authorChristina Fu <cfu@redhat.com>2016-01-21 11:58:03 -0800
committerChristina Fu <cfu@redhat.com>2016-02-15 15:56:26 -0800
commit4e948d6ab69f19f5ee705ca168e7813c14d36f10 (patch)
tree708e500dd0aba7f5620443ae64d04f451d8774c0
parentae975289fcd669e122589cfd1a7c82e0b28f733e (diff)
Ticket #1007 TPS audit events
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE. Administrative auditing (via the REST interface) will be covered in a separate ticket.
-rw-r--r--base/common/src/com/netscape/certsrv/apps/CMS.java21
-rw-r--r--base/common/src/com/netscape/certsrv/apps/ICMSEngine.java19
-rw-r--r--base/server/cmsbundle/src/LogMessages.properties88
-rw-r--r--base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java7
-rw-r--r--base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java5
-rw-r--r--base/tps/shared/conf/CS.cfg.in4
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java5
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java10
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java5
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java5
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java5
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java5
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java4
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java5
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java4
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java9
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java9
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java245
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java42
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java382
20 files changed, 757 insertions, 122 deletions
diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index 94f5c1687..9bfa608f2 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -843,6 +843,27 @@ public final class CMS {
}
/**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @param p8 8th parameter
+ * @param p9 9th parameter
+ * @param p10 10th parameter
+ * @return localized log message
+ */
+ public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8, String p9, String p10) {
+ return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10);
+ }
+
+ /**
* Returns the main config store. It is a handle to CMS.cfg.
*
* @return configuration store
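Review bot: The new `public static String getLogMessage(String msgID, ..., String p10)` is a tenth fixed-arity copy of the same one-line delegation; a varargs form, `public static String getLogMessage(String msgID, String... params) { return _engine.getLogMessage(msgID, params); }`, would serve this commit's ten-field events and any later arity, provided the array-taking `getLogMessage(String, String[])` that CMSEngine's implementation delegates to is declared on ICMSEngine (that declaration is outside this hunk, so confirm). The ICMSEngine and CMSEngine hunks below add the matching fixed-arity declaration and implementation and could be collapsed the same way. The Javadoc also says nothing about what a caller passes for a slot the message does not use; a line such as `@param p10 10th parameter; may be {@code null} when the template has fewer placeholders` would settle it, if that is what the array-based formatter tolerates.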
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index e024208fd..aa6b9e32e 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -456,6 +456,25 @@ public interface ICMSEngine extends ISubsystem {
String p7, String p8, String p9);
/**
+ * Retrieves the centralized log message from LogMessages.properties.
+ *
+ * @param msgID message id defined in LogMessages.properties
+ * @param p1 1st parameter
+ * @param p2 2nd parameter
+ * @param p3 3rd parameter
+ * @param p4 4th parameter
+ * @param p5 5th parameter
+ * @param p6 6th parameter
+ * @param p7 7th parameter
+ * @param p8 8th parameter
+ * @param p9 9th parameter
+ * @param p10 10th parameter
+ * @return localized log message
+ */
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8, String p9, String p10);
+
+ /**
* Parse ACL resource attributes
*
* @param resACLs same format as the resourceACLs attribute:
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index e0e926ccb..9dcfa1a9a 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2541,13 +2541,26 @@ LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6=<type=ASYMKEY_GENERATION_RE
#
# LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
# - used for TPS when token certificate enrollment request is made
+# - Info is normally used to store more info in case of failure
#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[[AuditEvent=TOKEN_CERT_ENROLLMENT][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}][Serial={7}][CA_ID={8}] token certificate enrollment request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
#
# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL
# - used for TPS when token certificate renewal request is made
+# - Info is normally used to store more info in case of failure
#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent=TOKEN_CERT_RENEWAL][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}][Serial={7}][CA_ID={8}] token certificate renewal request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL
+# - used for TPS when token certificate retrieval request is made;
+# usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+# - used for TPS when token certificate key recovery request is made
+#
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
#
# LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST
# - used when a token certificate status change request (e.g. revocation)
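Review bot: `LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9` and `LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9` keep their `_9` suffix while the field list is reordered (MSN and AppletVersion removed, IP and Info added, SubjectID moving from {0} to {1}), so a caller still built for the old ordering keeps resolving the same key and writes mislabelled audit fields without any error; a suffix bump, or a check of every `_ENROLLMENT_9`/`_RENEWAL_9` call site outside this diff, would rule that out. The new `[Info={8}]` and `[Info={9}]` slots hold free-form failure detail; if that detail can include text from a remote CA/KRA response, a `]` or line break in it would break the one-bracketed-record-per-line layout a signed-audit parser depends on, so the value should be stripped or escaped before it reaches the template unless that already happens on the formatting path. Stating the expectation in the comment, e.g. `# - Info is free-form; callers must strip newlines and ']' before passing it`, makes the contract visible.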
@@ -2556,23 +2569,70 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[[AuditEvent
# CertSerialNum must be the serial number (in hex) of the certificate to be revoked
# RequestType must be "revoke", "on-hold", "off-hold"
#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_7=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][SubjectID={0}][Outcome={1}][tokenType={2}][CUID={3}][CertSerialNum={4}][RequestType={5}][CA_ID={6}] token certificate revocation/unrevocation request made
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
#
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_REQUEST
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
# - used when token pin reset request is made
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_REQUEST_7=<type=TOKEN_PIN_RESET_REQUEST>:[AuditEvent=TOKEN_PIN_RESET_REQUEST][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}] token pin reset request made
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6=<type=TOKEN_PIN_RESET_SUCCESS>:[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
+# - used when token pin reset request failed
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6=<type=TOKEN_PIN_RESET_FAILURE>:[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
+# - used when token op request made
+# - OP can be "format", "enroll", or "pinReset"
+LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token op request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
+# - used when token format op succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9=<type=TOKEN_FORMAT_SUCCESS>:[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
+# - used when token format op failed
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=<type=TOKEN_FORMAT_FAILURE>:[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
+# - used when token apple upgrade succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9=<type=TOKEN_APPLET_UPGRADE_SUCCESS>:[AuditEvent=TOKEN_APPLET_UPGRADE_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade success
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
+# - used when token apple upgrade failed
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9=<type=TOKEN_APPLET_UPGRADE_FAILURE>:[AuditEvent=TOKEN_APPLET_UPGRADE_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}][Info={8}] token applet upgrade failure
#
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_REQUEST
-# - used when token format request is made
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_REQUEST_7=<type=TOKEN_FORMAT_REQUEST>:[AuditEvent=TOKEN_FORMAT_REQUEST][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][KeyVersion={6}] token format request made
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
+# - used when token key changeover is required
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
#
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE
-# - used when token apple upgrade occurs
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_8=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][oldAppletVersion={6}][newAppletVersion={7}] token applet upgrade
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
+# - used when token key changeover succeeded
+# - Info usually is unused for success
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10=<type=TOKEN_KEY_CHANGEOVER_SUCCESS>:[AuditEvent=TOKEN_KEY_CHANGEOVER_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
+# - used when token key changeover failed
+# - Info is used for storing more info in case of failure
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10=<type=TOKEN_KEY_CHANGEOVER_FAILURE>:[AuditEvent=TOKEN_KEY_CHANGEOVER_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
+# - used when authentication failed
+# Outcome should always be "failure" in this event
+# (obviously, if authentication failed, you won't have a valid SubjectID, so
+# in this case, AttemptedID is recorded)
+# AuthMgr must be the authentication manager instance name that did
+# this authentication
+#
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9=<type=TOKEN_AUTH_FAILURE>:[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
+# - used when authentication succeeded
+# Outcome should always be "success" in this event
+# AuthMgr must be the authentication manager instance name that did
+# this authentication
#
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER
-# - used when token applet upgrade occurs
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_8=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER][SubjectID={0}][CUID={1}][MSN={2}][Outcome={3}][tokenType={4}][AppletVersion={5}][oldKeyVersion={6}][newKeyVersion={7}] token key changeover
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9=<type=TOKEN_AUTH_SUCCESS>:[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success
#
# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
# - used when configuring general TPS
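Review bot: The comments on the two applet-upgrade events read `# - used when token apple upgrade succeeded` and `# - used when token apple upgrade failed`; `apple` should be `applet`. Renaming `TOKEN_PIN_RESET_REQUEST_7` to `TOKEN_PIN_RESET_SUCCESS_6`/`TOKEN_PIN_RESET_FAILURE_6` and moving `TOKEN_CERT_STATUS_CHANGE_REQUEST_7` to `_10` changes string keys, so any caller not updated in this commit fails only at runtime with a missing-message lookup rather than at compile time; the TPSProcessor changes that presumably update them are outside this view, so a search for the old keys is worth doing before merge. The commit message lists `TOKEN_KEY_CHANGEOVER` while the keys here are `TOKEN_KEY_CHANGEOVER_REQUIRED`, `_SUCCESS` and `_FAILURE`; aligning the description with the real event names helps whoever configures `log.instance.SignedAudit.events`.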
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index d050060d9..d68290195 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1650,6 +1650,13 @@ public class CMSEngine implements ICMSEngine {
return getLogMessage(msgID, params);
}
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8, String p9, String p10) {
+ String params[] = { p1, p2, p3, p4, p5, p6, p7, p8, p9, p10 };
+
+ return getLogMessage(msgID, params);
+ }
+
public void getSubjAltNameConfigDefaultParams(String name,
Vector<String> params) {
GeneralNameUtil.SubjAltNameGN.getDefaultParams(name, params);
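Review bot: The new `getLogMessage` in CMSEngine declares its local with C-style array syntax, `String params[] = { ... };`; the Java form is `String[] params = { p1, p2, p3, p4, p5, p6, p7, p8, p9, p10 };`. Since the method implements the declaration this commit adds to ICMSEngine, it should carry `@Override` so a later drift between interface and implementation is caught at compile time; the same applies to the CMSEngineDefaultStub hunk below. A `/** {@inheritDoc} */` or one-line summary would keep the new overload documented on the implementation side as well.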
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index 5d43af7d1..2b85eacac 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -253,6 +253,11 @@ public class CMSEngineDefaultStub implements ICMSEngine {
return null;
}
+ public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
+ String p7, String p8, String p9, String p10) {
+ return null;
+ }
+
public IACL parseACL(String resACLs) throws EACLsException {
return null;
}
diff --git a/base/tps/shared/conf/CS.cfg.in b/base/tps/shared/conf/CS.cfg.in
index 82801f2fb..e9f9ffaa6 100644
--- a/base/tps/shared/conf/CS.cfg.in
+++ b/base/tps/shared/conf/CS.cfg.in
@@ -209,11 +209,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=##
log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_REQUEST,TOKEN_FORMAT_REQUEST,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIREDTOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
log.instance.SignedAudit._006=##
log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,AUTH_FAIL,ROLE_ASSUME,AUTHZ_SUCCESS,AUTHZ_FAIL,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_REQUEST,TOKEN_FORMAT_REQUEST,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE
+log.instance.SignedAudit.events=SELFTESTS_EXECUTION,AUTHZ_SUCCESS,AUTHZ_FAIL,AUTH_FAIL,AUTH_SUCCESS,AUTH_FAIL,ROLE_ASSUME,AUTHZ_SUCCESS,AUTHZ_FAIL,CIMC_CERT_VERIFICATION,CONFIG_SIGNED_AUDIT,CONFIG_ROLE,CONFIG_AUTH,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER_SUCCESS,TOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_GENERAL,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
log.instance.SignedAudit.unselected.events=
log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
log.instance.SignedAudit.expirationTime=0
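Review bot: The tail of the rewritten `log.instance.SignedAudit._005` list reads `TOKEN_KEY_CHANGEOVER_REQUIREDTOKEN_KEY_CHANGEOVER_FAILURE` — a missing comma fuses two names — and omits `TOKEN_KEY_CHANGEOVER_SUCCESS`, which the `log.instance.SignedAudit.events=` line just below does include; it should read `TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER_SUCCESS,TOKEN_KEY_CHANGEOVER_FAILURE`. Because `_005` is the operator-facing catalogue of selectable events, an administrator who copies from it would silently leave the success event out of the audit configuration. The `events=` line also still lists `AUTH_FAIL`, `AUTHZ_SUCCESS` and `AUTHZ_FAIL` twice; that predates this commit, but deduplicating while the line is being rewritten costs nothing.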
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java
index 9c83e0842..702038f8c 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CAEnrollCertResponse.java
@@ -34,6 +34,11 @@ public class CAEnrollCertResponse extends RemoteResponse
nameValTable = ht;
}
+ public CAEnrollCertResponse(String connid, Hashtable<String, Object> ht) {
+ setConnID(connid);
+ nameValTable = ht;
+ }
+
public String getCertB64() {
return (String) nameValTable.get(IRemoteRequest.CA_RESPONSE_Certificate_b64);
}
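Review bot: The new constructor `CAEnrollCertResponse(String connid, Hashtable<String, Object> ht)` repeats the `nameValTable = ht;` assignment that the one-argument constructor ending at the hunk's first line already performs; chaining with `this(ht); setConnID(connid);` keeps a single place that initialises the table. The same duplication appears in the CARenewCertResponse, CARetrieveCertResponse, CARevokeCertResponse, KRARecoverKeyResponse and KRAServerSideKeyGenResponse hunks. Because the one-argument constructors remain, a response built through them carries no connector id and `getConnID()` returns null; a Javadoc line on the new constructor, `@param connid id of the connector that produced this response; recorded in the CA_ID/KRA_ID audit fields`, would steer future callers to the right one — the audit-field use is inferred from the commit description, so confirm.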
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
index d70bf5d79..0a68e6583 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
@@ -263,7 +263,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
}
CMS.debug("CARemoteRequestHandler: enrollCertificate(): ends.");
- return new CAEnrollCertResponse(response);
+ return new CAEnrollCertResponse(connid, response);
} else {
CMS.debug("CARemoteRequestHandler: enrollCertificate(): no response content");
throw new EBaseException("CARemoteRequestHandler: enrollCertificate(): no response content.");
@@ -360,7 +360,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
}
CMS.debug("CARemoteRequestHandler: retrieveCertificate(): ends.");
- return new CARetrieveCertResponse(response);
+ return new CARetrieveCertResponse(connid, response);
} else {
CMS.debug("CARemoteRequestHandler: retrieveCertificate(): no response content");
throw new EBaseException("CARemoteRequestHandler: retrieveCertificate(): no response content.");
@@ -471,7 +471,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
}
CMS.debug("CARemoteRequestHandler: renewCertificate(): ends.");
- return new CARenewCertResponse(response);
+ return new CARenewCertResponse(connid, response);
} else {
CMS.debug("CARemoteRequestHandler: renewCertificate(): no response content");
throw new EBaseException("CARemoteRequestHandler: renewCertificate(): no response content.");
@@ -542,7 +542,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
response.put(IRemoteRequest.RESPONSE_STATUS, ist);
CMS.debug("CARemoteRequestHandler: revokeCertificate(): ends.");
- return new CARevokeCertResponse(response);
+ return new CARevokeCertResponse(connid, response);
} else {
CMS.debug("CARemoteRequestHandler: revokeCertificate(): no response content.");
throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): no response content.");
@@ -605,7 +605,7 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
response.put(IRemoteRequest.RESPONSE_STATUS, ist);
CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): ends.");
- return new CARevokeCertResponse(response);
+ return new CARevokeCertResponse(connid, response);
} else {
CMS.debug("CARemoteRequestHandler: unrevokeCertificate(): no response content.");
throw new EBaseException("CARemoteRequestHandler: unrevokeCertificate(): no response content.");
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java
index bb9ebbb44..ad1edef28 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARenewCertResponse.java
@@ -34,6 +34,11 @@ public class CARenewCertResponse extends RemoteResponse
nameValTable = ht;
}
+ public CARenewCertResponse(String connid, Hashtable<String, Object> ht) {
+ setConnID(connid);
+ nameValTable = ht;
+ }
+
public String getRenewedCertB64() {
return (String) nameValTable.get(IRemoteRequest.CA_RESPONSE_Certificate_b64);
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java
index b9150c456..8889dc55a 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARetrieveCertResponse.java
@@ -38,6 +38,11 @@ public class CARetrieveCertResponse extends RemoteResponse
nameValTable = ht;
}
+ public CARetrieveCertResponse(String connid, Hashtable<String, Object> ht) {
+ setConnID(connid);
+ nameValTable = ht;
+ }
+
public String getCertB64() {
return (String) nameValTable.get(IRemoteRequest.CA_RESPONSE_Certificate_chain_b64);
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java
index d7db5976c..f72a0cf09 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARevokeCertResponse.java
@@ -33,6 +33,11 @@ public class CARevokeCertResponse extends RemoteResponse
nameValTable = ht;
}
+ public CARevokeCertResponse(String connid, Hashtable<String, Object> ht) {
+ setConnID(connid);
+ nameValTable = ht;
+ }
+
public String getErrorString() {
return (String) nameValTable.get(IRemoteRequest.RESPONSE_ERROR_STRING);
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java
index 9d0c5ff5f..aa9780995 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARecoverKeyResponse.java
@@ -33,6 +33,11 @@ public class KRARecoverKeyResponse extends RemoteResponse
nameValTable = ht;
}
+ public KRARecoverKeyResponse(String connid, Hashtable<String, Object> ht) {
+ setConnID(connid);
+ nameValTable = ht;
+ }
+
public String getErrorString() {
return (String) nameValTable.get(IRemoteRequest.RESPONSE_ERROR_STRING);
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
index 89304cbc9..1f7347ddd 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRARemoteRequestHandler.java
@@ -208,7 +208,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler
}
CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): ends.");
- return new KRAServerSideKeyGenResponse(response);
+ return new KRAServerSideKeyGenResponse(connid, response);
} else {
CMS.debug("KRARemoteRequestHandler: serverSideKeyGen(): no response content.");
throw new EBaseException("KRARemoteRequestHandler: serverSideKeyGen(): no response content.");
@@ -352,7 +352,7 @@ public class KRARemoteRequestHandler extends RemoteRequestHandler
}
CMS.debug("KRARemoteRequestHandler: recoverKey(): ends.");
- return new KRARecoverKeyResponse(response);
+ return new KRARecoverKeyResponse(connid, response);
} else {
CMS.debug("KRARemoteRequestHandler: recoverKey(): no response content.");
throw new EBaseException("KRARemoteRequestHandler: recoverKey(): no response content.");
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java
index 1836bcdbd..11c5a944e 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/KRAServerSideKeyGenResponse.java
@@ -33,6 +33,11 @@ public class KRAServerSideKeyGenResponse extends RemoteResponse
nameValTable = ht;
}
+ public KRAServerSideKeyGenResponse(String connid, Hashtable<String, Object> ht) {
+ setConnID(connid);
+ nameValTable = ht;
+ }
+
public String getErrorString() {
return (String) nameValTable.get(IRemoteRequest.RESPONSE_ERROR_STRING);
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java
index ceed1c11c..b594df920 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteRequestHandler.java
@@ -88,4 +88,8 @@ public abstract class RemoteRequestHandler
}
}
+ protected String getConnid() {
+ return connid;
+ }
+
}
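Review bot: `getConnid()` is added to RemoteRequestHandler, yet the CARemoteRequestHandler and KRARemoteRequestHandler hunks above reference the `connid` field directly in calls such as `new CAEnrollCertResponse(connid, response)`, so the getter has no caller in this commit; if `connid` is private in the base class (its declaration is outside this hunk) those direct references would not compile, which suggests it is protected and the getter is redundant, or the subclasses should be switched to use it. The casing also differs from the `setConnID`/`getConnID` pair added to RemoteResponse in the next hunk; one spelling across both classes (`getConnId`, treating the acronym as a word) avoids two names for the same concept. A one-line Javadoc, `/** @return id of the connector this handler sends requests to */`, would document the accessor.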
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java
index c2c7818b0..bf6f82f29 100644
--- a/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/RemoteResponse.java
@@ -28,8 +28,17 @@ import org.dogtagpki.server.connector.IRemoteRequest;
*/
public abstract class RemoteResponse
{
+ private String connId;
protected Hashtable<String, Object> nameValTable;
+ protected void setConnID(String connid) {
+ connId = connid;
+ }
+
+ public String getConnID() {
+ return connId;
+ }
+
public int getStatus() {
Integer iValue = (Integer) nameValTable.get(IRemoteRequest.RESPONSE_STATUS);
if (iValue == null)
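Review bot: `connId` is only assigned through `setConnID`, which the subclass hunks call from their new two-argument constructors; responses created through the older one-argument constructors, which remain in place, leave it null, so `getConnID()` can hand null to whatever code fills the `CA_ID`/`KRA_ID` audit fields. Either document that, e.g. `/** @return id of the connector that produced this response, or {@code null} if none was set */`, or have `setConnID` reject a missing id with `Objects.requireNonNull(connid, "connid")` if a null connector id is never legitimate. A one-line comment on the `private String connId;` field saying what a connector id is in this context would help readers who come to this class from the audit side.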
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java
index b5574760e..bcbb10be4 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/AppletInfo.java
@@ -9,6 +9,7 @@ public class AppletInfo {
private byte minorVersion;
private byte appMajorVersion;
private byte appMinorVersion;
+ private String finalAppletVersion = null;
private TPSBuffer aid;
private TPSBuffer cuid;
@@ -26,6 +27,14 @@ public class AppletInfo {
}
+ public void setFinalAppletVersion(String appletVersion) {
+ finalAppletVersion = appletVersion;
+ }
+
+ public String getFinalAppletVersion() {
+ return finalAppletVersion;
+ }
+
public void setKDD(TPSBuffer theKDD) {
kdd = new TPSBuffer(theKDD);
}
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 89e119135..46421068f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -13,11 +13,6 @@ import java.util.Map;
import java.util.Random;
import java.util.zip.DataFormatException;
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.X509CertImpl;
-
import org.dogtagpki.server.tps.TPSSession;
import org.dogtagpki.server.tps.TPSSubsystem;
import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -57,8 +52,6 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
@@ -66,6 +59,12 @@ import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.cmsutil.util.Utils;
+import netscape.security.provider.RSAPublicKey;
+//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.X509CertImpl;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
public class TPSEnrollProcessor extends TPSProcessor {
public TPSEnrollProcessor(TPSSession session) {
@@ -91,6 +90,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
String method = "TPSEnrollProcessor.enroll:";
CMS.debug(method + " entering...");
String logMsg = null;
+ String auditInfo = null;
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
TPSTokenPolicy tokenPolicy = new TPSTokenPolicy(tps);
IConfigStore configStore = CMS.getConfigStore();
@@ -100,9 +100,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
TokenRecord tokenRecord = null;
try {
appletInfo = getAppletInfo();
+ auditOpRequest("enroll", appletInfo, "success", null);
} catch (TPSException e) {
- logMsg = e.toString();
- tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
+ auditInfo = e.toString();
+ // appletInfo is null as expected at this point
+ // but audit for the record anyway
+ auditOpRequest("enroll", appletInfo, "failure", auditInfo);
+ tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), auditInfo,
"failure");
throw e;
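Review bot: `auditOpRequest` is invoked with `appletInfo` that the author's own comment says is null on this path, and the helper is not in this diff, so its null handling cannot be confirmed from here; if it dereferences `aInfo.getCUIDhexStringPlain()` the way `auditEnrollment` does (L850), the NPE would replace the TPSException being rethrown. The sibling helper `auditPinReset` (L952) guards with `(aInfo != null) ? aInfo.getCUIDhexStringPlain() : null`, which is the pattern to confirm in `auditOpRequest`. The same call shape appears in the pin-reset hunk at L893-903 and the format hunk at L1095-1111.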
@@ -152,12 +156,15 @@ public class TPSEnrollProcessor extends TPSProcessor {
throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
}
+ TPSAuthenticator userAuth = null;
try {
CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: calling requestUserId");
- TPSAuthenticator userAuth =
- getAuthentication(authId);
+ userAuth = getAuthentication(authId);
processAuthentication(TPSEngine.ENROLL_OP, userAuth, cuid, tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
} catch (Exception e) {
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
// all exceptions are considered login failure
CMS.debug(method + ": authentication exception thrown: " + e);
logMsg = "ExternalReg authentication failed, status = STATUS_ERROR_LOGIN";
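Review bot: The failure audit passes `(userAuth != null) ? userAuth.getID() : null` although `authId` is in scope and is exactly what the success call two lines above passes; when `getAuthentication(authId)` is the call that throws, `userAuth` is still null and the failure event loses the authenticator id, which is the most useful field for an auth failure. `auditAuth(userid, currentTokenOperation, appletInfo, "failure", authId);` keeps it in both cases. The same pattern is in the format hunk at L1112-1127. The enclosing `enroll` body continues outside the hunk.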
@@ -206,32 +213,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
}
session.setExternalRegAttrs(erAttrs);
- if (erAttrs.getTokenType() != null) {
- CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: setting tokenType to tokenType attribute of user entry:"
- +
- erAttrs.getTokenType());
- setSelectedTokenType(erAttrs.getTokenType());
- } else {
- // get the default externalReg tokenType
- configName = "externalReg.default.tokenType";
- CMS.debug(method + " externalReg user entry does not contain tokenType...setting to default config: "
- + configName);
- try {
- tokenType = configStore.getString(configName,
- "externalRegAddToToken");
- CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: setting tokenType to default:" +
- tokenType);
- setSelectedTokenType(tokenType);
- } catch (EBaseException e) {
- CMS.debug(method + " Internal Error obtaining mandatory config values. Error: "
- + e);
- logMsg = "TPS error getting config values from config store." + e.toString();
- tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
- "failure");
-
- throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
- }
- }
+ setExternalRegSelectedTokenType(erAttrs);
CMS.debug("In TPSEnrollProcessor.enroll isExternalReg: about to process keySet resolver");
/*
@@ -343,7 +325,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
// isExternalReg : user already authenticated earlier
if (!isExternalReg)
- checkAndAuthenticateUser(appletInfo, tokenType);
+ checkAndAuthenticateUser(appletInfo, getSelectedTokenType());
if (do_force_format) {
CMS.debug(method + " About to force format first due to policy.");
@@ -582,6 +564,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
CMS.debug(method + " tokendb updated with certs to the cuid so that it reflects what's on the token");
logMsg = "appletVersion=" + lastObjVer + "; tokenType =" + selectedTokenType + "; userid =" + userid;
+ CMS.debug(method + logMsg);
tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
"success");
@@ -1216,6 +1199,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
String method = "TPSEnrollProcessor.externalRegRecover:";
String logMsg;
+ String auditInfo;
CMS.debug(method + "begins");
TPSStatus status = TPSStatus.STATUS_ERROR_RECOVERY_IS_PROCESSED;
if (session == null || session.getExternalRegAttrs() == null ||
@@ -1322,10 +1306,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
keyResp = kraRH.recoverKey(cuid, userid, Util.specialURLEncode(channel.getDRMWrappedDesKey()),
null, keyid);
if (keyResp == null) {
- logMsg = "recovering key not found";
- CMS.debug(method + logMsg);
+ auditInfo = "recovering key not found";
+ auditRecovery(userid, appletInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(),
+ serial, caConn,
+ kraConn, auditInfo);
+ CMS.debug(method + auditInfo);
return TPSStatus.STATUS_ERROR_RECOVERY_FAILED;
}
+ auditRecovery(userid, appletInfo, "success",
+ channel.getKeyInfoData().toHexStringPlain(),
+ serial, caConn,
+ kraConn, null);
}
CertEnrollInfo cEnrollInfo = new CertEnrollInfo();
@@ -1837,15 +1829,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
try {
caRH = new CARemoteRequestHandler(caConnId);
- CARevokeCertResponse response =
- caRH.revokeCertificate(false /*unrevoke*/, serialToRecover,
- certToRecover.getCertificate(),
- null);
+ CARevokeCertResponse response = caRH.revokeCertificate(false /*unrevoke*/, serialToRecover,
+ certToRecover.getCertificate(),
+ null);
CMS.debug(method + ": response status =" + response.getStatus());
+ auditRevoke(certToRecover.getTokenID(), false /*off-hold*/, -1 /*na*/,
+ String.valueOf(response.getStatus()), serialToRecover, caConnId, null);
} catch (EBaseException e) {
logMsg = "failed getting CARemoteRequestHandler";
CMS.debug(method + ":" + logMsg);
+ auditRevoke(certToRecover.getTokenID(), false/*off-hold*/, -1 /*na*/, "failure",
+ serialToRecover, caConnId, logMsg);
throw new TPSException(method + ":" + logMsg, TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
}
}
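Review bot: The success branch audits `String.valueOf(response.getStatus())` as the status field, a numeric code, while every other audit call in this commit records the literal `"success"` or `"failure"`; what a non-zero status from `revokeCertificate` means is not visible here, but if it indicates the CA rejected the request, the event would carry a number instead of `"failure"` and anything filtering on the status string would miss it. Consider mapping `getStatus()` to the same two literals and carrying the raw code in the info argument. The identical pattern is at L1037-1054 in TPSProcessor's revoke path.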
@@ -2182,6 +2177,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
SecureChannel channel, TPSEngine.ENROLL_MODES mode)
throws TPSException, IOException {
+ String auditInfo = null;
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: entering ... mode: " + mode);
if (certsInfo == null || aInfo == null || cEnrollInfo == null || channel == null) {
@@ -2209,8 +2205,11 @@ public class TPSEnrollProcessor extends TPSProcessor {
//Bomb out if cert exists, we ca't overwrite
if (certIdExists) {
+ auditInfo = "cert id exists on token; Overwrite of certificates not allowed";
+ auditEnrollment(userid, "enrollment", aInfo, "failure", channel.getKeyInfoData().toHexStringPlain(),
+ null, null /*caConnID*/, auditInfo);
throw new TPSException(
- "TPSEnrollProcessor.enrollOneCertificate: Overwrite of certificates not allowed!",
+ "TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
}
@@ -2231,8 +2230,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: detecting recovery mode!");
if (isRecovery && !serverSideKeyGen) {
+ auditInfo = "Attempting illegal recovery when archival is not enabled";
+ auditRecovery(userid, aInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(),
+ null, null,
+ null, auditInfo);
throw new TPSException(
- "TPSEnrollProcessor.enrollOneCertificate: Attempting illegal recovery when archival is not enabled!",
+ "TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
}
}
@@ -2250,14 +2254,14 @@ public class TPSEnrollProcessor extends TPSProcessor {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: either generate private key on the server, or preform recovery or perform renewal.");
boolean archive = checkForServerKeyArchival(cEnrollInfo);
- String drmConnId = getDRMConnectorID();
+ String kraConnId = getDRMConnectorID();
String publicKeyStr = null;
//Do this for JUST server side keygen
if (isRecovery == false) {
ssKeyGenResponse = getTPSEngine()
.serverSideKeyGen(cEnrollInfo.getKeySize(),
- aInfo.getCUIDhexStringPlain(), userid, drmConnId, channel.getDRMWrappedDesKey(),
+ aInfo.getCUIDhexStringPlain(), userid, kraConnId, channel.getDRMWrappedDesKey(),
archive, isECC);
publicKeyStr = ssKeyGenResponse.getPublicKey();
@@ -2286,10 +2290,19 @@ public class TPSEnrollProcessor extends TPSProcessor {
+ rsaKey.getKeySize());
}
} catch (InvalidKeyFormatException e) {
- String msg = "TPSEnrollProcessor.enrollOneCertificate, can't create public key object from server side key generated public key blob! "
+ auditInfo = "TPSEnrollProcessor.enrollOneCertificate, can't create public key object from server side key generated public key blob! "
+ e.toString();
- CMS.debug(msg);
- throw new TPSException(msg,
+ if (!isRecovery) { //servrSideKeygen
+ auditEnrollment(userid, "enrollment", aInfo, "failure", channel.getKeyInfoData().toHexStringPlain(),
+ BigInteger.ZERO, null /*caConnID*/, auditInfo);
+ } else {
+ auditRecovery(userid, aInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(),
+ null /*serial*/, null /*caConn*/,
+ kraConnId, auditInfo);
+ }
+ CMS.debug(auditInfo);
+ throw new TPSException(auditInfo,
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
} catch (InvalidKeyException e) {
String msg = "TPSEnrollProcessor.enrollOneCertificate, can't create public key object from server side key generated public key blob! "
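Review bot: Only the `InvalidKeyFormatException` branch gets an audit event; the `InvalidKeyException` catch that starts on the last two lines of this hunk appears to keep the old `String msg = ...` pattern, so one of two parse failures of the server-generated public key would leave no audit record (its body runs past the hunk, so verify). The same `if (!isRecovery) auditEnrollment(...) else auditRecovery(...)` block would apply there; extracting it into a small private helper taking the message would avoid duplicating it. Note also that this branch passes `BigInteger.ZERO` as the serial while the other failure calls pass `null`; both work with `auditEnrollment`, but one convention would be easier to read.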
@@ -2457,6 +2470,16 @@ public class TPSEnrollProcessor extends TPSProcessor {
}
String retCertB64 = caEnrollResp.getCertB64();
+ if (retCertB64 != null)
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert b64 =" + retCertB64);
+ else {
+ auditInfo = "new cert b64 not found";
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+ auditEnrollment(userid, "enrollment", aInfo, "failure", channel.getKeyInfoData().toHexStringPlain(),
+ BigInteger.ZERO, caConnID, auditInfo);
+ throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
+ TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
+ }
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + retCertB64);
@@ -2465,13 +2488,6 @@ public class TPSEnrollProcessor extends TPSProcessor {
TPSBuffer cert_bytes_buf = new TPSBuffer(cert_bytes);
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: retCertB64: " + cert_bytes_buf.toHexString());
- if (retCertB64 != null)
- CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert b64 =" + retCertB64);
- else {
- CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert b64 not found");
- throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert b64 not found",
- TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
- }
x509Cert = caEnrollResp.getCert();
if (x509Cert != null)
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: new cert retrieved");
@@ -2481,12 +2497,17 @@ public class TPSEnrollProcessor extends TPSProcessor {
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
}
+ auditEnrollment(userid, "enrollment", aInfo, "success", channel.getKeyInfoData().toHexStringPlain(),
+ x509Cert.getSerialNumber(), caConnID, null);
} else {
+ String caConnID = getCAConnectorID("keyGen", cEnrollInfo.getKeyType());
+
//Import the cert data from the CertEnrollObject or from Renewal object
CMS.debug("TPSEnrollProcessor.enrollOneCertificate: Attempt to import cert data in recovery mode or renew mode!");
if (isRecovery) {
+
CARetrieveCertResponse certResp = cEnrollInfo.getRecoveredCertData();
if (certResp == null) {
@@ -2512,11 +2533,18 @@ public class TPSEnrollProcessor extends TPSProcessor {
TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
}
x509Cert = certResp.getCert();
- if (x509Cert != null)
+ if (x509Cert != null) {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: recovering new cert retrieved");
- else {
- CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: recovering new cert not found");
- throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert not found",
+ auditEnrollment(userid, "retrieval", aInfo, "success",
+ channel.getKeyInfoData().toHexStringPlain(), x509Cert.getSerialNumber(),
+ certResp.getConnID(), null);
+ } else {
+ auditInfo = "recovering new cert not found";
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+ auditEnrollment(userid, "retrieval", aInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(), null /*unavailable*/,
+ certResp.getConnID(), auditInfo);
+ throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
TPSStatus.STATUS_ERROR_RECOVERY_FAILED);
}
@@ -2528,8 +2556,11 @@ public class TPSEnrollProcessor extends TPSProcessor {
CARenewCertResponse certResp = cEnrollInfo.getRenewedCertData();
if (certResp == null) {
+ auditInfo = "In renewal mode, CARemewCertResponse object not found!";
+ auditEnrollment(userid, "renewal", aInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(), null, caConnID, auditInfo);
throw new TPSException(
- "TPSEnrollProcessor.enrollOneCertificate: In renewal mode, CARemewCertResponse object not found!",
+ "TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
}
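Review bot: The `auditInfo` string carries the existing typo `CARemewCertResponse` into the signed audit log, where it is harder to correct later than in a debug line; `"In renewal mode, CARenewCertResponse object not found!"` is the intended text. The next hunk (L784-795) has the mirror problem: the audit text was corrected to `"renewing new cert b64 not found"` but the exception message on its last lines still reads `remewomg: new cert b64 not found`, so `"TPSEnrollProcessor.enrollOneCertificate: renewing: " + auditInfo` would keep the two consistent as the other branches do.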
@@ -2539,7 +2570,10 @@ public class TPSEnrollProcessor extends TPSProcessor {
if (retCertB64 != null)
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing: new cert b64 =" + retCertB64);
else {
- CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing new cert b64 not found");
+ auditInfo = "renewing new cert b64 not found";
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+ auditEnrollment(userid, "renewal", aInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(), null, certResp.getConnID(), auditInfo);
throw new TPSException(
"TPSEnrollProcessor.enrollOneCertificate: remewomg: new cert b64 not found",
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
@@ -2547,11 +2581,17 @@ public class TPSEnrollProcessor extends TPSProcessor {
x509Cert = certResp.getRenewedCert();
- if (x509Cert != null)
+ if (x509Cert != null) {
CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing new cert retrieved");
- else {
- CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: renewing new cert not found");
- throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: new cert not found",
+ auditEnrollment(userid, "renewal", aInfo, "success",
+ channel.getKeyInfoData().toHexStringPlain(), x509Cert.getSerialNumber(),
+ certResp.getConnID(), null);
+ } else {
+ auditInfo = "renewing new cert not found";
+ CMS.debug("TPSEnrollProcessor.enrollOneCertificate:: " + auditInfo);
+ auditEnrollment(userid, "renewal", aInfo, "failure",
+ channel.getKeyInfoData().toHexStringPlain(), null, certResp.getConnID(), auditInfo);
+ throw new TPSException("TPSEnrollProcessor.enrollOneCertificate: " + auditInfo,
TPSStatus.STATUS_ERROR_MAC_ENROLL_PDU);
}
@@ -3447,6 +3487,75 @@ public class TPSEnrollProcessor extends TPSProcessor {
return serialBI;
}
+ /*
+ * op can be "retrieval", "renewal", or "enrollment" (default)
+ */
+ private void auditEnrollment(String subjectID, String op,
+ AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ BigInteger serial,
+ String caConnId,
+ String info) {
+
+ // when serial is 0, means no serial, as in case of failure
+ String serialNum = "";
+ if (serial != null && serial.compareTo(BigInteger.ZERO) > 0)
+ serialNum = serial.toString();
+
+ String auditType = "";
+ switch (op) {
+ case "retrieval":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
+ break;
+ case "renewal":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ subjectID,
+ aInfo.getCUIDhexStringPlain(),
+ status,
+ getSelectedTokenType(),
+ keyVersion,
+ serialNum,
+ caConnId,
+ info);
+ audit(auditMessage);
+ }
+
+ private void auditRecovery(String subjectID, AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ BigInteger serial,
+ String caConnId,
+ String kraConnId,
+ String info) {
+
+ String serialNum = "";
+ if (serial.compareTo(BigInteger.ZERO) > 0)
+ serialNum = serial.toString();
+
+ String auditMessage = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10",
+ (session != null) ? session.getIpAddress() : null,
+ subjectID,
+ aInfo.getCUIDhexStringPlain(),
+ status,
+ getSelectedTokenType(),
+ keyVersion,
+ serialNum,
+ caConnId,
+ kraConnId,
+ info);
+ audit(auditMessage);
+ }
+
public static void main(String[] args) {
}
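Review bot: `auditRecovery` dereferences `serial` unconditionally (`serial.compareTo(BigInteger.ZERO)`), but the failure-path callers added in this commit pass `null` for it (L663-666 and L700-703 in enrollOneCertificate), so those paths would throw a NullPointerException from inside the audit helper instead of the intended TPSException, and no event would be written. The guard used a few lines up in `auditEnrollment` is the fix: `if (serial != null && serial.compareTo(BigInteger.ZERO) > 0)`. Both helpers also call `aInfo.getCUIDhexStringPlain()` without a null check, which is fine for enrollOneCertificate (it rejects a null aInfo at L647) but should be stated in a Javadoc `@param aInfo applet info, must not be null` so future callers know.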
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index 2c29b21e8..d9a79f4f0 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -72,8 +72,12 @@ public class TPSPinResetProcessor extends TPSProcessor {
try {
appletInfo = getAppletInfo();
+ auditOpRequest("pinReset", appletInfo, "success", null);
} catch (TPSException e) {
logMsg = e.toString();
+ // appletInfo is null as expected at this point
+ // but audit for the record anyway
+ auditOpRequest("pinReset", appletInfo, "failure", logMsg);
tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -85,9 +89,10 @@ public class TPSPinResetProcessor extends TPSProcessor {
if (tokenRecord == null) {
//We can't reset the pin of a token that does not exist.
-
- CMS.debug(method + ": Token does not exist!");
- throw new TPSException(method + " Can't reset pin of token that does not exist ",
+ logMsg = "Token does not exist!";
+ auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+ CMS.debug(method + ": " + logMsg);
+ throw new TPSException(method + logMsg +
TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
}
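Review bot: The rewritten throw joins the status into the message with `+` (`method + logMsg + TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU`) where the removed line passed it as the second constructor argument, so the exception is now built by the single-argument constructor and the MAC_RESET_PIN status code is no longer attached to it; the message also lacks a separator between `method` and `logMsg`. `throw new TPSException(method + ": " + logMsg, TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);` restores the original contract. Separately, the context line following the new `auditOpRequest` call in the previous hunk (L893-903) records the activity as `ActivityDatabase.OP_ENROLLMENT` inside the pin-reset processor while the hunk at L916-922 uses `OP_PIN_RESET`; that looks like a copy from the enroll processor and is worth fixing while this code is being touched.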
@@ -122,6 +127,7 @@ public class TPSPinResetProcessor extends TPSProcessor {
}
} catch (TPSException e) {
logMsg = e.toString();
+ auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -144,6 +150,9 @@ public class TPSPinResetProcessor extends TPSProcessor {
checkAndHandlePinReset(channel);
+ auditPinReset(session.getIpAddress(), userid, appletInfo, "success",
+ channel.getKeyInfoData().toHexStringPlain(), null);
+
try {
tps.tdb.tdbUpdateTokenEntry(tokenRecord);
CMS.debug(method + ": token record updated!");
@@ -165,6 +174,33 @@ public class TPSPinResetProcessor extends TPSProcessor {
}
+ protected void auditPinReset(String ip, String subjectID,
+ AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ String info) {
+
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ ip,
+ subjectID,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ status,
+ getSelectedTokenType(),
+ keyVersion,
+ info);
+ audit(auditMessage);
+ }
+
public static void main(String[] args) {
// TODO Auto-generated method stub
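Review bot: `auditPinReset` takes the client address as an `ip` parameter, and every caller in this file passes `session.getIpAddress()`, while the enrollment helpers added in the same commit read `session.getIpAddress()` themselves; one convention across the `audit*` helpers would make them easier to call correctly. A short Javadoc would also help, e.g. `/** Emits the TOKEN_PIN_RESET_SUCCESS/FAILURE audit event; any status other than "success" is recorded as a failure. */`, since the `switch` default silently treats every non-"success" value as a failure.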
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index bf757c722..05742842f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -88,6 +88,7 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.symkey.SessionKey;
@@ -130,6 +131,8 @@ public class TPSProcessor {
ProfileDatabase profileDatabase = new ProfileDatabase();
+ protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
public TPSProcessor(TPSSession session) {
setSession(session);
}
@@ -903,10 +906,12 @@ public class TPSProcessor {
APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, cardMgrAIDBuff);
if (!select.checkResult()) {
- throw new TPSException("TPSProcessor.upgradeApplet: Can't selelect the card manager!");
+ String logMsg = "Can't selelect the card manager!";
+ auditAppletUpgrade(appletInfo, "failure", null /*unavailable*/, new_version, logMsg);
+ throw new TPSException("TPSProcessor.upgradeApplet:" + logMsg);
}
- SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId,appletInfo);
+ SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId, appletInfo);
channel.externalAuthenticate();
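Review bot: The message assigned to `logMsg` keeps the typo `selelect` and now feeds the audit event as well as the exception, so it is worth correcting while the line is being rewritten: `String logMsg = "Can't select the card manager!";`. The enclosing `upgradeApplet` body starts and ends outside the hunk.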
@@ -928,9 +933,13 @@ public class TPSProcessor {
select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAIDBuff);
if (!select.checkResult()) {
- throw new TPSException("TPSProcessor.upgradeApplet: Cannot select newly created applet!",
+ String logMsg = "Cannot select newly created applet!";
+ auditAppletUpgrade(appletInfo, "failure", channel.getKeyInfoData().toHexStringPlain(), new_version, logMsg);
+ throw new TPSException("TPSProcessor.upgradeApplet: " + logMsg,
TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
}
+
+ auditAppletUpgrade(appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), new_version, null);
tokenRecord.setAppletID(new_version);
}
@@ -1071,6 +1080,7 @@ public class TPSProcessor {
tokenRecord.setUserID(userid);
authToken = authenticateUser(op, userAuth, userCred);
userid = authToken.getInString("userid");
+
tokenRecord.setUserID(userid);
CMS.debug(method + " auth token userid=" + userid);
}
@@ -1328,16 +1338,16 @@ public class TPSProcessor {
throw new TPSException("TPSProcessor.isTokenRecordPresent: invalid input data.");
}
- CMS.debug("TPSEnrollProcessor.isTokenRecordPresent: " + appletInfo.getCUIDhexString());
+ CMS.debug("TPSProcessor.isTokenRecordPresent: " + appletInfo.getCUIDhexString());
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
TokenRecord tokenRecord = null;
try {
tokenRecord = tps.tdb.tdbGetTokenEntry(appletInfo.getCUIDhexStringPlain());
// now the in memory tokenRecord is replaced by the actual token data
- CMS.debug("TPSEnrollProcessor.enroll: found token...");
+ CMS.debug("TPSProcessor.enroll: found token...");
} catch (Exception e) {
- CMS.debug("TPSEnrollProcessor.enroll: token does not exist in tokendb... create one in memory");
+ CMS.debug("TPSProcessor.enroll: token does not exist in tokendb... create one in memory");
}
return tokenRecord;
@@ -1432,7 +1442,6 @@ public class TPSProcessor {
/*
* revokeCertificates revokes certificates on the token specified
* @param cuid the cuid of the token to revoke certificates
- * @return logMsg captures the audit message
* @throws TPSException in case of error
*
* TODO: maybe make this a callback function later
@@ -1536,13 +1545,15 @@ public class TPSProcessor {
CMS.debug(method + ": found cert hex serial: " + serial +
" dec serial:" + serialStr);
try {
- CARevokeCertResponse response =
- caRH.revokeCertificate(true, serialStr, cert.getCertificate(),
- revokeReason);
+ CARevokeCertResponse response = caRH.revokeCertificate(true, serialStr, cert.getCertificate(),
+ revokeReason);
CMS.debug(method + ": response status =" + response.getStatus());
+ auditRevoke(cuid, true, revokeReason.getCode(), String.valueOf(response.getStatus()), serialStr,
+ caConnId, null);
} catch (EBaseException e) {
logMsg = method + ": revokeCertificate from CA failed:" + e;
CMS.debug(logMsg);
+ auditRevoke(cuid, true, revokeReason.getCode(), "failure", serialStr, caConnId, null);
if (revokeReason == RevocationReason.CERTIFICATE_HOLD) {
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, session.getTokenRecord(),
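Review bot: The failure audit passes `null` as the info argument even though `logMsg`, which already contains the exception text, is built on the line above; the equivalent catch in TPSEnrollProcessor (L634-638) does pass its message, so the two revoke failure events would differ in detail for no reason. `auditRevoke(cuid, true, revokeReason.getCode(), "failure", serialStr, caConnId, logMsg);` keeps the cause in the record. The enclosing method continues outside the hunk.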
@@ -1731,6 +1742,41 @@ public class TPSProcessor {
return erAttrs;
}
+ protected void setExternalRegSelectedTokenType(ExternalRegAttrs erAttrs)
+ throws TPSException {
+ String method = "TPSProcessor.setExternalRegSelectedTokenType: ";
+ IConfigStore configStore = CMS.getConfigStore();
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+
+ CMS.debug(method + " begins");
+ if (erAttrs == null || erAttrs.getTokenType() == null) {
+ // get the default externalReg tokenType
+ String configName = "externalReg.default.tokenType";
+ CMS.debug(method + "erAttrs null or externalReg user entry does not contain tokenType...setting to default config: "
+ + configName);
+ try {
+ String tokenType = configStore.getString(configName,
+ "externalRegAddToToken");
+ CMS.debug(method + " setting tokenType to default:" +
+ tokenType);
+ setSelectedTokenType(tokenType);
+ } catch (EBaseException e) {
+ CMS.debug(method + " Internal Error obtaining mandatory config values. Error: "
+ + e);
+ String logMsg = "TPS error getting config values from config store." + e.toString();
+ tps.tdb.tdbActivity(currentTokenOperation, session.getTokenRecord(), session.getIpAddress(), logMsg,
+ "failure");
+
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+ }
+ } else {
+ CMS.debug(method + " setting tokenType to tokenType attribute of user entry:"
+ +
+ erAttrs.getTokenType());
+ setSelectedTokenType(erAttrs.getTokenType());
+ }
+ }
+
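Review bot: `setExternalRegSelectedTokenType` records the config failure against `session.getTokenRecord()` and `currentTokenOperation`, whereas the enroll code it replaces (L549-580) used the caller's local `tokenRecord` and `ActivityDatabase.OP_ENROLLMENT`; whether the session's token record is already populated at the point enroll calls this helper is not visible here, so confirm that the activity entry does not end up with a null token record. The method also warrants a Javadoc describing the contract, along the lines of `/** Selects the token type for an external-registration operation: the user entry's tokenType if present, else the externalReg.default.tokenType config value. @throws TPSException if the default cannot be read. */`.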
protected void format(boolean skipAuth) throws TPSException, IOException {
IConfigStore configStore = CMS.getConfigStore();
@@ -1738,14 +1784,19 @@ public class TPSProcessor {
String logMsg = null;
String appletVersion = null;
+ CMS.debug("TPSProcessor.format begins");
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
AppletInfo appletInfo = null;
TokenRecord tokenRecord = null;
try {
appletInfo = getAppletInfo();
+ auditOpRequest("format", appletInfo, "success", null);
} catch (TPSException e) {
logMsg = e.toString();
+ // appletInfo is null as expected at this point
+ // but audit for the record anyway
+ auditOpRequest("format", appletInfo, "failure", logMsg);
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -1849,12 +1900,15 @@ public class TPSProcessor {
throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
}
+ TPSAuthenticator userAuth = null;
try {
- TPSAuthenticator userAuth =
- getAuthentication(authId);
+ userAuth = getAuthentication(authId);
processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
} catch (Exception e) {
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
// all exceptions are considered login failure
CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
@@ -1892,7 +1946,8 @@ public class TPSProcessor {
}
test ends */
- setSelectedTokenType(erAttrs.getTokenType());
+ setExternalRegSelectedTokenType(erAttrs);
+// setSelectedTokenType(erAttrs.getTokenType());
}
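Review bot: The commented-out line `// setSelectedTokenType(erAttrs.getTokenType());` left under the new call is dead code that version control already preserves; drop it rather than leave readers guessing whether the old call is still needed. The enclosing `format` body continues outside the hunk.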
CMS.debug("In TPSProcessor.format: isExternalReg: about to process keySet resolver");
/*
@@ -1961,8 +2016,11 @@ public class TPSProcessor {
CMS.debug("TPSProcessor.format: getting config: " + configName);
isAuthRequired = configStore.getBoolean(configName, true);
} catch (EBaseException e) {
- CMS.debug("TPSProcessor.format: Internal Error obtaining mandatory config values. Error: " + e);
- logMsg = "TPS error getting config values from config store." + e.toString();
+ String info = " Internal Error obtaining mandatory config values. Error: " + e;
+ auditFormat(userid, appletInfo, "failure",
+ null, info);
+ CMS.debug("TPSProcessor.format: " + info);
+ logMsg = "TPS error: " + info;
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -1970,11 +2028,15 @@ public class TPSProcessor {
}
if (isAuthRequired && !skipAuth) {
+ TPSAuthenticator userAuth = null;
try {
- TPSAuthenticator userAuth =
- getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
+ userAuth = getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success",
+ (userAuth != null) ? userAuth.getID() : null);
} catch (Exception e) {
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
// all exceptions are considered login failure
CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
@@ -1997,12 +2059,12 @@ public class TPSProcessor {
// Check for transition to 0/UNINITIALIZED status.
if (!tps.engine.isOperationTransitionAllowed(tokenRecord.getTokenStatus(), newState)) {
- CMS.debug("TPSProcessor.format: token transition disallowed " +
- tokenRecord.getTokenStatus() +
- " to " + newState);
- logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() +
- " Disabled, illegal transition attempted " + tokenRecord.getTokenStatus() +
+ String info = " illegal transition attempted: " + tokenRecord.getTokenStatus() +
" to " + newState;
+ CMS.debug("TPSProcessor.format: token transition: " + info);
+ logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() + " Disabled. " + info;
+ auditFormat(userid, appletInfo, "failure",
+ null, info);
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -2020,6 +2082,8 @@ public class TPSProcessor {
checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX);
}
+ // TODO: the following lines of code could be replaced with call to
+ // checkAndUpgradeApplet()
TPSBuffer build_id = getAppletVersion();
if (build_id == null) {
@@ -2052,9 +2116,18 @@ public class TPSProcessor {
// Upgrade Symm Keys if needed
- SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord);
+ SecureChannel channel;
+ try {
+ channel = checkAndUpgradeSymKeys(appletInfo, tokenRecord);
+ } catch (TPSException te) {
+ auditKeyChangeover(appletInfo, "failure", null /* TODO */,
+ getSymmetricKeysRequiredVersionHexString(), te.toString());
+ throw te;
+ }
channel.externalAuthenticate();
+ auditFormat(userid, appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), null);
+
if (isTokenPresent && revokeCertsAtFormat()) {
// Revoke certificates on token, if so configured
RevocationReason reason = getRevocationReasonAtFormat();
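Review bot: The TOKEN_FORMAT_SUCCESS event at L1202 is written as soon as `channel.externalAuthenticate()` returns, before the certificate revocation that begins at L1204 and before whatever format() still does after this hunk, so a failure later in the operation leaves a success record already committed to the signed audit log. Consider moving `auditFormat(userid, appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), null);` to the end of the format path, or at least capturing the key version string here in a local and emitting the event once the operation has actually completed. The `null /* TODO */` passed as oldKeyVersion at L1197 also leaves the TOKEN_KEY_CHANGEOVER_FAILURE event without the version the token was at; if that value genuinely cannot be known before a channel exists, a short comment saying so would stop the TODO from reading as an oversight. format()'s body continues outside the hunk.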
@@ -2621,7 +2694,7 @@ public class TPSProcessor {
index = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_INDEX, 0x0);
} catch (EBaseException e) {
- throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e,
+ throw new TPSException("TPSProcessor.getChannelDefKeyIndex: Internal error finding config value: " + e,
TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
}
@@ -2800,6 +2873,12 @@ public class TPSProcessor {
+ " App major version: " + result.getAppMajorVersion() + " App minor version: "
+ result.getAppMinorVersion());
+ String currentAppletVersion = formatCurrentAppletVersion(result);
+ if (currentAppletVersion != null) {
+ CMS.debug("TPSProcessor.getAppletInfo: current applet version = " +
+ currentAppletVersion);
+ }
+
return result;
}
@@ -2852,6 +2931,14 @@ public class TPSProcessor {
return version;
}
+ protected String getSymmetricKeysRequiredVersionHexString() throws TPSException {
+ int requiredVersion = getSymmetricKeysRequiredVersion();
+ byte[] nv = { (byte) requiredVersion, 0x01 };
+ TPSBuffer newVersion = new TPSBuffer(nv);
+ String newVersionStr = newVersion.toHexString();
+ return newVersionStr;
+ }
+
protected SecureChannel checkAndUpgradeSymKeys(AppletInfo appletInfo,TokenRecord tokenRecord) throws TPSException, IOException {
/* If the key of the required version is
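Review bot: The new helper returns `newVersion.toHexString()` at L1232, while the callers that pair it with the token's current version (L1241, L1252's `curVersionStr` presumably, and L1202) use `toHexStringPlain()` for the other side, so the old and new key versions in one TOKEN_KEY_CHANGEOVER event are likely formatted differently — the two should use the same form. The `0x01` in `byte[] nv = { (byte) requiredVersion, 0x01 };` at L1230 is also a magic byte with no explanation here, although the comment at L1244–L1246 calls the second byte the key offset that is always 1; suggest `// second byte is the key offset, which is always 1 (same layout as the version buffer built in checkAndUpgradeSymKeys)` above that line. A one-line Javadoc on the helper stating that it renders the required symmetric key version in the form used by the TOKEN_KEY_CHANGEOVER audit events would complete it. checkAndUpgradeSymKeys starts at L1236 and continues outside the hunk.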
@@ -2909,6 +2996,10 @@ public class TPSProcessor {
channel = setupSecureChannel(appletInfo);
+ auditKeyChangeoverRequired(appletInfo,
+ channel.getKeyInfoData().toHexStringPlain(),
+ getSymmetricKeysRequiredVersionHexString(), null);
+
/* Assemble the Buffer with the version information
The second byte is the key offset, which is always 1
*/
@@ -3003,7 +3094,8 @@ public class TPSProcessor {
selectCoolKeyApplet();
channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex,
- getTKSConnectorID(),appletInfo);
+ getTKSConnectorID(), appletInfo);
+ auditKeyChangeover(appletInfo, "success", curVersionStr, newVersionStr, null);
} else {
CMS.debug("TPSProcessor.checkAndUpgradeSymeKeys: We are already at the desired key set, returning secure channel.");
@@ -3160,18 +3252,35 @@ public class TPSProcessor {
}
protected String formatCurrentAppletVersion(AppletInfo aInfo) throws TPSException, IOException {
+ String method = "TPSProcessor.formatCurrentAppletVersion: ";
+ CMS.debug(method + " begins");
+ /*
+ * TODO: looks like calling formatCurrentAppletVersion() more than
+ * once will cause keygen to fail on token. (resolve later if needed)
+ * In the mean time, resolution is to save up the result the first
+ * time it is called
+ */
+ if (aInfo.getFinalAppletVersion() != null) {
+ return aInfo.getFinalAppletVersion();
+ }
if (aInfo == null) {
throw new TPSException("TPSProcessor.formatCurrentAppletVersion: ", TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
}
TPSBuffer build_id = getAppletVersion();
+ if (build_id == null) {
+ CMS.debug(method + " getAppletVersion returning null");
+ return null;
+ }
String build_idStr = build_id.toHexStringPlain();
String finalVersion = aInfo.getAppMajorVersion() + "." + aInfo.getAppMinorVersion() + "." + build_idStr;
finalVersion = finalVersion.toLowerCase();
- CMS.debug("TPSProcessor.formatCurrentAppletVersion: returing: " + finalVersion);
+
+ aInfo.setFinalAppletVersion(finalVersion);
+ CMS.debug(method + " returing: " + finalVersion);
return finalVersion;
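Review bot: The new cache check at L1266 dereferences `aInfo` before the existing `if (aInfo == null)` guard at L1269, so a null argument now surfaces as a NullPointerException instead of the TPSException with STATUS_ERROR_CONTACT_ADMIN that the guard was written to produce. Move the three-line guard at L1269–L1271 above the cache lookup at L1266 so the order is null check, cached value, then `getAppletVersion()`. Note too that the new `build_id == null` branch at L1273 returns null rather than throwing, and the audit helpers later pass `aInfo.getFinalAppletVersion()` straight into the event, so that case presumably ends up as a null applet version in the signed audit record — worth a comment here if that is intended. The debug string at L1283 carries the pre-existing typo `" returing: "`; since it is only a debug line, fixing it to `" returning: "` is safe. The method's closing lines are not visible in the hunk.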
@@ -3286,13 +3395,17 @@ public class TPSProcessor {
CMS.debug(method + ": opPrefox: " + opPrefix);
if (isAuthRequired) {
+ TPSAuthenticator userAuth = null;
try {
- TPSAuthenticator userAuth =
- getAuthentication(opPrefix, tokenType);
+ userAuth = getAuthentication(opPrefix, tokenType);
processAuthentication(TPSEngine.ENROLL_OP, userAuth, appletInfo.getCUIDhexString(), tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success",
+ (userAuth != null) ? userAuth.getID() : null);
} catch (Exception e) {
// all exceptions are considered login failure
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
CMS.debug("TPSProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
String msg = "TPS error user authentication failed:" + e;
tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), msg,
@@ -3700,6 +3813,219 @@ public class TPSProcessor {
}
*/
+ protected void auditAuth(String subjectID, String op,
+ AppletInfo aInfo,
+ String status,
+ String authMgrId) {
+
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
+ if (status.equals("success"))
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ session.getIpAddress(),
+ subjectID,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ op,
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ authMgrId);
+ audit(auditMessage);
+ }
+
+ /*
+ * op can be can be "format", "enroll", or "pinReset"
+ */
+ protected void auditOpRequest(String op, AppletInfo aInfo,
+ String status,
+ String info) {
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ session.getIpAddress(),
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ op,
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditFormat(String subjectID,
+ AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ String info) {
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ session.getIpAddress(),
+ subjectID,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ keyVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditAppletUpgrade(AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ String newVersion,
+ String info) {
+
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ keyVersion,
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ newVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditKeyChangeoverRequired(AppletInfo aInfo,
+ String oldKeyVersion,
+ String newKeyVersion,
+ String info) {
+
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ "na",
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ oldKeyVersion,
+ newKeyVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditKeyChangeover(AppletInfo aInfo,
+ String status,
+ String oldKeyVersion,
+ String newKeyVersion,
+ String info) {
+
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ oldKeyVersion,
+ newKeyVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ /*
+ * audit revoke, on-hold, or off-hold
+ */
+ protected void auditRevoke(String cuid,
+ boolean isRevoke,
+ int revokeReason,
+ String status,
+ String serial,
+ String caConnId,
+ String info) {
+
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
+ /*
+ * requestType is "revoke", "on-hold", or "off-hold"
+ */
+ String requestType = "revoke";
+ if (!isRevoke)
+ requestType = "off-hold";
+ else {
+ if (revokeReason == RevocationReason.CERTIFICATE_HOLD.getCode()) {
+ requestType = "on-hold";
+ }
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ cuid,
+ status,
+ getSelectedTokenType(),
+ serial,
+ requestType,
+ String.valueOf(revokeReason),
+ caConnId,
+ info);
+ audit(auditMessage);
+ }
+
+ /**
+ * Signed Audit Log
+ *
+ * This method is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ protected void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
public static void main(String[] args) {
}
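Review bot: auditAuth at L1317 and auditOpRequest at L1338 call `session.getIpAddress()` unguarded, while the sibling helpers auditAppletUpgrade (L1393), auditKeyChangeoverRequired (L1414), auditKeyChangeover (L1444) and auditRevoke (L1483) all use `(session != null) ? session.getIpAddress() : null`, so the two inconsistent helpers would throw instead of auditing if ever called before the session is set — use the same guard in all six. Likewise `status.equals("success")` at L1312 and the `switch (status)` in auditFormat, auditAppletUpgrade and auditKeyChangeover throw NullPointerException on a null status; `"success".equals(status)` and letting a null fall to the failure branch would keep the event from being lost on exactly the path where it matters most. Since audit() at L1508 silently returns when mSignedAuditLogger is null, a comment stating that TPS token events are dropped in that configuration would help anyone relying on the signed log for these operations.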