getParameter(IRemoteRequest.TOKEN_KEYSET); + + if (keySet == null || keySet.equals("")) { + keySet = "defKeySet"; + } + CMS.debug("TokenServlet.processComputeSessionKeySCP02: keySet selected: " + keySet + " keyInfo: " + rKeyInfo); + + boolean serversideKeygen = false; + + String rDerivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); + String rSequenceCounter = req.getParameter(IRemoteRequest.SEQUENCE_COUNTER); + + if ((rDerivationConstant == null) || (rDerivationConstant.equals(""))) { + badParams += " derivation_constant,"; + CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: derivation constant."); + missingParam = true; + } + + if ((rSequenceCounter == null) || (rSequenceCounter.equals(""))) { + badParams += " sequence_counter,"; + CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: sequence counter."); + missingParam = true; + } + + SessionContext sContext = SessionContext.getContext(); + + String agentId = ""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + auditMessage = CMS.getLogMessage( + AuditEvent.COMPUTE_SESSION_KEY_REQUEST, + rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. 
+ ILogger.SUCCESS, + agentId); + + audit(auditMessage); + + if (!missingParam) { + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + + if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; + CMS.debug("TokenServlet.processCompureSessionKeySCP02: Invalid CUID length"); + missingParam = true; + } + + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug("TokenServlet.processComputeSessionKeySCP02(): missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } + + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); + if (xKDD == null || xKDD.length != 10) { + badParams += " KDD length,"; + CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid KDD length"); + missingParam = true; + } + + keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + if (keyInfo == null || keyInfo.length != 2) { + badParams += " KeyInfo length,"; + CMS.debug("TokenServlet.processComputeSessionKeySCP02: Invalid key info length."); + missingParam = true; + } + + try { + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo + CMS.debug("TokenServlet: ComputeSessionKeySCP02(): keyInfo[0] = 0x" + + Integer.toHexString((keyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] = 0x" + + Integer.toHexString((keyInfo[1]) & 0x0000000FF) + ); + CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true) { + CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + } else { + CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the 
set-an-error-flag mentality + } catch (Exception e) { + missingSettingException = e; + CMS.debug("TokenServlet: ComputeSessionKeySCP02(): Exception reading Nist SP800-108 KDF config values: " + + e.toString()); + } + + } + + String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + if (mappingValue == null) { + selectedToken = + CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); + keyNickName = rKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + if (st.hasMoreTokens()) + selectedToken = st.nextToken(); + if (st.hasMoreTokens()) + keyNickName = st.nextToken(); + } + + keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx + try { + mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + } catch (EBaseException e1) { + + e1.printStackTrace(); + } + if (mappingValue == null) { + try { + selectedToken = + CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); + } catch (EBaseException e) { + + e.printStackTrace(); + } + keyNickName = rKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + if (st.hasMoreTokens()) + selectedToken = st.nextToken(); + if (st.hasMoreTokens()) + keyNickName = st.nextToken(); + } + + CMS.debug("TokenServlet: processComputeSessionKeySCP02(): final keyNickname: " + keyNickName); + String useSoftToken_s = null; + try { + useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); + } catch (EBaseException e1) { + // TODO Auto-generated catch block + e1.printStackTrace(); + } + if (!useSoftToken_s.equalsIgnoreCase("true")) + useSoftToken_s = "false"; + + String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); + if (rServersideKeygen.equals("true")) { + CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen requested"); + serversideKeygen = true; + } 
else { + CMS.debug("TokenServlet.processComputeSessionKeySCP02: serversideKeygen not requested"); + } + + transportKeyName = null; + try { + transportKeyName = getSharedSecretName(sconfig); + } catch (EBaseException e1) { + // TODO Auto-generated catch block + e1.printStackTrace(); + CMS.debug("TokenServlet.processComputeSessionKeySCP02: Can't find transport key name!"); + + } + + CMS.debug("TokenServlet: processComputeSessionKeySCP02(): tksSharedSymKeyName: " + transportKeyName); + + try { + isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); + } catch (EBaseException eee) { + } + + byte macKeyArray[] = null; + byte sequenceCounter[] = null; + byte derivationConstant[] = null; + + boolean errorFound = false; + + String dek_wrapped_desKeyString = null; + String keycheck_s = null; + + if (selectedToken != null && keyNickName != null && transportKeyName != null && missingSettingException == null) { + try { + macKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + ".mac_key")); + + sequenceCounter = com.netscape.cmsutil.util.Utils.SpecialDecode(rSequenceCounter); + derivationConstant = com.netscape.cmsutil.util.Utils.SpecialDecode(rDerivationConstant); + + //Use old style for the moment. 
+ //ToDo: We need to use the nistXP800 params we have collected and send them down to symkey + //Perform in next ticket to fully implement nistXP800 + + session_key = SessionKey.ComputeSessionKeySCP02( + selectedToken, keyNickName, + keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, macKeyArray, sequenceCounter, derivationConstant, + useSoftToken_s, keySet, + transportKeyName); + + if (session_key == null) { + CMS.debug("TokenServlet.computeSessionKeySCP02:Tried ComputeSessionKey, got NULL "); + throw new EBaseException("Can't compute session key for SCP02!"); + + } + + //Only do this for the dekSessionKey and if we are in the server side keygen case. + if (derivationConstant[0] == DEKDerivationConstant[0] + && derivationConstant[1] == DEKDerivationConstant[1] && serversideKeygen == true) { + + CMS.debug("TokenServlet.computeSessionKeySCP02: We have the server side keygen case while generating the dek session key, wrap and return symkeys for the drm and token."); + + /** + * 0. generate des key + * 1. encrypt des key with dek key + * 2. encrypt des key with DRM transport key + * These two wrapped items are to be sent back to + * TPS. 
2nd item is to DRM + **/ + + PK11SymKey desKey = null; + PK11SymKey dekKey = null; + + /*generate it on whichever token the master key is at*/ + if (useSoftToken_s.equals("true")) { + CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on internal"); + + desKey = SessionKey.GenerateSymkey(CryptoUtil.INTERNAL_TOKEN_NAME); + + } else { + CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated on " + + selectedToken); + desKey = SessionKey.GenerateSymkey(selectedToken); + } + if (desKey != null) + CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generated for " + rCUID); + else { + CMS.debug("TokenServlet.computeSessionKeySCP02: key encryption key generation failed for " + + rCUID); + throw new EBaseException( + "TokenServlet.computeSessionKeySCP02: can't generate key encryption key"); + } + + CryptoToken token = null; + if (useSoftToken_s.equals("true")) { + token = CryptoUtil.getCryptoToken(null); + } else { + token = CryptoUtil.getCryptoToken(selectedToken); + } + + //Now we have to create a sym key object for the wrapped session_key (dekKey) + // session_key wrapped by the shared Secret + + PK11SymKey sharedSecret = getSharedSecretKey(); + + if (sharedSecret == null) { + throw new EBaseException( + "TokenServlet.computeSessionKeySCP02: Can't find share secret sym key!"); + } + + dekKey = SessionKey.UnwrapSessionKeyWithSharedSecret(token.getName(), sharedSecret, + session_key); + + if (dekKey == null) { + throw new EBaseException( + "TokenServlet.computeSessionKeySCP02: Can't unwrap DEK key onto the token!"); + } + + /* + * ECBencrypt actually takes the 24 byte DES2 key + * and discard the last 8 bytes before it encrypts. 
+ * This is done so that the applet can digest it + */ + byte[] encDesKey = + SessionKey.ECBencrypt(dekKey, + desKey); + + if (encDesKey == null) { + throw new EBaseException("TokenServlet.computeSessionKeySCP02: Can't encrypt DEK key!"); + } + + dek_wrapped_desKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); + + byte[] keycheck = + SessionKey.ComputeKeyCheck(desKey); + + if (keycheck == null) { + throw new EBaseException( + "TokenServlet.computeSessionKeySCP02: Can't compute key check for encrypted DEK key!"); + } + + keycheck_s = + com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); + + //use DRM transport cert to wrap desKey + String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); + + if ((drmTransNickname == null) || (drmTransNickname == "")) { + CMS.debug("TokenServlet.computeSessionKeySCP02:did not find DRM transport certificate nickname"); + throw new EBaseException("can't find DRM transport certificate nickname"); + } else { + CMS.debug("TokenServlet.computeSessionKeySCP02:drmtransport_cert_nickname=" + drmTransNickname); + } + + X509Certificate drmTransCert = null; + drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); + // wrap kek session key with DRM transport public key + + PublicKey pubKey = drmTransCert.getPublicKey(); + String pubKeyAlgo = pubKey.getAlgorithm(); + + KeyWrapper keyWrapper = null; + //For wrapping symmetric keys don't need IV, use ECB + if (pubKeyAlgo.equals("EC")) { + keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); + keyWrapper.initWrap(pubKey, null); + } else { + keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); + keyWrapper.initWrap(pubKey, null); + } + + drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); + CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey wrapped with drm transportation key."); + + CMS.debug("computeSessionKey.computeSessionKeySCP02:desKey: Just unwrapped the dekKey onto the token to be 
wrapped on the way out."); + + } + + } catch (Exception e) { + CMS.debug("TokenServlet.computeSessionKeySCP02 Computing Session Key: " + e.toString()); + errorFound = true; + + } + + } + + String status = "0"; + String value = ""; + String outputString = ""; + + boolean statusDeclared = false; + + if (session_key != null && session_key.length > 0 && errorFound == false) { + outputString = + com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); + } else { + + status = "1"; + statusDeclared = true; + } + + if (selectedToken == null || keyNickName == null) { + if (!statusDeclared) { + status = "4"; + statusDeclared = true; + } + } + + if (missingSettingException != null) { + if (!statusDeclared) { + status = "6"; + statusDeclared = true; + } + } + + if (missingParam) { + status = "3"; + } + + String drm_trans_wrapped_desKeyString = null; + + if (!status.equals("0")) { + if (status.equals("1")) { + errorMsg = "Problem generating session key info."; + } + + if (status.equals("4")) { + errorMsg = "Problem obtaining token information."; + } + + if (status.equals("3")) { + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); + } + errorMsg = "Missing input parameters :" + badParams; + } + + if (status.equals("6")) { + errorMsg = "Problem reading required configuration value."; + } + + } else { + + if (serversideKeygen == true) { + + if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) { + drm_trans_wrapped_desKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); + } + + StringBuffer sb = new StringBuffer(); + sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); + sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); + sb.append(outputString); + + //Now add the trans wrapped des key + + if (drm_trans_wrapped_desKeyString != null) { + sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); + sb.append(drm_trans_wrapped_desKeyString); + } + + if 
(dek_wrapped_desKeyString != null) { + sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "="); + sb.append(dek_wrapped_desKeyString); + } + + if (keycheck_s != null) { + sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); + sb.append(keycheck_s); + } + + value = sb.toString(); + } else { + StringBuffer sb = new StringBuffer(); + sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); + sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "="); + sb.append(outputString); + value = sb.toString(); + } + + } + + //CMS.debug("TokenServlet:outputString.encode " + value); + + try { + resp.setContentLength(value.length()); + CMS.debug("TokenServlet:outputString.length " + value.length()); + OutputStream ooss = resp.getOutputStream(); + ooss.write(value.getBytes()); + ooss.flush(); + mRenderResult = false; + } catch (IOException e) { + CMS.debug("TokenServlet: " + e.toString()); + } + + if (status.equals("0")) { + + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + isCryptoValidate ? "true" : "false", // IsCryptoValidate + serversideKeygen ? "true" : "false", // IsServerSideKeygen + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; + auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, + logParams); + + } else { + + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + isCryptoValidate ? 
"true" : "false", // IsCryptoValidate
+ serversideKeygen ? "true" : "false", // IsServerSideKeygen
+ selectedToken, // SelectedToken
+ keyNickName, // KeyNickName
+ keySet, // TKSKeyset
+ log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+ errorMsg // Error
+ };
+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+ logParams);
+ }
+
+ audit(auditMessage);
+
+ }
+
+ private void processComputeSessionKey(HttpServletRequest req,
+ HttpServletResponse resp) throws EBaseException {
+ byte[] card_challenge, host_challenge, keyInfo, xCUID, session_key, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
+
+ // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
+ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+ boolean nistSP800_108KdfUseCuidAsKdd = false;
+
+ byte[] card_crypto, host_cryptogram, input_card_crypto;
+ byte[] xcard_challenge, xhost_challenge;
+ byte[] enc_session_key, xkeyInfo;
+ String auditMessage = null;
+ String errorMsg = "";
+ String badParams = "";
+ String transportKeyName = "";
+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+
+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+ String rKDD = req.getParameter("KDD");
+ if ((rKDD == null) || (rKDD.length() == 0)) {
+ // KDF phase1: default to rCUID if not present
+ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+ rKDD = rCUID;
+ }
+
+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+ if (keySet == null || keySet.equals("")) {
+ keySet = "defKeySet";
+ }
+ CMS.debug("keySet selected: " + keySet);
+
+ boolean serversideKeygen = false;
+ byte[] drm_trans_wrapped_desKey = null;
+ SymmetricKey desKey = null;
+ // PK11SymKey kek_session_key;
+ SymmetricKey kek_key;
+
+ IConfigStore sconfig = CMS.getConfigStore();
+ boolean isCryptoValidate = true;
+ boolean missingParam = false;
+
+ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
+ Exception missingSetting_exception = null;
+
+ session_key = null;
+ card_crypto = null;
+ host_cryptogram = null;
+ enc_session_key = null;
+ // kek_session_key = null;
+
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId = "";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ // AC: KDF SPEC CHANGE: Need to log both KDD and CUID
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
+ rCUID,
+ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+ ILogger.SUCCESS,
+ agentId);
+
+ audit(auditMessage);
+
+ String kek_wrapped_desKeyString = null;
+ String keycheck_s = null;
+
+ CMS.debug("processComputeSessionKey:");
+ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+ if (!useSoftToken_s.equalsIgnoreCase("true"))
+ useSoftToken_s = "false";
+
+ String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN);
+ if (rServersideKeygen.equals("true")) {
+ CMS.debug("TokenServlet: serversideKeygen requested");
+ serversideKeygen = true;
+ } else {
+ CMS.debug("TokenServlet: serversideKeygen not requested");
+ }
+
+ try {
+ isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true);
+ } catch (EBaseException eee) {
+ }
+
+ transportKeyName = getSharedSecretName(sconfig);
+
+ String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE);
+ String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE);
+ String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+ String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM);
+ if ((rCUID == null) || (rCUID.equals(""))) {
+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: CUID");
+
badParams += " CUID,";
+ missingParam = true;
+ }
+
+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+ if ((rKDD == null) || (rKDD.length() == 0)) {
+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: KDD");
+ badParams += " KDD,";
+ missingParam = true;
+ }
+
+ if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
+ badParams += " card_challenge,";
+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
+ missingParam = true;
+ }
+
+ if ((rhost_challenge == null) || (rhost_challenge.equals(""))) {
+ badParams += " host_challenge,";
+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: host challenge");
+ missingParam = true;
+ }
+
+ if ((rKeyInfo == null) || (rKeyInfo.equals(""))) {
+ badParams += " KeyInfo,";
+ CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: key info");
+ missingParam = true;
+ }
+
+ String selectedToken = null;
+ String keyNickName = null;
+ boolean sameCardCrypto = true;
+
+ // AC: KDF SPEC CHANGE
+ xCUID = null; // avoid errors about non-initialization
+ xKDD = null; // avoid errors about non-initialization
+ xkeyInfo = null; // avoid errors about non-initialization
+
+ if (!missingParam) {
+
+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+ if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
+ CMS.debug("TokenServlet: Invalid CUID length");
+ missingParam = true;
+ }
+
+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+ if (xKDD == null || xKDD.length != 10) {
+ badParams += " KDD length,";
+ CMS.debug("TokenServlet: Invalid KDD length");
+ missingParam = true;
+ }
+
+ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo);
+ if (xkeyInfo == null || xkeyInfo.length != 2) {
+ badParams += " KeyInfo length,";
+ CMS.debug("TokenServlet: Invalid key info length.");
+ missingParam = true;
+ }
+
xcard_challenge = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); + if (xcard_challenge == null || xcard_challenge.length != 8) { + badParams += " card_challenge length,"; + CMS.debug("TokenServlet: Invalid card challenge length."); + missingParam = true; + } + + xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); + if (xhost_challenge == null || xhost_challenge.length != 8) { + badParams += " host_challenge length,"; + CMS.debug("TokenServlet: Invalid host challenge length"); + missingParam = true; + } + + } + + if (!missingParam) { + card_challenge = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); + + host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); + keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + + // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) + //ToDo: Will use these values after completing next ticket + try { + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo + CMS.debug("TokenServlet: ComputeSessionKey(): xkeyInfo[0] = 0x" + + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] = 0x" + + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) + ); + CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true) { + CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + } else { + CMS.debug("TokenServlet: ComputeSessionKey(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the set-an-error-flag mentality + } catch (Exception e) { + missingSetting_exception = e; + 
CMS.debug("TokenServlet: ComputeSessionKey(): Exception reading Nist SP800-108 KDF config values: " + + e.toString()); + } + + String keyInfoMap = "tks." + keySet + ".mk_mappings." + rKeyInfo; //#xx#xx + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + if (mappingValue == null) { + selectedToken = + CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); + keyNickName = rKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + if (st.hasMoreTokens()) + selectedToken = st.nextToken(); + if (st.hasMoreTokens()) + keyNickName = st.nextToken(); + } + + if (selectedToken != null && keyNickName != null + // AC: KDF SPEC CHANGE - check for error flag + && missingSetting_exception == null) { + + try { + + byte macKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + ".mac_key")); + CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" + + selectedToken + " keyNickName=" + keyNickName); + + SecureChannelProtocol protocol = new SecureChannelProtocol(); + SymmetricKey macKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.macType, + selectedToken, + keyNickName, card_challenge, + host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, + xKDD, macKeyArray, useSoftToken_s, keySet, transportKeyName); + + session_key = protocol.wrapSessionKey(selectedToken, macKey, null); + + if (session_key == null) { + CMS.debug("TokenServlet:Tried ComputeSessionKey, got NULL "); + throw new Exception("Can't compute session key!"); + + } + + byte encKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ + keySet + ".auth_key")); + SymmetricKey encKey = protocol.computeSessionKey_SCP01(SecureChannelProtocol.encType, + selectedToken, + keyNickName, card_challenge, host_challenge, keyInfo, nistSP800_108KdfOnKeyVersion, + nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, encKeyArray, useSoftToken_s, keySet, + transportKeyName); + + enc_session_key = protocol.wrapSessionKey(selectedToken, encKey, null); + + if (enc_session_key == null) { + CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); + throw new Exception("Can't compute enc session key!"); + + } + + if (serversideKeygen == true) { + + /** + * 0. generate des key + * 1. encrypt des key with kek key + * 2. encrypt des key with DRM transport key + * These two wrapped items are to be sent back to + * TPS. 2nd item is to DRM + **/ + CMS.debug("TokenServlet: calling ComputeKekKey"); + + byte kekKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + ".kek_key")); + + kek_key = protocol.computeKEKKey_SCP01(selectedToken, + keyNickName, + keyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, + xCUID, + xKDD, kekKeyArray, useSoftToken_s, keySet, transportKeyName); + + CMS.debug("TokenServlet: called ComputeKekKey"); + + if (kek_key == null) { + CMS.debug("TokenServlet:Tried ComputeKekKey, got NULL "); + throw new Exception("Can't compute kek key!"); + + } + // now use kek key to wrap kek session key.. + CMS.debug("computeSessionKey:kek key len =" + + kek_key.getLength()); + + // (1) generate DES key + /* applet does not support DES3 + org.mozilla.jss.crypto.KeyGenerator kg = + internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); + desKey = kg.generate();*/ + + /* + * GenerateSymkey firt generates a 16 byte DES2 key. + * It then pads it into a 24 byte key with last + * 8 bytes copied from the 1st 8 bytes. Effectively + * making it a 24 byte DES2 key. We need this for + * wrapping private keys on DRM. 
+ */ + /*generate it on whichever token the master key is at*/ + if (useSoftToken_s.equals("true")) { + CMS.debug("TokenServlet: key encryption key generated on internal"); + //cfu audit here? sym key gen + + desKey = protocol.generateSymKey(CryptoUtil.INTERNAL_TOKEN_NAME); + //cfu audit here? sym key gen done + } else { + CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); + desKey = protocol.generateSymKey(selectedToken); + } + if (desKey != null) { + // AC: KDF SPEC CHANGE - Output using CUID and KDD + CMS.debug("TokenServlet: key encryption key generated for CUID=" + + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + } else { + // AC: KDF SPEC CHANGE - Output using CUID and KDD + CMS.debug("TokenServlet: key encryption key generation failed for CUID=" + + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + + throw new Exception("can't generate key encryption key"); + } + + /* + * ECBencrypt actually takes the 24 byte DES2 key + * and discard the last 8 bytes before it encrypts. 
+ * This is done so that the applet can digest it + */ + + byte[] encDesKey = protocol.ecbEncrypt(kek_key, desKey, selectedToken); + + /* + CMS.debug("computeSessionKey:encrypted desKey size = "+encDesKey.length); + CMS.debug(encDesKey); + */ + + kek_wrapped_desKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); + + // get keycheck + + byte[] keycheck = protocol.computeKeyCheck(desKey, selectedToken); + /* + CMS.debug("computeSessionKey:keycheck size = "+keycheck.length); + CMS.debug(keycheck); + */ + keycheck_s = + com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); + + //use DRM transport cert to wrap desKey + String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); + + if ((drmTransNickname == null) || (drmTransNickname == "")) { + CMS.debug("TokenServlet:did not find DRM transport certificate nickname"); + throw new Exception("can't find DRM transport certificate nickname"); + } else { + CMS.debug("TokenServlet:drmtransport_cert_nickname=" + drmTransNickname); + } + + X509Certificate drmTransCert = null; + drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); + // wrap kek session key with DRM transport public key + CryptoToken token = null; + if (useSoftToken_s.equals("true")) { + token = CryptoUtil.getCryptoToken(null); + } else { + token = CryptoUtil.getCryptoToken(selectedToken); + } + PublicKey pubKey = drmTransCert.getPublicKey(); + String pubKeyAlgo = pubKey.getAlgorithm(); + CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); + KeyWrapper keyWrapper = null; + //For wrapping symmetric keys don't need IV, use ECB + if (pubKeyAlgo.equals("EC")) { + keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); + keyWrapper.initWrap(pubKey, null); + } else { + keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); + keyWrapper.initWrap(pubKey, null); + } + CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); + 
drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); + CMS.debug("computeSessionKey:desKey wrapped with drm transportation key."); + + } // if (serversideKeygen == true) + + byte authKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + ".auth_key")); + + host_cryptogram = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, + host_challenge, + xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, SecureChannelProtocol.HOST_CRYPTOGRAM, + authKeyArray, useSoftToken_s, keySet, transportKeyName); + + if (host_cryptogram == null) { + CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); + throw new Exception("Can't compute host cryptogram!"); + + } + + card_crypto = protocol.computeCryptogram_SCP01(selectedToken, keyNickName, card_challenge, + host_challenge, xkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, + xCUID, xKDD, SecureChannelProtocol.CARD_CRYPTOGRAM, authKeyArray, useSoftToken_s, keySet, transportKeyName); + + if (card_crypto == null) { + CMS.debug("TokenServlet:Tried ComputeCryptogram, got NULL "); + throw new Exception("Can't compute card cryptogram!"); + + } + + if (isCryptoValidate) { + if (rcard_cryptogram == null) { + CMS.debug("TokenServlet: ComputeCryptogram(): missing card cryptogram"); + throw new Exception("Missing card cryptogram"); + } + input_card_crypto = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); + + //SecureChannelProtocol.debugByteArray(input_card_crypto, "input_card_crypto"); + //SecureChannelProtocol.debugByteArray(card_crypto, "card_crypto"); + + if (card_crypto.length == input_card_crypto.length) { + for (int i = 0; i < card_crypto.length; i++) { + if (card_crypto[i] != input_card_crypto[i]) { + sameCardCrypto = false; + break; + } + } + } else { + // different length; must be different + sameCardCrypto = false; + } + } + + // AC: KDF SPEC CHANGE - print both KDD and CUID + 
CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_TKS, + ILogger.LL_INFO, "processComputeSessionKey for CUID=" + + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + } catch (Exception e) { + CMS.debug(e); + CMS.debug("TokenServlet Computing Session Key: " + e.toString()); + if (isCryptoValidate) + sameCardCrypto = false; + } + } + } // ! missingParam + + String value = ""; + + resp.setContentType("text/html"); + + String outputString = ""; + String encSessionKeyString = ""; + String drm_trans_wrapped_desKeyString = ""; + String cryptogram = ""; + String status = "0"; + if (session_key != null && session_key.length > 0) { + outputString = + com.netscape.cmsutil.util.Utils.SpecialEncode(session_key); + } else { + + status = "1"; + } + + if (enc_session_key != null && enc_session_key.length > 0) { + encSessionKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); + } else { + status = "1"; + } + + if (serversideKeygen == true) { + if (drm_trans_wrapped_desKey != null && drm_trans_wrapped_desKey.length > 0) + drm_trans_wrapped_desKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); + else { + status = "1"; + } + } + + if (host_cryptogram != null && host_cryptogram.length > 0) { + cryptogram = + com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); + } else { + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true) { + status = "2"; + } + } + + if (selectedToken == null || keyNickName == null) { + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true) { + status = "4"; + } + } + + if (!sameCardCrypto) { + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true) { + // AC: Bugfix: Don't mis-represent host cryptogram mismatch errors as TPS parameter issues + status = "5"; + } + } + + // AC: KDF SPEC CHANGE - check for 
settings file issue (flag)
+ if (missingSetting_exception != null) {
+ // AC: Intentionally override previous errors if config file settings were missing.
+ status = "6";
+ }
+
+ if (missingParam) {
+ // AC: Intentionally override previous errors if parameters were missing.
+ status = "3";
+ }
+
+ if (!status.equals("0")) {
+
+ if (status.equals("1")) {
+ errorMsg = "Problem generating session key info.";
+ }
+
+ if (status.equals("2")) {
+ errorMsg = "Problem creating host_cryptogram.";
+ }
+
+ // AC: Bugfix: Don't mis-represent card cryptogram mismatch errors as TPS parameter issues
+ if (status.equals("5")) {
+ errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys.";
+ }
+
+ if (status.equals("4")) {
+ errorMsg = "Problem obtaining token information.";
+ }
+
+ // AC: KDF SPEC CHANGE - handle missing configuration item
+ if (status.equals("6")) {
+ errorMsg = "Problem reading required configuration value.";
+ }
+
+ if (status.equals("3")) {
+ if (badParams.endsWith(",")) {
+ badParams = badParams.substring(0, badParams.length() - 1);
+ }
+ errorMsg = "Missing input parameters :" + badParams;
+ }
+
+ value = IRemoteRequest.RESPONSE_STATUS + "=" + status;
+ } else {
+ if (serversideKeygen == true) {
+ StringBuffer sb = new StringBuffer();
+ sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+ sb.append(outputString);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+ sb.append(cryptogram);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+ sb.append(encSessionKeyString);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey + "=");
+ sb.append(kek_wrapped_desKeyString);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "=");
+ sb.append(keycheck_s);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "=");
+ sb.append(drm_trans_wrapped_desKeyString);
+ value = sb.toString();
+ } else {
+
+ StringBuffer sb = new StringBuffer();
+
sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&");
+ sb.append(IRemoteRequest.TKS_RESPONSE_SessionKey + "=");
+ sb.append(outputString);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "=");
+ sb.append(cryptogram);
+ sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "=");
+ sb.append(encSessionKeyString);
+ value = sb.toString();
+ }
+
+ }
+ //CMS.debug("TokenServlet:outputString.encode " + value);
+
+ try {
+ resp.setContentLength(value.length());
+ CMS.debug("TokenServlet:outputString.length " + value.length());
+ OutputStream ooss = resp.getOutputStream();
+ ooss.write(value.getBytes());
+ ooss.flush();
+ mRenderResult = false;
+ } catch (IOException e) {
+ CMS.debug("TokenServlet: " + e.toString());
+ }
+
+ if (status.equals("0")) {
+ // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+ ILogger.SUCCESS, // Outcome
+ status, // status
+ agentId, // AgentID
+ isCryptoValidate ? "true" : "false", // IsCryptoValidate
+ serversideKeygen ?
"true" : "false", // IsServerSideKeygen
+ selectedToken, // SelectedToken
+ keyNickName, // KeyNickName
+ keySet, // TKSKeyset
+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
+ };
+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+ logParams);
+
+ } else {
+ // AC: KDF SPEC CHANGE - Log both CUID and KDD
+ // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+ // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+ log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
+ ILogger.FAILURE, // Outcome
+ status, // status
+ agentId, // AgentID
+ isCryptoValidate ? "true" : "false", // IsCryptoValidate
+ serversideKeygen ? "true" : "false", // IsServerSideKeygen
+ selectedToken, // SelectedToken
+ keyNickName, // KeyNickName
+ keySet, // TKSKeyset
+ log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+ "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
+ Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
+ errorMsg // Error
+ };
+ auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+ logParams);
+
+ }
+
+ audit(auditMessage);
+ }
+
+ // This method will return the shared secret name. In new 10.1 subsystems, this
+ // name will be stored in tps.X.nickname.
+ //
+ // Until multiple TKS/TPS connections is fully supported, this method will just
+ // return the first shared secret nickname found, on the assumption that only
+ // one nickname will be configured.
This will have to be changed to return the correct
+ // key based on some parameter in the request in future.
+ //
+ // On legacy systems, this method just returns what was previously returned.
+ private String getSharedSecretName(IConfigStore cs) throws EBaseException {
+ boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
+
+ if (useNewNames) {
+ String tpsList = cs.getString("tps.list", "");
+ String firstSharedSecretName = null;
+ if (!tpsList.isEmpty()) {
+ for (String tpsID : tpsList.split(",")) {
+ String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
+
+ // This one will be a fall back in case we can't get a specific one
+ if (firstSharedSecretName == null) {
+ firstSharedSecretName = sharedSecretName;
+ }
+
+ if (!sharedSecretName.isEmpty()) {
+ if (mCurrentUID != null) {
+ String csUid = cs.getString("tps." + tpsID + ".userid", "");
+
+ if (mCurrentUID.equalsIgnoreCase(csUid)) {
+ CMS.debug("TokenServlet.getSharedSecretName: found a match of the user id! " + csUid);
+ return sharedSecretName;
+ }
+ }
+ }
+ }
+
+ if (firstSharedSecretName != null) {
+ //Return the first in the list if we couldn't isolate one
+ return firstSharedSecretName;
+ }
+ }
+ CMS.debug("getSharedSecretName: no shared secret has been configured");
+ throw new EBaseException("No shared secret has been configured");
+ }
+
+ // legacy system - return as before
+ return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
+ }
+
+ //Accepts protocol param and supports scp03.
+ private void processDiversifyKey(HttpServletRequest req,
+ HttpServletResponse resp) throws EBaseException {
+
+ String method = "TokenServlet.processDiversifyKey: ";
+ byte[] KeySetData, xCUID, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD
+
+ // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log.
+ String oldKeyNickName = null;
+ String newKeyNickName = null;
+
+ // AC: KDF SPEC CHANGE - new config file values (needed for symkey)
+ byte nistSP800_108KdfOnKeyVersion = (byte) 0xff;
+ boolean nistSP800_108KdfUseCuidAsKdd = false;
+
+ // AC: BUGFIX for key versions higher than 09: We need to initialize these variables in order for the compiler not to complain when we pass them to DiversifyKey.
+ byte[] xkeyInfo = null, xnewkeyInfo = null;
+
+ // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting
+ Exception missingSetting_exception = null;
+
+ boolean missingParam = false;
+ String errorMsg = "";
+ String badParams = "";
+ byte[] xWrappedDekKey = null;
+
+ IConfigStore sconfig = CMS.getConfigStore();
+ String rnewKeyInfo = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
+ String newMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO);
+ String oldMasterKeyName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO);
+ String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID);
+
+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+ String rKDD = req.getParameter("KDD");
+ if ((rKDD == null) || (rKDD.length() == 0)) {
+ // temporarily make it friendly before TPS change
+ CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change");
+ rKDD = rCUID;
+ }
+
+ String rProtocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL);
+ String rWrappedDekKey = req.getParameter(IRemoteRequest.WRAPPED_DEK_SESSION_KEY);
+
+ CMS.debug(method + "rWrappedDekKey: " + rWrappedDekKey);
+
+ int protocol = 1;
+ String auditMessage = "";
+
+ String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET);
+ if (keySet == null || keySet.equals("")) {
+ keySet = "defKeySet";
+ }
+ CMS.debug("keySet selected: " + keySet);
+
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId = "";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
+ // AC: KDF SPEC CHANGE: Need to log
both KDD and CUID
+ auditMessage = CMS.getLogMessage(
+ AuditEvent.DIVERSIFY_KEY_REQUEST,
+ rCUID,
+ rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
+ ILogger.SUCCESS,
+ agentId,
+ oldMasterKeyName,
+ newMasterKeyName);
+
+ audit(auditMessage);
+
+ if ((rCUID == null) || (rCUID.equals(""))) {
+ badParams += " CUID,";
+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: CUID");
+ missingParam = true;
+ }
+
+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+ if ((rKDD == null) || (rKDD.length() == 0)) {
+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD");
+ badParams += " KDD,";
+ missingParam = true;
+ }
+
+ if ((rnewKeyInfo == null) || (rnewKeyInfo.equals(""))) {
+ badParams += " newKeyInfo,";
+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: newKeyInfo");
+ missingParam = true;
+ }
+ if ((oldMasterKeyName == null) || (oldMasterKeyName.equals(""))) {
+ badParams += " KeyInfo,";
+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KeyInfo");
+ missingParam = true;
+ }
+
+ // AC: KDF SPEC CHANGE
+ xCUID = null; // avoid errors about non-initialization
+ xKDD = null; // avoid errors about non-initialization
+ xkeyInfo = null; // avoid errors about non-initialization
+ xnewkeyInfo = null; // avoid errors about non-initialization
+
+ if (!missingParam) {
+ xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(oldMasterKeyName);
+ if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) {
+ badParams += " KeyInfo length,";
+ CMS.debug("TokenServlet: Invalid key info length");
+ missingParam = true;
+ }
+ xnewkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(newMasterKeyName);
+ if (xnewkeyInfo == null || (xnewkeyInfo.length != 2 && xnewkeyInfo.length != 3)) {
+ badParams += " NewKeyInfo length,";
+ CMS.debug("TokenServlet: Invalid new key info length");
+ missingParam = true;
+ }
+
+ if (rProtocol != null) {
+ try {
+ protocol =
Integer.parseInt(rProtocol);
+ } catch (NumberFormatException e) {
+ protocol = 1;
+ }
+ }
+ CMS.debug("process DiversifyKey: protocol value: " + protocol);
+
+ if (protocol == 2) {
+ if ((rWrappedDekKey == null) || (rWrappedDekKey.equals(""))) {
+ badParams += " WrappedDekKey,";
+ CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: WrappedDekKey, with SCP02.");
+ missingParam = true;
+ } else {
+
+ CMS.debug("process DiversifyKey: wrappedDekKey value: " + rWrappedDekKey);
+ xWrappedDekKey = com.netscape.cmsutil.util.Utils.SpecialDecode(rWrappedDekKey);
+ }
+
+ }
+ }
+ String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true");
+ if (!useSoftToken_s.equalsIgnoreCase("true"))
+ useSoftToken_s = "false";
+
+ KeySetData = null;
+ if (!missingParam) {
+ xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
+ if (xCUID == null || xCUID.length != 10) {
+ badParams += " CUID length,";
+ CMS.debug("TokenServlet: Invalid CUID length");
+ missingParam = true;
+ }
+
+ // AC: KDF SPEC CHANGE - read new KDD parameter from TPS
+ xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD);
+ if (xKDD == null || xKDD.length != 10) {
+ badParams += " KDD length,";
+ CMS.debug("TokenServlet: Invalid KDD length");
+ missingParam = true;
+ }
+ }
+ if (!missingParam) {
+ // CUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); // AC: KDF SPEC CHANGE: Removed duplicative variable/processing.
+ + // AC: KDF SPEC CHANGE - read new config file values (needed for symkey) + + //ToDo: Refactor this, this same block occurs several times in the file + try { + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo and xnewkeyInfo + CMS.debug("TokenServlet: processDiversifyKey(): xkeyInfo[0] (old) = 0x" + + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] (old) = 0x" + + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) + + ", xnewkeyInfo[0] = 0x" + + Integer.toHexString((xnewkeyInfo[0]) & 0x000000FF) + + ", xnewkeyInfo[1] = 0x" + + Integer.toHexString((xnewkeyInfo[1]) & 0x000000FF) + ); + CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true) { + CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + } else { + CMS.debug("TokenServlet: processDiversifyKey(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the set-an-error-flag mentality + } catch (Exception e) { + missingSetting_exception = e; + CMS.debug("TokenServlet: processDiversifyKey(): Exception reading Nist SP800-108 KDF config values: " + + e.toString()); + } + + if (mKeyNickName != null) + oldMasterKeyName = mKeyNickName; + if (mNewKeyNickName != null) + newMasterKeyName = mNewKeyNickName; + + String tokKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); + + // Get the first 6 characters, since scp03 gives us extra characters. + tokKeyInfo = tokKeyInfo.substring(0,6); + String oldKeyInfoMap = "tks." + keySet + ".mk_mappings." 
+ tokKeyInfo; //#xx#xx + CMS.debug(method + " oldKeyInfoMap: " + oldKeyInfoMap); + String oldMappingValue = CMS.getConfigStore().getString(oldKeyInfoMap, null); + String oldSelectedToken = null; + if (oldMappingValue == null) { + oldSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); + oldKeyNickName = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); + } else { + StringTokenizer st = new StringTokenizer(oldMappingValue, ":"); + oldSelectedToken = st.nextToken(); + oldKeyNickName = st.nextToken(); + } + + + String newKeyInfoMap = "tks.mk_mappings." + rnewKeyInfo.substring(0,6); //#xx#xx + CMS.debug(method + " newKeyInfoMap: " + newKeyInfoMap); + String newMappingValue = CMS.getConfigStore().getString(newKeyInfoMap, null); + String newSelectedToken = null; + if (newMappingValue == null) { + newSelectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); + newKeyNickName = rnewKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(newMappingValue, ":"); + newSelectedToken = st.nextToken(); + newKeyNickName = st.nextToken(); + } + + CMS.debug("process DiversifyKey for oldSelectedToke=" + + oldSelectedToken + " newSelectedToken=" + newSelectedToken + + " oldKeyNickName=" + oldKeyNickName + " newKeyNickName=" + + newKeyNickName); + + byte kekKeyArray[] = getDeveKeyArray("kek_key", sconfig, keySet); + byte macKeyArray[] = getDeveKeyArray("auth_key", sconfig, keySet); + byte encKeyArray[] = getDeveKeyArray("mac_key", sconfig, keySet); + + // com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key"));
+
+ //GPParams for scp03 right now, reads some scp03 specific values from the config of a given keyset
+ // passed down to the SecureChannelProtocol functions that deal with SCP03
+
+ GPParams gp3Params = readGPSettings(keySet);
+
+ SecureChannelProtocol secProtocol = new SecureChannelProtocol(protocol);
+ // AC: KDF SPEC CHANGE - check for error reading settings
+ if (missingSetting_exception == null) {
+ if (protocol == 1 || protocol == 3) {
+ KeySetData = secProtocol.diversifyKey(oldSelectedToken,
+ newSelectedToken, oldKeyNickName,
+ newKeyNickName,
+ xkeyInfo, // AC: KDF SPEC CHANGE - pass in old key info so symkey can make decision about which KDF version to use
+ xnewkeyInfo, // AC: BUGFIX for key versions higher than 09: We need to specialDecode keyInfo parameters before sending them into symkey! This means the parameters must be byte[]
+ nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value
+ nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value
+ xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID'
+ xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use
+ kekKeyArray,encKeyArray,macKeyArray, useSoftToken_s, keySet, (byte) protocol,gp3Params);
+
+ } else if (protocol == 2) {
+ KeySetData = SessionKey.DiversifyKey(oldSelectedToken, newSelectedToken, oldKeyNickName,
+ newKeyNickName, xkeyInfo,
+ xnewkeyInfo, nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD,
+ (protocol == 2) ?
xWrappedDekKey : kekKeyArray, useSoftToken_s, keySet, (byte) protocol); + } + //SecureChannelProtocol.debugByteArray(KeySetData, " New keyset data: "); + CMS.debug("TokenServlet.processDiversifyKey: New keyset data obtained"); + + if (KeySetData == null || KeySetData.length <= 1) { + CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_TKS, + ILogger.LL_INFO, "process DiversifyKey: Missing MasterKey in Slot"); + } + + CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_TKS, + ILogger.LL_INFO, + "process DiversifyKey for CUID=" + + trim(pp.toHexString(xCUID)) + // AC: KDF SPEC CHANGE: Log both CUID and KDD + ", KDD=" + + trim(pp.toHexString(xKDD)) + + ";from oldMasterKeyName=" + oldSelectedToken + ":" + oldKeyNickName + + ";to newMasterKeyName=" + newSelectedToken + ":" + newKeyNickName); + + resp.setContentType("text/html"); + + } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file + + } // ! missingParam + + String value = ""; + String status = "0"; + + if (KeySetData != null && KeySetData.length > 1) { + value = IRemoteRequest.RESPONSE_STATUS + "=0&" + IRemoteRequest.TKS_RESPONSE_KeySetData + "=" + + com.netscape.cmsutil.util.Utils.SpecialEncode(KeySetData); + //CMS.debug("TokenServlet:process DiversifyKey.encode " + value); + CMS.debug("TokenServlet:process DiversifyKey.encode returning KeySetData"); + // AC: KDF SPEC CHANGE - check for settings file issue (flag) + } else if (missingSetting_exception != null) { + status = "6"; + errorMsg = "Problem reading required configuration value."; + value = "status=" + status; + } else if (missingParam) { + status = "3"; + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); + } + errorMsg = "Missing input parameters: " + badParams; + value = IRemoteRequest.RESPONSE_STATUS + "=" + status; + } else { + errorMsg = "Problem diversifying key data."; + status = "1"; + value = IRemoteRequest.RESPONSE_STATUS + "=" + status; + } + + resp.setContentLength(value.length()); 
+ CMS.debug("TokenServlet:outputString.length " + value.length()); + + try { + OutputStream ooss = resp.getOutputStream(); + ooss.write(value.getBytes()); + ooss.flush(); + mRenderResult = false; + } catch (Exception e) { + CMS.debug("TokenServlet:process DiversifyKey: " + e.toString()); + } + + if (status.equals("0")) { + + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + + // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. + oldKeyNickName, // oldMasterKeyName + newKeyNickName, // newMasterKeyName + + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion + log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; + auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams); + } else { + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + + // AC: BUGFIX: Record the actual parameters to DiversifyKey in the audit log. + oldKeyNickName, // oldMasterKeyName + newKeyNickName, // newMasterKeyName + + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // OldKeyInfo_KeyVersion + log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; + auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams); + } + + audit(auditMessage); + } + + private void processEncryptData(HttpServletRequest req, + HttpServletResponse resp) throws EBaseException { + byte[] keyInfo, xCUID, encryptedData, xkeyInfo, xKDD; // AC: KDF SPEC CHANGE: removed duplicative 'CUID' variable and added xKDD + + // AC: KDF SPEC CHANGE - new config file values (needed for symkey) + byte nistSP800_108KdfOnKeyVersion = (byte) 0xff; + boolean nistSP800_108KdfUseCuidAsKdd = false; + + // AC: KDF SPEC CHANGE - flag for if there is an error reading our new setting + Exception missingSetting_exception = null; + + boolean missingParam = false; + byte[] data = null; + boolean isRandom = true; // randomly generate the data to be encrypted + + String errorMsg = ""; + String badParams = ""; + IConfigStore sconfig = CMS.getConfigStore(); + encryptedData = null; + String rdata = req.getParameter(IRemoteRequest.TOKEN_DATA); + String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); + String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); + + String protocolValue = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); + + // AC: KDF SPEC CHANGE - read new KDD parameter 
from TPS + String rKDD = req.getParameter("KDD"); + if ((rKDD == null) || (rKDD.length() == 0)) { + // temporarily make it friendly before TPS change + CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); + rKDD = rCUID; + } + + String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); + if (keySet == null || keySet.equals("")) { + keySet = "defKeySet"; + } + + SessionContext sContext = SessionContext.getContext(); + + String agentId = ""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + CMS.debug("keySet selected: " + keySet); + + String s_isRandom = sconfig.getString("tks.EncryptData.isRandom", "true"); + if (s_isRandom.equalsIgnoreCase("false")) { + CMS.debug("TokenServlet: processEncryptData(): Random number not to be generated"); + isRandom = false; + } else { + CMS.debug("TokenServlet: processEncryptData(): Random number generation required"); + isRandom = true; + } + + // AC: KDF SPEC CHANGE: Need to log both KDD and CUID + String auditMessage = CMS.getLogMessage( + AuditEvent.ENCRYPT_DATA_REQUEST, + rCUID, + rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD. + ILogger.SUCCESS, + agentId, + s_isRandom); + audit(auditMessage); + + GPParams gp3Params = readGPSettings(keySet); + + if (isRandom) { + if ((rdata == null) || (rdata.equals(""))) { + CMS.debug("TokenServlet: processEncryptData(): no data in request. Generating random number as data"); + } else { + CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. 
Generating..."); + } + try { + SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + data = new byte[16]; + random.nextBytes(data); + } catch (Exception e) { + CMS.debug("TokenServlet: processEncryptData():" + e.toString()); + badParams += " Random Number,"; + missingParam = true; + } + } else if ((!isRandom) && (((rdata == null) || (rdata.equals(""))))) { + CMS.debug("TokenServlet: processEncryptData(): missing request parameter: data."); + badParams += " data,"; + missingParam = true; + } + + if ((rCUID == null) || (rCUID.equals(""))) { + badParams += " CUID,"; + CMS.debug("TokenServlet: processEncryptData(): missing request parameter: CUID"); + missingParam = true; + } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug("TokenServlet: processDiversifyKey(): missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } + + if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { + badParams += " KeyInfo,"; + CMS.debug("TokenServlet: processEncryptData(): missing request parameter: key info"); + missingParam = true; + } + + // AC: KDF SPEC CHANGE + xCUID = null; // avoid errors about non-initialization + xKDD = null; // avoid errors about non-initialization + xkeyInfo = null; // avoid errors about non-initialization + + if (!missingParam) { + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; + CMS.debug("TokenServlet: Invalid CUID length"); + missingParam = true; + } + + // AC: KDF SPEC CHANGE - read new KDD parameter from TPS + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); + if (xKDD == null || xKDD.length != 10) { + badParams += " KDD length,"; + CMS.debug("TokenServlet: Invalid KDD length"); + missingParam = true; + } + + xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + if (xkeyInfo == null || (xkeyInfo.length != 2 && xkeyInfo.length != 3)) { + 
badParams += " KeyInfo length,"; + CMS.debug("TokenServlet: Invalid key info length"); + missingParam = true; + } + } + + String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); + if (!useSoftToken_s.equalsIgnoreCase("true")) + useSoftToken_s = "false"; + + String selectedToken = null; + String keyNickName = null; + if (!missingParam) { + + // AC: KDF SPEC CHANGE - read new config file values (needed for symkey + try { + nistSP800_108KdfOnKeyVersion = TokenServlet.read_setting_nistSP800_108KdfOnKeyVersion(keySet); + nistSP800_108KdfUseCuidAsKdd = TokenServlet.read_setting_nistSP800_108KdfUseCuidAsKdd(keySet); + + // log settings read in to debug log along with xkeyInfo + CMS.debug("TokenServlet: processEncryptData(): xkeyInfo[0] = 0x" + + Integer.toHexString((xkeyInfo[0]) & 0x0000000FF) + + ", xkeyInfo[1] = 0x" + + Integer.toHexString((xkeyInfo[1]) & 0x0000000FF) + ); + CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF will be used for key versions >= 0x" + + Integer.toHexString((nistSP800_108KdfOnKeyVersion) & 0x0000000FF) + ); + if (nistSP800_108KdfUseCuidAsKdd == true) { + CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use CUID instead of KDD."); + } else { + CMS.debug("TokenServlet: processEncryptData(): Nist SP800-108 KDF (if used) will use KDD."); + } + // conform to the set-an-error-flag mentality + } catch (Exception e) { + missingSetting_exception = e; + CMS.debug("TokenServlet: processEncryptData(): Exception reading Nist SP800-108 KDF config values: " + + e.toString()); + } + + if (!isRandom) + data = com.netscape.cmsutil.util.Utils.SpecialDecode(rdata); + keyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + + String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + if (mappingValue == null) { + selectedToken = CMS.getConfigStore().getString("tks.defaultSlot", CryptoUtil.INTERNAL_TOKEN_NAME); + keyNickName = rKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + selectedToken = st.nextToken(); + keyNickName = st.nextToken(); + } + + + //calculate the protocol + + int protocolInt = SecureChannelProtocol.PROTOCOL_ONE; + try + { + protocolInt = Integer.parseInt(protocolValue); + } + catch (NumberFormatException nfe) + { + protocolInt = SecureChannelProtocol.PROTOCOL_ONE; + } + + CMS.debug( "TokenServerlet.encryptData: protocol input: " + protocolInt); + + //Check for reasonable sanity, leave room for future versions + if(protocolInt <= 0 || protocolInt > 20) { + CMS.debug( "TokenServerlet.encryptData: unfamliar protocl, assume default of 1."); + protocolInt = 1; + + } + + byte kekKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ keySet + ".kek_key")); + // AC: KDF SPEC CHANGE - check for error reading settings + if (missingSetting_exception == null) { + + + SecureChannelProtocol protocol = new SecureChannelProtocol(protocolInt); + + if (protocolInt != SecureChannelProtocol.PROTOCOL_THREE) { + + encryptedData = protocol.encryptData( + selectedToken, keyNickName, data, keyInfo, + nistSP800_108KdfOnKeyVersion, // AC: KDF SPEC CHANGE - pass in configuration file value + nistSP800_108KdfUseCuidAsKdd, // AC: KDF SPEC CHANGE - pass in configuration file value + xCUID, // AC: KDF SPEC CHANGE - removed duplicative 'CUID' variable and replaced with 'xCUID' + xKDD, // AC: KDF SPEC CHANGE - pass in KDD so symkey can make decision about which value (KDD,CUID) to use + kekKeyArray, useSoftToken_s, keySet); + + } else { + + encryptedData = protocol.encryptData_SCP03(selectedToken, keyNickName, data, xkeyInfo, + nistSP800_108KdfOnKeyVersion, nistSP800_108KdfUseCuidAsKdd, xCUID, xKDD, kekKeyArray, + useSoftToken_s, keySet,gp3Params); + + } + + SecureChannelProtocol.debugByteArray(encryptedData, "New Encrypt Data: "); + + // AC: KDF SPEC CHANGE - Log both CUID and KDD + + CMS.getLogger().log(ILogger.EV_AUDIT, + ILogger.S_TKS, + ILogger.LL_INFO, "process EncryptData for CUID=" + + trim(pp.toHexString(xCUID)) + + ", KDD=" + + trim(pp.toHexString(xKDD))); + + } // AC: KDF SPEC CHANGE - endif no error reading settings from settings file + + } // !missingParam + + resp.setContentType("text/html"); + + String value = ""; + String status = "0"; + if (encryptedData != null && encryptedData.length > 0) { + // sending both the pre-encrypted and encrypted data back + value = IRemoteRequest.RESPONSE_STATUS + "=0&" + + IRemoteRequest.TOKEN_DATA + "=" + + com.netscape.cmsutil.util.Utils.SpecialEncode(data) + + "&" + IRemoteRequest.TKS_RESPONSE_EncryptedData + "=" + + com.netscape.cmsutil.util.Utils.SpecialEncode(encryptedData); + // AC: KDF SPEC CHANGE - check for settings file issue (flag) + } else if 
(missingSetting_exception != null) { + status = "6"; + errorMsg = "Problem reading required configuration value."; + value = "status=" + status; + } else if (missingParam) { + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); + } + errorMsg = "Missing input parameters: " + badParams; + status = "3"; + value = IRemoteRequest.RESPONSE_STATUS + "=" + status; + } else { + errorMsg = "Problem encrypting data."; + status = "1"; + value = IRemoteRequest.RESPONSE_STATUS + "=" + status; + } + + //CMS.debug("TokenServlet:process EncryptData.encode " + value); + + try { + resp.setContentLength(value.length()); + CMS.debug("TokenServlet:outputString.lenght " + value.length()); + + OutputStream ooss = resp.getOutputStream(); + ooss.write(value.getBytes()); + ooss.flush(); + mRenderResult = false; + } catch (Exception e) { + CMS.debug("TokenServlet: " + e.toString()); + } + + if (status.equals("0")) { + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. 
+ String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + s_isRandom, // isRandom + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd + }; + auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams); + } else { + // AC: KDF SPEC CHANGE - Log both CUID and KDD + // Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd + // Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available. + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + s_isRandom, // isRandom + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion + Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd + errorMsg // Error + }; + auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams); + } + + audit(auditMessage); + } + + /* + * For EncryptData: + * data=value1 + * CUID=value2 // missing from RA + * versionID=value3 // missing from RA + * + * For ComputeSession: + * card_challenge=value1 + * host_challenge=value2 + + * For DiversifyKey: + * new_master_key_index + * master_key_index + */ + + private void 
processComputeRandomData(HttpServletRequest req, + HttpServletResponse resp) throws EBaseException { + + byte[] randomData = null; + String status = "0"; + String errorMsg = ""; + String badParams = ""; + boolean missingParam = false; + int dataSize = 0; + + CMS.debug("TokenServlet::processComputeRandomData"); + + SessionContext sContext = SessionContext.getContext(); + + String agentId = ""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + String sDataSize = req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES); + + if (sDataSize == null || sDataSize.equals("")) { + CMS.debug("TokenServlet::processComputeRandomData missing param dataNumBytes"); + badParams += " Random Data size, "; + missingParam = true; + status = "1"; + } else { + try { + dataSize = Integer.parseInt(sDataSize.trim()); + } catch (NumberFormatException nfe) { + CMS.debug("TokenServlet::processComputeRandomData invalid data size input!"); + badParams += " Random Data size, "; + missingParam = true; + status = "1"; + } + + } + + CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize); + + String auditMessage = CMS.getLogMessage( + AuditEvent.COMPUTE_RANDOM_DATA_REQUEST, + ILogger.SUCCESS, + agentId); + + audit(auditMessage); + + if (!missingParam) { + try { + SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + randomData = new byte[dataSize]; + random.nextBytes(randomData); + } catch (Exception e) { + CMS.debug("TokenServlet::processComputeRandomData:" + e.toString()); + errorMsg = "Can't generate random data!"; + status = "2"; + } + } + + String randomDataOut = ""; + if (status.equals("0")) { + if (randomData != null && randomData.length == dataSize) { + randomDataOut = + com.netscape.cmsutil.util.Utils.SpecialEncode(randomData); + } else { + status = "2"; + errorMsg = "Can't convert random data!"; + } + } + + if (status.equals("1") && missingParam) { + + if (badParams.endsWith(",")) { + badParams = 
badParams.substring(0, badParams.length() - 1); + } + errorMsg = "Missing input parameters :" + badParams; + } + + resp.setContentType("text/html"); + String value = ""; + + value = IRemoteRequest.RESPONSE_STATUS + "=" + status; + if (status.equals("0")) { + value = value + "&" + IRemoteRequest.TKS_RESPONSE_RandomData + "=" + randomDataOut; + } + + try { + resp.setContentLength(value.length()); + CMS.debug("TokenServler::processComputeRandomData :outputString.length " + value.length()); + + OutputStream ooss = resp.getOutputStream(); + ooss.write(value.getBytes()); + ooss.flush(); + mRenderResult = false; + } catch (Exception e) { + CMS.debug("TokenServlet::processComputeRandomData " + e.toString()); + } + + if (status.equals("0")) { + auditMessage = CMS.getLogMessage( + AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS, + ILogger.SUCCESS, + status, + agentId); + } else { + auditMessage = CMS.getLogMessage( + AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE, + ILogger.FAILURE, + status, + agentId, + errorMsg); + } + + audit(auditMessage); + } + + public void process(CMSRequest cmsReq) throws EBaseException { + HttpServletRequest req = cmsReq.getHttpReq(); + HttpServletResponse resp = cmsReq.getHttpResp(); + + IAuthToken authToken = authenticate(cmsReq); + AuthzToken authzToken = null; + + mCurrentUID = (String) authToken.get(IAuthToken.UID) ; + + try { + authzToken = authorize(mAclMethod, authToken, + mAuthzResourceName, "execute"); + } catch (Exception e) { + } + + if (authzToken == null) { + + try { + resp.setContentType("text/html"); + String value = "unauthorized="; + CMS.debug("TokenServlet: Unauthorized"); + + resp.setContentLength(value.length()); + OutputStream ooss = resp.getOutputStream(); + ooss.write(value.getBytes()); + ooss.flush(); + mRenderResult = false; + } catch (Exception e) { + CMS.debug("TokenServlet: " + e.toString()); + } + + // cmsReq.setStatus(CMSRequest.UNAUTHORIZED); + return; + } + + String temp = 
req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); + String protocol = req.getParameter(IRemoteRequest.CHANNEL_PROTOCOL); + String derivationConstant = req.getParameter(IRemoteRequest.DERIVATION_CONSTANT); + //CMS.debug("Protocol: " + protocol + " temp: " + temp); + + setDefaultSlotAndKeyName(req); + if (temp != null && protocol == null) { + processComputeSessionKey(req, resp); + } else if (req.getParameter(IRemoteRequest.TOKEN_DATA) != null) { + processEncryptData(req, resp); + } else if (req.getParameter(IRemoteRequest.TOKEN_NEW_KEYINFO) != null) { + processDiversifyKey(req, resp); + } else if (req.getParameter(IRemoteRequest.TOKEN_DATA_NUM_BYTES) != null) { + processComputeRandomData(req, resp); + } else if (protocol != null && protocol.contains("2") && (derivationConstant != null)) { + //SCP02 compute one session key. + processComputeSessionKeySCP02(req, resp); + + } else if (protocol != null && protocol.contains("3") ) { + processComputeSessionKeysSCP03(req,resp); + } else { + throw new EBaseException("Process: Can't decide upon function to call!"); + } + } + + //Create all the session keys for scp03 at once and return. 
+ //ToDo: calcualte the optional rmac key + private void processComputeSessionKeysSCP03(HttpServletRequest req, HttpServletResponse resp) throws EBaseException { + String method = "processComputeSessionKeysSCP03:"; + CMS.debug(method + " entering ..."); + + byte[] card_challenge, host_challenge, xCUID, xKDD; + byte[] card_crypto, host_cryptogram, input_card_crypto; + byte[] xcard_challenge, xhost_challenge; + byte[] enc_session_key, xkeyInfo,mac_session_key, kek_session_key; + String auditMessage = null; + String errorMsg = ""; + String badParams = ""; + String transportKeyName = ""; + String rCUID = req.getParameter(IRemoteRequest.TOKEN_CUID); + + String rKDD = req.getParameter("KDD"); + if ((rKDD == null) || (rKDD.length() == 0)) { + // KDF phase1: default to rCUID if not present + CMS.debug("TokenServlet: KDD not supplied, set to CUID before TPS change"); + rKDD = rCUID; + } + + String keySet = req.getParameter(IRemoteRequest.TOKEN_KEYSET); + if (keySet == null || keySet.equals("")) { + keySet = "defKeySet"; + } + CMS.debug("keySet selected: " + keySet); + + GPParams gp3Params = readGPSettings(keySet); + + boolean serversideKeygen = false; + + IConfigStore sconfig = CMS.getConfigStore(); + boolean isCryptoValidate = true; + boolean missingParam = false; + + Exception missingSetting_exception = null; + + mac_session_key = null; + kek_session_key = null; + card_crypto = null; + host_cryptogram = null; + enc_session_key = null; + + SessionContext sContext = SessionContext.getContext(); + + String agentId = ""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + + auditMessage = CMS.getLogMessage( + AuditEvent.COMPUTE_SESSION_KEY_REQUEST, + rCUID, + rKDD, + ILogger.SUCCESS, + agentId); + + audit(auditMessage); + + String kek_wrapped_desKeyString = null; + String keycheck_s = null; + + String useSoftToken_s = CMS.getConfigStore().getString("tks.useSoftToken", "true"); + if (!useSoftToken_s.equalsIgnoreCase("true")) + 
useSoftToken_s = "false"; + + CMS.debug(method + " useSoftToken: " + useSoftToken_s); + + String rServersideKeygen = req.getParameter(IRemoteRequest.SERVER_SIDE_KEYGEN); + if (rServersideKeygen.equals("true")) { + + serversideKeygen = true; + } + + CMS.debug(method + " serversideKeygen: " + serversideKeygen); + + try { + isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); + } catch (EBaseException eee) { + } + + CMS.debug(method + " Do crypto validation: " + isCryptoValidate); + + transportKeyName = getSharedSecretName(sconfig); + + String rcard_challenge = req.getParameter(IRemoteRequest.TOKEN_CARD_CHALLENGE); + String rhost_challenge = req.getParameter(IRemoteRequest.TOKEN_HOST_CHALLENGE); + String rKeyInfo = req.getParameter(IRemoteRequest.TOKEN_KEYINFO); + String rcard_cryptogram = req.getParameter(IRemoteRequest.TOKEN_CARD_CRYPTOGRAM); + + if ((rCUID == null) || (rCUID.equals(""))) { + CMS.debug(method + " missing request parameter: CUID"); + badParams += " CUID,"; + missingParam = true; + } + + if ((rKDD == null) || (rKDD.length() == 0)) { + CMS.debug(method + " missing request parameter: KDD"); + badParams += " KDD,"; + missingParam = true; + } + + if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { + badParams += " card_challenge,"; + CMS.debug(method + " missing request parameter: card challenge"); + missingParam = true; + } + + if ((rhost_challenge == null) || (rhost_challenge.equals(""))) { + badParams += " host_challenge,"; + CMS.debug(method + " missing request parameter: host challenge"); + missingParam = true; + } + + if ((rcard_cryptogram == null) || (rcard_cryptogram.equals(""))) { + badParams += " card_cryptogram,"; + CMS.debug(method + " missing request parameter: card_cryptogram"); + missingParam = true; + } + + if ((rKeyInfo == null) || (rKeyInfo.equals(""))) { + badParams += " KeyInfo,"; + CMS.debug(method + "missing request parameter: key info"); + missingParam = true; + } + + String selectedToken = 
null; + String keyNickName = null; + boolean sameCardCrypto = true; + + xCUID = null; + xKDD = null; + xkeyInfo = null; + xcard_challenge = null; + xhost_challenge = null; + + if (!missingParam) { + xCUID = com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); + if (xCUID == null || xCUID.length != 10) { + badParams += " CUID length,"; + CMS.debug("TokenServlet: Invalid CUID length"); + missingParam = true; + } + + xKDD = com.netscape.cmsutil.util.Utils.SpecialDecode(rKDD); + if (xKDD == null || xKDD.length != 10) { + badParams += " KDD length,"; + CMS.debug("TokenServlet: Invalid KDD length"); + missingParam = true; + } + + xkeyInfo = com.netscape.cmsutil.util.Utils.SpecialDecode(rKeyInfo); + if (xkeyInfo == null || xkeyInfo.length != 3) { + badParams += " KeyInfo length,"; + CMS.debug("TokenServlet: Invalid key info length."); + missingParam = true; + } + xcard_challenge = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); + if (xcard_challenge == null || xcard_challenge.length != 8) { + badParams += " card_challenge length,"; + CMS.debug("TokenServlet: Invalid card challenge length."); + missingParam = true; + } + + xhost_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); + if (xhost_challenge == null || xhost_challenge.length != 8) { + badParams += " host_challenge length,"; + CMS.debug("TokenServlet: Invalid host challenge length"); + missingParam = true; + } + } + + ArrayList serverSideValues = null; + + if (!missingParam) { + card_challenge = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); + + host_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rhost_challenge); + + String keyInfoMap = "tks." + keySet + ".mk_mappings." 
+ rKeyInfo.substring(0,6); //#xx#xx + String mappingValue = CMS.getConfigStore().getString(keyInfoMap, null); + + + if (mappingValue == null) { + selectedToken = + CMS.getConfigStore().getString("tks.defaultSlot", "internal"); + keyNickName = rKeyInfo; + } else { + StringTokenizer st = new StringTokenizer(mappingValue, ":"); + if (st.hasMoreTokens()) + selectedToken = st.nextToken(); + if (st.hasMoreTokens()) + keyNickName = st.nextToken(); + } + + CMS.debug(method + " selectedToken: " + selectedToken + " keyNickName: " + keyNickName ); + + SymmetricKey macSessionKey = null; + SymmetricKey encSessionKey = null; + SymmetricKey kekSessionKey = null; + + if (selectedToken != null && keyNickName != null + && missingSetting_exception == null) { + + try { + + byte macKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + ".mac_key")); + CMS.debug("TokenServlet about to try ComputeSessionKey selectedToken=" + + selectedToken + " keyNickName=" + keyNickName); + + SecureChannelProtocol protocol = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE); + + macSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, + SecureChannelProtocol.macType, macKeyArray, keySet,xCUID, xKDD, xhost_challenge, xcard_challenge, + transportKeyName,gp3Params); + + mac_session_key = protocol.wrapSessionKey(selectedToken, macSessionKey, null); + + if (mac_session_key == null) { + CMS.debug(method + " Can't get mac session key bytes"); + throw new Exception(method + " Can't get mac session key bytes"); + + } + + byte encKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." 
+ + keySet + ".auth_key")); + + encSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName,xkeyInfo, + SecureChannelProtocol.encType, encKeyArray, keySet, xCUID, xKDD, xhost_challenge, xcard_challenge, + transportKeyName,gp3Params); + + enc_session_key = protocol.wrapSessionKey(selectedToken, encSessionKey, null); + + if (enc_session_key == null) { + CMS.debug("TokenServlet:Tried ComputeEncSessionKey, got NULL "); + throw new Exception("Can't compute enc session key!"); + + } + + byte kekKeyArray[] = + com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + ".kek_key")); + + kekSessionKey = protocol.computeSessionKey_SCP03(selectedToken, keyNickName, xkeyInfo, + SecureChannelProtocol.kekType, kekKeyArray, keySet, xCUID, xKDD, xhost_challenge, + xcard_challenge, + transportKeyName,gp3Params); + + kek_session_key = protocol.wrapSessionKey(selectedToken, kekSessionKey, null); + + + //Offload some of the tedious params gathering to another method + //ToDo, create a method that reads all this stuff at once for all major methods + if (serversideKeygen) { + try { + serverSideValues = calculateServerSideKeygenValues(useSoftToken_s, selectedToken, + kekSessionKey, protocol); + } catch (EBaseException e) { + + CMS.debug(method + " Can't calcualte server side keygen required values..."); + + } + } + + try { + isCryptoValidate = sconfig.getBoolean("cardcryptogram.validate.enable", true); + } catch (EBaseException eee) { + } + + ByteArrayOutputStream contextStream = new ByteArrayOutputStream(); + try { + contextStream.write(host_challenge); + contextStream.write(card_challenge); + } catch (IOException e) { + throw new EBaseException(method + " Error calculating derivation data!"); + } + + host_cryptogram = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.HOST_CRYPTO_KDF_CONSTANT); + SecureChannelProtocol.debugByteArray(host_cryptogram, method + " calculated host crypto: " + 
host_cryptogram.length); + + + if( isCryptoValidate) { + if (rcard_cryptogram == null) { + CMS.debug(method + " missing card cryptogram"); + throw new Exception(method + "Missing card cryptogram"); + } + input_card_crypto = + com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_cryptogram); + card_crypto = protocol.computeCryptogram_SCP03(macSessionKey, selectedToken, contextStream.toByteArray(),NistSP800_108KDF.CARD_CRYPTO_KDF_CONSTANT); + SecureChannelProtocol.debugByteArray(card_crypto, method + " calculated card crypto: "); + SecureChannelProtocol.debugByteArray(input_card_crypto, method + " original card crypto: "); + + if(!cryptoGramsAreEqual(input_card_crypto, card_crypto)) { + throw new Exception(method + "Card cryptogram mismatch!"); + } + + } + } catch (Exception e) { + CMS.debug(e); + CMS.debug("TokenServlet Computing Session Key: " + e.toString()); + if (isCryptoValidate) + sameCardCrypto = false; + } + } + } // ! missingParam + + String value = ""; + + resp.setContentType("text/html"); + + String encSessionKeyString = ""; + String macSessionKeyString = ""; + String kekSessionKeyString = ""; + + String drm_trans_wrapped_desKeyString = ""; + String cryptogram = ""; + String status = "0"; + + if (enc_session_key != null && enc_session_key.length > 0) { + encSessionKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(enc_session_key); + } else { + status = "1"; + } + + if (mac_session_key != null && mac_session_key.length > 0) { + macSessionKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(mac_session_key); + } else { + status = "1"; + } + + if (kek_session_key != null && kek_session_key.length > 0) { + kekSessionKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(kek_session_key); + } else { + status = "1"; + } + + if (serversideKeygen == true) { + if (serverSideValues.size() == 3) { + drm_trans_wrapped_desKeyString = serverSideValues.get(2); + kek_wrapped_desKeyString = serverSideValues.get(0); + keycheck_s = 
serverSideValues.get(1); + } + else { + status = "1"; + } + } + + if (host_cryptogram != null && host_cryptogram.length > 0) { + cryptogram = + com.netscape.cmsutil.util.Utils.SpecialEncode(host_cryptogram); + } else { + if (status.equals("0") == true) { + status = "2"; + } + } + + if (selectedToken == null || keyNickName == null) { + // AC: Bugfix: Don't override status's value if an error was already flagged + if (status.equals("0") == true) { + status = "4"; + } + } + + if (!sameCardCrypto) { + if (status.equals("0") == true) { + status = "5"; + } + } + + if (missingSetting_exception != null) { + status = "6"; + } + + if (missingParam) { + status = "3"; + } + + if (!status.equals("0")) { + + if (status.equals("1")) { + errorMsg = "Problem generating session key info."; + } + + if (status.equals("2")) { + errorMsg = "Problem creating host_cryptogram."; + } + + if (status.equals("5")) { + errorMsg = "Card cryptogram mismatch. Token likely has incorrect keys."; + } + + if (status.equals("4")) { + errorMsg = "Problem obtaining token information."; + } + + if (status.equals("6")) { + errorMsg = "Problem reading required configuration value."; + } + + if (status.equals("3")) { + if (badParams.endsWith(",")) { + badParams = badParams.substring(0, badParams.length() - 1); + } + errorMsg = "Missing input parameters :" + badParams; + } + + value = IRemoteRequest.RESPONSE_STATUS + "=" + status; + } else { + if (serversideKeygen == true) { + StringBuffer sb = new StringBuffer(); + sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); + sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); + sb.append(macSessionKeyString); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); + sb.append(cryptogram); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); + sb.append(encSessionKeyString); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); + sb.append(kekSessionKeyString); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_KEK_DesKey 
+ "="); + sb.append(kek_wrapped_desKeyString); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_KeyCheck + "="); + sb.append(keycheck_s); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_DRM_Trans_DesKey + "="); + sb.append(drm_trans_wrapped_desKeyString); + value = sb.toString(); + } else { + StringBuffer sb = new StringBuffer(); + sb.append(IRemoteRequest.RESPONSE_STATUS + "=0&"); + sb.append(IRemoteRequest.TKS_RESPONSE_MacSessionKey + "="); + sb.append(macSessionKeyString); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_HostCryptogram + "="); + sb.append(cryptogram); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_EncSessionKey + "="); + sb.append(encSessionKeyString); + sb.append("&" + IRemoteRequest.TKS_RESPONSE_KekSessionKey + "="); + value = sb.toString(); + } + + } + //CMS.debug(method + "outputString.encode " + value); + + try { + resp.setContentLength(value.length()); + CMS.debug("TokenServlet:outputString.length " + value.length()); + OutputStream ooss = resp.getOutputStream(); + ooss.write(value.getBytes()); + ooss.flush(); + mRenderResult = false; + } catch (IOException e) { + CMS.debug("TokenServlet: " + e.toString()); + } + + if (status.equals("0")) { + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.SUCCESS, // Outcome + status, // status + agentId, // AgentID + isCryptoValidate ? "true" : "false", // IsCryptoValidate + serversideKeygen ? 
"true" : "false", // IsServerSideKeygen + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + }; + auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, + logParams); + + } else { + String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded + log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded + ILogger.FAILURE, // Outcome + status, // status + agentId, // AgentID + isCryptoValidate ? "true" : "false", // IsCryptoValidate + serversideKeygen ? "true" : "false", // IsServerSideKeygen + selectedToken, // SelectedToken + keyNickName, // KeyNickName + keySet, // TKSKeyset + log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion + errorMsg // Error + }; + auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE, + logParams); + + } + + audit(auditMessage); + + } + + /** + * Serves HTTP admin request. 
+ * + * @param req HTTP request + * @param resp HTTP response + */ + public void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.service(req, resp); + } + + private PK11SymKey getSharedSecretKey() throws EBaseException, NotInitializedException { + + IConfigStore configStore = CMS.getConfigStore(); + String sharedSecretName = null; + try { + + sharedSecretName = getSharedSecretName(configStore); + + } catch (EBaseException e) { + throw new EBaseException("TokenServlet.getSharedSecetKey: Internal error finding config value: " + + e); + + } + + CMS.debug("TokenServlet.getSharedSecretTransportKey: calculated key name: " + sharedSecretName); + + String symmKeys = null; + boolean keyPresent = false; + try { + symmKeys = SessionKey.ListSymmetricKeys(CryptoUtil.INTERNAL_TOKEN_NAME); + CMS.debug("TokenServlet.getSharedSecretTransportKey: symmKeys List: " + symmKeys); + } catch (Exception e) { + // TODO Auto-generated catch block + CMS.debug(e); + } + + for (String keyName : symmKeys.split(",")) { + if (sharedSecretName.equals(keyName)) { + CMS.debug("TokenServlet.getSharedSecret: shared secret key found!"); + keyPresent = true; + break; + } + + } + + if (!keyPresent) { + throw new EBaseException("TokenServlet.getSharedSecret: Can't find shared secret!"); + } + + // We know for now that shared secret is on this token + String tokenName = CryptoUtil.INTERNAL_TOKEN_FULL_NAME; + PK11SymKey sharedSecret = SessionKey.GetSymKeyByName(tokenName, sharedSecretName); + + CMS.debug("TokenServlet.getSharedSecret: SymKey returns: " + sharedSecret); + + return sharedSecret; + + } + + //returns ArrayList of following values + // 0 : Kek wrapped des key + // 1 : keycheck value + // 2 : trans wrapped des key + private ArrayList calculateServerSideKeygenValues(String useSoftToken, String selectedToken, + SymmetricKey kekSessionKey, SecureChannelProtocol protocol) throws EBaseException { + + SymmetricKey desKey = null; + String method 
= "TokenServlet.calculateSErverSideKeygenValues: "; + ArrayList values = new ArrayList(); + + /** + * 0. generate des key + * 1. encrypt des key with kek key + * 2. encrypt des key with DRM transport key + * These two wrapped items are to be sent back to + * TPS. 2nd item is to DRM + **/ + CMS.debug(method + " entering..."); + + // (1) generate DES key + /* applet does not support DES3 + org.mozilla.jss.crypto.KeyGenerator kg = + internalToken.getKeyGenerator(KeyGenAlgorithm.DES3); + desKey = kg.generate();*/ + + /* + * GenerateSymkey firt generates a 16 byte DES2 key. + * It then pads it into a 24 byte key with last + * 8 bytes copied from the 1st 8 bytes. Effectively + * making it a 24 byte DES2 key. We need this for + * wrapping private keys on DRM. + */ + /*generate it on whichever token the master key is at*/ + + if (useSoftToken.equals("true")) { + CMS.debug(method + " key encryption key generated on internal"); + desKey = protocol.generateSymKey("internal"); + //cfu audit here? sym key gen done + } else { + CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); + desKey = protocol.generateSymKey(selectedToken); + } + if (desKey == null) { + throw new EBaseException(method + "can't generate key encryption key"); + } + + /* + * ECBencrypt actually takes the 24 byte DES2 key + * and discard the last 8 bytes before it encrypts. 
+ * This is done so that the applet can digest it + */ + + + // protocol.wrapSessionKey(tokenName, sessionKey, wrappingKey) + + byte[] encDesKey = protocol.ecbEncrypt(kekSessionKey, desKey, selectedToken); + + String kek_wrapped_desKeyString = + com.netscape.cmsutil.util.Utils.SpecialEncode(encDesKey); + + CMS.debug(method + "kek_wrapped_desKeyString: " + kek_wrapped_desKeyString); + + values.add(kek_wrapped_desKeyString); + + // get keycheck + + byte[] keycheck = null; + + keycheck = protocol.computeKeyCheck(desKey, selectedToken); + + String keycheck_s = + com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck); + + CMS.debug(method + "keycheck_s " + keycheck_s); + + values.add(keycheck_s); + + //use DRM transport cert to wrap desKey + String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", ""); + + if ((drmTransNickname == null) || (drmTransNickname == "")) { + CMS.debug(method + " did not find DRM transport certificate nickname"); + throw new EBaseException(method + "can't find DRM transport certificate nickname"); + } else { + CMS.debug(method + " drmtransport_cert_nickname=" + drmTransNickname); + } + + X509Certificate drmTransCert = null; + try { + + drmTransCert = CryptoManager.getInstance().findCertByNickname(drmTransNickname); + // wrap kek session key with DRM transport public key + CryptoToken token = null; + if (useSoftToken.equals("true")) { + //token = CryptoManager.getInstance().getTokenByName(selectedToken); + token = CryptoManager.getInstance().getInternalCryptoToken(); + } else { + token = CryptoManager.getInstance().getTokenByName(selectedToken); + } + PublicKey pubKey = drmTransCert.getPublicKey(); + String pubKeyAlgo = pubKey.getAlgorithm(); + CMS.debug("Transport Cert Key Algorithm: " + pubKeyAlgo); + KeyWrapper keyWrapper = null; + //For wrapping symmetric keys don't need IV, use ECB + if (pubKeyAlgo.equals("EC")) { + keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.AES_ECB); + keyWrapper.initWrap(pubKey, 
null); + } else { + keyWrapper = token.getKeyWrapper(KeyWrapAlgorithm.RSA); + keyWrapper.initWrap(pubKey, null); + } + CMS.debug("desKey token " + desKey.getOwningToken().getName() + " token: " + token.getName()); + byte[] drm_trans_wrapped_desKey = keyWrapper.wrap(desKey); + + String drmWrappedDesStr = + com.netscape.cmsutil.util.Utils.SpecialEncode(drm_trans_wrapped_desKey); + + CMS.debug(method + " drmWrappedDesStr: " + drmWrappedDesStr); + values.add(drmWrappedDesStr); + + } catch (Exception e) { + throw new EBaseException(e); + } + + return values; + } + + private boolean cryptoGramsAreEqual(byte[] original_cryptogram, byte[] calculated_cryptogram) { + boolean sameCardCrypto = true; + + if (original_cryptogram == null || calculated_cryptogram == null) { + return false; + } + if (original_cryptogram.length == calculated_cryptogram.length) { + for (int i = 0; i < original_cryptogram.length; i++) { + if (original_cryptogram[i] != calculated_cryptogram[i]) { + sameCardCrypto = false; + break; + } + } + } else { + // different length; must be different + sameCardCrypto = false; + } + + return sameCardCrypto; + } + + //For now only used for scp03 + + static GPParams readGPSettings(String keySet) { + GPParams params = new GPParams(); + + String method = "TokenServlet.readGPSettings: "; + String gp3Settings = "tks." 
+ keySet + ".prot3"; + + String divers = "emv"; + try { + divers = CMS.getConfigStore().getString(gp3Settings + ".divers", "emv"); + } catch (EBaseException e) { + } + + params.setDiversificationScheme(divers); + + CMS.debug(method + " Divers: " + divers); + + String diversVer1Keys = "emv"; + + try { + diversVer1Keys = CMS.getConfigStore().getString(gp3Settings + ".diversVer1Keys","emv"); + } catch (EBaseException e) { + } + + params.setVersion1DiversificationScheme(diversVer1Keys); + CMS.debug(method + " Version 1 keys Divers: " + divers); + + String keyType = null; + try { + keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3"); + } catch (EBaseException e) { + } + + CMS.debug(method + " devKeyType: " + keyType); + + params.setDevKeyType(keyType); + + try { + keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3"); + } catch (EBaseException e) { + } + + params.setMasterKeyType(keyType); + + CMS.debug(method + " masterKeyType: " + keyType); + + + return params; + } + + private byte[] getDeveKeyArray(String keyType,IConfigStore sconfig,String keySet) throws EBaseException { + byte devKeyArray[] = null; + try { + devKeyArray = com.netscape.cmsutil.util.Utils.SpecialDecode(sconfig.getString("tks." + + keySet + "." + keyType)); + } catch (Exception e) { + throw new EBaseException("Can't read static developer key array: " + keySet + ": " + keyType); + } + + return devKeyArray; + } + + +} -- 1.8.3.1 From fd149624a7ace41c75c5034345503c0d412f7aa3 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Tue, 23 May 2017 22:25:32 +0200 Subject: [PATCH 11/38] Updated log messages in OCSPProcessor. The OCSPProcessor has been modified to log the OCSP response to help troubleshooting. https://pagure.io/dogtagpki/issue/2695 Change-Id: I9c880def083221af26cac902ff6d7852d0555a8f --- base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) 
diff --git a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
index 3b72130..c7a40f7 100644
--- a/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
+++ b/base/util/src/com/netscape/cmsutil/ocsp/OCSPProcessor.java
@@ -134,8 +134,8 @@ public class OCSPProcessor {
 byte[] requestData = os.toByteArray();
 if (verbose) {
- System.out.println("Data Length: " + requestData.length);
- System.out.println("Data: " + Utils.base64encode(requestData));
+ System.out.println("Request Length: " + requestData.length);
+ System.out.println("Request: " + Utils.base64encode(requestData));
 }
 ByteArrayEntity requestEntity = new ByteArrayEntity(requestData);
@@ -156,8 +156,16 @@ public class OCSPProcessor {
 }
 // construct OCSP response
+
+ byte[] responseData = buffer.toByteArray();
+
+ if (verbose) {
+ System.out.println("Response Length: " + responseData.length);
+ System.out.println("Response: " + Utils.base64encode(responseData));
+ }
+
 return (OCSPResponse)OCSPResponse.getTemplate().decode(
- new ByteArrayInputStream(buffer.toByteArray()));
+ new ByteArrayInputStream(responseData));
 } finally {
 EntityUtils.consume(responseEntity);
-- 1.8.3.1 From b9f906eb1f26cf3d82262bc9894785742f451cd9 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Tue, 23 May 2017 11:12:06 -0400 Subject: [PATCH 12/38] Fix failing audit log As currently written, the audit log for completing the cert processing on the KRA will always fail because the cert is not yet issued. The cert is only issued after the key is archived. Basically, though, this particular log is only suppposed to be written to the CA audit log. Rather than adding a subsystem check, the simplest solution is to not expose this event on the KRA. Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643 --- base/kra/shared/conf/CS.cfg | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
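Review bot: The second hunk dumps the raw response only when `verbose` is set, so in normal operation a failure inside `decode(...)` (for example a non-DER body returned by the responder) still surfaces as a bare ASN.1 parser exception with no hint about what was received; wrapping the decode and including `responseData.length` in the rethrown exception's message would give that diagnostic without the verbose flag. The new `System.out.println` lines mirror the style of the request dump in the first hunk, which is consistent, but both now print the full base64 body on a single line, which is unwieldy for large responses. The enclosing method starts and ends outside the hunk.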
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 4b6ff74..69d9382 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 -- 1.8.3.1 From de9f890133e3acc660b985e8ef5950507d341a03 Mon Sep 17 00:00:00 2001 
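Review bot: The rewritten `log.instance.SignedAudit.events` line still lists `SECURITY_DATA_RETRIEVE_KEY` twice (once after `SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE` and again after `ASYMKEY_GENERATION_REQUEST_PROCESSED`), and it disagrees with the `_005` catalogue in the same hunk, which names `LOG_EXPIRATION_CHANGE` and `SECURITY_DATA_INFO` but not `SECURITY_DATA_RETRIEVE_KEY`. Because this line is what decides which signed-audit events the KRA actually records, a gap between the documented set and the enabled set is easy to overlook during an audit review; dedupe the entry and reconcile the two lists while the line is being touched. Whether the duplicate is harmless depends on how the logger parses the list, which is not visible here.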
From: Ade Lee Date: Tue, 23 May 2017 12:14:06 -0400 Subject: [PATCH 13/38] Make sure archivalID is passed through archival There was some confusion in the previous commit for archival logging. The archivalID is the id provided by the CA for the archival and is its requestID. This allows the cert request operation to be tracked through the archival. Made sure therefore, that we have two fields - one for the archivalID and one for the requestId (which is the KRA archival request ID). In addition, some of the archival events occur in the CA component just before the request is sent to the KRA. These events will not be displayed unless the audit event is added to the CA CS.cfg. Change-Id: I3904d42ae677d5916385e0120f0e25311b4d9d08 --- base/ca/shared/conf/CS.cfg | 4 +- base/ca/src/com/netscape/ca/CAService.java | 22 +++++++-- .../logging/event/SecurityDataArchivalEvent.java | 16 +------ .../event/SecurityDataArchivalProcessedEvent.java | 2 + .../src/com/netscape/kra/EnrollmentService.java | 53 ++++++++++++++++------ .../src/com/netscape/kra/KeyRecoveryAuthority.java | 11 +++-- .../src/com/netscape/kra/NetkeyKeygenService.java | 5 +- .../com/netscape/kra/SecurityDataProcessor.java | 1 + .../server/kra/rest/KeyRequestService.java | 1 + .../cms/profile/common/CAEnrollProfile.java | 23 +++++++--- base/server/cmsbundle/src/LogMessages.properties | 16 +++++-- 11 files changed, 104 insertions(+), 50 deletions(-) diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 8f9af5c..4e881dc 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg 
@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java index 45fae66..c9eacfe 100644 --- a/base/ca/src/com/netscape/ca/CAService.java +++ b/base/ca/src/com/netscape/ca/CAService.java @@ -58,6 +58,7 @@ import com.netscape.certsrv.profile.IProfile; import com.netscape.certsrv.profile.IProfileSubsystem; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; +import com.netscape.certsrv.request.RequestId; import com.netscape.cmscore.base.SubsystemRegistry; import com.netscape.cmscore.connector.HttpConnector; import com.netscape.cmscore.connector.LocalConnector; @@ -371,6 +372,7 @@ public class CAService implements ICAService, IService { public boolean serviceRequest(IRequest request) { String auditSubjectID = auditSubjectID(); String auditRequesterID = auditRequesterID(); + RequestId requestId = request.getRequestId(); boolean completed = false; 
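Review bot: The new `log.instance.SignedAudit.events` value appends `SECURITY_DATA_ARCHIVAL_REQUEST` but still omits `LOG_EXPIRATION_CHANGE`, which the `_005` catalogue in the same hunk advertises as available, so the documented and enabled sets disagree in the CA configuration. Both lists also keep `PRIVATE_KEY_ARCHIVE_REQUEST` and `PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED` next to the newly added name; if those older events are no longer emitted by the CA after this series, they should be removed here so the catalogue only lists events that can actually appear in the signed audit log. The CAService hunks in this commit emit the new event for both `ILogger.SUCCESS` and `ILogger.FAILURE`, so enabling only `SECURITY_DATA_ARCHIVAL_REQUEST` covers those call sites; whether CAEnrollProfile (changed in this commit, not shown) also needs `SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED` enabled is not visible.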
@@ -422,7 +424,9 @@ public class CAService implements ICAService, IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 boolean sendStatus = mKRAConnector.send(request);
@@ -437,7 +441,9 @@ public class CAService implements ICAService, IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 return true;
 } else {
@@ -451,7 +457,9 @@ public class CAService implements ICAService, IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 return true;
 }
@@ -474,7 +482,9 @@ public class CAService implements ICAService, IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 }
 return true;
@@ -490,7 +500,9 @@ public class CAService implements ICAService, IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 }
 return completed;
diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
index 43f7525..adc8d5b 100644
--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalEvent.java
@@ -30,6 +30,7 @@ public class SecurityDataArchivalEvent extends AuditEvent {
 public SecurityDataArchivalEvent(
 String subjectID,
 String outcome,
+ String archivalID,
 RequestId requestID,
 String clientKeyID) {
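Review bot: Every `audit(new SecurityDataArchivalEvent(...))` call in these hunks passes auditRequesterID in the third position, which the widened constructor on this page binds to archivalID and which the LogMessages.properties template renders as ArchivalRequestID, described there as the request ID the CA passes through the connector. The signed audit record therefore carries a requester identity in a field labelled and documented as a request identifier, so the CA-to-KRA correlation the commit message sets out to enable cannot be done from the logged value. The same argument order appears in the EnrollmentService, KeyRecoveryAuthority and CAEnrollProfile hunks, while NetkeyKeygenService passes `agentId, ILogger.SUCCESS, auditSubjectID` and KeyRequestService passes null, so the meaning of that field differs per caller. On this side the CA request ID is `requestId`, so `requestId.toString()` (or null) belongs in the archivalID slot, with a separate template field if the requester ID is to be kept; which value goes where should be settled in the event's Javadoc. serviceRequest's body continues outside these hunks.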
@@ -38,22 +39,9 @@ public class SecurityDataArchivalEvent extends AuditEvent {
 setParameters(new Object[] {
 subjectID,
 outcome,
+ archivalID,
 requestID,
 clientKeyID
 });
 }
-
- public SecurityDataArchivalEvent(
- String subjectID,
- String outcome,
- String requestID) {
- super(LOGGING_PROPERTY);
-
- setParameters(new Object[] {
- subjectID,
- outcome,
- requestID,
- null
- });
- }
 }
\ No newline at end of file
diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
index eb4f6b3..0ec21ae 100644
--- a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataArchivalProcessedEvent.java
@@ -30,6 +30,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent {
 public SecurityDataArchivalProcessedEvent(
 String subjectID,
 String outcome,
+ String archivalRequestId,
 RequestId requestID,
 String clientKeyID,
 KeyId keyID,
@@ -41,6 +42,7 @@ public class SecurityDataArchivalProcessedEvent extends AuditEvent {
 setParameters(new Object[] {
 subjectID,
 outcome,
+ archivalRequestId,
 requestID,
 clientKeyID,
 keyID,
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index b28fbc6..4cf36d1 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -56,6 +56,7 @@ import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.security.IStorageKeyUnit;
 import com.netscape.certsrv.security.ITransportKeyUnit;
 import com.netscape.certsrv.util.IStatsSubsystem;
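Review bot: The new archivalID parameter on SecurityDataArchivalEvent's constructor carries no Javadoc, and the only description of what it holds is a comment in LogMessages.properties that callers of this class never see. A constructor Javadoc along the lines of `@param archivalID request ID assigned by the issuing CA and passed through the connector; null when no CA request ID is available, as in the KeyRequestService call on this page` would let call sites fill the slot consistently, and the same applies to the archivalRequestId parameter added to SecurityDataArchivalProcessedEvent. The two classes also name the same field differently (archivalID versus archivalRequestId); one name makes grep-based audits of the call sites easier. The file still ends without a trailing newline.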
@@ -158,6 +159,7 @@ public class EnrollmentService implements IService {
 String auditSubjectID = auditSubjectID();
 String auditRequesterID = auditRequesterID();
 String auditPublicKey = ILogger.UNIDENTIFIED;
+ RequestId requestId = request.getRequestId();
 if (CMS.debugOn()) CMS.debug("EnrollmentServlet: KRA services enrollment request");
@@ -198,7 +200,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(
 CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
@@ -243,7 +247,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(
 CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
@@ -276,7 +282,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(
 CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
@@ -315,7 +323,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
 }
@@ -333,7 +343,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(
 CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
@@ -355,7 +367,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
 }
@@ -387,7 +401,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
 }
@@ -411,7 +427,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
 }
@@ -458,7 +476,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
 }
@@ -477,7 +497,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
 }
@@ -492,7 +514,9 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
 }
@@ -546,14 +570,17 @@ public class EnrollmentService implements IService {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 // store a message in the signed audit log file
 auditPublicKey = auditPublicKey(rec);
 audit(new SecurityDataArchivalProcessedEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- request.getRequestId(),
+ auditRequesterID,
+ requestId,
 null,
 new KeyId(rec.getSerialNumber()),
 null,
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 3c29bbf..ed20394 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -766,18 +766,21 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 r = queue.newRequest(KRAService.ENROLLMENT);
- // store a message in the signed audit log file
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ r.getRequestId(),
+ null));
 } catch (EBaseException eAudit1) {
 // store a message in the signed audit log file
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ null /* requestId */,
+ null /*clientKeyId */));
 throw eAudit1;
 }
@@ -792,6 +795,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 audit(new SecurityDataArchivalProcessedEvent(
 auditSubjectID,
 ILogger.SUCCESS,
+ auditRequesterID,
 r.getRequestId(),
 null,
 new KeyId(rec.getSerialNumber()),
@@ -801,6 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 audit(new SecurityDataArchivalProcessedEvent(
 auditSubjectID,
 ILogger.FAILURE,
+ auditRequesterID,
 r.getRequestId(),
 null,
 new KeyId(rec.getSerialNumber()),
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index df42a4f..947377a 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -397,7 +397,9 @@ public class NetkeyKeygenService implements IService {
 audit( new SecurityDataArchivalEvent(
 agentId,
 ILogger.SUCCESS,
- auditSubjectID));
+ auditSubjectID,
+ request.getRequestId(),
+ null));
 CMS.debug("KRA encrypts private key to put on internal ldap db");
 byte privateKeyData[] = null;
@@ -487,6 +489,7 @@ public class NetkeyKeygenService implements IService {
 audit(new SecurityDataArchivalProcessedEvent(
 agentId,
 ILogger.SUCCESS,
+ auditSubjectID,
 request.getRequestId(),
 null,
 new KeyId(serialNo),
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index a44eb2f..326630c 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -873,6 +873,7 @@ public class SecurityDataProcessor {
 audit(new SecurityDataArchivalProcessedEvent(
 subjectID,
 status,
+ null,
 requestID,
 clientKeyID,
 keyID,
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 12040e0..8ec69a7 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -357,6 +357,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
 audit(new SecurityDataArchivalEvent(
 getRequestor(),
 status,
+ null,
 requestId,
 clientKeyID));
 }
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
index 85db2cb..ec9f86b 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -36,6 +36,7 @@ import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.ERejectException;
 import com.netscape.certsrv.profile.IProfileUpdater;
 import com.netscape.certsrv.request.IRequest;
+import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestStatus;
 import netscape.security.x509.X500Name;
@@ -82,10 +83,10 @@ public class CAEnrollProfile extends EnrollProfile {
 String auditSubjectID = auditSubjectID();
 String auditRequesterID = auditRequesterID(request);
- String id = request.getRequestId().toString();
+ RequestId requestId = request.getRequestId();
- CMS.debug("CAEnrollProfile: execute request ID " + id);
+ CMS.debug("CAEnrollProfile: execute request ID " + requestId.toString());
 ICertificateAuthority ca = (ICertificateAuthority) getAuthority();
@@ -115,7 +116,9 @@ public class CAEnrollProfile extends EnrollProfile {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 } else {
 CMS.debug("CAEnrollProfile: execute send request");
 kraConnector.send(request);
@@ -125,7 +128,9 @@ public class CAEnrollProfile extends EnrollProfile {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 if (request.getError(getLocale(request)) != null && (request.getError(getLocale(request))).equals(CMS.getUserMessage("CMS_KRA_INVALID_TRANSPORT_CERT"))) {
@@ -140,7 +145,9 @@ public class CAEnrollProfile extends EnrollProfile {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.SUCCESS,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 }
 } catch (Exception e) {
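Review bot: `CMS.debug("CAEnrollProfile: execute request ID " + requestId.toString());` calls toString() explicitly inside a string concatenation; `+ requestId` is the idiomatic form and, unlike the explicit call, does not throw NullPointerException should getRequestId() ever return null (whether it can is not visible here). The explicit `requestId.toString()` handed to issueX509Cert later in the file has the same shape, though there the callee's String parameter means a null would still have to be dealt with. execute()'s body continues outside these hunks.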
@@ -153,7 +160,9 @@ public class CAEnrollProfile extends EnrollProfile {
 audit(new SecurityDataArchivalEvent(
 auditSubjectID,
 ILogger.FAILURE,
- auditRequesterID));
+ auditRequesterID,
+ requestId,
+ null));
 throw new EProfileException(e);
 }
@@ -179,7 +188,7 @@ public class CAEnrollProfile extends EnrollProfile {
 X509CertImpl theCert;
 try {
 theCert = caService.issueX509Cert(
- aid, info, getId() /* profileId */, id /* requestId */);
+ aid, info, getId() /* profileId */, requestId.toString());
 } catch (EBaseException e) {
 CMS.debug(e);
 throw new EProfileException(e);
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 44eec23..66a7fd0 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2414,17 +2414,23 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=:[AuditEv # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED # - used when user security data archive request is processed # this is when DRM receives and processed the request -# Client ID must be the user supplied client ID associated with +# ArchivalRequestID is the requestID provided by the CA through the connector +# It is used to track the request through from CA to KRA. +# RequestId is the KRA archival request ID +# ClientKeyID must be the user supplied client ID associated with # the security data to be archived # -LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}][PubKey={6}] security data archival request processed +LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}][KeyID={5}][FailureReason={6}][PubKey={7}] security data archival request processed # # LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST # - used when security data recovery request is made -# RecoveryID must be the recovery request ID -# CientID is the ID of the security data to be archived +# ArchivalRequestID is the requestID provided by the CA through the connector +# It is used to track the request through from CA to KRA. 
+# RequestId is the KRA archival request ID +# ClientKeyID must be the user supplied client ID associated with +# the security data to be archived # -LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][ClientKeyID={3}] security data archival request made +LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST][SubjectID={0}][Outcome={1}][ArchivalRequestID={2}][RequestId={3}][ClientKeyID={4}] security data archival request made # # # LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED -- 1.8.3.1 From 1d6860b20970dae43b81e9f943fb49575f377099 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 24 May 2017 11:15:03 -0400 Subject: [PATCH 14/38] Simplify recovery audit logging Currently, when we use the retrieveKey() REST interface, there are two logs generated for the processing of a recovery request. To rectify this, logging has been removed from the lower level in the SecurityDataProcessor and is delegated to the higher level. This necessitated adding audit logging to the SecurityDataRecoveryService, which processes recovery events asynchronously. In addition, the logging in retrieveKey() has been pushed down to the retrieveKeyImpl, because there is at least one success exit point in retrieveKeyImpl where a recovery request is created, but no key is exported. Hence in this case, a KeyRetrieve success event is not warranted. Change-Id: I0725e6fe82046ae666bf6c81d6a6ba58261dfc87 --- .../com/netscape/kra/SecurityDataProcessor.java | 32 ----------- .../netscape/kra/SecurityDataRecoveryService.java | 67 +++++++++++++++++++++- .../org/dogtagpki/server/kra/rest/KeyService.java | 11 ++-- 3 files changed, 72 insertions(+), 38 deletions(-) diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 326630c..2899f32 100644 
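Review bot: The comment block above LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST still opens with `# - used when security data recovery request is made` although this hunk rewrites the rest of that block and the template itself describes an archival request; it should read `# - used when a security data archival request is made`. The added `# RequestId is the KRA archival request ID` lines are only true for the KRA side, while the CA call sites on this page also emit this event with their own request ID in that slot, so the comment could say the ID belongs to the subsystem emitting the event. The same "recovery" wording appears in the PROCESSED block's first line only indirectly, so only the one line needs changing.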
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -42,7 +42,6 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
-import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.RequestId;
@@ -322,20 +321,13 @@ public class SecurityDataProcessor {
 throw new EBaseException(CMS.getUserMessage("CMS_BASE_CERT_ERROR", e.toString()));
 }
- String requestor = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
- String auditSubjectID = requestor;
-
 Hashtable params = kra.getVolatileRequest( request.getRequestId());
 KeyId keyId = new KeyId(request.getExtDataInBigInteger(ATTR_SERIALNO));
 request.setExtData(ATTR_KEY_RECORD, keyId.toBigInteger());
- RequestId requestID = request.getRequestId();
- String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
 if (params == null) {
 CMS.debug("SecurityDataProcessor.recover(): Can't get volatile params.");
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
- "cannot get volatile params", approvers);
 throw new EBaseException("Can't obtain volatile params!");
 }
@@ -457,8 +449,6 @@ public class SecurityDataProcessor {
 iv != null? new IVParameterSpec(iv): null,
 iv_wrap != null? new IVParameterSpec(iv_wrap): null);
 } catch (Exception e) {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
- "Cannot generate wrapping params", approvers);
 throw new EBaseException("Cannot generate wrapping params: " + e, e);
 }
 }
@@ -514,8 +504,6 @@ public class SecurityDataProcessor {
 params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
 } catch (Exception e) {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
- "Cannot unwrap passphrase", approvers);
 throw new EBaseException("Cannot unwrap passphrase: " + e, e);
 } finally {
@@ -556,8 +544,6 @@ public class SecurityDataProcessor {
 }
 } catch (Exception e) {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
- "Cannot wrap symmetric key", approvers);
 throw new EBaseException("Cannot wrap symmetric key: " + e, e);
 }
@@ -574,8 +560,6 @@ public class SecurityDataProcessor {
 wrapParams.getPayloadEncryptionAlgorithm(),
 wrapParams.getPayloadEncryptionIV());
 } catch (Exception e) {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
- keyId, "Cannot encrypt passphrase", approvers);
 throw new EBaseException("Cannot encrypt passphrase: " + e, e);
 }
@@ -606,8 +590,6 @@ public class SecurityDataProcessor {
 }
 } catch (Exception e) {
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, keyId,
- "Cannot wrap private key", approvers);
 throw new EBaseException("Cannot wrap private key: " + e, e);
 }
 }
@@ -640,9 +622,6 @@ public class SecurityDataProcessor {
 }
 params.put(IRequest.SECURITY_DATA_TYPE, dataType);
-
- auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, keyId,
- null, approvers);
 request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
 return false; //return true ? TODO
@@ -857,17 +836,6 @@ public class SecurityDataProcessor {
 audit(message);
 }
- private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
- KeyId keyID, String reason, String recoveryAgents) {
- audit(new SecurityDataRecoveryProcessedEvent(
- subjectID,
- status,
- requestID,
- keyID,
- reason,
- recoveryAgents));
- }
-
 private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID,
 String clientKeyID, KeyId keyID, String reason) {
 audit(new SecurityDataArchivalProcessedEvent(
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
index 0c7b4b7..da82e97 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -19,9 +19,14 @@ package com.netscape.kra;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.dbs.keydb.KeyId;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IService;
+import com.netscape.certsrv.request.RequestId;
 import netscape.security.util.DerValue;
 import netscape.security.x509.X509Key;
 /**
 * This implementation services SecurityData Recovery requests.
@@ -33,6 +38,7 @@ public class SecurityDataRecoveryService implements IService {
 private IKeyRecoveryAuthority kra = null;
 private SecurityDataProcessor processor = null;
+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
 public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) {
 this.kra = kra;
@@ -57,8 +63,65 @@ public class SecurityDataRecoveryService implements IService {
 throws EBaseException {
 CMS.debug("SecurityDataRecoveryService.serviceRequest()");
- processor.recover(request);
- kra.getRequestQueue().updateRequest(request);
+
+ // parameters for auditing
+ String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ KeyId keyId = new KeyId(request.getExtDataInBigInteger("serialNumber"));
+ RequestId requestID = request.getRequestId();
+ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
+
+ try {
+ processor.recover(request);
+ kra.getRequestQueue().updateRequest(request);
+ auditRecoveryRequestProcessed(
+ auditSubjectID,
+ ILogger.SUCCESS,
+ requestID,
+ keyId,
+ null,
+ approvers);
+ } catch (EBaseException e) {
+ auditRecoveryRequestProcessed(
+ auditSubjectID,
+ ILogger.FAILURE,
+ requestID,
+ keyId,
+ e.getMessage(),
+ approvers);
+ throw e;
+ }
 return false; //TODO: return true?
 }
+
+ private void audit(AuditEvent event) {
+
+ String template = event.getMessage();
+ Object[] params = event.getParameters();
+
+ String message = CMS.getLogMessage(template, params);
+
+ audit(message);
+ }
+
+ private void audit(String msg) {
+ if (signedAuditLogger == null)
+ return;
+
+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+ KeyId keyID, String reason, String recoveryAgents) {
+ audit(new SecurityDataRecoveryProcessedEvent(
+ subjectID,
+ status,
+ requestID,
+ keyID,
+ reason,
+ recoveryAgents));
+ }
 }
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 52799e6..8edb928 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
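Review bot: The failure audit in serviceRequest() is written only for EBaseException, so a RuntimeException thrown by processor.recover() or updateRequest() leaves no SECURITY_DATA_RECOVERY_REQUEST_PROCESSED record at all, whereas the SecurityDataProcessor code this commit removes audited each failure path it handled; `} catch (EBaseException | RuntimeException e) {` (or a second catch clause that audits and rethrows) closes that gap. The keyId is read with the literal `"serialNumber"` while SecurityDataProcessor.recover() reads what appears to be the same attribute as ATTR_SERIALNO; if the two ever differ the audited KeyID is wrong, so the constant should be reused, and `new KeyId(null)` on a request without that attribute is worth checking. auditRecoveryRequestProcessed() is a verbatim copy of the method deleted from SecurityDataProcessor and the two audit() helpers duplicate the ones still there, so a shared helper would avoid carrying two copies. e.getMessage() can be null for some exceptions, which leaves the FailureReason field empty.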
@@ -117,13 +117,10 @@ public class KeyService extends SubsystemService implements KeyResource {
 public Response retrieveKey(KeyRecoveryRequest data) {
 try {
 Response response = retrieveKeyImpl(data);
- auditRetrieveKey(ILogger.SUCCESS);
 return response;
 } catch(RuntimeException e) {
- auditRetrieveKeyError(e.getMessage());
 throw e;
 } catch (Exception e) {
- auditRetrieveKeyError(e.getMessage());
 throw new PKIException(e.getMessage(), e);
 }
 }
@@ -137,6 +134,7 @@ public class KeyService extends SubsystemService implements KeyResource {
 CMS.debug(auditInfo);
 if (data == null) {
+ auditRetrieveKeyError("Bad Request: Missing key Recovery Request");
 throw new BadRequestException("Missing key Recovery Request");
 }
@@ -152,10 +150,12 @@ public class KeyService extends SubsystemService implements KeyResource {
 try {
 request = queue.findRequest(requestId);
 } catch (EBaseException e) {
+ auditRetrieveKeyError(e.getMessage());
 throw new PKIException(e.getMessage(), e);
 }
 if (request == null) {
+ auditRetrieveKeyError("Bad Request: No request found");
 throw new BadRequestException("No request found");
 }
@@ -166,7 +166,8 @@ public class KeyService extends SubsystemService implements KeyResource {
 } else {
 keyId = data.getKeyId();
 if (keyId == null) {
- throw new BadRequestException("Missing key Recovery Request");
+ auditRetrieveKeyError("Bad Request: Missing key recovery request and key_id");
+ throw new BadRequestException("Missing recovery request and key id");
 }
 auditInfo += ";keyID=" + keyId.toString();
@@ -186,6 +187,7 @@ public class KeyService extends SubsystemService implements KeyResource {
 request = reqDAO.createRecoveryRequest(data, uriInfo, getRequestor(), getAuthToken(), ephemeral);
 } catch (EBaseException e) {
+ auditRetrieveKeyError("Unable to create recovery request: " + e.getMessage());
 throw new PKIException(e.getMessage(), e);
 }
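Review bot: With both auditRetrieveKeyError calls removed from retrieveKey(), a failure inside retrieveKeyImpl() is recorded only where one of the new call sites was placed, and any other exception path in retrieveKeyImpl now produces no audit record, whereas before this change every failed call was audited exactly once. Most of retrieveKeyImpl's body lies outside these hunks, so whether every throw is now covered cannot be confirmed here. If the intent is one error record per failed call, either keep a catch-all `auditRetrieveKeyError(e.getMessage())` in retrieveKey() for exceptions the impl has not already audited, or have retrieveKeyImpl record whether it audited so the wrapper can fill the gap.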
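Review bot: The audit message and the exception raised at the keyId == null check describe the condition with different wording, `auditRetrieveKeyError("Bad Request: Missing key recovery request and key_id")` against `throw new BadRequestException("Missing recovery request and key id")`, so the audit trail and the client-visible error will not match when an operator correlates them. Deriving both from one string keeps them in step: `String msg = "Missing key recovery request and key_id";` then `auditRetrieveKeyError("Bad Request: " + msg);` and `throw new BadRequestException(msg);`. The other new call sites in this file follow the "Bad Request: " + exception-text pattern, so this would also be consistent with them.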
@@ -248,6 +250,7 @@ public class KeyService extends SubsystemService implements KeyResource { auditRecoveryRequestProcessed(ILogger.SUCCESS, null); CMS.debug("KeyService: key retrieved"); + auditRetrieveKey(ILogger.SUCCESS); return createOKResponse(keyData); } -- 1.8.3.1 From f6cc8db2fbd9ab509c4285e944306b31cf068a5f Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 24 May 2017 06:38:50 +0200 Subject: [PATCH 15/38] Cleaned up DefStore.processRequest() (part 1). An if-statement in DefStore.processRequest() has been modified to return early for clarity. The code indentation has been adjusted accordingly. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ib506bdac88e017197b2a192e952b54be1456eac0 --- .../cms/src/com/netscape/cms/ocsp/DefStore.java | 121 +++++++++++---------- 1 file changed, 62 insertions(+), 59 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java index 217c568..9882acd 100644 --- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java @@ -27,11 +27,6 @@ import java.util.Hashtable; import java.util.Locale; import java.util.Vector; -import netscape.security.x509.RevokedCertificate; -import netscape.security.x509.X509CRLImpl; -import netscape.security.x509.X509CertImpl; -import netscape.security.x509.X509Key; - import org.mozilla.jss.asn1.ASN1Util; import org.mozilla.jss.asn1.GeneralizedTime; import org.mozilla.jss.asn1.INTEGER; @@ -73,6 +68,11 @@ import com.netscape.cmsutil.ocsp.SingleResponse; import com.netscape.cmsutil.ocsp.TBSRequest; import com.netscape.cmsutil.ocsp.UnknownInfo; +import netscape.security.x509.RevokedCertificate; +import netscape.security.x509.X509CRLImpl; +import netscape.security.x509.X509CertImpl; +import netscape.security.x509.X509Key; + /** * This is the default OCSP store that stores revocation information * as certificate record (CMS internal data structure). 
@@ -481,77 +481,80 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { incReqCount(theRec.getId()); } + if (theCert == null) { + return null; + } + // check the serial number - if (theCert != null) { - INTEGER serialNo = cid.getSerialNumber(); + INTEGER serialNo = cid.getSerialNumber(); - log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); - CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); - CertStatus certStatus = null; - GeneralizedTime thisUpdate = null; + log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); + CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); + CertStatus certStatus = null; + GeneralizedTime thisUpdate = null; + if (theRec == null) { + thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); + } else { + thisUpdate = new GeneralizedTime( + theRec.getThisUpdate()); + } + GeneralizedTime nextUpdate = null; + + if (includeNextUpdate()) { + // this is an optional field if (theRec == null) { - thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); + nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); } else { - thisUpdate = new GeneralizedTime( - theRec.getThisUpdate()); - } - GeneralizedTime nextUpdate = null; - - if (includeNextUpdate()) { - // this is an optional field - if (theRec == null) { - nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); - } else { - nextUpdate = new GeneralizedTime( - theRec.getNextUpdate()); - } + nextUpdate = new GeneralizedTime( + theRec.getNextUpdate()); } + } - if (theCRL == null) { - certStatus = new UnknownInfo(); - - // if crl is not available, we can try crl cache - if (theRec != null) { - CMS.debug("DefStore: evaluating crl cache"); - Hashtable cache = theRec.getCRLCacheNoClone(); - if (cache != null) { - RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString())); - if (rc == null) { - if (isNotFoundGood()) { - certStatus = new GoodInfo(); - } 
else { - certStatus = new UnknownInfo(); - } + if (theCRL == null) { + certStatus = new UnknownInfo(); + + // if crl is not available, we can try crl cache + if (theRec != null) { + CMS.debug("DefStore: evaluating crl cache"); + Hashtable cache = theRec.getCRLCacheNoClone(); + if (cache != null) { + RevokedCertificate rc = cache.get(new BigInteger(serialNo.toString())); + if (rc == null) { + if (isNotFoundGood()) { + certStatus = new GoodInfo(); } else { - - certStatus = new RevokedInfo( - new GeneralizedTime( - rc.getRevocationDate())); + certStatus = new UnknownInfo(); } + } else { + + certStatus = new RevokedInfo( + new GeneralizedTime( + rc.getRevocationDate())); } } + } - } else { - CMS.debug("DefStore: evaluating x509 crl impl"); - X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); + } else { + CMS.debug("DefStore: evaluating x509 crl impl"); + X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); - if (crlentry == null) { - // good or unknown - if (isNotFoundGood()) { - certStatus = new GoodInfo(); - } else { - certStatus = new UnknownInfo(); - } + if (crlentry == null) { + // good or unknown + if (isNotFoundGood()) { + certStatus = new GoodInfo(); } else { - certStatus = new RevokedInfo(new GeneralizedTime( - crlentry.getRevocationDate())); - + certStatus = new UnknownInfo(); } + } else { + certStatus = new RevokedInfo(new GeneralizedTime( + crlentry.getRevocationDate())); + } - return new SingleResponse(cid, certStatus, thisUpdate, - nextUpdate); } + return new SingleResponse(cid, certStatus, thisUpdate, + nextUpdate); + } catch (Exception e) { // error log CMS.debug("DefStore: failed processing request e=" + e); -- 1.8.3.1 From 4511646ecec5b99dfb0ab31fc604a8765313941e Mon Sep 17 00:00:00 2001 
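Review bot: The restructured status logic reports `GoodInfo` for any serial missing from the CRL or the CRL cache whenever `isNotFoundGood()` holds, which by RFC 6960 §2.2 also covers serials this issuer never issued; that is a legitimate responder policy but nothing in the block says so, and the new early `return null` for `theCert == null` likewise leaves the caller's contract implicit. Suggest a comment above the first `if (isNotFoundGood())`: `// "good" here means "not on the CRL"; a never-issued serial is also reported good when not-found-as-good is configured`, and above the early return: `// no issuer matched this CertID; null tells the caller there is no SingleResponse for it`. What `isNotFoundGood()` reads and what the caller does with null are outside the hunk, so both comments should be confirmed against that code. `processRequest` begins before the hunk and its catch block ends after it.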
From: "Endi S. Dewata" Date: Wed, 24 May 2017 06:48:58 +0200 Subject: [PATCH 16/38] Cleaned up DefStore.processRequest() (part 2). An if-statement in DefStore.processRequest() has been modified to return early for clarity. The code indentation has been adjusted accordingly. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ife5a1e3c2d4a09a687acc2714948b670fd31bfe3 --- .../cms/src/com/netscape/cms/ocsp/DefStore.java | 31 ++++++++++++---------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java index 9882acd..0b29b08 100644 --- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java @@ -535,23 +535,26 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { } } - } else { - CMS.debug("DefStore: evaluating x509 crl impl"); - X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); - - if (crlentry == null) { - // good or unknown - if (isNotFoundGood()) { - certStatus = new GoodInfo(); - } else { - certStatus = new UnknownInfo(); - } - } else { - certStatus = new RevokedInfo(new GeneralizedTime( - crlentry.getRevocationDate())); + return new SingleResponse(cid, certStatus, thisUpdate, + nextUpdate); + } + + CMS.debug("DefStore: evaluating x509 crl impl"); + X509CRLEntry crlentry = theCRL.getRevokedCertificate(new BigInteger(serialNo.toString())); + if (crlentry == null) { + // good or unknown + if (isNotFoundGood()) { + certStatus = new GoodInfo(); + } else { + certStatus = new UnknownInfo(); } + } else { + certStatus = new RevokedInfo(new GeneralizedTime( + crlentry.getRevocationDate())); + } + return new SingleResponse(cid, certStatus, thisUpdate, nextUpdate); -- 1.8.3.1 From 7d39f6ecfe4c29c14948e4b5d30fde93d7f0f8e6 Mon Sep 17 00:00:00 2001 
From: "Endi S. Dewata" Date: Wed, 24 May 2017 18:07:42 +0200 Subject: [PATCH 17/38] Cleaned up DefStore.processRequest() (part 3). Some nested if-statements in DefStore.processRequest() has been merged for clarity. https://pagure.io/dogtagpki/issue/2652 Change-Id: Iedbda7d884cd4735a9c591a57d05b1086b4cb36d --- .../cms/src/com/netscape/cms/ocsp/DefStore.java | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java index 0b29b08..676257b 100644 --- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java @@ -499,16 +499,18 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { thisUpdate = new GeneralizedTime( theRec.getThisUpdate()); } - GeneralizedTime nextUpdate = null; - if (includeNextUpdate()) { - // this is an optional field - if (theRec == null) { - nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); - } else { - nextUpdate = new GeneralizedTime( - theRec.getNextUpdate()); - } + // this is an optional field + GeneralizedTime nextUpdate; + + if (!includeNextUpdate()) { + nextUpdate = null; + + } else if (theRec == null) { + nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); + + } else { + nextUpdate = new GeneralizedTime(theRec.getNextUpdate()); } if (theCRL == null) { -- 1.8.3.1 From 9d74c8f2f6291e9bac433c950168d68fa5fc90c8 Mon Sep 17 00:00:00 2001 
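Review bot: In the new `else if (theRec == null)` branch `nextUpdate` is set to the current time, which is effectively the same instant the context lines above assign to `thisUpdate`, so the response tells the client it is stale on arrival; RFC 6960 defines an absent `nextUpdate` as "newer information is available at any time", which is what a missing CRL record actually means. Consider `} else if (theRec == null) { nextUpdate = null;` with the comment `// no CRL record: omit nextUpdate rather than publish an already-expired window`. Whether a null `theRec` can coincide with a non-null `theCRL` (the only case where this field is paired with a definite status) is decided by the issuer lookup outside the hunk.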
From: "Endi S. Dewata" Date: Wed, 24 May 2017 05:06:31 +0200 Subject: [PATCH 18/38] Updated OCSP log messages. Some log messages in OCSP-related code have been updated for clarity. https://pagure.io/dogtagpki/issue/2652 Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39 --- base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java | 10 +++++--- .../cms/src/com/netscape/cms/ocsp/DefStore.java | 27 ++++++++++++++++------ .../com/netscape/cms/servlet/ocsp/OCSPServlet.java | 7 ++++-- 3 files changed, 32 insertions(+), 12 deletions(-) diff --git a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java index 09b85b4..14dd338 100644 --- a/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java +++ b/base/ocsp/src/com/netscape/ocsp/OCSPAuthority.java @@ -415,6 +415,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, */ public BasicOCSPResponse sign(ResponseData rd) throws EBaseException { + try (DerOutputStream out = new DerOutputStream()) { DerOutputStream tmp = new DerOutputStream(); @@ -424,9 +425,11 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, if (rd_data != null) { mTotalData += rd_data.length; } + rd.encode(tmp); AlgorithmId.get(algname).encode(tmp); - CMS.debug("adding signature"); + + CMS.debug("OCSPAuthority: adding signature"); byte[] signature = mSigningUnit.sign(rd_data, algname); tmp.putBitString(signature); @@ -440,6 +443,7 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, for (int i = 0; i < chains.length; i++) { tmpChain.putDerValue(new DerValue(chains[i].getEncoded())); } + tmp1.write(DerValue.tag_Sequence, tmpChain); tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte) 0), tmp1); 
@@ -449,9 +453,9 @@ public class OCSPAuthority implements IOCSPAuthority, IOCSPService, ISubsystem, BasicOCSPResponse response = new BasicOCSPResponse(out.toByteArray()); return response; + } catch (Exception e) { - e.printStackTrace(); - // error e + CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_OCSP_SIGN_RESPONSE", e.toString())); return null; } diff --git a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java index 676257b..ea095ba 100644 --- a/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java +++ b/base/server/cms/src/com/netscape/cms/ocsp/DefStore.java @@ -409,8 +409,9 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { long endTime = CMS.getCurrentDate().getTime(); mOCSPAuthority.incTotalTime(endTime - startTime); return response; + } catch (Exception e) { - CMS.debug("DefStore: validation failed " + e.toString()); + CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_REQUEST_FAILURE", e.toString())); return null; } @@ -449,6 +450,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { log(ILogger.LL_FAILURE, CMS.getLogMessage("OCSP_DECODE_CERT", e.toString())); return null; } + MessageDigest md = MessageDigest.getInstance(cid.getDigestName()); X509Key key = (X509Key) cert.getPublicKey(); byte digest[] = md.digest(key.getKey()); @@ -474,6 +476,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { break; } } + } else { theCert = matched.getX509CertImpl(); theRec = matched.getCRLIssuingPointRecord(); 
@@ -490,16 +493,19 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Checked Status of certificate 0x" + serialNo.toString(16)); CMS.debug("DefStore: process request 0x" + serialNo.toString(16)); - CertStatus certStatus = null; - GeneralizedTime thisUpdate = null; + + GeneralizedTime thisUpdate; if (theRec == null) { thisUpdate = new GeneralizedTime(CMS.getCurrentDate()); } else { - thisUpdate = new GeneralizedTime( - theRec.getThisUpdate()); + Date d = theRec.getThisUpdate(); + CMS.debug("DefStore: CRL record this update: " + d); + thisUpdate = new GeneralizedTime(d); } + CMS.debug("DefStore: this update: " + thisUpdate.toDate()); + // this is an optional field GeneralizedTime nextUpdate; @@ -510,9 +516,15 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { nextUpdate = new GeneralizedTime(CMS.getCurrentDate()); } else { - nextUpdate = new GeneralizedTime(theRec.getNextUpdate()); + Date d = theRec.getNextUpdate(); + CMS.debug("DefStore: CRL record next update: " + d); + nextUpdate = new GeneralizedTime(d); } + CMS.debug("DefStore: next update: " + (nextUpdate == null ? null : nextUpdate.toDate())); + + CertStatus certStatus; + if (theCRL == null) { certStatus = new UnknownInfo(); @@ -551,10 +563,10 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { } else { certStatus = new UnknownInfo(); } + } else { certStatus = new RevokedInfo(new GeneralizedTime( crlentry.getRevocationDate())); - } return new SingleResponse(cid, certStatus, thisUpdate, @@ -564,6 +576,7 @@ public class DefStore implements IDefStore, IExtendedPluginInfo { // error log CMS.debug("DefStore: failed processing request e=" + e); } + return null; } diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java index 940bf65..5fde89d 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java 
+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/OCSPServlet.java @@ -198,16 +198,19 @@ public class OCSPServlet extends CMSServlet { throw new Exception("OCSPServlet: OCSP request is " + "empty or malformed"); } + ocspReq = (OCSPRequest) reqTemplate.decode(is); + if ((ocspReq == null) || (ocspReq.toString().equals(""))) { throw new Exception("OCSPServlet: Decoded OCSP request " + "is empty or malformed"); } + response = ((IOCSPService) mAuthority).validate(ocspReq); + } catch (Exception e) { - ; - CMS.debug("OCSPServlet: " + e.toString()); + CMS.debug(e); } if (response != null) { -- 1.8.3.1 From 84f3958dc9c1c5bfab4a8789e621d621a28cbdd6 Mon Sep 17 00:00:00 2001 From: Jack Magne Date: Mon, 10 Apr 2017 11:27:12 -0700 Subject: [PATCH 19/38] Now the program can create and import shared secret keys while under FIPS mode. --- base/native-tools/src/tkstool/key.c | 102 ++++++++++++++++++++++++++------ base/native-tools/src/tkstool/tkstool.c | 4 +- base/native-tools/src/tkstool/tkstool.h | 3 +- 3 files changed, 87 insertions(+), 22 deletions(-) diff --git a/base/native-tools/src/tkstool/key.c b/base/native-tools/src/tkstool/key.c index 4fd3796..e63da93 100644 --- a/base/native-tools/src/tkstool/key.c +++ b/base/native-tools/src/tkstool/key.c @@ -19,6 +19,11 @@ #include "tkstool.h" +secuPWData pwdata = { PW_NONE, + 0 }; + + + /*******************************/ /** local private functions **/ /*******************************/ 
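Review bot: The catch at the end of the hunk collapses a malformed request and a responder-side failure in `validate()` into the same `response == null` with only a debug trace, so the `if (response != null)` that follows cannot distinguish `malformedRequest` from `internalError` as RFC 6960 §4.2.1 expects, and an unauthenticated client can trigger the path silently. Wrap the decode step in its own try block that records a malformed-request outcome, and log the `validate()` failure at a failure level rather than `CMS.debug(e)` since it indicates a signing or store problem. `ocspReq.toString().equals("")` is also a weak emptiness test; checking the decoded request's TBSRequest/request list directly would be more meaningful, though that depends on the OCSPRequest API not shown here. The else branch of `if (response != null)` lies outside the hunk.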
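Review bot: `secuPWData pwdata = { PW_NONE, 0 };` is a new file-scope global with external linkage that exists only to give `TKS_ComputeAndDisplayKCV` a dummy password argument; tkstool.c's `main()` also passes a `&pwdata` (its hunk below), and if that is a global too the two definitions collide at link time under `-fno-common`. Make it `static` and say what it is: `static secuPWData pwdata = { PW_NONE, 0 }; /* no-password placeholder for the KCV key import; main() carries the real one */`, with the last clause to be confirmed against where main()'s variable is actually declared.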
@@ -534,16 +539,26 @@ TKS_ComputeAndDisplayKCV( PRUint8 *newKey, goto done; } - key = PK11_ImportSymKeyWithFlags( - /* slot */ slot, - /* mechanism type */ CKM_DES3_ECB, - /* origin */ PK11_OriginGenerated, - /* operation */ CKA_ENCRYPT, - /* key */ &keyItem, - /* flags */ CKF_ENCRYPT, - /* isPerm */ PR_FALSE, - /* wincx */ 0 ); + key = TKS_ImportSymmetricKey( NULL, + slot, + CKM_DES3_ECB, + CKA_ENCRYPT, + &keyItem, + &pwdata, PR_FALSE ); + + + + /* key = PK11_ImportSymKeyWithFlags( + slot, + CKM_DES3_ECB, + PK11_OriginGenerated, + CKA_ENCRYPT, + &keyItem, + CKF_ENCRYPT, + PR_FALSE, + 0 ); + */ if( ! key ) { PR_fprintf( PR_STDERR, "ERROR: Failed to import %s key!\n\n\n", @@ -1062,10 +1077,18 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, CK_MECHANISM_TYPE mechanism, CK_ATTRIBUTE_TYPE operation, SECItem *sessionKeyShare, - secuPWData *pwdata ) + secuPWData *pwdata, PRBool isPerm ) { PK11Origin origin = PK11_OriginGenerated; PK11SymKey *symKey = NULL; + PK11SymKey *sessKey = NULL; + PK11Context *context = NULL; + static SECItem noParams = { siBuffer, NULL, 0 }; + SECItem wrappeditem = { siBuffer, NULL, 0 }; + + int len = 0; + unsigned char wrappedkey[DES_LENGTH * 3]; + SECStatus s = SECSuccess; if( slot == NULL ) { return NULL; 
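Review bot: `TKS_ImportSymmetricKey( NULL, slot, ...)` hands a NULL `symmetricKeyName` to a function that prints it with `"Generating %s symmetric key . . ."` (visible as context in the next hunk), so a KCV computation now passes NULL to a `%s` conversion — NSPR's formatter may print `(null)`, but that is not behaviour to rely on, and the message is wrong for a key-check-value anyway. Pass a label, `key = TKS_ImportSymmetricKey( "KCV", slot, CKM_DES3_ECB, CKA_ENCRYPT, &keyItem, &pwdata, PR_FALSE );`, or have the callee skip the message when the name is NULL. The eleven-line commented-out `PK11_ImportSymKeyWithFlags` call should be deleted rather than parked; the old call survives in the diff history. `TKS_ComputeAndDisplayKCV` starts and ends outside the hunk.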
@@ -1077,15 +1100,56 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, "Generating %s symmetric key . . .\n\n", symmetricKeyName ); - symKey = PK11_ImportSymKeyWithFlags( - /* slot */ slot, - /* mechanism type */ mechanism, - /* origin */ origin, - /* operation */ operation, - /* key */ sessionKeyShare, - /* flags */ 0, - /* isPerm */ PR_FALSE, - /* wincx */ pwdata ); + sessKey = PK11_TokenKeyGenWithFlags(slot, // slot handle + CKM_DES3_KEY_GEN, // mechanism type + NULL, // pointer to params (SECItem structure) + 0, // keySize (per documentation in pk11skey.c, must be 0 for fixed key length algorithms) + 0, // pointer to keyid (SECItem structure) + CKF_WRAP | CKF_UNWRAP | CKF_ENCRYPT | CKF_DECRYPT, // opFlags + PK11_ATTR_PRIVATE | PK11_ATTR_UNEXTRACTABLE | PK11_ATTR_SENSITIVE, // attrFlags (AC: this is my "best guess" as to what flags should be set) + NULL); + + if( sessKey == NULL ) { + goto cleanup; + } + + // Import the key onto the token using the temp session key and the key data. + // + + context = PK11_CreateContextBySymKey(CKM_DES3_ECB, CKA_ENCRYPT, + sessKey, + &noParams); + + if (context == NULL) { + goto cleanup; + } + + len = sessionKeyShare->len; + /* encrypt the key with the master key */ + s = PK11_CipherOp(context, wrappedkey, &len, DES_LENGTH * 3 , sessionKeyShare->data ,DES_LENGTH * 3 ); + if (s != SECSuccess) + { + goto cleanup; + } + + wrappeditem.data = wrappedkey; + wrappeditem.len = len; + + symKey = PK11_UnwrapSymKeyWithFlagsPerm(sessKey, CKM_DES3_ECB, &noParams, + &wrappeditem, CKM_DES3_KEY_GEN, CKA_DECRYPT, DES_LENGTH * 3, + (CKA_ENCRYPT | CKA_DECRYPT) & CKF_KEY_OPERATION_FLAGS, isPerm ); + +cleanup: + if( sessKey != NULL) { + PK11_FreeSymKey( sessKey ); + sessKey = NULL; + } + + if( context ) { + PK11_DestroyContext( + /* context */ context, + /* free it */ PR_TRUE ); + } return symKey; } diff --git a/base/native-tools/src/tkstool/tkstool.c b/base/native-tools/src/tkstool/tkstool.c index 6fd2a97..53781e4 100644 
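Review bot: `PK11_CipherOp( context, wrappedkey, &len, DES_LENGTH * 3, sessionKeyShare->data, DES_LENGTH * 3 )` hard-codes a 24-byte input regardless of `sessionKeyShare->len`, so the DES2 call site in tkstool.c (`CKM_DES2_KEY_GEN` with `firstSessionKeyShare`, visible in that file's hunk) reads 8 bytes past the share and then unwraps the result as a 24-byte DES3 key, because the unwrap also hard-codes `CKM_DES3_KEY_GEN`; the `mechanism` and `operation` parameters are no longer used anywhere in the body, and `len = sessionKeyShare->len` is simply overwritten by the output length. The flags argument `(CKA_ENCRYPT | CKA_DECRYPT) & CKF_KEY_OPERATION_FLAGS` mixes attribute-type enumerators with CKF_ usage bits — per PKCS#11 those are 0x104 and 0x105, so after masking only CKF_ENCRYPT (0x100) survives and the imported key cannot decrypt; `CKF_ENCRYPT | CKF_DECRYPT` is presumably what was meant. The three bare `goto cleanup` paths also discard the NSS error code, which is exactly what an operator needs when a FIPS token rejects the operation, and the comment `/* encrypt the key with the master key */` is wrong since the wrapping key is the throw-away session key generated just above. The rewrite below bounds the share length, uses the caller's key type and usage, and reports failures.
```c
    /* … unchanged: session-key generation and PK11_CreateContextBySymKey … */

    /* the share must be whole DES blocks and fit the scratch buffer */
    if( sessionKeyShare->len == 0 ||
        sessionKeyShare->len % DES_LENGTH != 0 ||
        sessionKeyShare->len > sizeof( wrappedkey ) ) {
        PR_fprintf( PR_STDERR, "ERROR: unsupported key share length %u\n",
                    sessionKeyShare->len );
        goto cleanup;
    }

    /* encrypt the share under the throw-away session key so the token can
     * unwrap it; raw PK11_ImportSymKey is refused in FIPS mode */
    s = PK11_CipherOp( context, wrappedkey, &len, (int) sizeof( wrappedkey ),
                       sessionKeyShare->data, (int) sessionKeyShare->len );
    if( s != SECSuccess || len != (int) sessionKeyShare->len ) {
        PR_fprintf( PR_STDERR, "ERROR: wrapping key share failed (%d)\n",
                    PORT_GetError() );
        goto cleanup;
    }

    wrappeditem.data = wrappedkey;
    wrappeditem.len  = len;

    /* honour the caller's key type and usage instead of forcing DES3/decrypt */
    symKey = PK11_UnwrapSymKeyWithFlagsPerm( sessKey, CKM_DES3_ECB, &noParams,
                                             &wrappeditem, mechanism, operation,
                                             (int) sessionKeyShare->len,
                                             CKF_ENCRYPT | CKF_DECRYPT, isPerm );
    if( symKey == NULL ) {
        PR_fprintf( PR_STDERR, "ERROR: unwrapping key share failed (%d)\n",
                    PORT_GetError() );
    }

    /* … unchanged: cleanup … */
```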
--- a/base/native-tools/src/tkstool/tkstool.c +++ b/base/native-tools/src/tkstool/tkstool.c @@ -1417,14 +1417,14 @@ main( int argc, char **argv ) CKM_DES3_KEY_GEN, CKA_ENCRYPT, &paddedFirstSessionKeyShare, - &pwdata ); + &pwdata, PR_FALSE ); #else firstSymmetricKey = TKS_ImportSymmetricKey( FIRST_SYMMETRIC_KEY, internalSlot, CKM_DES2_KEY_GEN, CKA_ENCRYPT, &firstSessionKeyShare, - &pwdata ); + &pwdata , PR_FALSE ); #endif if( firstSymmetricKey == NULL ) { PR_fprintf( PR_STDERR, diff --git a/base/native-tools/src/tkstool/tkstool.h b/base/native-tools/src/tkstool/tkstool.h index 4c276b0..80fdafd 100644 --- a/base/native-tools/src/tkstool/tkstool.h +++ b/base/native-tools/src/tkstool/tkstool.h @@ -124,6 +124,7 @@ "and press enter to continue " \ "(or ^C to break): " +#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL /**************************************/ /** external function declarations **/ @@ -222,7 +223,7 @@ TKS_ImportSymmetricKey( char *symmetricKeyName, CK_MECHANISM_TYPE mechanism, CK_ATTRIBUTE_TYPE operation, SECItem *sessionKeyShare, - secuPWData *pwdata ); + secuPWData *pwdata, PRBool isPerm ); PK11SymKey * TKS_DeriveSymmetricKey( char *symmetricKeyName, -- 1.8.3.1 From 3ddc916954d712f6fe25497789925fecebef20fc Mon Sep 17 00:00:00 2001 
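Review bot: `#define CKF_KEY_OPERATION_FLAGS 0x000e7b00UL` is a copy of a define that is private to NSS's pk11skey.c, added without a comment, and its only use in key.c applies it to CKA_ attribute-type values rather than CKF_ flag bits, so a reader cannot tell what it masks or why it is here. If it stays, document it next to the definition: `/* mask of the PKCS#11 CKF_* key-usage bits (ENCRYPT/DECRYPT/SIGN/VERIFY/WRAP/UNWRAP/DERIVE), mirroring NSS pk11skey.c; apply only to CKF_ values, never to CKA_ attribute types */`. If the flags handed to `PK11_UnwrapSymKeyWithFlagsPerm` are spelled as CKF_ constants directly, the define is unnecessary and can be dropped.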
From: Ade Lee Date: Wed, 24 May 2017 12:31:45 -0400 Subject: [PATCH 20/38] Encapsulate symmetric and asymmetric keygen audit events Change-Id: Ifc8d05bd1d2d34bb0ef25877f838731bed58d00e --- .../com/netscape/certsrv/logging/AuditEvent.java | 8 ---- .../logging/event/AsymKeyGenerationEvent.java | 45 +++++++++++++++++++ .../event/AsymKeyGenerationProcessedEvent.java | 51 ++++++++++++++++++++++ .../logging/event/SymKeyGenerationEvent.java | 45 +++++++++++++++++++ .../event/SymKeyGenerationProcessedEvent.java | 50 +++++++++++++++++++++ .../src/com/netscape/kra/AsymKeyGenService.java | 20 ++++----- .../kra/src/com/netscape/kra/SymKeyGenService.java | 16 +++---- .../server/kra/rest/KeyRequestService.java | 19 ++++---- base/server/cmsbundle/src/LogMessages.properties | 8 ++-- 9 files changed, 221 insertions(+), 41 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index 891398d..beedb9f 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java 
@@ -166,14 +166,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String KEY_STATUS_CHANGE = "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; - public final static String SYMKEY_GENERATION_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6"; - public static final String SYMKEY_GENERATION_REQUEST = - "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4"; - public static final String ASYMKEY_GENERATION_REQUEST = - "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4"; - public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED = - "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6"; public final static String TOKEN_CERT_ENROLLMENT = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java new file mode 100644 index 0000000..f3236d6 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationEvent.java 
@@ -0,0 +1,45 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; + +public class AsymKeyGenerationEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST"; + + public AsymKeyGenerationEvent( + String subjectID, + String outcome, + RequestId requestID, + String clientKeyID) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + requestID, + clientKeyID + }); + } +} diff --git a/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java new file mode 100644 index 0000000..ba242de --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/AsymKeyGenerationProcessedEvent.java 
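Review bot: The class carries no documentation and its correctness rests entirely on positional coupling: the `setParameters` array must match `{0}`..`{3}` of `LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST` in LogMessages.properties (SubjectID, Outcome, GenerationRequestID, ClientKeyID, visible in that file's hunk), and the caller it replaces guarded the request id with `requestId != null ? requestId.toString() : "null"` while this constructor accepts a null `RequestId` silently. Add a class Javadoc naming the property key and the parameter order, plus `@param` lines stating that `requestID` and `clientKeyID` may be null and are then rendered by the formatter (presumably as `null`; confirm against AuditEvent's formatting).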
@@ -0,0 +1,51 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.dbs.keydb.KeyId; +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; + +public class AsymKeyGenerationProcessedEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED"; + + public AsymKeyGenerationProcessedEvent( + String subjectID, + String outcome, + RequestId requestID, + String clientKeyID, + KeyId keyID, + String failureReason) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + requestID, + clientKeyID, + keyID, + failureReason + }); + } +} + diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java new file mode 100644 index 0000000..c1b8652 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationEvent.java 
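Review bot: The constructor takes `KeyId keyID` and the AsymKeyGenService failure path (its hunk below) passes `null` for it, whereas the code it replaces substituted `"None"` (`keyID != null ? keyID : "None"`), so the KeyID field of failed ASYMKEY_GENERATION_REQUEST_PROCESSED records presumably changes from `None` to `null` — a format change that audit consumers matching `[KeyID=None]` will miss. Normalize in one place, `keyID != null ? keyID : "None",` in the `setParameters` array, and document it: `/** KeyID is logged as "None" when generation failed before a key record existed. */`. The parameter order must also match `{0}`..`{5}` of `LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED`, whose definition lies past the end of this patch excerpt.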
@@ -0,0 +1,45 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; + +public class SymKeyGenerationEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST"; + + public SymKeyGenerationEvent( + String subjectID, + String outcome, + RequestId requestID, + String clientKeyID) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + requestID, + clientKeyID + }); + } +} \ No newline at end of file diff --git a/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java new file mode 100644 index 0000000..ad36d44 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SymKeyGenerationProcessedEvent.java 
@@ -0,0 +1,50 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.dbs.keydb.KeyId; +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.request.RequestId; + +public class SymKeyGenerationProcessedEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED"; + + public SymKeyGenerationProcessedEvent( + String subjectID, + String outcome, + RequestId requestID, + String clientKeyID, + KeyId keyID, + String failureReason) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + requestID, + clientKeyID, + keyID, + failureReason + }); + } +} diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java index cfee504..ea1d0cc 100644 --- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java 
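Review bot: The helper in SymKeyGenService (its hunk below) no longer substitutes `"None"` for a null `keyID` before logging, and this constructor passes the `KeyId` through untouched, so any failure-path caller that passes null presumably produces `[KeyID=null]` where the previous format emitted `[KeyID=None]`. Normalize here, `keyID != null ? keyID : "None",` in the parameter array, and add a class Javadoc stating the property key and that the six parameters map positionally to SubjectID, Outcome, GenerationRequestID, ClientKeyID, KeyID, FailureReason of `LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED` (visible in the LogMessages.properties hunk).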
@@ -28,11 +28,13 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.key.AsymKeyGenerationRequest; import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.AsymKeyGenerationProcessedEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.request.RequestId; @@ -144,8 +146,8 @@ public class AsymKeyGenService implements IService { } catch (EBaseException e) { CMS.debugStackTrace(); auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), - clientKeyId, null, "Failed to generate Asymmetric key"); - throw new EBaseException("Errors in generating Asymmetric key: " + e); + clientKeyId, null, "Failed to generate asymmetric key: " + e.getMessage()); + throw new EBaseException("Errors in generating Asymmetric key: " + e, e); } if (kp == null) { @@ -205,7 +207,7 @@ public class AsymKeyGenService implements IService { storage.addKeyRecord(record); auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), - clientKeyId, serialNo.toString(), "None"); + clientKeyId, new KeyId(serialNo), "None"); request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); kra.getRequestQueue().updateRequest(request); return true; 
@@ -234,15 +236,13 @@ public class AsymKeyGenService implements IService { private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, - String keyID, String reason) { - String auditMessage = CMS.getLogMessage( - AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED, + KeyId keyID, String reason) { + audit(new AsymKeyGenerationProcessedEvent( subjectID, status, - requestID.toString(), + requestID, clientKeyID, - keyID != null ? keyID : "None", - reason); - audit(auditMessage); + keyID, + reason)); } } diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index bf350d5..a4613c2 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java @@ -32,11 +32,13 @@ import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; +import com.netscape.certsrv.dbs.keydb.KeyId; import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.key.SymKeyGenerationRequest; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SymKeyGenerationProcessedEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; import com.netscape.certsrv.request.RequestId; @@ -232,7 +234,7 @@ public class SymKeyGenService implements IService { storage.addKeyRecord(rec); auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(), - clientKeyId, serialNo.toString(), "None"); + clientKeyId, new KeyId(serialNo), "None"); request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS); mKRA.getRequestQueue().updateRequest(request); 
@@ -262,15 +264,13 @@ public class SymKeyGenService implements IService { } private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID, - String keyID, String reason) { - String auditMessage = CMS.getLogMessage( - AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED, + KeyId keyID, String reason) { + audit(new SymKeyGenerationProcessedEvent( subjectID, status, - requestID.toString(), + requestID, clientKeyID, - keyID != null ? keyID : "None", - reason); - audit(auditMessage); + keyID, + reason)); } } \ No newline at end of file diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java index 8ec69a7..4e21f12 100644 --- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java +++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java @@ -48,11 +48,12 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection; import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.key.KeyRequestResponse; import com.netscape.certsrv.key.SymKeyGenerationRequest; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.AsymKeyGenerationEvent; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; import com.netscape.certsrv.logging.event.SecurityDataRecoveryStateChangeEvent; +import com.netscape.certsrv.logging.event.SymKeyGenerationEvent; import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestNotFoundException; import com.netscape.cms.realm.PKIPrincipal; 
@@ -363,23 +364,19 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes } public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { - String msg = CMS.getLogMessage( - AuditEvent.SYMKEY_GENERATION_REQUEST, + audit(new SymKeyGenerationEvent( getRequestor(), status, - requestId != null ? requestId.toString() : "null", - clientKeyID); - auditor.log(msg); + requestId, + clientKeyID)); } public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) { - String msg = CMS.getLogMessage( - AuditEvent.ASYMKEY_GENERATION_REQUEST, + audit(new AsymKeyGenerationEvent( getRequestor(), status, - requestId != null ? requestId.toString() : "null", - clientKeyID); - auditor.log(msg); + requestId, + clientKeyID)); } @Override diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 66a7fd0..4a44134 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
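Review bot: Both auditSymKeyGenRequestMade and auditAsymKeyGenRequestMade drop the `requestId != null ? requestId.toString() : "null"` guard and pass the RequestId object straight to the event, so the GenerationRequestID field for a missing id now depends on how the event renders a null parameter rather than on the explicit `"null"` token the old code wrote. If SymKeyGenerationEvent and AsymKeyGenerationEvent (outside this hunk) already normalise null, a one-line comment here such as `// a null requestId is normalised by the event constructor` makes that intentional; otherwise the normalisation belongs in those constructors so all callers agree. The switch from `auditor.log(msg)` to `audit(...)` presumably relies on an `audit(AuditEvent)` helper on SubsystemService that is not visible here; worth confirming it writes to the signed audit log and not a plain logger, since these are signed-audit events.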
@@ -2492,22 +2492,22 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=:[AuditEvent=KE # Client ID must be the user supplied client ID associated with # the symmetric key to be generated and archived # -LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed +LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] symkey generation request processed # # LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST # - used when symmetric key generation request is made # ClientKeyID is the ID of the symmetirc key to be generated and archived # -LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4=:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request made +LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=:[AuditEvent=SYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] symkey generation request made # # LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST # - used when asymmetric key generation request is made -LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4=:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made +LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=:[AuditEvent=ASYMKEY_GENERATION_REQUEST][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}] Asymkey generation request made # # LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED # - used when a request to generate asymmetric keys received by the DRM # is processed. 
-LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed +LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][GenerationRequestID={2}][ClientKeyID={3}][KeyID={4}][FailureReason={5}] Asymkey generation request processed # # LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT # - used for TPS when token certificate enrollment request is made -- 1.8.3.1 From 468cacf6d6ec4f46bd4e60255105da3a585c4f6d Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 20 May 2017 01:28:06 +0200 Subject: [PATCH 21/38] Replaced random number generator in SecurityDataProcessor. The SecurityDataProcessor has been modified to use the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Ibca684a2165266456c4b28cba5eae4136940d189 --- .../com/netscape/kra/SecurityDataProcessor.java | 25 ++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java index 2899f32..ec848be 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java +++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java @@ -48,6 +48,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Utils; 
@@ -640,7 +641,7 @@ public class SecurityDataProcessor { * (ie. algorithm is unknown) */ private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception { - int numBytes = 0; + EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)): defaultAlg; @@ -651,8 +652,14 @@ public class SecurityDataProcessor { if (alg.getParameterClasses() == null) return null; - numBytes = alg.getIVLength(); - return (new SecureRandom()).generateSeed(numBytes); + int numBytes = alg.getIVLength(); + byte[] bytes = new byte[numBytes]; + + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + random.nextBytes(bytes); + + return bytes; } /*** @@ -668,7 +675,7 @@ public class SecurityDataProcessor { * (ie. algorithm is unknown) */ private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception { - int numBytes = 0; + KeyWrapAlgorithm alg = wrapName != null ? KeyWrapAlgorithm.fromString(wrapName) : defaultAlg; @@ -679,8 +686,14 @@ public class SecurityDataProcessor { if (alg.getParameterClasses() == null) return null; - numBytes = alg.getBlockSize(); - return (new SecureRandom()).generateSeed(numBytes); + int numBytes = alg.getBlockSize(); + byte[] bytes = new byte[numBytes]; + + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + random.nextBytes(bytes); + + return bytes; } public SymmetricKey recoverSymKey(KeyRecord keyRecord) -- 1.8.3.1 From eed550a9a7330d707f35ce8a9946573df68ff01b Mon Sep 17 00:00:00 2001 
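Review bot: The four added lines that look up JssSubsystem and fill the buffer are duplicated verbatim in generate_iv (hunk -651) and generate_wrap_iv (hunk -679), and in both the result of `(JssSubsystem) CMS.getSubsystem(JssSubsystem.ID)` is cast and dereferenced with no null check. A private helper keeps the generator lookup in one place and gives it a single spot for that check; each method then ends with `return randomBytes(alg.getIVLength());` or `return randomBytes(alg.getBlockSize());`. The switch from `SecureRandom.generateSeed` to `nextBytes` on the subsystem's generator is the behavioural change of this patch, and the existing Javadoc on both methods (only its tail is in the hunk) still says nothing about where the IV bytes come from, so a sentence on the helper is the natural place to record it.
```java
/** Returns numBytes fresh bytes from the JssSubsystem random number generator. */
private byte[] randomBytes(int numBytes) {
    JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID);
    if (jssSubsystem == null) {
        throw new IllegalStateException("JssSubsystem is not available");
    }
    SecureRandom random = jssSubsystem.getRandomNumberGenerator();
    byte[] bytes = new byte[numBytes];
    random.nextBytes(bytes);
    return bytes;
}
```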
From: "Endi S. Dewata" Date: Sat, 20 May 2017 01:40:18 +0200 Subject: [PATCH 22/38] Replaced random number generator in RequestQueue. The RequestQueue has been modified to use the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Id93f769d1fca154ee385a3dcebee55b13a65d38e --- .../cmscore/src/com/netscape/cmscore/request/RequestQueue.java | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java index d7e7c6e..cd0f890 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java +++ b/base/server/cmscore/src/com/netscape/cmscore/request/RequestQueue.java @@ -42,6 +42,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.request.RequestStatus; import com.netscape.certsrv.request.ldap.IRequestMod; import com.netscape.cmscore.dbs.DBSubsystem; +import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmscore.util.Debug; public class RequestQueue @@ -60,9 +61,11 @@ public class RequestQueue } protected RequestId newEphemeralRequestId() { - long id = System.currentTimeMillis() * 10000 + new SecureRandom().nextInt(10000); - RequestId rid = new RequestId(id); - return rid; + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); + + long id = System.currentTimeMillis() * 10000 + random.nextInt(10000); + return new RequestId(id); } protected IRequest readRequest(RequestId id) { -- 1.8.3.1 From 14e4e7a992c9537b9bf0403e6d94f316009923d0 Mon Sep 17 00:00:00 2001 
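Review bot: The id in newEphemeralRequestId is still `System.currentTimeMillis() * 10000 + random.nextInt(10000)`, so changing the generator does not change that two ephemeral requests created in the same millisecond collide with probability 1/10000 and that the random part contributes only about 13 bits; if these ids are ever relied on for uniqueness or treated as hard to guess, that limit deserves a comment on the method, e.g. `// time-based id with a 4-digit random suffix: not unique within one millisecond and not a secret`. As in the SecurityDataProcessor change in the preceding patch, `(JssSubsystem) CMS.getSubsystem(JssSubsystem.ID)` is dereferenced without a null check; whether the subsystem can be absent when a request queue is in use is not visible here.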
From: "Endi S. Dewata" Date: Wed, 24 May 2017 20:25:54 +0200 Subject: [PATCH 23/38] Added CRLIssuingPoint.generateCRLExtensions(). The code that generates CRLExtensions in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateCRLExtensions() method for clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I33d7477ccb8b408c54d9c026dea070a7198beffd --- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 45 ++++++++++++------------ 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index 64101d7..de733eb 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java @@ -2630,17 +2630,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mLastCRLNumber = mCRLNumber; - CRLExtensions ext = new CRLExtensions(); - Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); + CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); - for (int i = 0; i < extNames.size(); i++) { - String extName = extNames.elementAt(i); - - if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && - (!extName.equals(FreshestCRLExtension.NAME))) { - mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); - } - } mSplits[1] += System.currentTimeMillis(); X509CRLImpl newX509DeltaCRL = null; 
@@ -2791,20 +2782,11 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mNextCRLNumber = mNextDeltaCRLNumber; } - CRLExtensions ext = null; - + CRLExtensions ext; if (mAllowExtensions) { - ext = new CRLExtensions(); - Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); - - for (int i = 0; i < extNames.size(); i++) { - String extName = extNames.elementAt(i); - - if (mCMSCRLExtensions.isCRLExtensionEnabled(extName) && - (!extName.equals(DeltaCRLIndicatorExtension.NAME))) { - mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); - } - } + ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); + } else { + ext = null; } mSplits[6] += System.currentTimeMillis(); // for audit log @@ -2965,6 +2947,23 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { notifyAll(); } + CRLExtensions generateCRLExtensions(String excludedExtension) { + + CRLExtensions ext = new CRLExtensions(); + Vector extNames = mCMSCRLExtensions.getCRLExtensionNames(); + + for (int i = 0; i < extNames.size(); i++) { + String extName = extNames.elementAt(i); + + if (extName.equals(excludedExtension)) continue; + if (!mCMSCRLExtensions.isCRLExtensionEnabled(extName)) continue; + + mCMSCRLExtensions.addToCRLExtensions(ext, extName, null); + } + + return ext; + } + /** * publish CRL. called from updateCRLNow() and init(). */ -- 1.8.3.1 From 9af1f0d3b48d6dd358a4c63f938f2c5d0e119d7a Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 25 May 2017 00:36:45 +0200 Subject: [PATCH 24/38] Added CRLIssuingPoint.generateDeltaCRL(). The code that generates delta CRL in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateDeltaCRL() method for clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I494524ba3fffd89e4edd995c2fa32b9f55104c4a --- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 160 +++++++++++++---------- 1 file changed, 93 insertions(+), 67 deletions(-) 
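Review bot: The new generateCRLExtensions (hunk -2965) has no Javadoc, and its contract — every extension that mCMSCRLExtensions reports as enabled is added except the one named by `excludedExtension` — is only recoverable by reading both call sites, so a short Javadoc with `@param excludedExtension name of the extension to leave out, e.g. the delta or freshest indicator` and `@return a new CRLExtensions holding every other enabled extension` would make it self-contained. It is package-private with no modifier; unless that is deliberate for tests, `private` matches the only two callers, which are the -2630 hunk in the previous line and the -2791 hunk here. The `extName.equals(excludedExtension)` check is null-safe for the argument, which is worth stating if callers may pass null.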
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index de733eb..317294b 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java 
@@ -2634,73 +2634,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[1] += System.currentTimeMillis(); - X509CRLImpl newX509DeltaCRL = null; - - try { - mSplits[2] -= System.currentTimeMillis(); - byte[] newDeltaCRL; - - // #56123 - dont generate CRL if no revoked certificates - if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { - if (deltaCRLCerts.size() == 0) { - CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "No Revoked Certificates")); - } - } - X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), - AlgorithmId.get(signingAlgorithm), - thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); - - newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); - newDeltaCRL = newX509DeltaCRL.getEncoded(); - mSplits[2] += System.currentTimeMillis(); - - mSplits[3] -= System.currentTimeMillis(); - mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, - Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); - mSplits[3] += System.currentTimeMillis(); - - mDeltaCRLSize = deltaCRLCerts.size(); - - long totalTime = 0; - StringBuffer splitTimes = new StringBuffer(" ("); - for (int i = 1; i < mSplits.length && i < 5; i++) { - totalTime += mSplits[i]; - if (i > 1) - splitTimes.append(","); - splitTimes.append(String.valueOf(mSplits[i])); - } - splitTimes.append(")"); - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), - new Object[] { - getId(), - getNextCRLNumber(), - getCRLNumber(), - getLastUpdate(), - getNextDeltaUpdate(), - Long.toString(mDeltaCRLSize), - Long.toString(totalTime) + splitTimes.toString() - } - ); - } catch (EBaseException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); - mDeltaCRLSize = -1; - } catch (NoSuchAlgorithmException e) { 
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - } catch (CRLException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - } catch (X509ExtensionException e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - } catch (OutOfMemoryError e) { - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - } + X509CRLImpl newX509DeltaCRL = generateDeltaCRL( + deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext); try { mSplits[4] -= System.currentTimeMillis(); 
@@ -2964,6 +2899,97 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { return ext; } + X509CRLImpl generateDeltaCRL( + Hashtable deltaCRLCerts, + String signingAlgorithm, + Date thisUpdate, + Date nextDeltaUpdate, + CRLExtensions ext) { + + X509CRLImpl newX509DeltaCRL = null; + + try { + mSplits[2] -= System.currentTimeMillis(); + + // #56123 - dont generate CRL if no revoked certificates + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if (deltaCRLCerts.size() == 0) { + CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "No Revoked Certificates")); + } + } + + X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), + AlgorithmId.get(signingAlgorithm), + thisUpdate, nextDeltaUpdate, deltaCRLCerts, ext); + + newX509DeltaCRL = mCA.sign(crl, signingAlgorithm); + + byte[] newDeltaCRL = newX509DeltaCRL.getEncoded(); + + mSplits[2] += System.currentTimeMillis(); + + mSplits[3] -= System.currentTimeMillis(); + mCRLRepository.updateDeltaCRL(mId, mNextDeltaCRLNumber, + Long.valueOf(deltaCRLCerts.size()), mNextDeltaUpdate, newDeltaCRL); + mSplits[3] += System.currentTimeMillis(); + + mDeltaCRLSize = deltaCRLCerts.size(); + + long totalTime = 0; + StringBuffer splitTimes = new StringBuffer(" ("); + for (int i = 1; i < mSplits.length && i < 5; i++) { + totalTime += mSplits[i]; + if (i > 1) + splitTimes.append(","); + splitTimes.append(String.valueOf(mSplits[i])); + } + splitTimes.append(")"); + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_DELTA_CRL_UPDATED"), + new Object[] { + getId(), + getNextCRLNumber(), + getCRLNumber(), + getLastUpdate(), + getNextDeltaUpdate(), + Long.toString(mDeltaCRLSize), + Long.toString(totalTime) + splitTimes.toString() + } + ); + + } catch (EBaseException e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); + mDeltaCRLSize = -1; + + } catch (NoSuchAlgorithmException e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + + } catch (CRLException e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + + } catch (X509ExtensionException e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + + } catch (OutOfMemoryError e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); + mDeltaCRLSize = -1; + } + + return newX509DeltaCRL; + } + /** * publish CRL. called from updateCRLNow() and init(). */ -- 1.8.3.1 From f3cc4462e3fd353a78c6a174c93ef3f81c014ce8 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 25 May 2017 00:58:03 +0200 Subject: [PATCH 25/38] Added CRLIssuingPoint.generateFullCRL(). The code that generates full CRL in updateCRLNow() in CRLIssuingPoint has been refactored into a separate generateFullCRL() method for clarity. https://pagure.io/dogtagpki/issue/2651 Change-Id: I4356f3ba71e523cb0f8fa8aa25c34a7a6b6ac49e --- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 254 ++++++++++++----------- 1 file changed, 134 insertions(+), 120 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index 317294b..3764adf 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java 
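Review bot: generateDeltaCRL returns null on every failure path (newX509DeltaCRL keeps its initial null after any of the five catch blocks) and nothing in the method says so, so callers outside the hunk must null-check the result; the method needs a Javadoc stating `@return the signed delta CRL, or null if generation or storage failed (the failure is logged and mDeltaCRLSize is set to -1)` plus `@param` lines for deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate and ext. Two points carried over from the inlined code are also worth a comment now that they live in a named method: `mSplits[2] -= System.currentTimeMillis()` at the top is not balanced by the matching `+=` when an exception is thrown before it, leaving that split counter skewed for the next audit line, and `catch (OutOfMemoryError e)` turns an Error into a logged failure rather than letting it propagate.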
@@ -2726,126 +2726,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[6] += System.currentTimeMillis(); // for audit log - X509CRLImpl newX509CRL; - - try { - byte[] newCRL; - - CMS.debug("Making CRL with algorithm " + - signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); - - mSplits[7] -= System.currentTimeMillis(); - - // #56123 - dont generate CRL if no revoked certificates - if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { - if (mCRLCerts.size() == 0) { - CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "No Revoked Certificates")); - } - } - CMS.debug("before new X509CRLImpl"); - X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), - AlgorithmId.get(signingAlgorithm), - thisUpdate, nextUpdate, mCRLCerts, ext); - - CMS.debug("before sign"); - newX509CRL = mCA.sign(crl, signingAlgorithm); - - CMS.debug("before getEncoded()"); - newCRL = newX509CRL.getEncoded(); - CMS.debug("after getEncoded()"); - mSplits[7] += System.currentTimeMillis(); - - mSplits[8] -= System.currentTimeMillis(); - - Date nextUpdateDate = mNextUpdate; - if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || - (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { - nextUpdateDate = mNextDeltaUpdate; - } - if (mSaveMemory) { - mCRLRepository.updateCRLIssuingPointRecord( - mId, newCRL, thisUpdate, nextUpdateDate, - mNextCRLNumber, Long.valueOf(mCRLCerts.size())); - updateCRLCacheRepository(); - } else { - mCRLRepository.updateCRLIssuingPointRecord( - mId, newCRL, thisUpdate, nextUpdateDate, - mNextCRLNumber, Long.valueOf(mCRLCerts.size()), - mRevokedCerts, mUnrevokedCerts, mExpiredCerts); - mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; - } - - mSplits[8] += System.currentTimeMillis(); - - mCRLSize = mCRLCerts.size(); - mCRLNumber = mNextCRLNumber; - mDeltaCRLNumber = 
mCRLNumber; - mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); - mNextDeltaCRLNumber = mNextCRLNumber; - - CMS.debug("Logging CRL Update to transaction log"); - long totalTime = 0; - long crlTime = 0; - long deltaTime = 0; - StringBuilder splitTimes = new StringBuilder(" ("); - for (int i = 0; i < mSplits.length; i++) { - totalTime += mSplits[i]; - if (i > 0 && i < 5) { - deltaTime += mSplits[i]; - } else { - crlTime += mSplits[i]; - } - if (i > 0) - splitTimes.append(","); - splitTimes.append(mSplits[i]); - } - splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime)); - mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, - AuditFormat.LEVEL, - CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), - new Object[] { - getId(), - getCRLNumber(), - getLastUpdate(), - getNextUpdate(), - Long.toString(mCRLSize), - Long.toString(totalTime), - Long.toString(crlTime), - Long.toString(deltaTime) + splitTimes - } - ); - CMS.debug("Finished Logging CRL Update to transaction log"); - - } catch (EBaseException e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - if (Debug.on()) - Debug.printStackTrace(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); - } catch (NoSuchAlgorithmException e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); - } catch (CRLException e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); - } catch (X509ExtensionException e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, 
CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); - } catch (OutOfMemoryError e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); - throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); - } + X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext); try { mSplits[9] -= System.currentTimeMillis(); 
@@ -2990,6 +2871,139 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { return newX509DeltaCRL; } + X509CRLImpl generateFullCRL( + String signingAlgorithm, + Date thisUpdate, + Date nextUpdate, + CRLExtensions ext) throws EBaseException { + + try { + CMS.debug("Making CRL with algorithm " + + signingAlgorithm + " " + AlgorithmId.get(signingAlgorithm)); + + mSplits[7] -= System.currentTimeMillis(); + + // #56123 - dont generate CRL if no revoked certificates + if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { + if (mCRLCerts.size() == 0) { + CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated"); + throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", + "No Revoked Certificates")); + } + } + + CMS.debug("CRLIssuingPoint: creating CRL object"); + X509CRLImpl crl = new X509CRLImpl(mCA.getCRLX500Name(), + AlgorithmId.get(signingAlgorithm), + thisUpdate, nextUpdate, mCRLCerts, ext); + + CMS.debug("CRLIssuingPoint: signing CRL"); + X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm); + + CMS.debug("CRLIssuingPoint: encoding CRL"); + byte[] newCRL = newX509CRL.getEncoded(); + + mSplits[7] += System.currentTimeMillis(); + + mSplits[8] -= System.currentTimeMillis(); + + Date nextUpdateDate = mNextUpdate; + if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || + (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { + nextUpdateDate = mNextDeltaUpdate; + } + + if (mSaveMemory) { + mCRLRepository.updateCRLIssuingPointRecord( + mId, newCRL, thisUpdate, nextUpdateDate, + mNextCRLNumber, Long.valueOf(mCRLCerts.size())); + updateCRLCacheRepository(); + + } else { + mCRLRepository.updateCRLIssuingPointRecord( + mId, newCRL, thisUpdate, nextUpdateDate, + mNextCRLNumber, Long.valueOf(mCRLCerts.size()), + mRevokedCerts, mUnrevokedCerts, mExpiredCerts); + mFirstUnsaved = ICRLIssuingPointRecord.CLEAN_CACHE; + } + + mSplits[8] += 
System.currentTimeMillis(); + + mCRLSize = mCRLCerts.size(); + mCRLNumber = mNextCRLNumber; + mDeltaCRLNumber = mCRLNumber; + mNextCRLNumber = mCRLNumber.add(BigInteger.ONE); + mNextDeltaCRLNumber = mNextCRLNumber; + + CMS.debug("CRLIssuingPoint: Logging CRL Update to transaction log"); + long totalTime = 0; + long crlTime = 0; + long deltaTime = 0; + StringBuilder splitTimes = new StringBuilder(" ("); + for (int i = 0; i < mSplits.length; i++) { + totalTime += mSplits[i]; + if (i > 0 && i < 5) { + deltaTime += mSplits[i]; + } else { + crlTime += mSplits[i]; + } + if (i > 0) + splitTimes.append(","); + splitTimes.append(mSplits[i]); + } + splitTimes.append(String.format(",%d,%d,%d)",deltaTime,crlTime,totalTime)); + + mLogger.log(ILogger.EV_AUDIT, ILogger.S_OTHER, + AuditFormat.LEVEL, + CMS.getLogMessage("CMSCORE_CA_CA_CRL_UPDATED"), + new Object[] { + getId(), + getCRLNumber(), + getLastUpdate(), + getNextUpdate(), + Long.toString(mCRLSize), + Long.toString(totalTime), + Long.toString(crlTime), + Long.toString(deltaTime) + splitTimes + } + ); + + CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); + + return newX509CRL; + + } catch (EBaseException e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + + } catch (NoSuchAlgorithmException e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + + } catch (CRLException e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + + } catch 
(X509ExtensionException e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + + } catch (OutOfMemoryError e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); + throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); + } + } + /** * publish CRL. called from updateCRLNow() and init(). */ -- 1.8.3.1 From c88ad697138778c597cf8ce361f8ee1761bee0ab Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 24 May 2017 22:49:24 -0400 Subject: [PATCH 26/38] Encapsulate key status change audit logs Change-Id: I57b30cdff571056d0a95436858308872a8dc007b --- .../com/netscape/certsrv/logging/AuditEvent.java | 3 -- .../event/SecurityDataStatusChangeEvent.java | 49 ++++++++++++++++++++++ .../org/dogtagpki/server/kra/rest/KeyService.java | 16 ++++--- base/server/cmsbundle/src/LogMessages.properties | 2 +- 4 files changed, 57 insertions(+), 13 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index beedb9f..348ea09 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java @@ -164,9 +164,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String CONFIG_SERIAL_NUMBER = "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1"; - public final static String KEY_STATUS_CHANGE = - "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6"; - public final static String TOKEN_CERT_ENROLLMENT = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9"; public final static String TOKEN_CERT_RENEWAL = 
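Review bot: The catch blocks for NoSuchAlgorithmException, CRLException, X509ExtensionException and OutOfMemoryError in generateFullCRL are line-for-line identical; assuming a Java 7 or later target, a multi-catch keeps the distinct EBaseException branch (it logs CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL) and collapses the other four, which also makes it obvious that every failure sets `mUpdatingCRL = CRL_UPDATE_DONE` before rethrowing. That side effect and the rethrow belong in a Javadoc on the method, which currently has none: `@throws EBaseException an ECAException wrapping the signing or storage failure, after mUpdatingCRL has been reset to CRL_UPDATE_DONE`. The same shape exists in generateDeltaCRL from the previous patch, and as there `mSplits[7] -= ...` is left unbalanced when an exception escapes before the matching `+=`.
```java
            // … unchanged: try body (build, sign, encode, store, audit log, return newX509CRL) …

        } catch (EBaseException e) {
            CMS.debug(e);
            mUpdatingCRL = CRL_UPDATE_DONE;
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));

        } catch (NoSuchAlgorithmException | CRLException | X509ExtensionException | OutOfMemoryError e) {
            CMS.debug(e);
            mUpdatingCRL = CRL_UPDATE_DONE;
            log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
            throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
        }
```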
diff --git a/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java new file mode 100644 index 0000000..082516c --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/SecurityDataStatusChangeEvent.java @@ -0,0 +1,49 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import com.netscape.certsrv.dbs.keydb.KeyId; +import com.netscape.certsrv.logging.AuditEvent; + +public class SecurityDataStatusChangeEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + private static final String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE"; + + public SecurityDataStatusChangeEvent( + String subjectID, + String outcome, + KeyId keyID, + String oldStatus, + String newStatus, + String info) { + + super(LOGGING_PROPERTY); + + setParameters(new Object[] { + subjectID, + outcome, + keyID, + oldStatus, + newStatus, + info + }); + } +} \ No newline at end of file diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java index 8edb928..642367c 100644 
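Review bot: The new public class and its six-argument constructor carry no Javadoc, and the positional meaning of the arguments only follows from the `{0}`..`{5}` placeholders of LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE in LogMessages.properties (SubjectID, Outcome, KeyID, OldStatus, NewStatus, Info); a class comment naming that mapping lets a reader check a call site without opening the bundle. Nothing in the constructor normalises a null `keyID` or `oldStatus` — the KeyService caller in this patch passes `(info!=null)?info.getStatus():null` for the old status — so the rendered field is whatever the formatter prints for null; if that is acceptable, say so in the comment, otherwise substitute a fixed token here so all call sites behave alike. The file is also added without a trailing newline.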
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java +++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java @@ -60,12 +60,12 @@ import com.netscape.certsrv.key.KeyRecoveryRequest; import com.netscape.certsrv.key.KeyResource; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.kra.IKeyService; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataExportEvent; import com.netscape.certsrv.logging.event.SecurityDataInfoEvent; import com.netscape.certsrv.logging.event.SecurityDataRecoveryEvent; import com.netscape.certsrv.logging.event.SecurityDataRecoveryProcessedEvent; +import com.netscape.certsrv.logging.event.SecurityDataStatusChangeEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IRequestQueue; import com.netscape.certsrv.request.RequestId; @@ -657,17 +657,15 @@ public class KeyService extends SubsystemService implements KeyResource { auditKeyInfo(keyId, clientKeyId, ILogger.FAILURE, message); } - public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus, + public void auditKeyStatusChange(String status, KeyId keyID, String oldKeyStatus, String newKeyStatus, String info) { - String msg = CMS.getLogMessage( - AuditEvent.KEY_STATUS_CHANGE, + audit(new SecurityDataStatusChangeEvent( servletRequest.getUserPrincipal().getName(), status, keyID, oldKeyStatus, newKeyStatus, - info); - auditor.log(msg); + info)); } public void auditRecoveryRequest(String status) { 
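Review bot: auditKeyStatusChange still derives the subject from `servletRequest.getUserPrincipal().getName()` with no null check, and the -809 hunk that follows calls it from the catch blocks of the status-change handler, so a request reaching that path without a principal would throw NullPointerException inside the audit call, masking the original failure and leaving no audit record of it. KeyRequestService in an earlier patch of this series resolves the subject through a `getRequestor()` helper; if KeyService has or can share that helper, using it here keeps the two audit paths consistent, otherwise read the principal into a local first and fall back to a fixed unauthenticated marker when it is null. Whether an unauthenticated caller can reach this handler depends on the servlet's auth configuration, which is not visible here.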
@@ -809,20 +807,20 @@ public class KeyService extends SubsystemService implements KeyResource { mods.add(IKeyRecord.ATTR_STATUS, Modification.MOD_REPLACE, status); repo.modifyKeyRecord(keyId.toBigInteger(), mods); - auditKeyStatusChange(ILogger.SUCCESS, keyId.toString(), + auditKeyStatusChange(ILogger.SUCCESS, keyId, (info!=null)?info.getStatus():null, status, auditInfo); return createNoContentResponse(); } catch (EDBRecordNotFoundException e) { auditInfo = auditInfo + ":" + e.getMessage(); CMS.debug(auditInfo); - auditKeyStatusChange(ILogger.FAILURE, keyId.toString(), + auditKeyStatusChange(ILogger.FAILURE, keyId, (info!=null)?info.getStatus():null, status, auditInfo); throw new KeyNotFoundException(keyId, "key not found to modify", e); } catch (Exception e) { auditInfo = auditInfo + ":" + e.getMessage(); CMS.debug(auditInfo); - auditKeyStatusChange(ILogger.FAILURE, keyId.toString(), + auditKeyStatusChange(ILogger.FAILURE, keyId, (info!=null)?info.getStatus():null, status, auditInfo); e.printStackTrace(); throw new PKIException(e.getMessage(), e); diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 4a44134..3ac23d5 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties @@ -2484,7 +2484,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=:[AuditEvent=SE # oldStatus is the old status to change from # newStatus is the new status to change to # -LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6=:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change +LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=:[AuditEvent=KEY_STATUS_CHANGE][SubjectID={0}][Outcome={1}][KeyID={2}][OldStatus={3}][NewStatus={4}][Info={5}] Key Status Change # # LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED # - used when symmetric key generation request is processed -- 1.8.3.1 
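Review bot: In both catch blocks of this hunk `auditInfo = auditInfo + ":" + e.getMessage()` feeds the raw exception text into the Info field of the signed audit record, and in the generic `catch (Exception e)` the same text is returned to the client through `new PKIException(e.getMessage(), e)`; internal LDAP or storage error strings can disclose more than a status-change caller should see. Keep the detailed message in the debug log and audit a fixed description, e.g. `auditInfo = auditInfo + ":" + e.getClass().getSimpleName();`, and replace `e.printStackTrace();` with `CMS.debug(e);` so the trace lands in the server log rather than on stderr. The enclosing method starts before this hunk, so where `auditInfo` is first assigned is not visible here.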
From 2a947446b81d21758ffadbae905a49e8c4e900ef Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Wed, 24 May 2017 23:42:41 -0400 Subject: [PATCH 27/38] Encapsulate server side keygen audit events This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf --- .../com/netscape/certsrv/logging/AuditEvent.java | 6 --- .../logging/event/ServerSideKeyGenEvent.java | 45 +++++++++++++++++++++ .../event/ServerSideKeyGenProcessedEvent.java | 47 ++++++++++++++++++++++ base/kra/shared/conf/CS.cfg | 4 +- .../src/com/netscape/kra/NetkeyKeygenService.java | 34 +++++++--------- base/server/cmsbundle/src/LogMessages.properties | 14 ++----- 6 files changed, 113 insertions(+), 37 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java index 348ea09..1d94dad 100644 --- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java +++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java 
@@ -72,12 +72,6 @@ public class AuditEvent implements IBundleLogEvent { public final static String LOG_PATH_CHANGE = "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4"; - public final static String SERVER_SIDE_KEYGEN_REQUEST = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3"; - public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4"; - public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE = - "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3"; public final static String KEY_RECOVERY_AGENT_LOGIN = "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4"; public final static String KEY_GEN_ASYMMETRIC = diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java new file mode 100644 index 0000000..0894716 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenEvent.java 
@@ -0,0 +1,45 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.request.RequestId;
+
+public class ServerSideKeyGenEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ private static final String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST";
+
+ public ServerSideKeyGenEvent(
+ String subjectID,
+ String outcome,
+ String entityID,
+ RequestId requestID) {
+
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ entityID,
+ requestID
+ });
+ }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
new file mode 100644
index 0000000..71ed3ed
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ServerSideKeyGenProcessedEvent.java
@@ -0,0 +1,47 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.request.RequestId;
+
+public class ServerSideKeyGenProcessedEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ private static final String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED";
+
+ public ServerSideKeyGenProcessedEvent(
+ String subjectID,
+ String outcome,
+ String entityID,
+ RequestId requestID,
+ String pubKey) {
+
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ outcome,
+ entityID,
+ requestID,
+ pubKey
+ });
+ }
+}
\ No newline at end of file
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 69d9382..c08e56e 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
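Review bot: `LOGGING_PROPERTY` in ServerSideKeyGenProcessedEvent is `"LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED"`, but the template this same patch adds to LogMessages.properties for this event is keyed `LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED`; every processed event emitted from NetkeyKeygenService will therefore be rendered through the symmetric-key template (different `AuditEvent=` name and parameter layout), and the `SERVER_SIDE_KEYGEN_REQUEST_PROCESSED` event that CS.cfg now enables is never actually produced, so an auditor filtering on it sees no trace of token key generation. Change the constant to `"LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED"`. The sibling ServerSideKeyGenEvent already uses the matching `..._SERVER_SIDE_KEYGEN_REQUEST` key, and this file is also missing its trailing newline.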
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 947377a..e54c58a 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java 
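Review bot: The rewritten `log.instance.SignedAudit.events=` value still lists `SECURITY_DATA_RETRIEVE_KEY` twice and does not enable `SECURITY_DATA_INFO` or `LOG_EXPIRATION_CHANGE`, both of which the `_005` "Available Audit events" comment just above advertises, so after this change the enabled set and the documented set still disagree. Since the patch is already editing both lines, drop the duplicate and append `SECURITY_DATA_INFO` (and `LOG_EXPIRATION_CHANGE`, if the KRA emits it) to the `events=` value. Note also that every copy of the list keeps a space before `COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE` and `DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE`; if the event-name parser does not trim entries, those two events are never matched — worth confirming against the logger code.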
@@ -53,8 +53,11 @@ import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent; import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent; import com.netscape.certsrv.logging.event.SecurityDataExportEvent; +import com.netscape.certsrv.logging.event.ServerSideKeyGenEvent; +import com.netscape.certsrv.logging.event.ServerSideKeyGenProcessedEvent; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; +import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cms.servlet.key.KeyRecordParser; @@ -144,7 +147,6 @@ public class NetkeyKeygenService implements IService { */ public boolean serviceRequest(IRequest request) throws EBaseException { - String auditMessage = null; String auditSubjectID = null; byte[] wrapped_des_key; @@ -180,23 +182,21 @@ public class NetkeyKeygenService implements IService { String rCUID = request.getExtDataInString(IRequest.NETKEY_ATTR_CUID); String rUserid = request.getExtDataInString(IRequest.NETKEY_ATTR_USERID); String rKeytype = request.getExtDataInString(IRequest.NETKEY_ATTR_KEY_TYPE); + RequestId requestId = request.getRequestId(); auditSubjectID = rCUID + ":" + rUserid; SessionContext sContext = SessionContext.getContext(); String agentId = ""; if (sContext != null) { - agentId = - (String) sContext.get(SessionContext.USER_ID); + agentId = (String) sContext.get(SessionContext.USER_ID); } - auditMessage = CMS.getLogMessage( - AuditEvent.SERVER_SIDE_KEYGEN_REQUEST, + audit(new ServerSideKeyGenEvent( agentId, ILogger.SUCCESS, - auditSubjectID); - - audit(auditMessage); + auditSubjectID, + requestId)); String rWrappedDesKeyString = request.getExtDataInString(IRequest.NETKEY_ATTR_DRMTRANS_DES_KEY); // the request reocrd field delayLDAPCommit == "true" will cause 
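Review bot: In the `@@ -180,23 +182,21 @@` hunk `agentId` falls back to `""` when `SessionContext.getContext()` returns null, so the new ServerSideKeyGenEvent can be written with an empty SubjectID that an auditor cannot distinguish from a dropped field. Initialise it with an explicit marker before the `sContext != null` check — the non-applicable placeholder ILogger defines for signed-audit fields if one exists (ILogger is already imported here), otherwise a fixed literal such as `"-"` — so the record states that no agent session was present. serviceRequest continues well past this hunk, so whether a null session context is reachable for this request type is not visible here.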
@@ -262,13 +262,12 @@ public class NetkeyKeygenService implements IService { CMS.debug("NetkeyKeygenService: failed generating key pair for " + rCUID + ":" + rUserid); request.setExtData(IRequest.RESULT, Integer.valueOf(4)); - auditMessage = CMS.getLogMessage( - AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE, + audit(new ServerSideKeyGenProcessedEvent( agentId, ILogger.FAILURE, - auditSubjectID); - - audit(auditMessage); + auditSubjectID, + requestId, + null)); return false; } @@ -294,14 +293,12 @@ public class NetkeyKeygenService implements IService { request.setExtData("public_key", PubKey); } - auditMessage = CMS.getLogMessage( - AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS, + audit(new ServerSideKeyGenProcessedEvent( agentId, ILogger.SUCCESS, auditSubjectID, - PubKey); - - audit(auditMessage); + requestId, + PubKey)); //...extract the private key handle (not privatekeydata) java.security.PrivateKey privKey = @@ -365,7 +362,6 @@ public class NetkeyKeygenService implements IService { "NetkeyKeygenService: failed generating wrapped private key", PubKey)); - audit(auditMessage); return false; } else { request.setExtData("wrappedUserPrivate", wrappedPrivKeyString); diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index 3ac23d5..fc4e946 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties 
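Review bot: The failure-path `ServerSideKeyGenProcessedEvent` in the first hunk passes `null` for the PubKey parameter, which the `{n}` template expansion will most likely render as the literal text `null` inside `[PubKey=...]`, indistinguishable from a key whose encoding happened to be that string. Pass an explicit placeholder instead — the empty-value marker ILogger defines for audit fields if available, otherwise a literal such as `"-"` — so a failed generation is unambiguous in the signed log. serviceRequest continues outside these hunks, so the other exit paths of the method cannot be checked for the same pattern.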
@@ -1947,21 +1947,15 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=:[AuditEvent=LOG_PA # - used when server-side key generation request is made # This is for tokenkeys # EntityID must be the representation of the subject that will be on the certificate when issued -LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed +LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}] server-side key generation request # -# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS -# - used when server-side key generation request has been processed with success +# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED +# - used when server-side key generation request has been processed. # This is for tokenkeys # EntityID must be the representation of the subject that will be on the certificate when issued # PubKey must be the base-64 encoded public key associated with # the private key to be archived -LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS][SubjectID={0}][Outcome={1}][EntityID={2}][PubKey={3}] server-side key generation request processed with success -# -# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE -# - used when server-side key generation request has been processed with failure -# This is for tokenkeys -# EntityID must be the representation of the subject that will be on the certificate when issued -LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE][SubjectID={0}][Outcome={1}][EntityID={2}] server-side key generation request processed with failure 
+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED][SubjectID={0}][Outcome={1}][EntityID={2}][RequestID={3}][[PubKey={4}] server-side key generation request processed # # LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST # - used when key recovery request is made -- 1.8.3.1 From 8aa94e1ca017e54454f6f6f6ebb4ee254062e822 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Sat, 20 May 2017 01:49:36 +0200 Subject: [PATCH 28/38] Replaced SHA1-based random number generators. The SHA1-based random number generators in some classes have been replaced with the random number generator provided by JssSubsystem. https://pagure.io/dogtagpki/issue/2695 Change-Id: Id0285dbc8c940fa7afb8feccab3086030d949514 --- base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 5 ++++- base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java | 5 ++++- base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java | 7 +++++-- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index e54c58a..8383e89 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java @@ -62,6 +62,7 @@ import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cms.servlet.key.KeyRecordParser; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmscore.util.Debug; import com.netscape.cmsutil.crypto.CryptoUtil; 
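Review bot: The new `LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED` template contains `[RequestID={3}][[PubKey={4}]` — a doubled opening bracket — so every processed-keygen record carries a malformed field that a consumer splitting on `[...]` pairs will misread or reject; change it to `[RequestID={3}][PubKey={4}]`. The comment above the consolidated event still only describes PubKey for the success case; add a line stating what the field holds on failure (the NetkeyKeygenService caller in this patch passes null there).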
@@ -153,10 +154,12 @@ public class NetkeyKeygenService implements IService { byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; String iv_s = ""; try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); random.nextBytes(iv); } catch (Exception e) { CMS.debug("NetkeyKeygenService.serviceRequest: " + e.toString()); + throw new EBaseException(e); } IVParameterSpec algParam = new IVParameterSpec(iv); diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java index 2519a4d..c0b5cdd 100644 --- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java +++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java @@ -56,6 +56,7 @@ import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; +import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.cmsutil.util.Cert; @@ -203,10 +204,12 @@ public class TokenKeyRecoveryService implements IService { byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); random.nextBytes(iv); } catch (Exception e) { CMS.debug("TokenKeyRecoveryService.serviceRequest: " + e.toString()); + throw new EBaseException(e); } RequestId auditRequestID = request.getRequestId(); diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java index c8150a9..5b8b1dd 100644 
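Review bot: Both KRA hunks now rethrow as `EBaseException` when the JSS generator cannot be obtained, which is the right fail-closed choice, but in NetkeyKeygenService the IV is generated around line 154 while the ServerSideKeyGenEvent for the request is only audited further down the same serviceRequest (the `@@ -180,23 +182,21 @@` hunk of the previous patch), so an RNG failure aborts the request without leaving any signed audit record of the attempted key generation. Consider auditing a FAILURE processed event before the throw, or moving the IV generation after the request event. Separately, the `iv` array no longer needs its all-0x01 seed now that failure throws: `byte[] iv = new byte[8];` makes it obvious that a fixed IV can never reach the cipher. The same ordering question applies to the TokenKeyRecoveryService hunk, whose audit calls are not visible here.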
--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java +++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java @@ -54,6 +54,7 @@ import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.tks.GPParams; import com.netscape.cms.servlet.tks.NistSP800_108KDF; import com.netscape.cms.servlet.tks.SecureChannelProtocol; +import com.netscape.cmscore.security.JssSubsystem; import com.netscape.cmsutil.crypto.CryptoUtil; import com.netscape.symkey.SessionKey; @@ -1996,7 +1997,8 @@ public class TokenServlet extends CMSServlet { CMS.debug("TokenServlet: processEncryptData(): contain data in request, however, random generation on TKS is required. Generating..."); } try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); data = new byte[16]; random.nextBytes(data); } catch (Exception e) { @@ -2320,7 +2322,8 @@ public class TokenServlet extends CMSServlet { if (!missingParam) { try { - SecureRandom random = SecureRandom.getInstance("SHA1PRNG"); + JssSubsystem jssSubsystem = (JssSubsystem) CMS.getSubsystem(JssSubsystem.ID); + SecureRandom random = jssSubsystem.getRandomNumberGenerator(); randomData = new byte[dataSize]; random.nextBytes(randomData); } catch (Exception e) { -- 1.8.3.1 From 5ce1212159f8055ab7534887542e1d8cb41eb15d Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 25 May 2017 19:35:36 +0200 Subject: [PATCH 29/38] Refactored CRLIssuingPoint.generateDeltaCRL(). The code related to delta CRL generation has been moved into generateDeltaCRL(). https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic38c654cea03fe8748bd9663b5414fbe8e762f26 --- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 102 ++++++++++++----------- 1 file changed, 54 insertions(+), 48 deletions(-) 
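Review bot: In both TokenServlet hunks the `catch (Exception e)` body lies outside the hunk, and unlike the KRA changes in this patch nothing visible rethrows; because `data = new byte[16]` and `randomData = new byte[dataSize]` sit after `getRandomNumberGenerator()` inside the try, a failure leaves `data` at its previous value — in the first hunk the caller-supplied value that the preceding debug line says must be replaced by TKS-generated randomness — or leaves `randomData` unset. If the catch only logs, these paths should fail the request the way the KRA hunks do, e.g. `throw new EBaseException(e);` or the servlet's equivalent error response, so a caller-chosen or missing value can never stand in for TKS randomness. Worth confirming against the catch bodies.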
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index 3764adf..feca02a 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java 
@@ -2607,51 +2607,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[5] += System.currentTimeMillis(); } else { if (isDeltaCRLEnabled()) { - mSplits[1] -= System.currentTimeMillis(); - @SuppressWarnings("unchecked") - Hashtable deltaCRLCerts = - (Hashtable) clonedRevokedCerts.clone(); - deltaCRLCerts.putAll(clonedUnrevokedCerts); - if (mIncludeExpiredCertsOneExtraTime) { - if (!clonedExpiredCerts.isEmpty()) { - for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { - BigInteger serialNumber = e.nextElement(); - if ((mLastFullUpdate != null && - mLastFullUpdate.after((mExpiredCerts.get(serialNumber)).getRevocationDate())) || - mLastFullUpdate == null) { - deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); - } - } - } - } else { - deltaCRLCerts.putAll(clonedExpiredCerts); - } - - mLastCRLNumber = mCRLNumber; - - CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); - - mSplits[1] += System.currentTimeMillis(); + generateDeltaCRL( + clonedRevokedCerts, + clonedUnrevokedCerts, + clonedExpiredCerts, + signingAlgorithm, + thisUpdate, + nextDeltaUpdate); - X509CRLImpl newX509DeltaCRL = generateDeltaCRL( - deltaCRLCerts, signingAlgorithm, thisUpdate, nextDeltaUpdate, ext); - - try { - mSplits[4] -= System.currentTimeMillis(); - publishCRL(newX509DeltaCRL, true); - mSplits[4] += System.currentTimeMillis(); - } catch (EBaseException e) { - newX509DeltaCRL = null; - if (Debug.on()) - Debug.printStackTrace(e); - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); - } catch (OutOfMemoryError e) { - newX509DeltaCRL = null; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); - } } else { mDeltaCRLSize = -1; } 
@@ -2780,12 +2744,41 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { return ext; } - X509CRLImpl generateDeltaCRL( - Hashtable deltaCRLCerts, + void generateDeltaCRL( + Hashtable clonedRevokedCerts, + Hashtable clonedUnrevokedCerts, + Hashtable clonedExpiredCerts, String signingAlgorithm, Date thisUpdate, - Date nextDeltaUpdate, - CRLExtensions ext) { + Date nextDeltaUpdate) { + + mSplits[1] -= System.currentTimeMillis(); + + @SuppressWarnings("unchecked") + Hashtable deltaCRLCerts = + (Hashtable) clonedRevokedCerts.clone(); + + deltaCRLCerts.putAll(clonedUnrevokedCerts); + + if (mIncludeExpiredCertsOneExtraTime) { + + for (Enumeration e = clonedExpiredCerts.keys(); e.hasMoreElements();) { + BigInteger serialNumber = e.nextElement(); + if (mLastFullUpdate == null || + mLastFullUpdate.after(mExpiredCerts.get(serialNumber).getRevocationDate())) { + deltaCRLCerts.put(serialNumber, clonedExpiredCerts.get(serialNumber)); + } + } + + } else { + deltaCRLCerts.putAll(clonedExpiredCerts); + } + + mLastCRLNumber = mCRLNumber; + + CRLExtensions ext = generateCRLExtensions(FreshestCRLExtension.NAME); + + mSplits[1] += System.currentTimeMillis(); X509CRLImpl newX509DeltaCRL = null; @@ -2868,7 +2861,20 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mDeltaCRLSize = -1; } - return newX509DeltaCRL; + try { + mSplits[4] -= System.currentTimeMillis(); + publishCRL(newX509DeltaCRL, true); + mSplits[4] += System.currentTimeMillis(); + + } catch (EBaseException e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); + } catch (OutOfMemoryError e) { + CMS.debug(e); + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString())); + } } X509CRLImpl generateFullCRL( -- 1.8.3.1 From 5e0cb550236c5bb06baa4b3a94558407a53c92ea Mon Sep 17 00:00:00 2001 
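Review bot: The moved expired-certs loop in generateDeltaCRL iterates the keys of `clonedExpiredCerts` but reads `mExpiredCerts.get(serialNumber).getRevocationDate()` from the live table; if `mExpiredCerts` changed between the clone and this point, `get` returns null and delta CRL generation dies with a NullPointerException. Read the record once from the snapshot (`Object rec = clonedExpiredCerts.get(serialNumber);`, cast to the value type of mExpiredCerts) and use it for both the date check and the `put`. Separately, `publishCRL(newX509DeltaCRL, true)` in the last hunk runs even when generation failed and the local is still null (the `mDeltaCRLSize = -1;` branch just above it); the old caller behaved the same, but a `if (newX509DeltaCRL == null) return;` before the publish try would make that failure path explicit. The middle of generateDeltaCRL, where `newX509DeltaCRL` is assigned, is not visible in this diff.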
From: "Endi S. Dewata" Date: Thu, 25 May 2017 21:22:50 +0200 Subject: [PATCH 30/38] Refactored CRLIssuingPoint.generateFullCRL(). The code related to full CRL generation has been moved into generateFullCRL(). https://pagure.io/dogtagpki/issue/2651 Change-Id: I6a23c97255ba7095e168e927621f0503923251c2 --- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 80 ++++++++++++------------ 1 file changed, 40 insertions(+), 40 deletions(-) diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index feca02a..cbcdc69 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java 
@@ -2676,39 +2676,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { clonedExpiredCerts = null; if ((!isDeltaCRLEnabled()) || mSchemaCounter == 0) { - mSplits[6] -= System.currentTimeMillis(); - if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { - mNextCRLNumber = mNextDeltaCRLNumber; - } - - CRLExtensions ext; - if (mAllowExtensions) { - ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); - } else { - ext = null; - } - mSplits[6] += System.currentTimeMillis(); - // for audit log - X509CRLImpl newX509CRL = generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate, ext); - - try { - mSplits[9] -= System.currentTimeMillis(); - mUpdatingCRL = CRL_PUBLISHING_STARTED; - publishCRL(newX509CRL); - newX509CRL = null; - mSplits[9] += System.currentTimeMillis(); - } catch (EBaseException e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); - } catch (OutOfMemoryError e) { - newX509CRL = null; - mUpdatingCRL = CRL_UPDATE_DONE; - log(ILogger.LL_FAILURE, - CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); - } + generateFullCRL(signingAlgorithm, thisUpdate, nextUpdate); } if (isDeltaCRLEnabled() && mDeltaCRLSize > -1 && mSchemaCounter > 0) { 
@@ -2877,11 +2846,25 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } } - X509CRLImpl generateFullCRL( + void generateFullCRL( String signingAlgorithm, Date thisUpdate, - Date nextUpdate, - CRLExtensions ext) throws EBaseException { + Date nextUpdate) throws EBaseException { + + mSplits[6] -= System.currentTimeMillis(); + if (mNextDeltaCRLNumber.compareTo(mNextCRLNumber) > 0) { + mNextCRLNumber = mNextDeltaCRLNumber; + } + + CRLExtensions ext; + if (mAllowExtensions) { + ext = generateCRLExtensions(DeltaCRLIndicatorExtension.NAME); + } else { + ext = null; + } + mSplits[6] += System.currentTimeMillis(); + + X509CRLImpl newX509CRL = null; try { CMS.debug("Making CRL with algorithm " + @@ -2904,7 +2887,7 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { thisUpdate, nextUpdate, mCRLCerts, ext); CMS.debug("CRLIssuingPoint: signing CRL"); - X509CRLImpl newX509CRL = mCA.sign(crl, signingAlgorithm); + newX509CRL = mCA.sign(crl, signingAlgorithm); CMS.debug("CRLIssuingPoint: encoding CRL"); byte[] newCRL = newX509CRL.getEncoded(); @@ -2914,8 +2897,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { mSplits[8] -= System.currentTimeMillis(); Date nextUpdateDate = mNextUpdate; - if (isDeltaCRLEnabled() && (mUpdateSchema > 1 || - (mEnableDailyUpdates && mExtendedTimeList)) && mNextDeltaUpdate != null) { + if (isDeltaCRLEnabled() + && (mUpdateSchema > 1 || mEnableDailyUpdates && mExtendedTimeList) + && mNextDeltaUpdate != null) { nextUpdateDate = mNextDeltaUpdate; } @@ -2976,8 +2960,6 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log"); - return newX509CRL; - } catch (EBaseException e) { CMS.debug(e); mUpdatingCRL = CRL_UPDATE_DONE; 
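Review bot: The rewritten condition `mUpdateSchema > 1 || mEnableDailyUpdates && mExtendedTimeList` drops the explicit grouping the old code had; `&&` binds tighter than `||` so the meaning is unchanged, but the bare form is exactly the pattern readers misparse, so I would keep `(mUpdateSchema > 1 || (mEnableDailyUpdates && mExtendedTimeList))`. The new `void generateFullCRL(String, Date, Date)` also now advances `mNextCRLNumber` to `mNextDeltaCRLNumber` and builds the extensions itself, yet it has no javadoc; a header such as `/** Builds, signs, stores and (below) publishes a full CRL; bumps mNextCRLNumber when the delta counter is ahead. Throws ECAException when construction or signing fails. */` would tell callers what state it mutates. The method body continues past the end of this hunk.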
@@ -3008,6 +2990,24 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString())); throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString())); } + + try { + mSplits[9] -= System.currentTimeMillis(); + mUpdatingCRL = CRL_PUBLISHING_STARTED; + publishCRL(newX509CRL); + mSplits[9] += System.currentTimeMillis(); + + } catch (EBaseException e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } catch (OutOfMemoryError e) { + CMS.debug(e); + mUpdatingCRL = CRL_UPDATE_DONE; + log(ILogger.LL_FAILURE, + CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString())); + } } /** -- 1.8.3.1 From 64233b8f26a3f87786fa0e0d641a5a02116ebece Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Fri, 26 May 2017 00:13:49 +0200 Subject: [PATCH 31/38] Updated ECAException constructor. The ECAException constructor has been modified to accept a more generic Throwable instead of Exception. https://pagure.io/dogtagpki/issue/2651 Change-Id: I2a63fad2f8a3216fe8d33f550d3571d2fec2c4ee --- base/common/src/com/netscape/certsrv/ca/ECAException.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/ca/ECAException.java b/base/common/src/com/netscape/certsrv/ca/ECAException.java index 01c601e..814219f 100644 --- a/base/common/src/com/netscape/certsrv/ca/ECAException.java +++ b/base/common/src/com/netscape/certsrv/ca/ECAException.java @@ -51,10 +51,10 @@ public class ECAException extends EBaseException { *
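Review bot: The two publishing handlers no longer release the CRL before logging: the code removed in the -2676 hunk executed `newX509CRL = null;` as the first statement of both `catch (EBaseException)` and `catch (OutOfMemoryError)`, whereas here `newX509CRL` stays reachable while `CMS.debug(e)` and `CMS.getLogMessage(...)` allocate, which matters most in the OutOfMemoryError path this handler exists for. Restore `newX509CRL = null;` as the first line of each catch block. Both handlers also log and set `mUpdatingCRL = CRL_UPDATE_DONE` without rethrowing, so a publishing failure is invisible to the caller of generateFullCRL(); that was true before the refactor too, but now that the method owns publishing a comment such as `// publishing failure is logged only; the CRL has already been stored` would make the deliberate swallow explicit. The enclosing method starts outside this hunk.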

* * @param msgFormat constant from CAResources. - * @param e embedded exception. + * @param cause cause of this exception. */ - public ECAException(String msgFormat, Exception e) { - super(msgFormat, e); + public ECAException(String msgFormat, Throwable cause) { + super(msgFormat, cause); } /** -- 1.8.3.1 From 5438e24e022c4c169ff9b5c6325e5ec0023d4caa Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 25 May 2017 16:31:45 -0400 Subject: [PATCH 32/38] Set encryption flag for generated keys The key record for keys generated in the keygen servlets was not updated to reflect whether or not the server was set up to do encryption/key wrapping. This patch corrects this oversight. Bugzilla BZ# 1455617 Change-Id: I31daece8b93a0ad58cb595e6a23fe8705f338024 --- base/kra/src/com/netscape/kra/AsymKeyGenService.java | 2 +- base/kra/src/com/netscape/kra/NetkeyKeygenService.java | 2 +- base/kra/src/com/netscape/kra/SymKeyGenService.java | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java index ea1d0cc..1e38b48 100644 --- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java @@ -197,7 +197,7 @@ public class AsymKeyGenService implements IService { } try { - record.setWrappingParams(params, false); + record.setWrappingParams(params, allowEncDecrypt_archival); } catch (Exception e) { auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(), clientKeyId, null, "Failed to store wrapping params"); diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java index 8383e89..96d7aae 100644 --- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java +++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java 
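Review bot: The flag written by `record.setWrappingParams(params, allowEncDecrypt_archival)` has to describe how this particular key was protected, not merely the server's current setting, since a later recovery will presumably read it from the record to choose between unwrapping and decrypting; this hunk shows only the store, so verify that the same `allowEncDecrypt_archival` value drove the wrap/encrypt step earlier in the method (outside the hunk) and that the field cannot change between the two points. A comment at the call, `// record whether this key was encrypted (true) or key-wrapped (false) so recovery reverses it the same way`, would capture that dependency. The meaning of the boolean is inferred from the commit message; confirm it against KeyRecord.setWrappingParams before adopting the wording.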
@@ -477,7 +477,7 @@ public class NetkeyKeygenService implements IService { return false; } - rec.setWrappingParams(params, false); + rec.setWrappingParams(params, allowEncDecrypt_archival); CMS.debug("NetkeyKeygenService: before addKeyRecord"); rec.set(KeyRecord.ATTR_ID, serialNo); diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java index a4613c2..578b1ff 100644 --- a/base/kra/src/com/netscape/kra/SymKeyGenService.java +++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java @@ -221,7 +221,7 @@ public class SymKeyGenService implements IService { } try { - rec.setWrappingParams(params, false); + rec.setWrappingParams(params, allowEncDecrypt_archival); } catch (Exception e) { mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters: " + e); -- 1.8.3.1 From 2866f6195eb49012cf7c42089a9fbf1be819129a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 26 May 2017 17:47:14 +1000 Subject: [PATCH 33/38] Fix NPE in lightweight CA creation Fixes: https://pagure.io/dogtagpki/issue/2711 --- .../cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java index 908cbe4..4b0f68c 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java +++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollmentProcessor.java @@ -148,7 +148,9 @@ public class EnrollmentProcessor extends CertProcessor { IProfileContext ctx = profile.createContext(); // set arbitrary user data into request, if any - String userData = request.getParameter("user-data"); + String userData = null; + if (request != null) + userData = request.getParameter("user-data"); if (userData != null) ctx.set(IEnrollProfile.REQUEST_USER_DATA, userData); -- 1.8.3.1 
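Review bot: The new null guard on `request` does not say why a null request is legitimate here, and the unbraced `if` is the style most style checkers flag; per the commit message the null case is internally driven lightweight CA creation, which the code should state. I would write `// request is null when enrollment is driven internally (e.g. lightweight CA creation) rather than by a servlet; only a real HTTP request can carry user-data` above `String userData = null;` and brace the `if` body. Since the method continues outside this hunk, also check that no later line dereferences `request` unguarded, otherwise this fix only moves the NPE.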
From e3f64ea8ca4ec231a954076a7f6b05dfc626ff1b Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Thu, 18 May 2017 19:38:20 +0200 Subject: [PATCH 34/38] Added DELTA_CRL_GENERATION audit event. A new DELTA_CRL_GENERATION audit event has been added which will be generated when delta CRL generation is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: Ic4759ac2d90b6915443587708292d0f51e11345f --- base/ca/shared/conf/CS.cfg | 4 +- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 69 ++++++++++++----- .../logging/event/DeltaCRLGenerationEvent.java | 86 ++++++++++++++++++++++ base/server/cmsbundle/src/LogMessages.properties | 6 ++ 4 files changed, 145 insertions(+), 20 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 4e881dc..7377561 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg 
@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCC
ESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUE
ST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index cbcdc69..ff157b5 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java @@ -51,8 +51,10 @@ import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.certdb.IRevocationInfo; import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord; import com.netscape.certsrv.dbs.crldb.ICRLRepository; +import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; import com.netscape.certsrv.publish.ILdapRule; import com.netscape.certsrv.publish.IPublisherProcessor; import com.netscape.certsrv.request.IRequest; 
@@ -2758,8 +2760,9 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) { if (deltaCRLCerts.size() == 0) { CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No Delta CRL Generated"); - throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR", - "No Revoked Certificates")); + mDeltaCRLSize = -1; + audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates")); + return; } } @@ -2804,30 +2807,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } ); + audit(DeltaCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber)); + } catch (EBaseException e) { CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_DELTA", e.toString())); mDeltaCRLSize = -1; + audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); + return; - } catch (NoSuchAlgorithmException e) { - CMS.debug(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - - } catch (CRLException e) { - CMS.debug(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - - } catch (X509ExtensionException e) { - CMS.debug(e); - log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); - mDeltaCRLSize = -1; - - } catch (OutOfMemoryError e) { + } catch (Throwable e) { CMS.debug(e); log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_DELTA", e.toString())); mDeltaCRLSize = -1; + audit(DeltaCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage())); + return; } try { 
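Review bot: The audit failure reason in the second hunk is `e.getMessage()`, which is null for many exceptions (a NullPointerException, for one), so the signed audit record would read `[FailureReason=null]` while the adjacent log line uses `e.toString()`; use `e.toString()` in the audit call as well, or fall back to it when getMessage() returns null. The new `catch (Throwable e)` also widens the old handlers (four named exceptions plus OutOfMemoryError) to every RuntimeException and Error, including ThreadDeath; catching `Exception` and keeping a separate `OutOfMemoryError` handler keeps the original scope. In the first hunk the no-revoked-certificates case now audits a success with Info="No Revoked Certificates" and returns instead of raising and logging a failure; a line such as `// not an error: noCRLIfNoRevokedCert suppresses empty delta CRLs` would make that intentional. The enclosing method starts and ends outside these hunks.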
@@ -3186,6 +3180,45 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable { } } } + + String getAuditSubjectID() { + + SessionContext context = SessionContext.getExistingContext(); + + if (context == null) { + return ILogger.UNIDENTIFIED; + } + + String subjectID = (String)context.get(SessionContext.USER_ID); + + if (subjectID == null) { + if (Thread.currentThread() == mUpdateThread) { + return ILogger.SYSTEM_UID; + + } else { + return ILogger.NONROLEUSER; + } + } + + return subjectID.trim(); + } + + void audit(AuditEvent event) { + + ILogger logger = CMS.getSignedAuditLogger(); + if (logger == null) return; + + String messageID = event.getMessage(); + Object[] params = event.getParameters(); + + String message = CMS.getLogMessage(messageID, params); + + logger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + message); + } } class CertRecProcessor implements IElementProcessor { diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java new file mode 100644 index 0000000..ba04a33 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLGenerationEvent.java 
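Review bot: getAuditSubjectID() returns `ILogger.UNIDENTIFIED` whenever SessionContext.getExistingContext() is null, so the `Thread.currentThread() == mUpdateThread` check that maps the scheduled update thread to SYSTEM_UID is only reached when a context exists but has no USER_ID. If the scheduled update thread runs without a SessionContext (not visible here), every automatic delta CRL generation would be audited as UNIDENTIFIED; moving the thread test ahead of the null-context return, `if (Thread.currentThread() == mUpdateThread) return ILogger.SYSTEM_UID;`, keeps attribution consistent either way. audit() silently drops the event when CMS.getSignedAuditLogger() is null; a comment such as `// no signed audit logger configured: nothing to record` would show the drop is deliberate rather than an oversight.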
@@ -0,0 +1,86 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; version 2 of the License. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +// +// (C) 2017 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- +package com.netscape.certsrv.logging.event; + +import java.math.BigInteger; + +import com.netscape.certsrv.logging.AuditEvent; +import com.netscape.certsrv.logging.ILogger; + +public class DeltaCRLGenerationEvent extends AuditEvent { + + private static final long serialVersionUID = 1L; + + public final static String LOGGING_PROPERTY = + "LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION"; + + public DeltaCRLGenerationEvent() { + super(LOGGING_PROPERTY); + } + + public static DeltaCRLGenerationEvent createSuccessEvent( + String subjectID, + BigInteger crlNumber) { + + DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent(); + + event.setAttribute("CRLnum", crlNumber); + + event.setParameters(new Object[] { + subjectID, + ILogger.SUCCESS, + event.getAttributeList() + }); + + return event; + } + + public static DeltaCRLGenerationEvent createSuccessEvent( + String subjectID, + String info) { + + DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent(); + + event.setAttribute("Info", info); + + event.setParameters(new Object[] { + subjectID, + ILogger.SUCCESS, + event.getAttributeList() + }); + + return event; + } + + public static DeltaCRLGenerationEvent 
createFailureEvent( + String subjectID, + String reason) { + + DeltaCRLGenerationEvent event = new DeltaCRLGenerationEvent(); + + event.setAttribute("FailureReason", reason); + + event.setParameters(new Object[] { + subjectID, + ILogger.FAILURE, + event.getAttributeList() + }); + + return event; + } +} diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties index fc4e946..30b8e2a 100644 --- a/base/server/cmsbundle/src/LogMessages.properties +++ b/base/server/cmsbundle/src/LogMessages.properties @@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification # +# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION +# - used when delta CRL generation is complete +# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise +# +LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation +# # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL # - used when CRLs are retrieved by the OCSP Responder # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise -- 1.8.3.1 From 4d5ecb5dd3e1f4eabbe29ab2ddbfeb825f9f4233 Mon Sep 17 00:00:00 2001 
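Review bot: DeltaCRLGenerationEvent has two createSuccessEvent overloads distinguished only by the second parameter's type (BigInteger versus String), so a call passing null is ambiguous at compile time and a reader cannot tell from a call site whether `CRLnum` or `Info` is being logged. Giving the String variant a distinct name, e.g. `createSkippedEvent(String subjectID, String info)`, or a javadoc on each factory naming the attribute it sets and the Outcome it records, would remove the guesswork. createFailureEvent() also accepts a `reason` that callers build from Exception.getMessage(), which may be null; substituting a fixed placeholder when it is would keep the audit record informative. A class-level comment, `/** Signed audit event emitted when delta CRL generation completes (DELTA_CRL_GENERATION). */`, is missing.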
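Review bot: The new LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION template puts `{2}` outside any bracket, unlike the neighbouring CMC_ID_POP_LINK_WITNESS entry which uses `[Info={2}]`; that is only correct if `{2}` is always the event's pre-rendered attribute list, and the property comment does not say so. Add to the comment a line such as `# {2} is the attribute list rendered by the event: [CRLnum=...] on success, [Info=...] when no delta CRL was generated, [FailureReason=...] on failure` so a log consumer knows what to expect. The exact rendering of AuditEvent.getAttributeList() is not visible in this patch; confirm the bracket form before committing the wording.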
From: "Endi S. Dewata" Date: Thu, 25 May 2017 22:53:03 +0200 Subject: [PATCH 35/38] Added DELTA_CRL_PUBLISHING audit event. A new DELTA_CRL_PUBLISHING audit event has been added which will be generated when delta CRL publishing is complete. https://pagure.io/dogtagpki/issue/2651 Change-Id: I38f84fc2d00ea57ef13f0ee50998da9239437372 --- base/ca/shared/conf/CS.cfg | 4 +- base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 10 ++-- .../logging/event/DeltaCRLPublishingEvent.java | 63 ++++++++++++++++++++++ base/server/cmsbundle/src/LogMessages.properties | 6 +++ 4 files changed, 76 insertions(+), 7 deletions(-) create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg index 7377561..867e4cb 100644 --- a/base/ca/shared/conf/CS.cfg +++ b/base/ca/shared/conf/CS.cfg 
@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_R
EQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_
PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java index ff157b5..9fd8c49 100644 --- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java +++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java @@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.AuditFormat; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent; +import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent; import com.netscape.certsrv.publish.ILdapRule; import com.netscape.certsrv.publish.IPublisherProcessor; import com.netscape.certsrv.request.IRequest; 
@@ -2829,14 +2830,13 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
 publishCRL(newX509DeltaCRL, true);
 mSplits[4] += System.currentTimeMillis();
- } catch (EBaseException e) {
- CMS.debug(e);
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
- } catch (OutOfMemoryError e) {
+ audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber));
+
+ } catch (Throwable e) {
 CMS.debug(e);
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_DELTA", mCRLNumber.toString(), e.toString()));
+ audit(new DeltaCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage()));
 }
 }
diff --git a/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
new file mode 100644
index 0000000..d6521d7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/DeltaCRLPublishingEvent.java
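Review bot: The new `catch (Throwable e)` still falls out of the handler normally, so where the old code absorbed only EBaseException and OutOfMemoryError, every RuntimeException and Error raised by `publishCRL(newX509DeltaCRL, true)` is now recorded as an audited failure and then discarded, and the method carries on as if delta publishing had finished; the matching full-CRL publishing hunk at `@@ -2975` in patch 37 rethrows instead, so the two paths disagree on what a publishing failure means. The failure event is also built from `e.getMessage()`, which is null for many Errors (OutOfMemoryError, the case the old code caught by name, is the usual example), so the audit record would carry a null FailureReason while the debug log on the line above keeps `e.toString()`; passing `e.toString()` to the event, or narrowing to `catch (Exception | OutOfMemoryError e)`, would keep the audit trail informative. The same `e.getMessage()` argument recurs in the `@@ -2954` and `@@ -2975` hunks of patches 36 and 37. The enclosing method starts and ends outside this hunk.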
@@ -0,0 +1,63 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import java.math.BigInteger;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.ILogger;
+
+public class DeltaCRLPublishingEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public final static String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING";
+
+ public DeltaCRLPublishingEvent(
+ String subjectID,
+ BigInteger crlNumber) {
+
+ super(LOGGING_PROPERTY);
+
+ setAttribute("CRLnum", crlNumber);
+
+ setParameters(new Object[] {
+ subjectID,
+ ILogger.SUCCESS,
+ getAttributeList()
+ });
+ }
+
+ public DeltaCRLPublishingEvent(
+ String subjectID,
+ BigInteger crlNumber,
+ String reason) {
+
+ super(LOGGING_PROPERTY);
+
+ setAttribute("CRLnum", crlNumber);
+ setAttribute("FailureReason", reason);
+
+ setParameters(new Object[] {
+ subjectID,
+ ILogger.FAILURE,
+ getAttributeList()
+ });
+ }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 30b8e2a..c35d605 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
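Review bot: DeltaCRLPublishingEvent and FullCRLPublishingEvent (patch 37, also `@@ -0,0 +1,63 @@`) are identical apart from the class name and LOGGING_PROPERTY, and both use public constructors where FullCRLGenerationEvent in patch 36 uses static factories `createSuccessEvent`/`createFailureEvent`; picking one shape for the new event classes in this series, or sharing a small base class that takes the property name and the outcome, would keep the audit events consistent. Both constructors also pass `reason` straight into `setAttribute("FailureReason", reason)` with no null handling, and the callers hand them `e.getMessage()`, which can be null. A class-level Javadoc naming the DELTA_CRL_PUBLISHING event and a `@param reason failure description recorded as the FailureReason attribute; expected to be non-null` on the three-argument constructor would document the contract; the class currently has no documentation at all.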
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2128,6 +2128,12 @@ LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=:[A
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEvent=DELTA_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Delta CRL generation
 #
+# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING
+# - used when delta CRL publishing is complete
+# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing
+#
 # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
-- 1.8.3.1
From 37e6ba6d1fb24694c2744adbc27c78b749d7e35d Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 26 May 2017 00:13:10 +0200
Subject: [PATCH 36/38] Added FULL_CRL_GENERATION audit event.
A new FULL_CRL_GENERATION audit event has been added which will be generated when full CRL generation is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I74b083721e477ad72fe5a787935af617e89a6968
---
 base/ca/shared/conf/CS.cfg | 4 +-
 base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 36 +++------
 .../logging/event/FullCRLGenerationEvent.java | 86 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties | 6 ++
 4 files changed, 104 insertions(+), 28 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 867e4cb..3daac8b 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE
,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_V
ERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index 9fd8c49..9583f50 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -19,8 +19,6 @@ package com.netscape.ca;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.security.NoSuchAlgorithmException;
-import java.security.cert.CRLException;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.Hashtable;
@@ -56,6 +54,7 @@ import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent;
 import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent;
+import com.netscape.certsrv.logging.event.FullCRLGenerationEvent;
 import com.netscape.certsrv.publish.ILdapRule;
 import com.netscape.certsrv.publish.IPublisherProcessor;
 import com.netscape.certsrv.request.IRequest;
@@ -84,7 +83,6 @@ import netscape.security.x509.RevokedCertImpl;
 import netscape.security.x509.RevokedCertificate;
 import netscape.security.x509.X509CRLImpl;
 import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509ExtensionException;
 /**
 * This class encapsulates CRL issuing mechanism. CertificateAuthority
@@ -2870,8 +2868,8 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
 if (mConfigStore.getBoolean("noCRLIfNoRevokedCert", false)) {
 if (mCRLCerts.size() == 0) {
 CMS.debug("CRLIssuingPoint: No Revoked Certificates Found And noCRLIfNoRevokedCert is set to true - No CRL Generated");
- throw new EBaseException(CMS.getUserMessage("CMS_BASE_INTERNAL_ERROR",
- "No Revoked Certificates"));
+ audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), "No Revoked Certificates"));
+ return;
 }
 }
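Review bot: The new early `return;` in the noCRLIfNoRevokedCert branch leaves the method on a path that bypasses the exception handlers, so any state set up above this point — the `mUpdatingCRL = CRL_UPDATE_DONE` reset that every catch block in the `@@ -2954` hunk performs is the visible example — is presumably skipped; if the removed `throw new EBaseException(...)` used to reach those handlers, this return can leave the issuing point marked as still updating. Worth confirming against the part of the method above this hunk and, if so, resetting the flag before the return: `mUpdatingCRL = CRL_UPDATE_DONE;` then `return;`. Recording a FULL_CRL_GENERATION success event for a run that produced no CRL also deserves a comment at the `audit(...)` call, e.g. `// deliberate no-op: the decision not to issue a CRL is audited as a successful outcome with Info set`. The enclosing method starts and ends outside this hunk.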
@@ -2954,35 +2952,21 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
 CMS.debug("CRLIssuingPoint: Finished Logging CRL Update to transaction log");
+ audit(FullCRLGenerationEvent.createSuccessEvent(getAuditSubjectID(), mCRLNumber));
+
 } catch (EBaseException e) {
 CMS.debug(e);
 mUpdatingCRL = CRL_UPDATE_DONE;
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+ audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e);
- } catch (NoSuchAlgorithmException e) {
- CMS.debug(e);
- mUpdatingCRL = CRL_UPDATE_DONE;
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
-
- } catch (CRLException e) {
- CMS.debug(e);
- mUpdatingCRL = CRL_UPDATE_DONE;
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
-
- } catch (X509ExtensionException e) {
- CMS.debug(e);
- mUpdatingCRL = CRL_UPDATE_DONE;
- log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
-
- } catch (OutOfMemoryError e) {
+ } catch (Throwable e) {
 CMS.debug(e);
 mUpdatingCRL = CRL_UPDATE_DONE;
 log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_CA_ISSUING_SIGN_CRL", e.toString()));
- throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()));
+ audit(FullCRLGenerationEvent.createFailureEvent(getAuditSubjectID(), e.getMessage()));
+ throw new ECAException(CMS.getUserMessage("CMS_CA_FAILED_CONSTRUCTING_CRL", e.toString()), e);
 }
 try {
diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
new file mode 100644
index 0000000..9dd47dd
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLGenerationEvent.java
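Review bot: The FULL_CRL_GENERATION success audit is emitted inside the same `try` whose handlers treat every throwable as a sign-or-store failure, so if `audit(...)` itself throws (an audit-log write problem, for instance — whether it can is not visible here) the run is logged under CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL or SIGN_CRL, audited as a generation failure and turned into an ECAException even though the CRL has already been signed and stored. Moving the success `audit(...)` to just after the `try`/`catch`, or giving it its own handler, keeps the failure record honest. The two catch blocks are now identical except for the log-message key, so a single `catch (Throwable e)` with `e instanceof EBaseException ? "CMSCORE_CA_ISSUING_SIGN_OR_STORE_CRL" : "CMSCORE_CA_ISSUING_SIGN_CRL"` selecting the key would remove the duplication; that is a style choice. The enclosing method starts before this hunk and continues past it.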
@@ -0,0 +1,86 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import java.math.BigInteger;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.ILogger;
+
+public class FullCRLGenerationEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public final static String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION";
+
+ public FullCRLGenerationEvent() {
+ super(LOGGING_PROPERTY);
+ }
+
+ public static FullCRLGenerationEvent createSuccessEvent(
+ String subjectID,
+ BigInteger crlNumber) {
+
+ FullCRLGenerationEvent event = new FullCRLGenerationEvent();
+
+ event.setAttribute("CRLnum", crlNumber);
+
+ event.setParameters(new Object[] {
+ subjectID,
+ ILogger.SUCCESS,
+ event.getAttributeList()
+ });
+
+ return event;
+ }
+
+ public static FullCRLGenerationEvent createSuccessEvent(
+ String subjectID,
+ String info) {
+
+ FullCRLGenerationEvent event = new FullCRLGenerationEvent();
+
+ event.setAttribute("Info", info);
+
+ event.setParameters(new Object[] {
+ subjectID,
+ ILogger.SUCCESS,
+ event.getAttributeList()
+ });
+
+ return event;
+ }
+
+ public static FullCRLGenerationEvent createFailureEvent(
+ String subjectID,
+ String reason) {
+
+ FullCRLGenerationEvent event = new FullCRLGenerationEvent();
+
+ event.setAttribute("FailureReason", reason);
+
+ event.setParameters(new Object[] {
+ subjectID,
+ ILogger.FAILURE,
+ event.getAttributeList()
+ });
+
+ return event;
+ }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index c35d605..f5ae7bb 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2134,6 +2134,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=:[AuditEven
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEvent=DELTA_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Delta CRL publishing
 #
+# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION
+# - used when full CRL generation is complete
+# Outcome is "success" when full CRL is generated successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation
+#
 # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
-- 1.8.3.1
From 33838ebaffcdf121c4167379f0c917b5b5b67d0e Mon Sep 17 00:00:00 2001
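Review bot: The public no-arg constructor `public FullCRLGenerationEvent()` yields an event whose parameters and outcome are never set, so a caller using it directly would emit a FULL_CRL_GENERATION record with no SubjectID or Outcome; the three factories are clearly the intended entry points, so `private FullCRLGenerationEvent()` would enforce that, unless AuditEvent subclasses need a public constructor for some use not visible here. The overloads `createSuccessEvent(String, BigInteger)` and `createSuccessEvent(String, String)` differ only in the second parameter's type, so a call passing a bare `null` is ambiguous at compile time; renaming the informational variant (for example `createSkippedEvent`) or documenting the distinction avoids that trap. The class has no Javadoc: a class comment naming the LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION message it feeds, plus `@param`/`@return` on each factory stating that `crlNumber`, `info` and `reason` become the `CRLnum`, `Info` and `FailureReason` attributes, would make the three factories self-explanatory.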
From: "Endi S. Dewata"
Date: Fri, 26 May 2017 00:46:53 +0200
Subject: [PATCH 37/38] Added FULL_CRL_PUBLISHING audit event.
A new FULL_CRL_PUBLISHING audit event has been added which will be generated when full CRL publishing is complete.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I4461b03f4afd300b65e9d12c7d0bfa935b4e7082
---
 base/ca/shared/conf/CS.cfg | 4 +-
 base/ca/src/com/netscape/ca/CRLIssuingPoint.java | 16 +++---
 .../logging/event/FullCRLPublishingEvent.java | 63 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties | 6 +++
 4 files changed, 79 insertions(+), 10 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 3daac8b..fc21295 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, 
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUE
ST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERI
FY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
index 9583f50..be6ffa8 100644
--- a/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
+++ b/base/ca/src/com/netscape/ca/CRLIssuingPoint.java
@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.DeltaCRLGenerationEvent;
 import com.netscape.certsrv.logging.event.DeltaCRLPublishingEvent;
 import com.netscape.certsrv.logging.event.FullCRLGenerationEvent;
+import com.netscape.certsrv.logging.event.FullCRLPublishingEvent;
 import com.netscape.certsrv.publish.ILdapRule;
 import com.netscape.certsrv.publish.IPublisherProcessor;
 import com.netscape.certsrv.request.IRequest;
@@ -2975,16 +2976,15 @@ public class CRLIssuingPoint implements ICRLIssuingPoint, Runnable {
 publishCRL(newX509CRL);
 mSplits[9] += System.currentTimeMillis();
- } catch (EBaseException e) {
- CMS.debug(e);
- mUpdatingCRL = CRL_UPDATE_DONE;
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
- } catch (OutOfMemoryError e) {
+ audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber));
+
+ } catch (Throwable e) {
 CMS.debug(e);
 mUpdatingCRL = CRL_UPDATE_DONE;
- log(ILogger.LL_FAILURE,
- CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString()));
+ String message = CMS.getLogMessage("CMSCORE_CA_ISSUING_PUBLISH_CRL", mCRLNumber.toString(), e.toString());
+ log(ILogger.LL_FAILURE, message);
+ audit(new FullCRLPublishingEvent(getAuditSubjectID(), mCRLNumber, e.getMessage()));
+ throw new ECAException(message, e);
 }
 }
diff --git a/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPublishingEvent.java
new file mode 100644
index 0000000..a3764c0
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/FullCRLPubl
ishingEvent.java
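Review bot: The new `throw new ECAException(message, e)` at the end of `catch (Throwable e)` turns a publishing failure into an exception, whereas the removed `catch (EBaseException e)` only logged it and let the method continue; the full CRL has already been signed and stored at this point, and (judging by the `@@ -2954` hunk, which audits FULL_CRL_GENERATION success before the publishing `try`) a generation success has presumably already been audited, so callers that used to see the CRL as issued despite a publishing error will now get an exception, a behaviour change neither the commit message nor a comment mentions. If the escalation is intended, a comment on the throw such as `// publishing failures now propagate to the caller; the CRL itself is already stored` records the decision; if not, dropping the throw restores the old contract while keeping the audit record. The `e.getMessage()` argument has the same null problem noted on the delta-CRL publishing hunk at `@@ -2829`. The enclosing method starts before this hunk and continues past it.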
@@ -0,0 +1,63 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import java.math.BigInteger;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.ILogger;
+
+public class FullCRLPublishingEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public final static String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING";
+
+ public FullCRLPublishingEvent(
+ String subjectID,
+ BigInteger crlNumber) {
+
+ super(LOGGING_PROPERTY);
+
+ setAttribute("CRLnum", crlNumber);
+
+ setParameters(new Object[] {
+ subjectID,
+ ILogger.SUCCESS,
+ getAttributeList()
+ });
+ }
+
+ public FullCRLPublishingEvent(
+ String subjectID,
+ BigInteger crlNumber,
+ String reason) {
+
+ super(LOGGING_PROPERTY);
+
+ setAttribute("CRLnum", crlNumber);
+ setAttribute("FailureReason", reason);
+
+ setParameters(new Object[] {
+ subjectID,
+ ILogger.FAILURE,
+ getAttributeList()
+ });
+ }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index f5ae7bb..689d7bc 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
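Review bot: FullCRLPublishingEvent has no Javadoc, so nothing states that `crlNumber` is recorded under the CRLnum attribute, that the two-argument constructor means success, or what `reason` is expected to hold; a class header such as `/** Signed audit event for full CRL publishing (LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING). The two-argument constructor records a success outcome; the three-argument one records a failure with {@code reason} as the FailureReason attribute. */` would let someone reading the audit log map records back to this class. The failure constructor takes `reason` as a plain String while the sibling ScheduleCRLGenerationEvent in this series takes an Exception, and the only caller visible here passes `e.getMessage()`, which may be null; an Exception-taking overload here (or a String one there) would keep the event classes uniform and give one place to substitute `e.toString()` when the message is absent. Stylistically, `public final static String LOGGING_PROPERTY` should be `public static final String LOGGING_PROPERTY`, the modifier order the JLS recommends.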
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2140,6 +2140,12 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=:[AuditEven
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=:[AuditEvent=FULL_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} Full CRL generation
 #
+# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING
+# - used when full CRL publishing is complete
+# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=:[AuditEvent=FULL_CRL_PUBLISHING][SubjectID={0}][Outcome={1}]{2} Full CRL publishing
+#
 # LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
-- 1.8.3.1
From c9a9fe6e31d860c089dd2b2ee584dd0d4a9b2174 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata"
Date: Fri, 19 May 2017 00:33:26 +0200
Subject: [PATCH 38/38] Added SCHEDULE_CRL_GENERATION audit event. A new SCHEDULE_CRL_GENERATION audit event has been added which will be generated when CRL generation is scheduled manually.
https://pagure.io/dogtagpki/issue/2651
Change-Id: I1e2fc307491e796e50b09550d66e5eba370d090a
---
 base/ca/shared/conf/CS.cfg | 4 +-
 .../logging/event/ScheduleCRLGenerationEvent.java | 56 ++++++++++++++++++++++
 .../com/netscape/cms/servlet/cert/UpdateCRL.java | 16 +++++--
 base/server/cmsbundle/src/LogMessages.properties | 6 +++
 4 files changed, 77 insertions(+), 5 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java
diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index fc21295..d1bf7db 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -907,11 +907,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging log.instance.SignedAudit._002=## log.instance.SignedAudit._003=## log.instance.SignedAudit._004=## Available Audit events: -log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PRO
CESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit._006=## log.instance.SignedAudit.bufferSize=512 log.instance.SignedAudit.enable=true -log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VER
IFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST +log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CM
C_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS,CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST log.instance.SignedAudit.expirationTime=0 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit log.instance.SignedAudit.flushInterval=5 diff --git a/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java new file mode 100644 index 0000000..5b2a461 --- /dev/null +++ b/base/common/src/com/netscape/certsrv/logging/event/ScheduleCRLGenerationEvent.java 
@@ -0,0 +1,56 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.ILogger;
+
+public class ScheduleCRLGenerationEvent extends AuditEvent {
+
+ private static final long serialVersionUID = 1L;
+
+ public final static String LOGGING_PROPERTY =
+ "LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION";
+
+ public ScheduleCRLGenerationEvent(
+ String subjectID) {
+
+ super(LOGGING_PROPERTY);
+
+ setParameters(new Object[] {
+ subjectID,
+ ILogger.SUCCESS,
+ getAttributeList()
+ });
+ }
+
+ public ScheduleCRLGenerationEvent(
+ String subjectID,
+ Exception e) {
+
+ super(LOGGING_PROPERTY);
+
+ setAttribute("FailureReason", e.getMessage());
+
+ setParameters(new Object[] {
+ subjectID,
+ ILogger.FAILURE,
+ getAttributeList()
+ });
+ }
+}
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
index b4d9d29..a9a2cd2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/UpdateCRL.java
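Review bot: ScheduleCRLGenerationEvent lacks Javadoc, so the meaning of its two constructors and the attributes it emits have to be reverse-engineered from LogMessages.properties; a header such as `/** Signed audit event emitted when CRL generation is scheduled manually (LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION). The one-argument constructor records a success outcome; the two-argument one records a failure with the exception's message as the FailureReason attribute. */` would document the contract. The failure constructor dereferences `e` without a null check, so a caller passing null fails inside the audit path rather than at the call site; `Objects.requireNonNull(e, "e")` at the top of that constructor would give a clear error. `public final static String LOGGING_PROPERTY` is better written `public static final String LOGGING_PROPERTY`.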
@@ -45,6 +45,7 @@ import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.ldap.ELdapException;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.ScheduleCRLGenerationEvent;
 import com.netscape.certsrv.publish.ILdapRule;
 import com.netscape.certsrv.publish.IPublisherProcessor;
 import com.netscape.certsrv.util.IStatsSubsystem;
@@ -375,9 +376,18 @@ public class UpdateCRL extends CMSServlet {
 } else {
- CMS.debug("UpdateCRL: scheduling CRL update");
- crlIssuingPoint.setManualUpdate(signatureAlgorithm);
- header.addStringValue("crlUpdate", "Scheduled");
+ try {
+ CMS.debug("UpdateCRL: scheduling CRL update");
+
+ crlIssuingPoint.setManualUpdate(signatureAlgorithm);
+ header.addStringValue("crlUpdate", "Scheduled");
+
+ audit(new ScheduleCRLGenerationEvent(auditSubjectID()));
+
+ } catch (Exception e) {
+ audit(new ScheduleCRLGenerationEvent(auditSubjectID(), e));
+ throw e;
+ }
 }
 return;
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 689d7bc..9490098 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2122,6 +2122,12 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
 #
+# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION
+# - used when CRL generation is scheduled
+# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=:[AuditEvent=SCHEDULE_CRL_GENERATION][SubjectID={0}][Outcome={1}]{2} schedule for CRL generation
+#
 # LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION
 # - used when delta CRL generation is complete
 # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
-- 1.8.3.1
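Review bot: In the UpdateCRL hunk the `try` block covers `header.addStringValue("crlUpdate", "Scheduled")` as well as the `setManualUpdate` call, so an exception raised while filling the response header after the update was already scheduled would record a SCHEDULE_CRL_GENERATION failure in the signed audit log even though the scheduling took effect; narrowing the try to `crlIssuingPoint.setManualUpdate(signatureAlgorithm);`, emitting the success event immediately after it, and only then touching `header` makes the audited outcome match what happened. The `throw e;` depends on Java 7 precise rethrow, which compiles only if the enclosing method (it starts and ends outside this hunk) declares every checked exception `setManualUpdate` can throw; the old code called it unguarded, so that is presumably already the case, but worth confirming. `auditSubjectID()` is also evaluated separately on the success and failure paths; capturing it once in a local before the try keeps both records attributed to the same subject even if the lookup could differ between calls.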