author | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-01-23 03:56:06 +0000 |
---|---|---|
committer | cfu <cfu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-01-23 03:56:06 +0000 |
commit | 2f397c05020e7d85886a1146c963d5a7900e09f3 (patch) | |
tree | af6fa68d7c9d6d8b531e06ae9a7a3576a921eb4e /pki/base | |
parent | 281568c660e81ca4b8943bd358ceb57fffa492d4 (diff) | |
481237 - signed audit
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@183 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base')
-rw-r--r-- | pki/base/ca/shared/conf/CS.cfg | 19 | ||||
-rw-r--r-- | pki/base/ca/shared/conf/caAuditSigningCert.profile | 37 | ||||
-rw-r--r-- | pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg | 87 | ||||
-rw-r--r-- | pki/base/common/src/LogMessages_en.properties | 56 | ||||
-rw-r--r-- | pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java | 40 | ||||
-rw-r--r-- | pki/base/java-tools/build.xml | 2 | ||||
-rw-r--r-- | pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java | 31 | ||||
-rw-r--r-- | pki/base/kra/shared/conf/CS.cfg | 15 | ||||
-rw-r--r-- | pki/base/ocsp/shared/conf/CS.cfg | 15 | ||||
-rw-r--r-- | pki/base/tks/shared/conf/CS.cfg | 17 |
10 files changed, 303 insertions, 16 deletions
diff --git a/pki/base/ca/shared/conf/CS.cfg b/pki/base/ca/shared/conf/CS.cfg
index f97af9022..c679c6529 100644
--- a/pki/base/ca/shared/conf/CS.cfg
+++ b/pki/base/ca/shared/conf/CS.cfg
@@ -24,11 +24,12 @@ preop.admin.name=Certificate System Administrator
 preop.admin.group=Certificate Manager Agents
 preop.admincert.profile=caAdminCert
 preop.pin=[PKI_RANDOM_NUMBER]
-preop.cert.list=signing,ocsp_signing,sslserver,subsystem
+preop.cert.list=signing,ocsp_signing,sslserver,subsystem,audit_signing
 preop.cert.signing.enable=true
 preop.cert.ocsp_signing.enable=true
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
 preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
 preop.cert.signing.dn=CN=Certificate Authority
 preop.cert.signing.cncomponent.override=true
@@ -39,6 +40,16 @@ preop.cert.signing.profile=caCert.profile
 preop.cert.signing.subsystem=ca
 preop.cert.signing.type=selfsign
 preop.cert.signing.userfriendlyname=CA Signing Certificate
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=CA Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caAuditSigningCert.profile
+preop.cert.audit_signing.subsystem=ca
+preop.cert.audit_signing.type=local
+preop.cert.audit_signing.userfriendlyname=CA Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
 preop.cert.ocsp_signing.defaultSigningAlgorithm=SHA1withRSA
 preop.cert.ocsp_signing.dn=CN=OCSP Signing Certificate
 preop.cert.ocsp_signing.keysize.custom_size=2048
@@ -766,7 +777,7 @@ log.instance.SignedAudit.maxFileSize=2000
 log.instance.SignedAudit.pluginName=file
 log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit=_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 log.instance.SignedAudit.type=signedAudit
 log.instance.System._000=##
 log.instance.System._001=## System Logging
@@ -815,7 +826,7 @@ oidmap.pse.oid=2.16.840.1.113730.1.18
 oidmap.subject_info_access.class=netscape.security.extensions.SubjectInfoAccessExtension
 oidmap.subject_info_access.oid=1.3.6.1.5.5.7.1.11
 os.userid=nobody
-profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal
+profile.list=caUserCert,caDualCert,caSignedLogCert,caTPSCert,caRARouterCert,caRouterCert,caServerCert,caOtherCert,caCACert,caInstallCACert,caRACert,caOCSPCert,caTransportCert,caDirUserCert,caAgentServerCert,caAgentFileSigning,caCMCUserCert,caFullCMCUserCert,caSimpleCMCUserCert,caTokenDeviceKeyEnrollment,caTokenUserEncryptionKeyEnrollment,caTokenUserSigningKeyEnrollment,caTempTokenDeviceKeyEnrollment,caTempTokenUserEncryptionKeyEnrollment,caTempTokenUserSigningKeyEnrollment,caAdminCert,caInternalAuthServerCert,caInternalAuthTransportCert,caInternalAuthDRMstorageCert,caInternalAuthSubsystemCert,caInternalAuthOCSPCert,caInternalAuthAuditSigningCert,DomainController,caDualRAuserCert,caRAagentCert,caRAserverCert,caUUIDdeviceCert,caSSLClientSelfRenewal,caDirUserRenewal,caManualRenewal
 profile.caUUIDdeviceCert.class_id=caEnrollImpl
 profile.caUUIDdeviceCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caUUIDdeviceCert.cfg
 profile.caManualRenewal.class_id=caEnrollImpl
@@ -850,6 +861,8 @@ profile.caFullCMCUserCert.class_id=caEnrollImpl
 profile.caFullCMCUserCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caFullCMCUserCert.cfg
 profile.caInternalAuthOCSPCert.class_id=caEnrollImpl
 profile.caInternalAuthOCSPCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthOCSPCert.cfg
+profile.caInternalAuthAuditSigningCert.class_id=caEnrollImpl
+profile.caInternalAuthAuditSigningCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthAuditSigningCert.cfg
 profile.caInternalAuthServerCert.class_id=caEnrollImpl
 profile.caInternalAuthServerCert.config=[PKI_INSTANCE_PATH]/profiles/ca/caInternalAuthServerCert.cfg
 profile.caInternalAuthSubsystemCert.class_id=caEnrollImpl
diff --git a/pki/base/ca/shared/conf/caAuditSigningCert.profile b/pki/base/ca/shared/conf/caAuditSigningCert.profile
new file mode 100644
index 000000000..f1124e100
--- /dev/null
+++ b/pki/base/ca/shared/conf/caAuditSigningCert.profile
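Review bot: The nickname `auditSigningCert cert-[PKI_INSTANCE_ID]` is now written twice in this file, under `preop.cert.audit_signing.nickname` in the first hunk and under `log.instance.SignedAudit.signedAuditCertNickname` in the second, with nothing tying the two together; if the configuration wizard allows the nickname to be changed, the signed-audit logger would presumably be left pointing at a certificate that does not exist under that name. Following the `_00N=##` comment convention used elsewhere in this file, a line such as `log.instance.SignedAudit.signedAudit:_003=## must match preop.cert.audit_signing.nickname` next to the log key would make the dependency visible to whoever edits either value.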
@@ -0,0 +1,37 @@
+#
+# CA Audit Signing Cert Profile
+#
+id=caAuditSigningCert.profile
+name=CA Audit Signing Certificate Profile
+description=This profile creates a CA Audit signing certificate that is valid for audit log signing purpose.
+list=2,4,6,8,9
+2.default.class=com.netscape.cms.profile.def.ValidityDefault
+2.default.name=Validity Default
+2.default.params.range=720
+2.default.params.startTime=0
+4.default.class=com.netscape.cms.profile.def.AuthorityKeyIdentifierExtDefault
+4.default.name=Authority Key Identifier Default
+6.default.class=com.netscape.cms.profile.def.KeyUsageExtDefault
+6.default.name=Key Usage Default
+6.default.params.keyUsageCritical=true
+6.default.params.keyUsageDigitalSignature=true
+6.default.params.keyUsageNonRepudiation=true
+6.default.params.keyUsageDataEncipherment=false
+6.default.params.keyUsageKeyEncipherment=false
+6.default.params.keyUsageKeyAgreement=false
+6.default.params.keyUsageKeyCertSign=false
+6.default.params.keyUsageCrlSign=false
+6.default.params.keyUsageEncipherOnly=false
+6.default.params.keyUsageDecipherOnly=false
+8.default.class=com.netscape.cms.profile.def.AuthInfoAccessExtDefault
+8.default.name=AIA Extension Default
+8.default.params.authInfoAccessADEnable_0=true
+8.default.params.authInfoAccessADLocationType_0=URIName
+8.default.params.authInfoAccessADLocation_0=
+8.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+8.default.params.authInfoAccessCritical=false
+8.default.params.authInfoAccessNumADs=1
+9.default.class=com.netscape.cms.profile.def.ExtendedKeyUsageExtDefault
+9.default.name=Extended Key Usage Extension Default
+9.default.params.exKeyUsageCritical=false
+9.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
diff --git a/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
new file mode 100644
index 000000000..547a11166
--- /dev/null
+++ b/pki/base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
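Review bot: `8.default.params.authInfoAccessADLocation_0=` is empty while `authInfoAccessADEnable_0=true`, so the profile asks AuthInfoAccessExtDefault to emit an OCSP access description with no URI; depending on how that default treats an empty URIName, every CA audit signing certificate would either carry a malformed AIA extension or silently get none, and neither outcome is what the config says. The audit signing certificate is checked locally by AuditVerify rather than by remote relying parties, so the simplest fix is to drop `8` from `list=2,4,6,8,9` and remove the `8.default.*` keys; if an AIA is wanted, the CA's OCSP URL has to be filled in. The same empty location appears in policyset 5 of caInternalAuthAuditSigningCert.cfg in this commit.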
@@ -0,0 +1,87 @@
+desc=This certificate profile is for enrolling audit signing certificates.
+visible=true
+enable=true
+enableBy=admin
+auth.instance_id=TokenAuth
+authz.acl=group="Enterprise OCSP Administrators" || group="Enterprise RA Administrators" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators"
+name=Audit Signing Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=auditSigningCertSet
+policyset.auditSigningCertSet.list=1,2,3,4,5,6,7,9
+policyset.auditSigningCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.auditSigningCertSet.1.constraint.name=Subject Name Constraint
+policyset.auditSigningCertSet.1.constraint.params.pattern=CN=.*
+policyset.auditSigningCertSet.1.constraint.params.accept=true
+policyset.auditSigningCertSet.1.default.class_id=userSubjectNameDefaultImpl
+policyset.auditSigningCertSet.1.default.name=Subject Name Default
+policyset.auditSigningCertSet.1.default.params.name=
+policyset.auditSigningCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.auditSigningCertSet.2.constraint.name=Validity Constraint
+policyset.auditSigningCertSet.2.constraint.params.range=720
+policyset.auditSigningCertSet.2.constraint.params.notBeforeCheck=false
+policyset.auditSigningCertSet.2.constraint.params.notAfterCheck=false
+policyset.auditSigningCertSet.2.default.class_id=validityDefaultImpl
+policyset.auditSigningCertSet.2.default.name=Validity Default
+policyset.auditSigningCertSet.2.default.params.range=720
+policyset.auditSigningCertSet.2.default.params.startTime=0
+policyset.auditSigningCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.auditSigningCertSet.3.constraint.name=Key Constraint
+policyset.auditSigningCertSet.3.constraint.params.keyType=-
+policyset.auditSigningCertSet.3.constraint.params.keyMinLength=256
+policyset.auditSigningCertSet.3.constraint.params.keyMaxLength=4096
+policyset.auditSigningCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.auditSigningCertSet.3.default.name=Key Default
+policyset.auditSigningCertSet.4.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.4.constraint.name=No Constraint
+policyset.auditSigningCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.auditSigningCertSet.4.default.name=Authority Key Identifier Default
+policyset.auditSigningCertSet.5.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.5.constraint.name=No Constraint
+policyset.auditSigningCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.auditSigningCertSet.5.default.name=AIA Extension Default
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADLocation_0=
+policyset.auditSigningCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.auditSigningCertSet.5.default.params.authInfoAccessCritical=false
+policyset.auditSigningCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.auditSigningCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.auditSigningCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.auditSigningCertSet.6.default.name=Key Usage Default
+policyset.auditSigningCertSet.6.default.params.keyUsageCritical=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.auditSigningCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.auditSigningCertSet.6.default.params.keyUsageDataEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyEncipherment=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.auditSigningCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageCrlSign=false
+policyset.auditSigningCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.auditSigningCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.auditSigningCertSet.7.constraint.class_id=noConstraintImpl
+policyset.auditSigningCertSet.7.constraint.name=No Constraint
+policyset.auditSigningCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.auditSigningCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.auditSigningCertSet.7.default.params.exKeyUsageCritical=false
+policyset.auditSigningCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.4
+policyset.auditSigningCertSet.9.constraint.class_id=signingAlgConstraintImpl
+policyset.auditSigningCertSet.9.constraint.name=No Constraint
+policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC
+policyset.auditSigningCertSet.9.default.class_id=signingAlgDefaultImpl
+policyset.auditSigningCertSet.9.default.name=Signing Alg
+policyset.auditSigningCertSet.9.default.params.signingAlg=-
diff --git a/pki/base/common/src/LogMessages_en.properties b/pki/base/common/src/LogMessages_en.properties
index 6d4d8e820..b7747674f 100644
--- a/pki/base/common/src/LogMessages_en.properties
+++ b/pki/base/common/src/LogMessages_en.properties
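Review bot: `policyset.auditSigningCertSet.9.constraint.params.signingAlgsAllowed` admits `MD5withRSA` and `MD2withRSA` for a certificate whose only purpose is to make audit logs tamper-evident; a CA signature over a collision-prone digest undermines exactly the property this certificate exists to provide, so the list should be trimmed to `SHA1withRSA,SHA256withRSA,SHA512withRSA,SHA1withDSA,SHA1withEC` (every `preop.cert.audit_signing.defaultSigningAlgorithm` in this commit is SHA1withRSA, so nothing visible depends on the MD variants). The constraint is also mislabelled: `policyset.auditSigningCertSet.9.constraint.name=No Constraint` sits on a `signingAlgConstraintImpl` and should read `Signing Algorithm Constraint`. With `keyType=-`, `keyMinLength=256` would accept a 256-bit RSA key, far below the 2048 that every `preop.cert.audit_signing.keysize.size` in this commit requests; if the constraint is meant to bound RSA keys, the minimum belongs at 2048.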
@@ -2139,6 +2139,62 @@ LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALI
 #
 LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY][SubjectID={0}][Outcome={1}][ReqType={2}][CertSubject={3}][SignerInfo={4}] agent pre-approved CMC request signature verification
 #
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST
+# - used for TPS to TKS to get a sessoin key for secure channel setup
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+# IsCryptoValidate tells if the card cryptogram is to be validated
+# IsServerSideKeygen tells if the keys are to be generated on server
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][SubjectID={0}][Outcome={1}][AgentID={2}][IsCryptoValidate={3}[IsServerSideKeygen={4}] TKS Compute session key request
+#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED
+# - request for TPS to TKS to get a sessoin key for secure channel processed
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# IsCryptoValidate tells if the card cryptogram is to be validated
+# IsServerSideKeygen tells if the keys are to be generated on server
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][IsCryptoValidate={3}[IsServerSideKeygen={4}] TKS Compute session key request processed
+#
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
+# - request for TPS to TKS to do key change over
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_5=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][SubjectID={0}][status={1}][AgentID={2}][oldMasterKeyName={3}[newMasterKeyName={4}] TKS Key Change Over request
+#
+###########################
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED
+# - request for TPS to TKS to do key change over request processed
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_5=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][oldMasterKeyName={3}[newMasterKeyName={4}] TKS Key Change Over request processed
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
+# - request from TPS to TKS to encrypt data
+# (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3} TKS encrypt data request
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED
+# - request from TPS to TKS to encrypt data
+# (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# isRandom 
tells if the data is randomly generated on TKS +LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_4=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED][SubjectID={0}][status={1}][AgentID={2}][isRandom={3} TKS encrypt data request processed +# +# +# ########################### #Unselectable signedAudit Events # diff --git a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java index 9509d421c..d4f3d1dee 100644 --- a/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java +++ b/pki/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java @@ -73,6 +73,15 @@ public class TokenServlet extends CMSServlet { "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3"; IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":"); + private final static String + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_5"; + + private final static String + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED = + "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_5"; + + /** * Constructs tks servlet. */ @@ -199,6 +208,7 @@ public class TokenServlet extends CMSServlet { byte[] card_crypto, host_cryptogram, input_card_crypto; byte[] xcard_challenge, xhost_challenge; byte[] enc_session_key, xkeyInfo; + String auditMessage = null; String keySet = req.getParameter("keySet"); if (keySet == null || keySet.equals("")) { @@ -252,6 +262,14 @@ public class TokenServlet extends CMSServlet { missingParam = true; } + SessionContext sContext = SessionContext.getContext(); + + String agentId=""; + if (sContext != null) { + agentId = + (String) sContext.get(SessionContext.USER_ID); + } + if ((rcard_challenge == null) || (rcard_challenge.equals(""))) { CMS.debug("TokenServlet: ComputeSessionKey(): missing request parameter: card challenge"); missingParam = true; 
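Review bot: All six new format strings have an unclosed field bracket: `[IsCryptoValidate={3}[IsServerSideKeygen={4}]` in both COMPUTE_SESSION_KEY_REQUEST entries, `[oldMasterKeyName={3}[newMasterKeyName={4}]` in both DIVERSIFY_KEY_REQUEST entries, and `[isRandom={3} TKS ...` in both ENCRYPT_DATA_REQUEST entries. Signed audit records are consumed as a sequence of `[Name=value]` fields, so these would write records whose fields a parser cannot split as intended; the fixes are `[IsCryptoValidate={3}][IsServerSideKeygen={4}]`, `[oldMasterKeyName={3}][newMasterKeyName={4}]` and `[isRandom={3}]`. The comment for ENCRYPT_DATA_REQUEST_PROCESSED repeats the REQUEST description instead of saying the request was processed, `sessoin` is misspelled in two comments, and the `###########################` divider was inserted above DIVERSIFY_KEY_REQUEST_PROCESSED rather than between event groups.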
@@ -273,6 +291,16 @@ public class TokenServlet extends CMSServlet { boolean sameCardCrypto = true; if (!missingParam) { + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST, + rCUID, + ILogger.SUCCESS, + agentId, + isCryptoValidate? "true":"false", + serversideKeygen? "true":"false"); + + audit(auditMessage); + xCUID =com.netscape.cmsutil.util.Utils.SpecialDecode(rCUID); if (xCUID == null || xCUID.length != 10) { CMS.debug("TokenServlet: Invalid CUID length"); @@ -297,6 +325,7 @@ public class TokenServlet extends CMSServlet { } } + CUID = null; if (!missingParam) { card_challenge = com.netscape.cmsutil.util.Utils.SpecialDecode(rcard_challenge); @@ -392,7 +421,9 @@ public class TokenServlet extends CMSServlet { /*generate it on whichever token the master key is at*/ if (useSoftToken_s.equals("true")) { CMS.debug("TokenServlet: key encryption key generated on internal"); +//cfu audit here? sym key gen desKey = SessionKey.GenerateSymkey("internal"); +//cfu audit here? sym key gen done } else { CMS.debug("TokenServlet: key encryption key generated on " + selectedToken); desKey = SessionKey.GenerateSymkey(selectedToken); @@ -611,6 +642,15 @@ public class TokenServlet extends CMSServlet { } catch (IOException e) { CMS.debug("TokenServlet: " + e.toString()); } + auditMessage = CMS.getLogMessage( + LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED, + rCUID, + status, + agentId, + isCryptoValidate? "true":"false", + serversideKeygen? "true":"false"); + + audit(auditMessage); } private void processDiversifyKey(HttpServletRequest req, diff --git a/pki/base/java-tools/build.xml b/pki/base/java-tools/build.xml index 9ddd835e3..43aeca017 100644 --- a/pki/base/java-tools/build.xml +++ b/pki/base/java-tools/build.xml 
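Review bot: The COMPUTE_SESSION_KEY_REQUEST record is only emitted inside `if (!missingParam)`, so a request rejected for a missing parameter never produces a request record, while the matching PROCESSED record at the end of the method is emitted unconditionally; for a usable audit trail the request event should be logged before the missingParam checks (or in an else branch with `ILogger.FAILURE` as the outcome) so that every request has both records. `agentId` defaults to `""` when there is no session context, which writes an empty `[AgentID=]` field; if this tree has ILogger's unidentified-subject constant, that is the conventional value to use instead. The `//cfu audit here? sym key gen` and `//cfu audit here? sym key gen done` working notes around `SessionKey.GenerateSymkey("internal")` should either become the audit call they describe or be removed before commit. The TKS CS.cfg in this commit enables DIVERSIFY_KEY_REQUEST, DIVERSIFY_KEY_REQUEST_PROCESSED, ENCRYPT_DATA_REQUEST and ENCRYPT_DATA_REQUEST_PROCESSED, but nothing in these hunks emits them, so processDiversifyKey and the encrypt-data path presumably still need the same treatment. The compute-session-key method starts and ends outside the hunks shown.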
@@ -196,7 +196,7 @@ <arg value="-e"/> <arg value="s/\[PKI_PRODUCT\]/${product.prefix}/g"/> <arg value="-e"/> - <arg value="s/\[PKI_COMMAND\]/AudityVerify/g"/> + <arg value="s/\[PKI_COMMAND\]/AuditVerify/g"/> <arg value="./build/cmds/AuditVerify.tmp"/> </exec> <delete file="./build/cmds/AuditVerify.tmp"/> diff --git a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java index 3207c2f76..955004c25 100644 --- a/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java +++ b/pki/base/java-tools/src/com/netscape/cmstools/AuditVerify.java @@ -26,6 +26,7 @@ import org.mozilla.jss.crypto.ObjectNotFoundException; import org.mozilla.jss.util.Base64InputStream; import java.security.*; import java.security.interfaces.*; +import netscape.security.x509.X509CertImpl; /** * Tool for verifying signed audit logs @@ -92,6 +93,17 @@ public class AuditVerify { return (matchingFiles.length > 0); } + public static boolean isSigningCert(X509CertImpl cert) { + boolean[] keyUsage = null; + + try { + keyUsage = cert.getKeyUsage(); + } catch (Exception e) { + e.printStackTrace(); + } + return (keyUsage == null) ? false : keyUsage[0]; + } + public static void main(String args[]) { try { 
@@ -165,12 +177,21 @@ public class AuditVerify { CryptoManager cm = CryptoManager.getInstance(); X509Certificate signerCert = cm.findCertByNickname(signerNick); + X509CertImpl cert_i = null; + if (signerCert != null) { + byte[] signerCert_b = signerCert.getEncoded(); + cert_i = new X509CertImpl(signerCert_b); + } else { + System.out.println("ERROR: signing certificate not found"); + System.exit(1); + } + // verify signer's certificate - if( ! cm.isCertValid(signerNick, true, - CryptoManager.CertUsage.EmailSigner) ) - { - System.out.println("Error: signing certificate is not valid"); - System.exit(1); + // not checking validity because we want to allow verifying old logs + // + if (!isSigningCert(cert_i)) { + System.out.println("info: signing certificate is not a signing certificate"); + System.exit(1); } PublicKey pubk = signerCert.getPublicKey(); diff --git a/pki/base/kra/shared/conf/CS.cfg b/pki/base/kra/shared/conf/CS.cfg index b3ff6d6b8..d0b1d490a 100644 --- a/pki/base/kra/shared/conf/CS.cfg +++ b/pki/base/kra/shared/conf/CS.cfg 
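Review bot: Replacing `cm.isCertValid(signerNick, true, CryptoManager.CertUsage.EmailSigner)` with `isSigningCert(cert_i)` drops more than the expiry check the new comment mentions: the tool no longer verifies that the signer certificate chains to a trusted CA or is unrevoked, so any certificate in the NSS database under that nickname with the digitalSignature bit set is accepted as the audit signer. Since the stated goal is only to tolerate expired signers when verifying old logs, keep the trust-chain check and relax only the time component if the JSS API available here permits that; at minimum print a clear warning that the signer's trust and revocation status were not verified, and change the rejection message from `info:` to `ERROR:` since the branch exits with status 1. In `isSigningCert`, `keyUsage[0]` depends on the KeyUsage bit order (bit 0 = digitalSignature) and deserves a comment, and a certificate with no KeyUsage extension now fails verification because `getKeyUsage()` returns null, which is a behaviour change the commit message does not mention. `main` continues outside the hunk.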
@@ -18,11 +18,22 @@ preop.admin.name=Data Recovery Manager Administrator
 preop.admin.group=Data Recovery Manager Agents
 preop.admincert.profile=caAdminCert
 preop.pin=[PKI_RANDOM_NUMBER]
-preop.cert.list=transport,storage,sslserver,subsystem
+preop.cert.list=transport,storage,sslserver,subsystem,audit_signing
 preop.cert.transport.enable=true
 preop.cert.storage.enable=true
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=DRM Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=kra
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=DRM Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
 preop.cert.storage.defaultSigningAlgorithm=SHA1withRSA
 preop.cert.storage.dn=CN=DRM Storage Certificate
 preop.cert.storage.keysize.custom_size=2048
@@ -219,7 +230,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit:_000=##
 log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed
 log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 log.instance.SignedAudit.type=signedAudit
 log.instance.System._000=##
 log.instance.System._001=## System Logging
diff --git a/pki/base/ocsp/shared/conf/CS.cfg b/pki/base/ocsp/shared/conf/CS.cfg
index 6290801a9..8b44eb37e 100644
--- a/pki/base/ocsp/shared/conf/CS.cfg
+++ b/pki/base/ocsp/shared/conf/CS.cfg
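Review bot: `log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow KRA audit logs to be signed` is kept verbatim while the line below it now pre-fills `signedAuditCertNickname`, so the instruction no longer describes the shipped default; the same stale comment is left in the OCSP and TKS CS.cfg hunks of this commit. Rewording it along the lines of `## nickname of the audit signing certificate; defaults to this instance's auditSigningCert, change only to use a different trusted signer` keeps it truthful. Because the KRA, OCSP and TKS audit signing certificates are enrolled remotely through the CA's caInternalAuthAuditSigningCert profile (`preop.cert.audit_signing.type=remote`), the value here has to match what the configuration wizard imports under `preop.cert.audit_signing.nickname` in the first hunk, and a pointer to that key in the same comment would help whoever changes either.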
@@ -27,10 +27,21 @@ preop.configModules.module2.commonName=lunasa
 preop.configModules.module2.imagePath=../img/clearpixel.gif
 preop.configModules.count=3
 preop.module.token=Internal Key Storage Token
-preop.cert.list=signing,sslserver,subsystem
+preop.cert.list=signing,sslserver,subsystem,audit_signing
 preop.cert.ocsp_signing.enable=true
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=OCSP Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=ocsp
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=OCSP Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
 preop.cert.signing.defaultSigningAlgorithm=SHA1withRSA
 preop.cert.signing.dn=CN=OCSP Signing Certificate
 preop.cert.signing.keysize.custom_size=2048
@@ -175,7 +186,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit:_000=##
 log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow OCSP audit logs to be signed
 log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 log.instance.SignedAudit.type=signedAudit
 log.instance.System._000=##
 log.instance.System._001=## System Logging
diff --git a/pki/base/tks/shared/conf/CS.cfg b/pki/base/tks/shared/conf/CS.cfg
index 6e83b455a..503232292 100644
--- a/pki/base/tks/shared/conf/CS.cfg
+++ b/pki/base/tks/shared/conf/CS.cfg
@@ -18,9 +18,20 @@ preop.system.name=TKS
 preop.product.name=CS
 preop.product.version=
 preop.system.fullname=Token Key Service
-preop.cert.list=sslserver,subsystem
+preop.cert.list=sslserver,subsystem,audit_signing
 preop.cert.sslserver.enable=true
 preop.cert.subsystem.enable=true
+preop.cert.audit_signing.enable=true
+preop.cert.audit_signing.defaultSigningAlgorithm=SHA1withRSA
+preop.cert.audit_signing.dn=CN=TKS Audit Signing Certificate
+preop.cert.audit_signing.keysize.custom_size=2048
+preop.cert.audit_signing.keysize.size=2048
+preop.cert.audit_signing.nickname=auditSigningCert cert-[PKI_INSTANCE_ID]
+preop.cert.audit_signing.profile=caInternalAuthAuditSigningCert
+preop.cert.audit_signing.subsystem=tks
+preop.cert.audit_signing.type=remote
+preop.cert.audit_signing.userfriendlyname=TKS Audit Signing Certificate
+preop.cert.audit_signing.cncomponent.override=true
 preop.cert.sslserver.defaultSigningAlgorithm=SHA1withRSA
 preop.cert.sslserver.dn=CN=[PKI_MACHINE_NAME]
 preop.cert.sslserver.keysize.custom_size=2048
@@ -161,7 +172,7 @@ log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE,PRIVATE_KEY_ARCHIVE_PROCESSED,KEY_RECOVERY_REQUEST,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_PROCESSED,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/signedAudit/tks_cert-tks_audit
 log.instance.SignedAudit.flushInterval=5
@@ -173,7 +184,7 @@ log.instance.SignedAudit.rolloverInterval=2592000
 log.instance.SignedAudit.signedAudit:_000=##
 log.instance.SignedAudit.signedAudit:_001=## Fill in the nickname of a trusted signing certificate to allow TKS audit logs to be signed
 log.instance.SignedAudit.signedAudit:_002=##
-log.instance.SignedAudit.signedAuditCertNickname=
+log.instance.SignedAudit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_ID]
 log.instance.SignedAudit.type=signedAudit
 log.instance.System._000=##
 log.instance.System._001=## System Logging |