--- patch/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java 2017-06-06 04:56:02.188426066 +0200
+++ pki/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java 2017-06-06 01:50:56.698341052 +0200
@@ -17,6 +17,8 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.kra;
+import java.math.BigInteger;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.dbs.keydb.KeyId;
@@ -41,6 +43,7 @@ public class SecurityDataRecoveryService
 private IKeyRecoveryAuthority kra = null;
 private SecurityDataProcessor processor = null;
+ private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
 public SecurityDataRecoveryService(IKeyRecoveryAuthority kra) {
 this.kra = kra;
@@ -65,8 +68,66 @@ public class SecurityDataRecoveryService
 throws EBaseException {
 CMS.debug("SecurityDataRecoveryService.serviceRequest()");
- processor.recover(request);
- kra.getRequestQueue().updateRequest(request);
+
+ // parameters for auditing
+ String auditSubjectID = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ BigInteger serialNumber = request.getExtDataInBigInteger("serialNumber");
+ KeyId keyId = serialNumber != null ? new KeyId(serialNumber): null;
+ RequestId requestID = request.getRequestId();
+ String approvers = request.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
+
+ try {
+ processor.recover(request);
+ kra.getRequestQueue().updateRequest(request);
+ auditRecoveryRequestProcessed(
+ auditSubjectID,
+ ILogger.SUCCESS,
+ requestID,
+ keyId,
+ null,
+ approvers);
+ } catch (EBaseException e) {
+ auditRecoveryRequestProcessed(
+ auditSubjectID,
+ ILogger.FAILURE,
+ requestID,
+ keyId,
+ e.getMessage(),
+ approvers);
+ throw e;
+ }
 return false; //TODO: return true?
 }
+
+ private void audit(AuditEvent event) {
+
+ String template = event.getMessage();
+ Object[] params = event.getParameters();
+
+ String message = CMS.getLogMessage(template, params);
+
+ audit(message);
+ }
+
+ private void audit(String msg) {
+ if (signedAuditLogger == null)
+ return;
+
+ signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
+ private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
+ KeyId keyID, String reason, String recoveryAgents) {
+ audit(new SecurityDataRecoveryProcessedEvent(
+ subjectID,
+ status,
+ requestID,
+ keyID,
+ reason,
+ recoveryAgents));
+ }
 }
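Review bot: The failure audit in `serviceRequest` is emitted only for `EBaseException`, so an unchecked exception thrown by `processor.recover(request)` or `updateRequest(request)` leaves a key recovery attempt with no signed audit record at all. Widening the handler to `} catch (EBaseException | RuntimeException e) {` keeps the existing `throw e;` valid and closes that gap. Separately, `audit(String msg)` returns silently when `signedAuditLogger` is null; a `CMS.debug("SecurityDataRecoveryService: signed audit logger unavailable, event not logged");` before the `return` would make a dropped event visible. `e.getMessage()` is written into the audit record as the reason, and if that text can carry requester-supplied values it should be checked against the audit message delimiters (inferred, since the event class is not shown here). The signature of `serviceRequest` lies outside the hunk.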