authorAde Lee <alee@redhat.com>2017-05-16 17:29:45 -0400
committerAde Lee <alee@redhat.com>2017-05-23 14:31:54 -0400
commit1c8c61ef235bb57e744e9a8cfa5e1ff0cebb06a2 (patch)
tree67efbe323389114660ae79e918c9e621d61f86d7 /base/kra
parent3249ddc2c19f6f5ded11823b345c9c58bae4750b (diff)
Encapsulate the archival audit log
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is already logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
Diffstat (limited to 'base/kra')
-rw-r--r--base/kra/shared/conf/CS.cfg4
-rw-r--r--base/kra/src/com/netscape/kra/EnrollmentService.java92
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java27
-rw-r--r--base/kra/src/com/netscape/kra/NetkeyKeygenService.java15
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java9
5 files changed, 40 insertions, 107 deletions
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index bd49a8ded..be4ce7180 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -300,11 +300,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=##
log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
log.instance.SignedAudit._006=##
log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, 
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,SECURITY_DATA_RETRIEVE_KEY,KEY_STATUS_CHANGE,ACCESS_SESSION_ESTABLISH_FAILURE,ACCESS_SESSION_ESTABLISH_SUCCESS,ACCESS_SESSION_TERMINATED
log.instance.SignedAudit.expirationTime=0
log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
log.instance.SignedAudit.flushInterval=5
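Review bot: Dropping `PRIVATE_KEY_ARCHIVE_REQUEST` from `log.instance.SignedAudit.events` only changes this template, so an existing instance whose customised events list omits `SECURITY_DATA_ARCHIVAL_REQUEST` would presumably stop recording key-archival requests once the Java side emits the new event. No upgrade step for existing instances is visible in this diff, which is limited to base/kra, so this needs confirming. Log filters and detection rules that match the old event name will also stop firing. I would add an upgrade note saying `PRIVATE_KEY_ARCHIVE_REQUEST is now reported as SECURITY_DATA_ARCHIVAL_REQUEST; update events lists and log filters accordingly`. Separately, `SECURITY_DATA_RETRIEVE_KEY` is listed twice in both the `_005` comment and the `events` value, and one entry could be removed while this line is being touched.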
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index e413a06b5..0a1fe1f80 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -50,6 +50,7 @@ import com.netscape.certsrv.kra.ProofOfArchival;
import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.AuditFormat;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
import com.netscape.certsrv.profile.IEnrollProfile;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
@@ -155,13 +156,10 @@ public class EnrollmentService implements IService {
String auditMessage = null;
String auditSubjectID = auditSubjectID();
String auditRequesterID = auditRequesterID();
- String auditArchiveID = ILogger.UNIDENTIFIED;
String auditPublicKey = ILogger.UNIDENTIFIED;
String id = request.getRequestId().toString();
- if (id != null) {
- auditArchiveID = id.trim();
- }
+
if (CMS.debugOn())
CMS.debug("EnrollmentServlet: KRA services enrollment request");
@@ -198,15 +196,11 @@ public class EnrollmentService implements IService {
aOpts = CRMFParser.getPKIArchiveOptions(
request.getExtDataInString(IRequest.HTTP_PARAMS, CRMF_REQUEST));
} catch (IOException e) {
-
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
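Review bot: The third argument passed to `SecurityDataArchivalEvent` in this catch block is `auditRequesterID`, whereas `KeyRequestService.auditArchivalRequestMade` passes the `RequestId` in the same position. If both constructors fill the same event field (the class is outside this diff), that field holds a requester identity on some paths and a request id on others. The same call shape is used in every other audit hunk of this file and in the KeyRecoveryAuthority and NetkeyKeygenService hunks. The request id is still computed into `id` in the previous hunk but is not passed to the event, so with `auditArchiveID` gone these failure records no longer identify the request unless it is logged elsewhere. Either pass the request id through, or document the mapping at the call site, e.g. `// third argument is the requester ID; the request ID is not part of this event`. The enclosing method starts and ends outside the hunk.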
@@ -247,14 +241,11 @@ public class EnrollmentService implements IService {
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
@@ -283,14 +274,11 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
@@ -325,14 +313,11 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_DEBUG, e.getMessage());
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"), e);
}
} // !allowEncDecrypt_archival
@@ -346,14 +331,11 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(
CMS.getUserMessage("CMS_KRA_INVALID_PUBLIC_KEY"));
}
@@ -371,14 +353,11 @@ public class EnrollmentService implements IService {
if (owner == null) {
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
@@ -406,14 +385,11 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_DEBUG, e.getMessage());
mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_PRIVATE_KEY"));
}
@@ -433,14 +409,11 @@ public class EnrollmentService implements IService {
rec.setKeySize(Integer.valueOf(rsaPublicKey.getKeySize()));
} catch (InvalidKeyException e) {
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_KEYRECORD"));
}
} else if (keyAlg.equals("EC")) {
@@ -483,14 +456,11 @@ public class EnrollmentService implements IService {
CMS.getLogMessage("CMSCORE_KRA_INVALID_SERIAL_NUMBER",
rec.getSerialNumber().toString()));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -505,14 +475,11 @@ public class EnrollmentService implements IService {
} catch (Exception e) {
mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
// TODO(alee) Set correct audit message here
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -523,14 +490,11 @@ public class EnrollmentService implements IService {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
throw new EKRAException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
if (i == 0) {
@@ -580,14 +544,10 @@ public class EnrollmentService implements IService {
);
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditRequesterID,
- auditArchiveID);
-
- audit(auditMessage);
+ auditRequesterID));
// store a message in the signed audit log file
auditPublicKey = auditPublicKey(rec);
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 54953d1b1..de097b220 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -58,6 +58,7 @@ import com.netscape.certsrv.kra.IKeyService;
import com.netscape.certsrv.listeners.EListenersException;
import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
import com.netscape.certsrv.request.ARequestNotifier;
import com.netscape.certsrv.request.IPolicy;
import com.netscape.certsrv.request.IRequest;
@@ -751,11 +752,9 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
String auditSubjectID = auditSubjectID();
String auditRequesterID = auditRequesterID();
String auditPublicKey = auditPublicKey(rec);
- String auditArchiveID = ILogger.UNIDENTIFIED;
IRequestQueue queue = null;
IRequest r = null;
- String id = null;
// ensure that any low-level exceptions are reported
// to the signed audit log and stored as failures
@@ -764,34 +763,18 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
r = queue.newRequest(KRAService.ENROLLMENT);
- if (r != null) {
- // overwrite "auditArchiveID" if and only if "id" != null
- id = r.getRequestId().toString();
- if (id != null) {
- auditArchiveID = id.trim();
- }
- }
-
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.SUCCESS,
- auditRequesterID,
- auditArchiveID);
+ auditRequesterID));
- audit(auditMessage);
} catch (EBaseException eAudit1) {
// store a message in the signed audit log file
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit(new SecurityDataArchivalEvent(
auditSubjectID,
ILogger.FAILURE,
- auditRequesterID,
- auditArchiveID);
-
- audit(auditMessage);
-
+ auditRequesterID));
throw eAudit1;
}
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 636e93ed0..088546980 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
import com.netscape.certsrv.request.IRequest;
import com.netscape.certsrv.request.IService;
import com.netscape.certsrv.security.IStorageKeyUnit;
@@ -142,7 +143,6 @@ public class NetkeyKeygenService implements IService {
throws EBaseException {
String auditMessage = null;
String auditSubjectID = null;
- String auditArchiveID = ILogger.UNIDENTIFIED;
byte[] wrapped_des_key;
byte iv[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
@@ -165,11 +165,6 @@ public class NetkeyKeygenService implements IService {
;
String PubKey = "";
- String id = request.getRequestId().toString();
- if (id != null) {
- auditArchiveID = id.trim();
- }
-
String rArchive = request.getExtDataInString(IRequest.NETKEY_ATTR_ARCHIVE_FLAG);
if (rArchive.equals("true")) {
archive = true;
@@ -395,14 +390,10 @@ public class NetkeyKeygenService implements IService {
//
// mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
- auditMessage = CMS.getLogMessage(
- AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
+ audit( new SecurityDataArchivalEvent(
agentId,
ILogger.SUCCESS,
- auditSubjectID,
- auditArchiveID);
-
- audit(auditMessage);
+ auditSubjectID));
CMS.debug("KRA encrypts private key to put on internal ldap db");
byte privateKeyData[] = null;
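Review bot: The `ILogger.SUCCESS` archival event is emitted before the step announced by the following `CMS.debug("KRA encrypts private key to put on internal ldap db")`, so the signed audit log records success before the key has been wrapped and stored. If a later step fails and no matching FAILURE event is written (those paths are outside the hunk), the audit trail will show an archival that never completed. Consider moving the `audit(new SecurityDataArchivalEvent(...))` call to after the key record is stored, or at least add `// audited before wrap/store; later failure paths must emit a FAILURE event`. The argument order here is `agentId, outcome, auditSubjectID`, which differs from the `auditSubjectID, outcome, auditRequesterID` order in EnrollmentService, and `auditSubjectID` is initialised to `null` at the top of the method; both deserve a check against the constructor.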
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 38f7e93d5..b0bcff24b 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -50,6 +50,7 @@ import com.netscape.certsrv.key.KeyRequestResponse;
import com.netscape.certsrv.key.SymKeyGenerationRequest;
import com.netscape.certsrv.logging.AuditEvent;
import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.SecurityDataArchivalEvent;
import com.netscape.certsrv.request.RequestId;
import com.netscape.certsrv.request.RequestNotFoundException;
import com.netscape.cms.realm.PKIPrincipal;
@@ -354,13 +355,11 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
}
public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) {
- String msg = CMS.getLogMessage(
- AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST,
+ audit(new SecurityDataArchivalEvent(
getRequestor(),
status,
- requestId != null? requestId.toString(): "null",
- clientKeyID);
- auditor.log(msg);
+ requestId,
+ clientKeyID));
}
public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
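Review bot: In `auditArchivalRequestMade` the old code guarded against a null `requestId` with `requestId != null? requestId.toString(): "null"`, while the new call hands `requestId` straight to `SecurityDataArchivalEvent`. The constructor is not visible in this diff; if it dereferences the id, a failure path that calls this method before a request exists would throw inside the audit call and hide the original error. Please confirm the event is null-safe, or note the contract here with `// requestId may be null when no request was created; the event must tolerate that`. The sink also changes from `auditor.log(msg)` to `audit(...)`, so it is worth checking that both write to the same signed audit log.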