authorcfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-23 03:56:06 +0000
committercfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2009-01-23 03:56:06 +0000
commit2f397c05020e7d85886a1146c963d5a7900e09f3 (patch)
treeaf6fa68d7c9d6d8b531e06ae9a7a3576a921eb4e /pki/base
parent281568c660e81ca4b8943bd358ceb57fffa492d4 (diff)
downloadpki-2f397c05020e7d85886a1146c963d5a7900e09f3.tar.gz
pki-2f397c05020e7d85886a1146c963d5a7900e09f3.tar.xz
pki-2f397c05020e7d85886a1146c963d5a7900e09f3.zip
481237 - signed audit
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@183 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r--pki/base/ca/shared/conf/CS.cfg19
-rw-r--r--pki/base/ca/shared/conf/caAuditSigningCert.profile37
-rw-r--r--pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg87
-rw-r--r--pki/base/common/src/LogMessages_en.properties56
-rw-r--r--pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java40
-rw-r--r--pki/base/java-tools/build.xml2
-rw-r--r--pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java31
-rw-r--r--pki/base/kra/shared/conf/CS.cfg15
-rw-r--r--pki/base/ocsp/shared/conf/CS.cfg15
-rw-r--r--pki/base/tks/shared/conf/CS.cfg17
10 files changed, 303 insertions, 16 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index f97af9022..c679c6529 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -24,11 +24,12 @@ preop.admin.name=Certificate System Administrator
preop.admin.group=Certificate Manager Agents
preop.admincert.profile=caAdminCert
preop.pin=[PKI_RANDOM_NUMBER]
-preop.cert.list=signing,ocsp_signing,sslserver,subsystem
+preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
preop.cert.signing.enable=true
preop.cert.ocsp_signing.enable=true
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
preop.cert.signing.dn=CN=Certificate Authority
preop.cert.signing.cncomponent.override=true
@@ -39,6 +40,16 @@ preop.cert.signing.profile=caCert.profile
preop.cert.signing.subsystem=ca
preop.cert.signing.type=selfsign
preop.cert.signing.userfriendlyname=CA Signing Certificate
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caAuditSigningCert.profile
+preop.cert.audit_signing.subsystem=ca
+preop.cert.audit_signing.type=local
+preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
preop.cert.ocsp_signing.keysize.custom_size=2048
@@ -766,7 +777,7 @@ log.instance.SignedAudit.maxFileSize=2000
log.instance.SignedAudit.pluginName=file
log.instance.SignedAudit.rolloverInterval=2592000
log.instance.SignedAudit.signedAudit=_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
log.instance.SignedAudit.type=signedAudit
log.instance.System._000=##
log.instance.System._001=## System Logging
@@ -815,7 +826,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
os.userid=nobody
-profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal
+profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal
profile.caUUIDdeviceCert.class_id=caEnrollImpl
profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
profile.caManualRenewal.class_id=caEnrollImpl
@@ -850,6 +861,8 @@ profile.caFullCMCUserCert.class_id=caEnrollImpl
profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
profile.caInternalAuthServerCert.class_id=caEnrollImpl
profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
diff --git a/pki/base/ca/shared/conf/caAuditSigningCert.profile b/pki/base/ca/shared/conf/caAuditSigningCert.profile
new file mode 100644
index 000000000..f1124e100
--- /dev/null
+++ b/pki/base/ca/shared/conf/caAuditSigningCert.profile
@@ -0,0 +1,37 @@
+#
+# CA Audit Signing Cert Profile
+#
+id=caAuditSigningCert.profile
+name=CA Audit Signing Certificate Profile
+description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
+list=2,4,6,8,9
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
+9.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+9.default.name=Extended Key Usage Extension Default
+9.default.params.exKeyUsageCritical=false
+9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
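Review bot: `8.default.params.authInfoAccessADEnable_0=true` together with `8.default.params.authInfoAccessNumADs=1` enables one AIA access description while `8.default.params.authInfoAccessADLocation_0=` is left empty, so the locally issued CA audit signing certificate would carry an OCSP access description with an empty URI unless the configuration wizard fills the location in before the profile is applied; worth confirming against the existing `.profile` files (not in this diff), and the same pair appears under policyset 5 of the new `caInternalAuthAuditSigningCert.cfg`. The only extended key usage given to the audit signing key is `9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4` (id-kp-emailProtection), presumably chosen to line up with the JSS EmailSigner usage; a one-line comment above it recording that reason, e.g. `# emailProtection EKU: the usage under which JSS validates the audit signer`, would save the next reader the archaeology, especially since this same commit removes the `CertUsage.EmailSigner` check from AuditVerify.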
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
new file mode 100644
index 000000000..547a11166
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
@@ -0,0 +1,87 @@
+desc=This certificate profile is for enrolling audit signing certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Audit Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=auditSigningCertSet
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,7,9
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
+policyset.auditSigningCertSet.1.constraint.params.accept=true
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
+policyset.auditSigningCertSet.1.default.params.name=
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
+policyset.auditSigningCertSet.2.constraint.params.range=720
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
+policyset.auditSigningCertSet.2.default.name=Validity Default
+policyset.auditSigningCertSet.2.default.params.range=720
+policyset.auditSigningCertSet.2.default.params.startTime=0
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
+policyset.auditSigningCertSet.3.constraint.params.keyMinLength=256
+policyset.auditSigningCertSet.3.constraint.params.keyMaxLength=4096
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.auditSigningCertSet.3.default.name=Key Default
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.7.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.7.constraint.name=No Constraint
+policyset.auditSigningCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.auditSigningCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.auditSigningCertSet.7.default.params.exKeyUsageCritical=false
+policyset.auditSigningCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.auditSigningCertSet.9.default.name=Signing Alg
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
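Review bot: `policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed` accepts `MD5withRSA` and `MD2withRSA`, so a remote subsystem can have its audit-signing certificate issued under a hash that is already considered broken or deprecated, which undercuts the integrity guarantee the signed-audit feature exists to provide; for a profile that only the CA's own subsystems use, the list can be trimmed to `signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC`. Likewise `policyset.auditSigningCertSet.3.constraint.params.keyMinLength=256` with `keyType=-` (presumably "any") would let a misconfigured subsystem enrol a 256-bit RSA signer, even though every `preop.cert.audit_signing.keysize.size` in this commit is 2048; raising the minimum or constraining the key type keeps a trivially factorable key out of the audit trust chain. Minor: policyset 9's constraint is labelled `No Constraint` although its class is `signingAlgConstraintImpl`; `policyset.auditSigningCertSet.9.constraint.name=Signing Algorithm Constraint` would match the other entries.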
diff --git a/pki/base/common/src/LogMessages_en.properties b/pki/base/common/src/LogMessages_en.properties
index 6d4d8e820..b7747674f 100644
--- a/pki/base/common/src/LogMessages_en.properties
+++ b/pki/base/common/src/LogMessages_en.properties
@@ -2139,6 +2139,62 @@ LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALI
#
LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification
#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST
+# - used for TPS to TKS to get a sessoin key for secure channel setup
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+# IsCryptoValidate tells if the card cryptogram is to be validated
+# IsServerSideKeygen tells if the keys are to be generated on server
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}][IsCryptoValidate={3}[IsServerSideKeygen={4}] TKS Compute session key request
+#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED
+# - request for TPS to TKS to get a sessoin key for secure channel processed
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# IsCryptoValidate tells if the card cryptogram is to be validated
+# IsServerSideKeygen tells if the keys are to be generated on server
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][IsCryptoValidate={3}[IsServerSideKeygen={4}] TKS Compute session key request processed
+#
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
+# - request for TPS to TKS to do key change over
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][SubjectID={0}][status={1}][AgentID={2}][oldMasterKeyName={3}[newMasterKeyName={4}] TKS Key Change Over request
+#
+###########################
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED
+# - request for TPS to TKS to do key change over request processed
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_5=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][oldMasterKeyName={3}[newMasterKeyName={4}] TKS Key Change Over request processed
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
+# - request from TPS to TKS to encrypt data
+# (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3} TKS encrypt data request
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED
+# - request from TPS to TKS to encrypt data
+# (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_4=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][isRandom={3} TKS encrypt data request processed
+#
+#
+#
###########################
#Unselectable signedAudit Events
#
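Review bot: The new message templates have unbalanced field brackets: `LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5`, its `_PROCESSED_5` sibling, `LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5` and its `_PROCESSED_5` sibling all read `[...={3}[...={4}]` with no `]` closing the fourth field, and `LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4` / `_PROCESSED_4` end with `[isRandom={3} TKS ...` with no closing bracket at all. Signed-audit records are consumed by tooling that splits on `[name=value]` fields, so these will be read as a malformed or merged field; the fix is `[IsCryptoValidate={3}][IsServerSideKeygen={4}]`, `[oldMasterKeyName={3}][newMasterKeyName={4}]` and `[isRandom={3}]` respectively. The explanatory comments for the two COMPUTE_SESSION_KEY events spell `sessoin`. Note also that the request-side templates are inconsistent with each other: COMPUTE_SESSION_KEY_REQUEST reports `[Outcome={1}]` while DIVERSIFY_KEY_REQUEST and ENCRYPT_DATA_REQUEST report `[status={1}]`, which matters to anyone filtering on field names.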
diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
index 9509d421c..d4f3d1dee 100644
--- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -73,6 +73,15 @@ public class TokenServlet extends CMSServlet {
"LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
+ private final static String
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5";
+
+ private final static String
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED =
+ "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5";
+
+
/**
* Constructs tks servlet.
*/
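Review bot: Only the two COMPUTE_SESSION_KEY message keys get constants here, yet the same commit adds DIVERSIFY_KEY_REQUEST, DIVERSIFY_KEY_REQUEST_PROCESSED, ENCRYPT_DATA_REQUEST and ENCRYPT_DATA_REQUEST_PROCESSED to LogMessages_en.properties and to the `log.instance.SignedAudit.events` list in tks/shared/conf/CS.cfg; no constant or `audit(...)` call for them appears anywhere in this diff, so unless the diversify/encrypt paths already emit them (not visible here) those events are configured but never generated, and an auditor reading the events list would wrongly assume coverage. Either add the corresponding `audit()` calls in this change or state the gap in the commit message. Style: these constants sit between the `pp` instance field and the constructor; placing them beside the existing `LOGGING_SIGNED_AUDIT_CONFIG_DRM_3` constant declared just above keeps the audit keys together.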
@@ -199,6 +208,7 @@ public class TokenServlet extends CMSServlet {
byte[] card_crypto, host_cryptogram, input_card_crypto;
byte[] xcard_challenge, xhost_challenge;
byte[] enc_session_key, xkeyInfo;
+ String auditMessage = null;
String keySet = req.getParameter("keySet");
if (keySet == null || keySet.equals("")) {
@@ -252,6 +262,14 @@ public class TokenServlet extends CMSServlet {
missingParam = true;
}
+ SessionContext sContext = SessionContext.getContext();
+
+ String agentId="";
+ if (sContext != null) {
+ agentId =
+ (String) sContext.get(SessionContext.USER_ID);
+ }
+
if ((rcard_challenge == null) || (rcard_challenge.equals(""))) {
CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge");
missingParam = true;
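Review bot: `agentId` is initialised to `""` but then assigned `(String) sContext.get(SessionContext.USER_ID)` unconditionally, so when the session carries no user id the variable becomes null and the audit records below are formatted with a null agent rather than an identifiable marker. Guard the assignment, e.g. `String uid = (String) sContext.get(SessionContext.USER_ID); if (uid != null) agentId = uid;`, and consider a recognisable placeholder for the empty case so a record missing its agent stands out when the log is reviewed. The lookup is also dropped into the middle of the parameter-presence checks; moving it next to the other declarations at the top of the method keeps the validation block readable.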
@@ -273,6 +291,16 @@ public class TokenServlet extends CMSServlet {
boolean sameCardCrypto = true;
if (!missingParam) {
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
+ rCUID,
+ ILogger.SUCCESS,
+ agentId,
+ isCryptoValidate? "true":"false",
+ serversideKeygen? "true":"false");
+
+ audit(auditMessage);
+
xCUID =com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID);
if (xCUID == null || xCUID.length != 10) {
CMS.debug("TokenServlet: Invalid CUID length");
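Review bot: The COMPUTE_SESSION_KEY_REQUEST record is written with `rCUID` before `SpecialDecode` and the 10-byte length check on the following lines run, and `rCUID` appears to be the raw request parameter (its assignment is above the hunk), so an unvalidated client-supplied string lands in the signed audit log's `SubjectID` field, including any `[` or `]` characters that would confuse field parsing. The record is also emitted only inside `if (!missingParam)`, so requests rejected for missing parameters leave no REQUEST event at all, which is the opposite of what an audit trail should do with rejected requests. Consider emitting the event outside that guard with `missingParam ? ILogger.FAILURE : ILogger.SUCCESS` as the outcome and a sanitised or hex-encoded form of the CUID, and emitting a failure record when the length check below rejects the CUID.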
@@ -297,6 +325,7 @@ public class TokenServlet extends CMSServlet {
}
}
+ CUID = null;
if (!missingParam) {
card_challenge =
com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge);
@@ -392,7 +421,9 @@ public class TokenServlet extends CMSServlet {
/*generate it on whichever token the master key is at*/
if (useSoftToken_s.equals("true")) {
CMS.debug("TokenServlet: key encryption key generated on internal");
+//cfu audit here? sym key gen
desKey = SessionKey.GenerateSymkey("internal");
+//cfu audit here? sym key gen done
} else {
CMS.debug("TokenServlet: key encryption key generated on " + selectedToken);
desKey = SessionKey.GenerateSymkey(selectedToken);
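Review bot: The two `//cfu audit here? sym key gen` / `//cfu audit here? sym key gen done` lines are unindented, author-initialled scratch notes rather than documentation. If the question is still open, replace them with one tracked item such as `// TODO: decide whether SessionKey.GenerateSymkey needs its own signed-audit event (KEY_GEN_ASYMMETRIC covers only asymmetric keys)`; otherwise drop them before merging, since initialled markers are hard to grep for later and read as unfinished work.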
@@ -611,6 +642,15 @@ public class TokenServlet extends CMSServlet {
} catch (IOException e) {
CMS.debug("TokenServlet: " + e.toString());
}
+ auditMessage = CMS.getLogMessage(
+ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED,
+ rCUID,
+ status,
+ agentId,
+ isCryptoValidate? "true":"false",
+ serversideKeygen? "true":"false");
+
+ audit(auditMessage);
}
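Review bot: The COMPUTE_SESSION_KEY_REQUEST_PROCESSED record is only reached at the very end of the method (whose body starts above the hunk), after the `IOException` catch, so any earlier `return` or unchecked exception during session-key computation would leave a REQUEST event with no matching PROCESSED event, which is exactly the pair an auditor correlates. If the method has such exits, wrap the processing in `try { ... } finally { audit(...) }` with `status` set on every path; if it has none, a short comment here, e.g. `// always reached: every branch above falls through with status set`, documents that invariant. The five-argument formatting block is duplicated verbatim from the REQUEST site; a small private helper taking the message key and the outcome string would keep the two in sync as fields are added.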
private void processDiversifyKey(HttpServletRequest req,
diff --git a/pki/base/java-tools/build.xml b/pki/base/java-tools/build.xml
index 9ddd835e3..43aeca017 100644
--- a/pki/base/java-tools/build.xml
+++ b/pki/base/java-tools/build.xml
@@ -196,7 +196,7 @@
<arg value="-e"/>
<arg value="s/\[PKI_PRODUCT\]/${product.prefix}/g"/>
<arg value="-e"/>
- <arg value="s/\[PKI_COMMAND\]/AudityVerify/g"/>
+ <arg value="s/\[PKI_COMMAND\]/AuditVerify/g"/>
<arg value="./build/cmds/AuditVerify.tmp"/>
</exec>
<delete file="./build/cmds/AuditVerify.tmp"/>
diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
index 3207c2f76..955004c25 100644
--- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
+++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java
@@ -26,6 +26,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException;
import org.mozilla.jss.util.Base64InputStream;
import java.security.*;
import java.security.interfaces.*;
+import netscape.security.x509.X509CertImpl;
/**
* Tool for verifying signed audit logs
@@ -92,6 +93,17 @@ public class AuditVerify {
return (matchingFiles.length > 0);
}
+ public static boolean isSigningCert(X509CertImpl cert) {
+ boolean[] keyUsage = null;
+
+ try {
+ keyUsage = cert.getKeyUsage();
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ return (keyUsage == null) ? false : keyUsage[0];
+ }
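Review bot: `isSigningCert` indexes `keyUsage[0]` without checking the array length, and when `getKeyUsage()` throws it prints a stack trace and returns false, so a certificate that merely could not be parsed is reported to the caller as "not a signing certificate" with the real cause buried in stderr. Replace the last line with `return keyUsage != null && keyUsage.length > 0 && keyUsage[0];` and add a Javadoc such as `/** True when the certificate's KeyUsage extension asserts digitalSignature (bit 0); false when the extension is absent, empty, or cannot be read. */`, since the method name promises more than that one bit. Bit 0 alone does not distinguish an audit-signing certificate from any other end-entity certificate, which matters for how the caller below uses this result.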
+
public static void main(String args[]) {
try {
@@ -165,12 +177,21 @@ public class AuditVerify {
CryptoManager cm = CryptoManager.getInstance();
X509Certificate signerCert = cm.findCertByNickname(signerNick);
+ X509CertImpl cert_i = null;
+ if (signerCert != null) {
+ byte[] signerCert_b = signerCert.getEncoded();
+ cert_i = new X509CertImpl(signerCert_b);
+ } else {
+ System.out.println("ERROR: signing certificate not found");
+ System.exit(1);
+ }
+
// verify signer's certificate
- if( ! cm.isCertValid(signerNick, true,
- CryptoManager.CertUsage.EmailSigner) )
- {
- System.out.println("Error: signing certificate is not valid");
- System.exit(1);
+ // not checking validity because we want to allow verifying old logs
+ //
+ if (!isSigningCert(cert_i)) {
+ System.out.println("info: signing certificate is not a signing certificate");
+ System.exit(1);
}
PublicKey pubk = signerCert.getPublicKey();
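Review bot: Replacing `cm.isCertValid(signerNick, true, CryptoManager.CertUsage.EmailSigner)` with `isSigningCert(cert_i)` removes the only check that the signer chains to a trusted CA, not merely its validity-period check: any certificate in the NSS database whose KeyUsage carries the digitalSignature bit now passes, so the tool reports a log as verified as long as the nickname resolves to a certificate whose key produced the signatures, whatever its trust status. Allowing expired signers for old logs is a legitimate goal, but it should keep the trust/chain check and relax only the time check, or require an explicit command-line opt-out that prints a warning, rather than dropping validation entirely; at minimum the two-line comment `// not checking validity because we want to allow verifying old logs` should spell out that trust is no longer checked either. The new failure message `info: signing certificate is not a signing certificate` is followed by `System.exit(1)`, so its prefix should be `ERROR:` like the not-found message a few lines above. The surrounding try that absorbs a throwing `signerCert.getEncoded()` is outside the hunk.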
diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg
index b3ff6d6b8..d0b1d490a 100644
--- a/pki/base/kra/shared/conf/CS.cfg
+++ b/pki/base/kra/shared/conf/CS.cfg
@@ -18,11 +18,22 @@ preop.admin.name=Data Recovery Manager Administrator
preop.admin.group=Data Recovery Manager Agents
preop.admincert.profile=caAdminCert
preop.pin=[PKI_RANDOM_NUMBER]
-preop.cert.list=transport,storage,sslserver,subsystem
+preop.cert.list=transport,storage,sslserver,subsystem,audit_signing
preop.cert.transport.enable=true
preop.cert.storage.enable=true
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=DRM Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=kra
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
preop.cert.storage.defaultSigningAlgorithm=SHA1withRSA
preop.cert.storage.dn=CN=DRM Storage Certificate
preop.cert.storage.keysize.custom_size=2048
@@ -219,7 +230,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
log.instance.SignedAudit.signedAudit:_000=##
log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed
log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
log.instance.SignedAudit.type=signedAudit
log.instance.System._000=##
log.instance.System._001=## System Logging
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg
index 6290801a9..8b44eb37e 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg
@@ -27,10 +27,21 @@ preop.configModules.module2.commonName=lunasa
preop.configModules.module2.imagePath=../img/clearpixel.gif
preop.configModules.count=3
preop.module.token=Internal Key Storage Token
-preop.cert.list=signing,sslserver,subsystem
+preop.cert.list=signing,sslserver,subsystem,audit_signing
preop.cert.ocsp_signing.enable=true
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=OCSP Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=ocsp
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
preop.cert.signing.dn=CN=OCSP Signing Certificate
preop.cert.signing.keysize.custom_size=2048
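Review bot: `preop.cert.list=signing,sslserver,subsystem,audit_signing` still names its first entry `signing` while the enable key on the next line is `preop.cert.ocsp_signing.enable=true` and the remaining keys in the hunk use `preop.cert.signing.*`. This mismatch predates the commit, but since the line is rewritten here it is worth confirming which tag the configuration code actually looks up (not visible in this diff) so that the new `audit_signing` entry, whose enable key `preop.cert.audit_signing.enable=true` does match its list entry, is not copied alongside an already-broken pattern.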
@@ -175,7 +186,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
log.instance.SignedAudit.signedAudit:_000=##
log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed
log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
log.instance.SignedAudit.type=signedAudit
log.instance.System._000=##
log.instance.System._001=## System Logging
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
index 6e83b455a..503232292 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg
@@ -18,9 +18,20 @@ preop.system.name=TKS
preop.product.name=CS
preop.product.version=
preop.system.fullname=Token Key Service
-preop.cert.list=sslserver,subsystem
+preop.cert.list=sslserver,subsystem,audit_signing
preop.cert.sslserver.enable=true
preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=TKS Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=tks
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=TKS Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
preop.cert.sslserver.keysize.custom_size=2048
@@ -161,7 +172,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED
log.instance.SignedAudit.expirationTime=0
log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
log.instance.SignedAudit.flushInterval=5
@@ -173,7 +184,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
log.instance.SignedAudit.signedAudit:_000=##
log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed
log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
log.instance.SignedAudit.type=signedAudit
log.instance.System._000=##
log.instance.System._001=## System Logging