summaryrefslogtreecommitdiffstats
path: root/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
diff options
context:
space:
mode:
authorChristina Fu <cfu@redhat.com>2016-01-21 11:58:03 -0800
committerChristina Fu <cfu@redhat.com>2016-02-15 15:56:26 -0800
commit4e948d6ab69f19f5ee705ca168e7813c14d36f10 (patch)
tree708e500dd0aba7f5620443ae64d04f451d8774c0 /base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
parentae975289fcd669e122589cfd1a7c82e0b28f733e (diff)
downloadpki-4e948d6ab69f19f5ee705ca168e7813c14d36f10.tar.gz
pki-4e948d6ab69f19f5ee705ca168e7813c14d36f10.tar.xz
pki-4e948d6ab69f19f5ee705ca168e7813c14d36f10.zip
Ticket #1007 TPS audit events
This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE Administrative auditing (via REST interface) will be covered in a separate ticket
Diffstat (limited to 'base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java')
-rw-r--r--base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java382
1 files changed, 354 insertions, 28 deletions
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index bf757c722..05742842f 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -88,6 +88,7 @@ import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.EPropertyNotFound;
import com.netscape.certsrv.base.IConfigStore;
import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.ILogger;
import com.netscape.certsrv.tps.token.TokenStatus;
import com.netscape.symkey.SessionKey;
@@ -130,6 +131,8 @@ public class TPSProcessor {
ProfileDatabase profileDatabase = new ProfileDatabase();
+ protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
+
public TPSProcessor(TPSSession session) {
setSession(session);
}
@@ -903,10 +906,12 @@ public class TPSProcessor {
APDUResponse select = selectApplet((byte) 0x04, (byte) 0x00, cardMgrAIDBuff);
if (!select.checkResult()) {
- throw new TPSException("TPSProcessor.upgradeApplet: Can't selelect the card manager!");
+ String logMsg = "Can't selelect the card manager!";
+ auditAppletUpgrade(appletInfo, "failure", null /*unavailable*/, new_version, logMsg);
+ throw new TPSException("TPSProcessor.upgradeApplet:" + logMsg);
}
- SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId,appletInfo);
+ SecureChannel channel = setupSecureChannel((byte) defKeyVersion, (byte) defKeyIndex, connId, appletInfo);
channel.externalAuthenticate();
@@ -928,9 +933,13 @@ public class TPSProcessor {
select = selectApplet((byte) 0x04, (byte) 0x00, netkeyAIDBuff);
if (!select.checkResult()) {
- throw new TPSException("TPSProcessor.upgradeApplet: Cannot select newly created applet!",
+ String logMsg = "Cannot select newly created applet!";
+ auditAppletUpgrade(appletInfo, "failure", channel.getKeyInfoData().toHexStringPlain(), new_version, logMsg);
+ throw new TPSException("TPSProcessor.upgradeApplet: " + logMsg,
TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
}
+
+ auditAppletUpgrade(appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), new_version, null);
tokenRecord.setAppletID(new_version);
}
@@ -1071,6 +1080,7 @@ public class TPSProcessor {
tokenRecord.setUserID(userid);
authToken = authenticateUser(op, userAuth, userCred);
userid = authToken.getInString("userid");
+
tokenRecord.setUserID(userid);
CMS.debug(method + " auth token userid=" + userid);
}
@@ -1328,16 +1338,16 @@ public class TPSProcessor {
throw new TPSException("TPSProcessor.isTokenRecordPresent: invalid input data.");
}
- CMS.debug("TPSEnrollProcessor.isTokenRecordPresent: " + appletInfo.getCUIDhexString());
+ CMS.debug("TPSProcessor.isTokenRecordPresent: " + appletInfo.getCUIDhexString());
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
TokenRecord tokenRecord = null;
try {
tokenRecord = tps.tdb.tdbGetTokenEntry(appletInfo.getCUIDhexStringPlain());
// now the in memory tokenRecord is replaced by the actual token data
- CMS.debug("TPSEnrollProcessor.enroll: found token...");
+ CMS.debug("TPSProcessor.enroll: found token...");
} catch (Exception e) {
- CMS.debug("TPSEnrollProcessor.enroll: token does not exist in tokendb... create one in memory");
+ CMS.debug("TPSProcessor.enroll: token does not exist in tokendb... create one in memory");
}
return tokenRecord;
@@ -1432,7 +1442,6 @@ public class TPSProcessor {
/*
* revokeCertificates revokes certificates on the token specified
* @param cuid the cuid of the token to revoke certificates
- * @return logMsg captures the audit message
* @throws TPSException in case of error
*
* TODO: maybe make this a callback function later
@@ -1536,13 +1545,15 @@ public class TPSProcessor {
CMS.debug(method + ": found cert hex serial: " + serial +
" dec serial:" + serialStr);
try {
- CARevokeCertResponse response =
- caRH.revokeCertificate(true, serialStr, cert.getCertificate(),
- revokeReason);
+ CARevokeCertResponse response = caRH.revokeCertificate(true, serialStr, cert.getCertificate(),
+ revokeReason);
CMS.debug(method + ": response status =" + response.getStatus());
+ auditRevoke(cuid, true, revokeReason.getCode(), String.valueOf(response.getStatus()), serialStr,
+ caConnId, null);
} catch (EBaseException e) {
logMsg = method + ": revokeCertificate from CA failed:" + e;
CMS.debug(logMsg);
+ auditRevoke(cuid, true, revokeReason.getCode(), "failure", serialStr, caConnId, null);
if (revokeReason == RevocationReason.CERTIFICATE_HOLD) {
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, session.getTokenRecord(),
@@ -1731,6 +1742,41 @@ public class TPSProcessor {
return erAttrs;
}
+ protected void setExternalRegSelectedTokenType(ExternalRegAttrs erAttrs)
+ throws TPSException {
+ String method = "TPSProcessor.setExternalRegSelectedTokenType: ";
+ IConfigStore configStore = CMS.getConfigStore();
+ TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
+
+ CMS.debug(method + " begins");
+ if (erAttrs == null || erAttrs.getTokenType() == null) {
+ // get the default externalReg tokenType
+ String configName = "externalReg.default.tokenType";
+ CMS.debug(method + "erAttrs null or externalReg user entry does not contain tokenType...setting to default config: "
+ + configName);
+ try {
+ String tokenType = configStore.getString(configName,
+ "externalRegAddToToken");
+ CMS.debug(method + " setting tokenType to default:" +
+ tokenType);
+ setSelectedTokenType(tokenType);
+ } catch (EBaseException e) {
+ CMS.debug(method + " Internal Error obtaining mandatory config values. Error: "
+ + e);
+ String logMsg = "TPS error getting config values from config store." + e.toString();
+ tps.tdb.tdbActivity(currentTokenOperation, session.getTokenRecord(), session.getIpAddress(), logMsg,
+ "failure");
+
+ throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
+ }
+ } else {
+ CMS.debug(method + " setting tokenType to tokenType attribute of user entry:"
+ +
+ erAttrs.getTokenType());
+ setSelectedTokenType(erAttrs.getTokenType());
+ }
+ }
+
protected void format(boolean skipAuth) throws TPSException, IOException {
IConfigStore configStore = CMS.getConfigStore();
@@ -1738,14 +1784,19 @@ public class TPSProcessor {
String logMsg = null;
String appletVersion = null;
+ CMS.debug("TPSProcessor.format begins");
TPSSubsystem tps = (TPSSubsystem) CMS.getSubsystem(TPSSubsystem.ID);
AppletInfo appletInfo = null;
TokenRecord tokenRecord = null;
try {
appletInfo = getAppletInfo();
+ auditOpRequest("format", appletInfo, "success", null);
} catch (TPSException e) {
logMsg = e.toString();
+ // appletInfo is null as expected at this point
+ // but audit for the record anyway
+ auditOpRequest("format", appletInfo, "failure", logMsg);
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -1849,12 +1900,15 @@ public class TPSProcessor {
throw new TPSException(logMsg, TPSStatus.STATUS_ERROR_MISCONFIGURATION);
}
+ TPSAuthenticator userAuth = null;
try {
- TPSAuthenticator userAuth =
- getAuthentication(authId);
+ userAuth = getAuthentication(authId);
processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
} catch (Exception e) {
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
// all exceptions are considered login failure
CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
@@ -1892,7 +1946,8 @@ public class TPSProcessor {
}
test ends */
- setSelectedTokenType(erAttrs.getTokenType());
+ setExternalRegSelectedTokenType(erAttrs);
+// setSelectedTokenType(erAttrs.getTokenType());
}
CMS.debug("In TPSProcessor.format: isExternalReg: about to process keySet resolver");
/*
@@ -1961,8 +2016,11 @@ public class TPSProcessor {
CMS.debug("TPSProcessor.format: getting config: " + configName);
isAuthRequired = configStore.getBoolean(configName, true);
} catch (EBaseException e) {
- CMS.debug("TPSProcessor.format: Internal Error obtaining mandatory config values. Error: " + e);
- logMsg = "TPS error getting config values from config store." + e.toString();
+ String info = " Internal Error obtaining mandatory config values. Error: " + e;
+ auditFormat(userid, appletInfo, "failure",
+ null, info);
+ CMS.debug("TPSProcessor.format: " + info);
+ logMsg = "TPS error: " + info;
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -1970,11 +2028,15 @@ public class TPSProcessor {
}
if (isAuthRequired && !skipAuth) {
+ TPSAuthenticator userAuth = null;
try {
- TPSAuthenticator userAuth =
- getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
+ userAuth = getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success",
+ (userAuth != null) ? userAuth.getID() : null);
} catch (Exception e) {
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
// all exceptions are considered login failure
CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
@@ -1997,12 +2059,12 @@ public class TPSProcessor {
// Check for transition to 0/UNINITIALIZED status.
if (!tps.engine.isOperationTransitionAllowed(tokenRecord.getTokenStatus(), newState)) {
- CMS.debug("TPSProcessor.format: token transition disallowed " +
- tokenRecord.getTokenStatus() +
- " to " + newState);
- logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() +
- " Disabled, illegal transition attempted " + tokenRecord.getTokenStatus() +
+ String info = " illegal transition attempted: " + tokenRecord.getTokenStatus() +
" to " + newState;
+ CMS.debug("TPSProcessor.format: token transition: " + info);
+ logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() + " Disabled. " + info;
+ auditFormat(userid, appletInfo, "failure",
+ null, info);
tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
"failure");
@@ -2020,6 +2082,8 @@ public class TPSProcessor {
checkAllowUnknownToken(TPSEngine.OP_FORMAT_PREFIX);
}
+ // TODO: the following lines of code could be replaced with call to
+ // checkAndUpgradeApplet()
TPSBuffer build_id = getAppletVersion();
if (build_id == null) {
@@ -2052,9 +2116,18 @@ public class TPSProcessor {
// Upgrade Symm Keys if needed
- SecureChannel channel = checkAndUpgradeSymKeys(appletInfo,tokenRecord);
+ SecureChannel channel;
+ try {
+ channel = checkAndUpgradeSymKeys(appletInfo, tokenRecord);
+ } catch (TPSException te) {
+ auditKeyChangeover(appletInfo, "failure", null /* TODO */,
+ getSymmetricKeysRequiredVersionHexString(), te.toString());
+ throw te;
+ }
channel.externalAuthenticate();
+ auditFormat(userid, appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), null);
+
if (isTokenPresent && revokeCertsAtFormat()) {
// Revoke certificates on token, if so configured
RevocationReason reason = getRevocationReasonAtFormat();
@@ -2621,7 +2694,7 @@ public class TPSProcessor {
index = configStore.getInteger(TPSEngine.CFG_CHANNEL_DEFKEY_INDEX, 0x0);
} catch (EBaseException e) {
- throw new TPSException("TPSProcessor.getChannelDefKeyVersion: Internal error finding config value: " + e,
+ throw new TPSException("TPSProcessor.getChannelDefKeyIndex: Internal error finding config value: " + e,
TPSStatus.STATUS_ERROR_UPGRADE_APPLET);
}
@@ -2800,6 +2873,12 @@ public class TPSProcessor {
+ " App major version: " + result.getAppMajorVersion() + " App minor version: "
+ result.getAppMinorVersion());
+ String currentAppletVersion = formatCurrentAppletVersion(result);
+ if (currentAppletVersion != null) {
+ CMS.debug("TPSProcessor.getAppletInfo: current applet version = " +
+ currentAppletVersion);
+ }
+
return result;
}
@@ -2852,6 +2931,14 @@ public class TPSProcessor {
return version;
}
+ protected String getSymmetricKeysRequiredVersionHexString() throws TPSException {
+ int requiredVersion = getSymmetricKeysRequiredVersion();
+ byte[] nv = { (byte) requiredVersion, 0x01 };
+ TPSBuffer newVersion = new TPSBuffer(nv);
+ String newVersionStr = newVersion.toHexString();
+ return newVersionStr;
+ }
+
protected SecureChannel checkAndUpgradeSymKeys(AppletInfo appletInfo,TokenRecord tokenRecord) throws TPSException, IOException {
/* If the key of the required version is
@@ -2909,6 +2996,10 @@ public class TPSProcessor {
channel = setupSecureChannel(appletInfo);
+ auditKeyChangeoverRequired(appletInfo,
+ channel.getKeyInfoData().toHexStringPlain(),
+ getSymmetricKeysRequiredVersionHexString(), null);
+
/* Assemble the Buffer with the version information
The second byte is the key offset, which is always 1
*/
@@ -3003,7 +3094,8 @@ public class TPSProcessor {
selectCoolKeyApplet();
channel = setupSecureChannel((byte) requiredVersion, (byte) defKeyIndex,
- getTKSConnectorID(),appletInfo);
+ getTKSConnectorID(), appletInfo);
+ auditKeyChangeover(appletInfo, "success", curVersionStr, newVersionStr, null);
} else {
CMS.debug("TPSProcessor.checkAndUpgradeSymeKeys: We are already at the desired key set, returning secure channel.");
@@ -3160,18 +3252,35 @@ public class TPSProcessor {
}
protected String formatCurrentAppletVersion(AppletInfo aInfo) throws TPSException, IOException {
+ String method = "TPSProcessor.formatCurrentAppletVersion: ";
+ CMS.debug(method + " begins");
+ /*
+ * TODO: looks like calling formatCurrentAppletVersion() more than
+ * once will cause keygen to fail on token. (resolve later if needed)
+ * In the mean time, resolution is to save up the result the first
+ * time it is called
+ */
+ if (aInfo.getFinalAppletVersion() != null) {
+ return aInfo.getFinalAppletVersion();
+ }
if (aInfo == null) {
throw new TPSException("TPSProcessor.formatCurrentAppletVersion: ", TPSStatus.STATUS_ERROR_CONTACT_ADMIN);
}
TPSBuffer build_id = getAppletVersion();
+ if (build_id == null) {
+ CMS.debug(method + " getAppletVersion returning null");
+ return null;
+ }
String build_idStr = build_id.toHexStringPlain();
String finalVersion = aInfo.getAppMajorVersion() + "." + aInfo.getAppMinorVersion() + "." + build_idStr;
finalVersion = finalVersion.toLowerCase();
- CMS.debug("TPSProcessor.formatCurrentAppletVersion: returing: " + finalVersion);
+
+ aInfo.setFinalAppletVersion(finalVersion);
+ CMS.debug(method + " returing: " + finalVersion);
return finalVersion;
@@ -3286,13 +3395,17 @@ public class TPSProcessor {
CMS.debug(method + ": opPrefox: " + opPrefix);
if (isAuthRequired) {
+ TPSAuthenticator userAuth = null;
try {
- TPSAuthenticator userAuth =
- getAuthentication(opPrefix, tokenType);
+ userAuth = getAuthentication(opPrefix, tokenType);
processAuthentication(TPSEngine.ENROLL_OP, userAuth, appletInfo.getCUIDhexString(), tokenRecord);
+ auditAuth(userid, currentTokenOperation, appletInfo, "success",
+ (userAuth != null) ? userAuth.getID() : null);
} catch (Exception e) {
// all exceptions are considered login failure
+ auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+ (userAuth != null) ? userAuth.getID() : null);
CMS.debug("TPSProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
String msg = "TPS error user authentication failed:" + e;
tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), msg,
@@ -3700,6 +3813,219 @@ public class TPSProcessor {
}
*/
+ protected void auditAuth(String subjectID, String op,
+ AppletInfo aInfo,
+ String status,
+ String authMgrId) {
+
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
+ if (status.equals("success"))
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ session.getIpAddress(),
+ subjectID,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ op,
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ authMgrId);
+ audit(auditMessage);
+ }
+
+ /*
+ * op can be can be "format", "enroll", or "pinReset"
+ */
+ protected void auditOpRequest(String op, AppletInfo aInfo,
+ String status,
+ String info) {
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ session.getIpAddress(),
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ op,
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditFormat(String subjectID,
+ AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ String info) {
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ session.getIpAddress(),
+ subjectID,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ keyVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditAppletUpgrade(AppletInfo aInfo,
+ String status,
+ String keyVersion,
+ String newVersion,
+ String info) {
+
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ keyVersion,
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ newVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditKeyChangeoverRequired(AppletInfo aInfo,
+ String oldKeyVersion,
+ String newKeyVersion,
+ String info) {
+
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ "na",
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ oldKeyVersion,
+ newKeyVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ protected void auditKeyChangeover(AppletInfo aInfo,
+ String status,
+ String oldKeyVersion,
+ String newKeyVersion,
+ String info) {
+
+ String auditType = "";
+ switch (status) {
+ case "success":
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_9";
+ break;
+ default:
+ auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+ (aInfo != null) ? aInfo.getMSNString() : null,
+ status,
+ getSelectedTokenType(),
+ (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+ oldKeyVersion,
+ newKeyVersion,
+ info);
+ audit(auditMessage);
+ }
+
+ /*
+ * audit revoke, on-hold, or off-hold
+ */
+ protected void auditRevoke(String cuid,
+ boolean isRevoke,
+ int revokeReason,
+ String status,
+ String serial,
+ String caConnId,
+ String info) {
+
+ String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
+ /*
+ * requestType is "revoke", "on-hold", or "off-hold"
+ */
+ String requestType = "revoke";
+ if (!isRevoke)
+ requestType = "off-hold";
+ else {
+ if (revokeReason == RevocationReason.CERTIFICATE_HOLD.getCode()) {
+ requestType = "on-hold";
+ }
+ }
+
+ String auditMessage = CMS.getLogMessage(
+ auditType,
+ (session != null) ? session.getIpAddress() : null,
+ userid,
+ cuid,
+ status,
+ getSelectedTokenType(),
+ serial,
+ requestType,
+ String.valueOf(revokeReason),
+ caConnId,
+ info);
+ audit(auditMessage);
+ }
+
+ /**
+ * Signed Audit Log
+ *
+ * This method is called to store messages to the signed audit log.
+ * <P>
+ *
+ * @param msg signed audit log message
+ */
+ protected void audit(String msg) {
+ // in this case, do NOT strip preceding/trailing whitespace
+ // from passed-in String parameters
+
+ if (mSignedAuditLogger == null) {
+ return;
+ }
+
+ mSignedAuditLogger.log(ILogger.EV_SIGNED_AUDIT,
+ null,
+ ILogger.S_SIGNED_AUDIT,
+ ILogger.LL_SECURITY,
+ msg);
+ }
+
public static void main(String[] args) {
}
generated by cgit (git 2.34.1) at 2024-06-10 23:21:15 +0000