authorAde Lee <alee@redhat.com>2017-05-18 01:27:12 -0400
committerAde Lee <alee@redhat.com>2017-05-23 14:46:23 -0400
commit0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 (patch)
tree0bea33ebd55f5f7797a3b5d992763277e900ed72 /base/kra/src
parentf52f5be832e37cc45e665708d3b59d2a3aa04370 (diff)
Encapsulate key retrieval audit events
Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval REST flow (and of the auditing there) will be done in a subsequent patch. Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
Diffstat (limited to 'base/kra/src')
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java18
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java14
2 files changed, 17 insertions, 15 deletions
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 5463b921d..df42a4f28 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -52,6 +52,7 @@ import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
import com.netscape.certsrv.logging.event.SecurityDataArchivalProcessedEvent;
+import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
import com.netscape.certsrv.security.IStorageKeyUnit;
@@ -356,25 +357,26 @@ public class NetkeyKeygenService implements IService {
if (wrappedPrivKeyString == null) {
request.setExtData(IRequest.RESULT, Integer.valueOf(4));
CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+ audit(new SecurityDataExportEvent(
agentId,
ILogger.FAILURE,
auditSubjectID,
- PubKey);
+ null,
+ "NetkeyKeygenService: failed generating wrapped private key",
+ PubKey));
audit(auditMessage);
return false;
} else {
request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+
+ audit(new SecurityDataExportEvent(
agentId,
ILogger.SUCCESS,
auditSubjectID,
- PubKey);
-
- audit(auditMessage);
+ null,
+ null,
+ PubKey));
}
iv_s = /*base64Encode(iv);*/com.netscape.cmsutil.util.Utils.SpecialEncode(iv);
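Review bot: The failure branch still emits `audit(auditMessage);` right after the new `audit(new SecurityDataExportEvent(...))`, but the assignment that used to fill `auditMessage` was removed, so on a failed key wrap this now logs whatever stale value `auditMessage` holds from earlier in the method (or null) as a second audit record; the success branch correctly drops its `audit(auditMessage)` and the failure branch should do the same — delete the line `audit(auditMessage);` so one well-formed export event is written. The fourth constructor argument is `null` in both calls here while KeyService passes `requestId` in that slot; if that position is the request id, `request` is in scope at this point (it is used for `setExtData` two lines above) and tying the export event to its request would make the trail reconcilable with the archival events — worth confirming against the SecurityDataExportEvent constructor. The enclosing method starts and ends outside this hunk.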
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index 7a21971c2..87e6f15d8 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -62,6 +62,7 @@ import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.kra.IKeyService;
import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataExportEvent;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IRequestQueue;
import com.netscape.certsrv.request.RequestId;
@@ -601,15 +602,14 @@ public class KeyService extends SubsystemService implements KeyResource {
}
public void auditRetrieveKey(String status, String reason) {
- String msg = CMS.getLogMessage(
- AuditEvent.SECURITY_DATA_RETRIEVE_KEY,
+ audit(new SecurityDataExportEvent(
servletRequest.getUserPrincipal().getName(),
status,
- requestId != null ? requestId.toString(): "null",
- keyId != null ? keyId.toString(): "null",
- (reason != null) ? auditInfo + ";" + reason : auditInfo
- );
- auditor.log(msg);
+ requestId,
+ keyId,
+ (reason != null) ? auditInfo + ";" + reason : auditInfo,
+ null
+ ));
}
public void auditRetrieveKey(String status) {
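Review bot: The old message explicitly substituted the literal `"null"` when `requestId` or `keyId` was absent, whereas the new call hands the raw objects to `SecurityDataExportEvent`; how a null request or key id is rendered in the audit record now depends on that class, which is not in this diff, so confirm it tolerates null in those slots rather than throwing or writing an empty field in an event that is supposed to identify which key left the KRA. The retained `servletRequest.getUserPrincipal().getName()` will throw before anything is logged if no principal is attached; that predates this commit, but since the helper's job is to record every retrieval attempt a null check with a fallback subject (e.g. `"unknown"`) is worth considering. A one-line Javadoc would also help, e.g. `/** Logs a SecurityDataExportEvent for the current retrieval; reason, when given, is appended to auditInfo. */`. The following overload at the last line of the hunk continues outside it.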