author | Ade Lee <alee@redhat.com> | 2013-10-03 12:58:34 -0400 |
---|---|---|
committer | Ade Lee <alee@redhat.com> | 2013-10-07 22:17:04 -0400 |
commit | 99def3060c7c59ea5727a5555adb7b4af3fc4887 (patch) | |
tree | 2c239f6e56451bb174f9cdbccfec7439eb9183a3 /base/kra/src | |
parent | f2a85c09689cb09e6a0996125c112552599c717c (diff) | |
download | pki-99def3060c7c59ea5727a5555adb7b4af3fc4887.tar.gz pki-99def3060c7c59ea5727a5555adb7b4af3fc4887.tar.xz pki-99def3060c7c59ea5727a5555adb7b4af3fc4887.zip |
Add audit logging for new security data operations in kra
Ticket 97
Diffstat (limited to 'base/kra/src')
-rw-r--r-- | base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java | 72 | ||||
-rw-r--r-- | base/kra/src/com/netscape/kra/SecurityDataService.java | 78 |
2 files changed, 139 insertions, 11 deletions
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java index afe4ed6ea..0ec4ed335 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java +++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java @@ -52,13 +52,16 @@ import org.mozilla.jss.util.Password; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.dbs.keydb.IKeyRecord; import com.netscape.certsrv.dbs.keydb.IKeyRepository; import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.kra.EKRAException; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; +import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.request.IRequest; import com.netscape.certsrv.request.IService; +import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; import com.netscape.cmscore.dbs.KeyRecord; @@ -78,7 +81,10 @@ public class SecurityDataRecoveryService implements IService { private IKeyRepository mStorage = null; private IStorageKeyUnit mStorageUnit = null; private ITransportKeyUnit mTransportUnit = null; + private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5"; public static final String ATTR_SERIALNO = "serialNumber"; public static final String ATTR_KEY_RECORD = "keyRecord"; 
@@ -112,18 +118,22 @@ public class SecurityDataRecoveryService implements IService { byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 }; byte iv_in[] = null; + String subjectID = auditSubjectID(); + Hashtable<String, Object> params = mKRA.getVolatileRequest( request.getRequestId()); + BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO); + request.setExtData(ATTR_KEY_RECORD, serialno); + RequestId requestID = request.getRequestId(); + if (params == null) { CMS.debug("Can't get volatile params."); + auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(), + "cannot get volatile params"); throw new EBaseException("Can't obtain volatile params!"); } - BigInteger serialno = request.getExtDataInBigInteger(ATTR_SERIALNO); - - request.setExtData(ATTR_KEY_RECORD, serialno); - byte[] wrappedPassPhrase = null; byte[] wrappedSessKey = null; @@ -202,6 +212,8 @@ public class SecurityDataRecoveryService implements IService { params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData); } catch (Exception e) { + auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(), + "Cannot unwrap passphrase"); throw new EBaseException("Can't unwrap pass phase! " + e.toString()); } finally { if ( pass != null) { @@ -222,6 +234,8 @@ public class SecurityDataRecoveryService implements IService { wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv)); key_data = wrapper.wrap(symKey); } catch (Exception e) { + auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(), + "Cannot wrap symmetric key"); throw new EBaseException("Can't wrap symmetric key! " + e.toString()); } 
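Review bot: `serialno.toString()` in the new failure-path audit call throws a NullPointerException if `request.getExtDataInBigInteger(ATTR_SERIALNO)` returns null (its null behaviour is not visible here), so the request would end without a FAILURE record and without the intended EBaseException. The same expression is passed to `auditRecoveryRequestProcessed` in the later hunks of this method: the unwrap, wrap and cipher failure paths and the final SUCCESS call. Compute the key id once after reading it, e.g. `String keyID = (serialno != null) ? serialno.toString() : "None";`, and pass `keyID` to every audit call; the archival helper in SecurityDataService already substitutes "None" for a null key id. serviceRequest starts and ends outside this hunk.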
@@ -233,10 +247,14 @@ public class SecurityDataRecoveryService implements IService { encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv)); key_data = encryptor.doFinal(unwrappedSecData); } else { + auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, + serialno.toString(), "Failed to create cipher"); throw new IOException("Failed to create cipher"); } } catch (Exception e) { e.printStackTrace(); + auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, + serialno.toString(), "Cannot wrap pass phrase"); throw new EBaseException("Can't wrap pass phrase!"); } } @@ -246,7 +264,8 @@ public class SecurityDataRecoveryService implements IService { params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr); } - return false; + auditRecoveryRequestProcessed(subjectID, ILogger.SUCCESS, requestID, serialno.toString(), "None"); + return false; //return true ? TODO } public SymmetricKey recoverSymKey(KeyRecord keyRecord) 
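Review bot: The `else` branch writes a FAILURE record and then throws an IOException inside the same `try`, so the `catch (Exception e)` directly below writes a second FAILURE record ("Cannot wrap pass phrase") for the same request. Two outcome events for one request make the signed audit trail harder to reconcile against the request queue. Drop the `auditRecoveryRequestProcessed(...)` call from the `else` branch so that the catch block records the failure once. The enclosing try block starts outside this hunk.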
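Review bot: The method now records `ILogger.SUCCESS` and then returns `false`, with the open question left in the code as `//return true ? TODO`; SecurityDataService.serviceRequest in this same commit returns `true` after its SUCCESS record. What the return value means to the caller is not visible in this hunk, so the comment should state what `false` signals and where the decision is tracked, for example `// returns false because <reason>; see ticket <TICKET-ID>`. If `false` turns out to mean the request was not completed, the SUCCESS record would be misleading.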
@@ -385,4 +404,47 @@ public class SecurityDataRecoveryService implements IService { return retData; } + private void audit(String msg) { + if (signedAuditLogger == null) + return; + + signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + private String auditSubjectID() { + if (signedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) auditContext.get(SessionContext.USER_ID); + subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER; + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } + + private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED, + subjectID, + status, + requestID.toString(), + keyID, + reason); + audit(auditMessage); + } + } diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java index 8a5886fa5..9fc737529 100644 --- a/base/kra/src/com/netscape/kra/SecurityDataService.java +++ b/base/kra/src/com/netscape/kra/SecurityDataService.java 
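Review bot: `audit(String)` and `auditSubjectID()` are added here and again, line for line, in the last hunk of SecurityDataService.java, so any later fix to subject resolution or to the logger call has to be made in two places. Consider moving both into one shared helper that the two services call. Neither method is documented; a short Javadoc on `auditSubjectID()` should say that it returns null when no signed audit logger is configured, `ILogger.UNIDENTIFIED` when there is no session context, and `ILogger.NONROLEUSER` when the context holds no user id.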
@@ -18,20 +18,23 @@ package com.netscape.kra; import java.math.BigInteger; + import org.mozilla.jss.crypto.SymmetricKey; +import com.netscape.certsrv.apps.CMS; +import com.netscape.certsrv.base.EBaseException; +import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.dbs.keydb.IKeyRecord; +import com.netscape.certsrv.dbs.keydb.IKeyRepository; import com.netscape.certsrv.key.KeyRequestResource; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; import com.netscape.certsrv.logging.ILogger; import com.netscape.certsrv.profile.IEnrollProfile; -import com.netscape.certsrv.request.IService; import com.netscape.certsrv.request.IRequest; +import com.netscape.certsrv.request.IService; +import com.netscape.certsrv.request.RequestId; import com.netscape.certsrv.security.IStorageKeyUnit; import com.netscape.certsrv.security.ITransportKeyUnit; -import com.netscape.certsrv.base.EBaseException; -import com.netscape.certsrv.dbs.keydb.IKeyRecord; -import com.netscape.certsrv.dbs.keydb.IKeyRepository; -import com.netscape.certsrv.apps.CMS; import com.netscape.cmscore.dbs.KeyRecord; import com.netscape.cmsutil.util.Utils; @@ -50,6 +53,11 @@ public class SecurityDataService implements IService { private IKeyRecoveryAuthority mKRA = null; private ITransportKeyUnit mTransportUnit = null; private IStorageKeyUnit mStorageUnit = null; + private ILogger signedAuditLogger = CMS.getSignedAuditLogger(); + + private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6"; + public SecurityDataService(IKeyRecoveryAuthority kra) { mKRA = kra; 
@@ -82,9 +90,12 @@ public class SecurityDataService implements IService { CMS.debug("SecurityDataService.serviceRequest wrappedSecurityData: " + wrappedSecurityData); String owner = getOwnerName(request); + String subjectID = auditSubjectID(); //Check here even though restful layer checks for this. if(wrappedSecurityData == null || clientId == null || dataType == null) { + auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), + clientId, null, "Bad data in request"); throw new EBaseException("Bad data in SecurityDataService.serviceRequest"); } //We need some info from the PKIArchiveOptions wrapped security data @@ -95,7 +106,9 @@ public class SecurityDataService implements IService { //Check here just in case a null ArchiveOptions makes it this far if(options == null) { - throw new EBaseException("Problem decofing PKIArchiveOptions."); + auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), + clientId, null, "Problem decoding PKIArchiveOptions"); + throw new EBaseException("Problem decoding PKIArchiveOptions."); } String algStr = options.getSymmAlgOID(); @@ -129,6 +142,8 @@ public class SecurityDataService implements IService { } else if (securityData != null) { privateSecurityData = mStorageUnit.encryptInternalPrivate(securityData); } else { // We have no data. + auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), + clientId, null, "Failed to create security data to archive"); throw new EBaseException("Failed to create security data to archive!"); } // create key record @@ -141,6 +156,8 @@ public class SecurityDataService implements IService { //Now we need a serial number for our new key. if (rec.getSerialNumber() != null) { + auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), + clientId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE")); throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } 
@@ -150,6 +167,8 @@ public class SecurityDataService implements IService { if (serialNo == null) { mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL")); + auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(), + clientId, null, "Failed to get next Key ID"); throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE")); } @@ -162,6 +181,9 @@ public class SecurityDataService implements IService { storage.addKeyRecord(rec); + auditArchivalRequestProcessed(subjectID, ILogger.SUCCESS, request.getRequestId(), + clientId, serialNo.toString(), "None"); + return true; } @@ -169,4 +191,48 @@ public class SecurityDataService implements IService { private String getOwnerName(IRequest request) { return DEFAULT_OWNER; } + + private void audit(String msg) { + if (signedAuditLogger == null) + return; + + signedAuditLogger.log(ILogger.EV_SIGNED_AUDIT, + null, + ILogger.S_SIGNED_AUDIT, + ILogger.LL_SECURITY, + msg); + } + + private String auditSubjectID() { + if (signedAuditLogger == null) { + return null; + } + + String subjectID = null; + + // Initialize subjectID + SessionContext auditContext = SessionContext.getExistingContext(); + + if (auditContext != null) { + subjectID = (String) auditContext.get(SessionContext.USER_ID); + subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER; + } else { + subjectID = ILogger.UNIDENTIFIED; + } + + return subjectID; + } + + private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientID, + String keyID, String reason) { + String auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED, + subjectID, + status, + requestID.toString(), + clientID, + keyID != null ? keyID : "None", + reason); + audit(auditMessage); + } }
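Review bot: `storage.addKeyRecord(rec)` runs before the SUCCESS record, and if it throws, the request ends with no archival audit event at all. The same holds for any other call in serviceRequest that throws outside the audited branches, such as `mStorageUnit.encryptInternalPrivate(securityData)` in the earlier hunk. Catch the failure, record FAILURE and rethrow, as sketched below; this assumes addKeyRecord declares EBaseException, which is not visible here. serviceRequest starts outside this hunk.

```java
try {
    storage.addKeyRecord(rec);
} catch (EBaseException e) {
    auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
            clientId, serialNo.toString(), "Failed to store key record");
    throw e;
}
// … unchanged: SUCCESS audit call and return true …
```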
\ No newline at end of file |
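Review bot: `clientID` is placed into the signed audit message unchanged, and it appears to come from the request; in the null-check branch of serviceRequest it can also be null. If the value may contain line breaks or the characters the audit format uses to separate fields, a single request could make a record read as different fields or as more than one event. Validate or escape `clientID` in `auditArchivalRequestProcessed` before it reaches `CMS.getLogMessage`, and map null to "None" the way `keyID` already is: `clientID != null ? clientID : "None"`.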