author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-16 00:56:23 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-16 00:56:23 +0000 |
commit | 947f08749db7903faba6d0a533db760b45fa55bf (patch) | |
tree | 5b6dc030a6396e560e3a27eaccf0644308691a8f | |
parent | e2017998826b0db5f05e6c2909aee67b9166865f (diff) | |
Bug 642359 - CC Feature - need to verify certificate when it is added
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1503 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
3 files changed, 52 insertions, 21 deletions
diff --git a/pki/base/common/src/LogMessages.properties b/pki/base/common/src/LogMessages.properties
index 60abfa5a4..28899ed3a 100644
--- a/pki/base/common/src/LogMessages.properties
+++ b/pki/base/common/src/LogMessages.properties
@@ -1795,9 +1795,9 @@ LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=
 #
 # LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
-# - certTag is the cert tag listed in CS.cfg: cs.cert.list
+# - CertNickName is the cert nickname
 #
-LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][certTag={2}] CIMC certificate verification
+LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
 #
 # LOGGING_SIGNED_AUDIT_ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
diff --git a/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index 79c20a614..445959157 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -85,6 +85,8 @@ public final class CMSAdminServlet extends AdminServlet {
 "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
 private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
 "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+ private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
+ "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
 // CMS must be instantiated before this admin servlet.
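Review bot: Renaming the last attribute of the CIMC_CERT_VERIFICATION message from `certTag` to `CertNickName` changes the recorded layout of a signed audit event, so any audit-review tooling or CC audit documentation that matches on `certTag=` will stop finding the value without any error. If the rename is intended it should be called out in the audit-event reference and not only in the inline comment; otherwise keeping the attribute name and updating just the comment preserves compatibility with existing consumers. The comment should also say what the field holds when no nickname could be determined, since the CertUtils catch block in this commit passes `""` for it; something like `# - CertNickName is the cert nickname (empty if the nickname could not be resolved)`.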
@@ -2287,6 +2289,7 @@ private void createMasterKey(HttpServletRequest req,
 } else {
 nickname = tokenName + ":" + newNickname;
 }
+ CMS.debug("CMSAdminServlet: installCert(): nickname="+nickname);
 }
 if (certType.equals(Constants.PR_CA_SIGNING_CERT)) {
@@ -2404,6 +2407,26 @@ private void createMasterKey(HttpServletRequest req,
 modifyRADMCert(nickname);
 }
+ boolean verified = CMS.verifySystemCertByNickname(nickname, null);
+ if (verified == true) {
+ CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() succeeded:"+ nickname);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ auditSubjectID,
+ ILogger.SUCCESS,
+ nickname);
+ audit(auditMessage);
+ } else {
+ CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() failed:"+ nickname);
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ auditSubjectID,
+ ILogger.FAILURE,
+ nickname);
+ audit(auditMessage);
+ }
 // store a message in the signed audit log file
 auditMessage = CMS.getLogMessage(
 LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
@@ -3170,6 +3193,7 @@ private void createMasterKey(HttpServletRequest req,
 ICryptoSubsystem jssSubSystem = (ICryptoSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_CRYPTO);
 jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust);
+ sendResponse(SUCCESS, null, null, resp);
 }
diff --git a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
index 31081b8fe..6e38a4b4f 100644
--- a/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/pki/base/common/src/com/netscape/cmscore/cert/CertUtils.java
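Review bot: The verification result in the second hunk is only audited; when `verified` is false the code falls through to the CONFIG_TRUSTED_PUBLIC_KEY audit and, as far as the hunk shows, finishes the install as if it had succeeded, so the administrator is never told the certificate failed verification and the unverified certificate remains installed. For the requirement in the commit title the failure branch should also return an error to the client, e.g. after `audit(auditMessage);` in the else branch add `sendResponse(ERROR, "certificate verification failed", null, resp); return;` (the error-response helper is outside this hunk, so confirm its signature), and ideally the check should run before `modifyRADMCert` and the other install steps rather than after they have already taken effect. Passing `null` as the second argument to `verifySystemCertByNickname` also appears to skip the certificate-usage check that the CertUtils path derives from CS.cfg, so the cert is validated for chain and validity but not for the usage it is being installed under; passing the usage that matches `certType` would close that gap. `if (verified == true)` reads better as `if (verified)`. The enclosing installCert body starts and ends outside the hunk.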
@@ -853,9 +853,35 @@ public class CertUtils {
 CMS.debug("CertUtils: verifySystemCertByTag() certusage for cert tag " + tag + " undefined in CS.cfg, not checking certificate usage");
 }
 r = verifySystemCertByNickname(nickname, certusage);
+ if (r == true) {
+ // audit here
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID,
+ ILogger.SUCCESS,
+ nickname);
+ audit(auditMessage);
+ } else {
+ // audit here
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID,
+ ILogger.FAILURE,
+ nickname);
+ audit(auditMessage);
+ }
 } catch (Exception e) {
 CMS.debug("CertUtils: verifySystemCertsByTag() failed: "+ e.toString());
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+ ILogger.SYSTEM_UID,
+ ILogger.FAILURE,
+ "");
+ audit(auditMessage);
 r = false;
 }
@@ -953,25 +979,6 @@ public class CertUtils {
 tag = tag.trim();
 CMS.debug("CertUtils: verifySystemCerts() cert tag=" + tag);
 r = verifySystemCertByTag(tag);
- if (r == true) {
- // audit here
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.SUCCESS,
- tag);
- audit(auditMessage);
- } else {
- // audit here
- auditMessage = CMS.getLogMessage(
- LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
- ILogger.SYSTEM_UID,
- ILogger.FAILURE,
- tag);
- audit(auditMessage);
- }
 }
 } catch (Exception e) {
 // audit here |
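Review bot: The catch block in the first hunk audits the failure with an empty string as the CertNickName, so the outcome that most needs investigating, an exception during verification, records no identifier for the certificate involved. `tag` is the method's parameter (it appears in the context line's debug message) and is still in scope in the catch, whereas `nickname` presumably is not because it is declared inside the try, which is likely why `""` was used; either hoist the `nickname` declaration above the try so the catch can report it, or at minimum pass `tag);` in place of `"");` so the record stays attributable even when nickname resolution itself threw. With the audit now emitted from this method rather than from verifySystemCerts, a failure that throws before the audit in the try block is covered only by this catch, so leaving the field empty defeats the purpose of the move. `if (r == true)` can simply be `if (r)`. The enclosing verifySystemCertByTag starts outside the hunk.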