-rw-r--r--base/common/src/com/netscape/certsrv/request/IRequest.java3
-rw-r--r--base/kra/shared/conf/CS.cfg.in4
-rw-r--r--base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java30
-rw-r--r--base/kra/src/com/netscape/kra/RecoveryService.java3
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java36
-rw-r--r--base/kra/src/com/netscape/kra/SecurityDataService.java44
-rw-r--r--base/kra/src/com/netscape/kra/SymKeyGenService.java43
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java32
-rw-r--r--base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java18
-rw-r--r--base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java15
10 files changed, 98 insertions, 130 deletions
diff --git a/base/common/src/com/netscape/certsrv/request/IRequest.java b/base/common/src/com/netscape/certsrv/request/IRequest.java
index f9c442754..885cb72a6 100644
--- a/base/common/src/com/netscape/certsrv/request/IRequest.java
+++ b/base/common/src/com/netscape/certsrv/request/IRequest.java
@@ -293,6 +293,9 @@ public interface IRequest extends Serializable {
public final static String ATTR_SOURCE_ID = "requestSourceId";
public final static String ATTR_REQUEST_TYPE = "requestType";
+ /* for async recovery */
+ public final static String ATTR_APPROVE_AGENTS = "approvingAgents";
+
/*
* Other attributes stored in the attribute set
*/
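Review bot: The comment on the new constant, `/* for async recovery */`, does not say what the attribute holds, and callers elsewhere in this commit (KeyRecoveryAuthority) rely on a specific encoding: a comma-separated list of agent IDs whose first entry is the initiating agent, appended to with `agents + "," + agentID`. Since the constant now lives on the shared interface, that contract should be stated here rather than only in the KRA code, e.g. `/* for async recovery: comma-separated list of approving agent IDs; the first entry is the initiating agent */`.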
diff --git a/base/kra/shared/conf/CS.cfg.in b/base/kra/shared/conf/CS.cfg.in
index ce298c794..d8b595153 100644
--- a/base/kra/shared/conf/CS.cfg.in
+++ b/base/kra/shared/conf/CS.cfg.in
@@ -274,11 +274,11 @@ log.instance.SignedAudit._001=## Signed Audit Logging
log.instance.SignedAudit._002=##
log.instance.SignedAudit._003=##
log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY
+log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED
log.instance.SignedAudit._006=##
log.instance.SignedAudit.bufferSize=512
log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY
+log.instance.SignedAudit.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ_SUCCESS,AUTHZ_FAIL,INTER_BOUNDARY,AUTH_FAIL,AUTH_SUCCESS,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_RETRIEVE_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED
log.instance.SignedAudit.expirationTime=0
log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
log.instance.SignedAudit.flushInterval=5
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 54cf2a0c6..8ee8cb2d0 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -575,6 +575,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
+ public int getNoOfRequiredSecurityDataRecoveryAgents() throws EBaseException {
+ int ret = -1;
+ ret = mConfig.getInteger("noOfRequiredSecurityDataRecoveryAgents", 1);
+ if (ret <= 0) {
+ throw new EBaseException("Invalid parameter noOfRequiredSecurityDataRecoveryAgents");
+ }
+ return ret;
+ }
+
/**
* Sets number of required agents for
* recovery operation
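Review bot: `int ret = -1;` in the new getNoOfRequiredSecurityDataRecoveryAgents is a dead initializer, overwritten on the next line; fold the two into `int ret = mConfig.getInteger("noOfRequiredSecurityDataRecoveryAgents", 1);`. The neighbouring accessor carries Javadoc while this one has none; a short doc saying it returns the number of agents required to approve a security-data recovery request, read from the `noOfRequiredSecurityDataRecoveryAgents` config key with a default of 1, and that an `EBaseException` is thrown for a non-positive value, would match the file. It would also help operators if the exception message included the offending value, e.g. `"Invalid parameter noOfRequiredSecurityDataRecoveryAgents: " + ret`.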
@@ -850,7 +859,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
r.setExtData(RecoveryService.ATTR_SERIALNO, kid);
r.setExtData(RecoveryService.ATTR_USER_CERT, cert);
// first one in the "approvingAgents" list is the initiating agent
- r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS, agent);
+ r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent);
r.setRequestStatus(RequestStatus.PENDING);
queue.updateRequest(r);
auditRecoveryID = r.getRequestId().toString();
@@ -911,7 +920,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- String agents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ String agents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
if (agents != null) {
int i = agents.indexOf(",");
if (i == -1) {
@@ -946,7 +955,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- String agents = r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ String agents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
if (agents != null) {
int count = 0;
StringTokenizer st = new StringTokenizer(agents, ",");
@@ -959,11 +968,15 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
count++;
}
+ int agentsRequired =
+ (r.getRequestType().equals(IRequest.SECURITY_DATA_RECOVERY_REQUEST)) ?
+ getNoOfRequiredSecurityDataRecoveryAgents() :
+ getNoOfRequiredAgents();
// note: if count==1 and required agents is 1, it's good to add
- // and it'd look like "agent1,agent1" - that's the only dup allowed
- if (count <= getNoOfRequiredAgents()) { //all good, add it
- r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS,
+ // and it'd look like "agent1,agent1" - that's the only duplicate allowed
+ if (count <= agentsRequired) { //all good, add it
+ r.setExtData(IRequest.ATTR_APPROVE_AGENTS,
agents + "," + agentID);
if (count == getNoOfRequiredAgents()) {
r.setRequestStatus(RequestStatus.APPROVED);
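Review bot: The gate that adds an agent now uses the request-type-specific `agentsRequired`, but the status transition two lines later still compares against `getNoOfRequiredAgents()`: `if (count == getNoOfRequiredAgents())`. When `noOfRequiredSecurityDataRecoveryAgents` differs from `noOfRequiredAgents`, a security-data recovery request is either approved after the wrong number of agents or never reaches APPROVED at all. The comparison should use the same value as the guard: `if (count == agentsRequired) {`. The enclosing method starts and ends outside this hunk, so please check whether any later use of `getNoOfRequiredAgents()` in it needs the same treatment.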
@@ -1039,7 +1052,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
}
}
// for both sync and async recovery
- r.setExtData(RecoveryService.ATTR_APPROVE_AGENTS, agent);
+ r.setExtData(IRequest.ATTR_APPROVE_AGENTS, agent);
// store a message in the signed audit log file
auditMessage = CMS.getLogMessage(
@@ -1151,8 +1164,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
queue = getRequestQueue();
r = queue.findRequest(new RequestId(reqID));
- auditAgents =
- r.getExtDataInString(RecoveryService.ATTR_APPROVE_AGENTS);
+ auditAgents = r.getExtDataInString(IRequest.ATTR_APPROVE_AGENTS);
// set transient parameters
params = createVolatileRequest(r.getRequestId());
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index 1b5781ca0..7b1685b4d 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -103,9 +103,6 @@ public class RecoveryService implements IService {
public static final String ATTR_USER_CERT = "cert";
public static final String ATTR_DELIVERY = "delivery";
- // for Async Key Recovery
- public static final String ATTR_APPROVE_AGENTS = "approvingAgents";
-
private IKeyRecoveryAuthority mKRA = null;
private IKeyRepository mStorage = null;
private IStorageKeyUnit mStorageUnit = null;
diff --git a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
index 269fa8df4..a2d587318 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataRecoveryService.java
@@ -53,7 +53,6 @@ import org.mozilla.jss.util.Password;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
@@ -119,7 +118,8 @@ public class SecurityDataRecoveryService implements IService {
byte iv_default[] = { 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1 };
byte iv_in[] = null;
- String subjectID = auditSubjectID();
+ String requestor = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = requestor;
Hashtable<String, Object> params = mKRA.getVolatileRequest(
request.getRequestId());
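Review bot: The audit subject is now taken straight from `request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER)` with no fallback, so a request that carries no owner attribute (for example one created before this change) produces audit records with a null subject, whereas the removed `auditSubjectID()` always fell back to `ILogger.NONROLEUSER` or `ILogger.UNIDENTIFIED`. Keep the fail-safe value for the audit trail: `String auditSubjectID = (requestor != null) ? requestor : ILogger.UNIDENTIFIED;`. The same pattern appears in the SecurityDataService and SymKeyGenService hunks of this commit (`String auditSubjectID = owner;`), which should get the same fallback. The two locals `requestor` and `auditSubjectID` are otherwise aliases of each other; if the fallback is added only one of them is needed.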
@@ -130,7 +130,7 @@ public class SecurityDataRecoveryService implements IService {
if (params == null) {
CMS.debug("Can't get volatile params.");
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"cannot get volatile params");
throw new EBaseException("Can't obtain volatile params!");
}
@@ -213,7 +213,7 @@ public class SecurityDataRecoveryService implements IService {
params.put(IRequest.SECURITY_DATA_PASS_WRAPPED_DATA, pbeWrappedData);
} catch (Exception e) {
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot unwrap passphrase");
throw new EBaseException("Can't unwrap pass phase! " + e.toString());
} finally {
@@ -235,7 +235,7 @@ public class SecurityDataRecoveryService implements IService {
wrapper.initWrap(unwrappedSess, new IVParameterSpec(iv));
key_data = wrapper.wrap(symKey);
} catch (Exception e) {
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
"Cannot wrap symmetric key");
throw new EBaseException("Can't wrap symmetric key! " + e.toString());
}
@@ -248,13 +248,13 @@ public class SecurityDataRecoveryService implements IService {
encryptor.initEncrypt(unwrappedSess, new IVParameterSpec(iv));
key_data = encryptor.doFinal(unwrappedSecData);
} else {
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID,
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
serialno.toString(), "Failed to create cipher");
throw new IOException("Failed to create cipher");
}
} catch (Exception e) {
e.printStackTrace();
- auditRecoveryRequestProcessed(subjectID, ILogger.FAILURE, requestID,
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID,
serialno.toString(), "Cannot wrap pass phrase");
throw new EBaseException("Can't wrap pass phrase!");
}
@@ -265,7 +265,7 @@ public class SecurityDataRecoveryService implements IService {
params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
}
- auditRecoveryRequestProcessed(subjectID, ILogger.SUCCESS, requestID, serialno.toString(),
+ auditRecoveryRequestProcessed(auditSubjectID, ILogger.SUCCESS, requestID, serialno.toString(),
"None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
mKRA.getRequestQueue().updateRequest(request);
@@ -421,26 +421,6 @@ public class SecurityDataRecoveryService implements IService {
msg);
}
- private String auditSubjectID() {
- if (signedAuditLogger == null) {
- return null;
- }
-
- String subjectID = null;
-
- // Initialize subjectID
- SessionContext auditContext = SessionContext.getExistingContext();
-
- if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
- subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
- } else {
- subjectID = ILogger.UNIDENTIFIED;
- }
-
- return subjectID;
- }
-
private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
String keyID, String reason) {
String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/com/netscape/kra/SecurityDataService.java b/base/kra/src/com/netscape/kra/SecurityDataService.java
index 8201414db..4a2ebef34 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataService.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataService.java
@@ -24,7 +24,6 @@ import org.mozilla.jss.crypto.SymmetricKey;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
@@ -47,7 +46,6 @@ import com.netscape.cmsutil.util.Utils;
*/
public class SecurityDataService implements IService {
- private final static String DEFAULT_OWNER = "IPA Agent";
public final static String ATTR_KEY_RECORD = "keyRecord";
private final static String STATUS_ACTIVE = "active";
@@ -94,7 +92,7 @@ public class SecurityDataService implements IService {
String algParams = request.getExtDataInString(IEnrollProfile.REQUEST_ALGORITHM_PARAMS);
String algStr = request.getExtDataInString(IEnrollProfile.REQUEST_ALGORITHM_OID);
- // prameters if the secret is a symkey
+ // parameters if the secret is a symmetric key
String dataType = request.getExtDataInString(IRequest.SECURITY_DATA_TYPE);
String algorithm = request.getExtDataInString(IRequest.SECURITY_DATA_ALGORITHM);
int strength = request.getExtDataInInteger(IRequest.SECURITY_DATA_STRENGTH);
@@ -102,12 +100,12 @@ public class SecurityDataService implements IService {
CMS.debug("SecurityDataService.serviceRequest. Request id: " + id);
CMS.debug("SecurityDataService.serviceRequest wrappedSecurityData: " + wrappedSecurityData);
- String owner = getOwnerName(request);
- String subjectID = auditSubjectID();
+ String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = owner;
//Check here even though restful layer checks for this.
if (clientKeyId == null || dataType == null) {
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Bad data in request");
throw new EBaseException("Bad data in SecurityDataService.serviceRequest");
}
@@ -177,11 +175,13 @@ public class SecurityDataService implements IService {
} else if (securityData != null) {
privateSecurityData = mStorageUnit.encryptInternalPrivate(securityData);
} else { // We have no data.
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
// create key record
+ // Note that in this case the owner is the same as the approving agent
+ // because the archival request is made by the agent.
KeyRecord rec = new KeyRecord(null, publicKey,
privateSecurityData, owner,
algStr, owner);
@@ -191,7 +191,7 @@ public class SecurityDataService implements IService {
//Now we need a serial number for our new key.
if (rec.getSerialNumber() != null) {
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -202,7 +202,7 @@ public class SecurityDataService implements IService {
if (serialNo == null) {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
- auditArchivalRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to get next Key ID");
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -222,7 +222,7 @@ public class SecurityDataService implements IService {
storage.addKeyRecord(rec);
- auditArchivalRequestProcessed(subjectID, ILogger.SUCCESS, request.getRequestId(),
+ auditArchivalRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
clientKeyId, serialNo.toString(), "None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
mKRA.getRequestQueue().updateRequest(request);
@@ -230,10 +230,6 @@ public class SecurityDataService implements IService {
return true;
}
- //ToDo: return real owner with auth
- private String getOwnerName(IRequest request) {
- return DEFAULT_OWNER;
- }
private void audit(String msg) {
if (signedAuditLogger == null)
@@ -246,26 +242,6 @@ public class SecurityDataService implements IService {
msg);
}
- private String auditSubjectID() {
- if (signedAuditLogger == null) {
- return null;
- }
-
- String subjectID = null;
-
- // Initialize subjectID
- SessionContext auditContext = SessionContext.getExistingContext();
-
- if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
- subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
- } else {
- subjectID = ILogger.UNIDENTIFIED;
- }
-
- return subjectID;
- }
-
private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
String keyID, String reason) {
String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 774bbcda9..46c8265f0 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -34,7 +34,6 @@ import org.mozilla.jss.crypto.TokenException;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.SessionContext;
import com.netscape.certsrv.dbs.keydb.IKeyRecord;
import com.netscape.certsrv.dbs.keydb.IKeyRepository;
import com.netscape.certsrv.key.KeyRequestResource;
@@ -56,7 +55,6 @@ import com.netscape.cmscore.dbs.KeyRecord;
*/
public class SymKeyGenService implements IService {
- private final static String DEFAULT_OWNER = "IPA Agent";
public final static String ATTR_KEY_RECORD = "keyRecord";
private final static String STATUS_ACTIVE = "active";
@@ -102,12 +100,12 @@ public class SymKeyGenService implements IService {
CMS.debug("SymKeyGenService.serviceRequest. Request id: " + id);
CMS.debug("SymKeyGenService.serviceRequest algorithm: " + algorithm);
- String owner = getOwnerName(request);
- String subjectID = auditSubjectID();
+ String owner = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ String auditSubjectID = owner;
//Check here even though restful layer checks for this.
if (algorithm == null || clientKeyId == null || keySize <= 0) {
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Bad data in request");
throw new EBaseException("Bad data in SymKeyGenService.serviceRequest");
}
@@ -167,7 +165,7 @@ public class SymKeyGenService implements IService {
} catch (TokenException | IllegalStateException | CharConversionException | NoSuchAlgorithmException
| InvalidAlgorithmParameterException e) {
CMS.debugStackTrace();
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to generate symmetric key");
throw new EBaseException("Errors in generating symmetric key: " + e);
}
@@ -178,7 +176,7 @@ public class SymKeyGenService implements IService {
if (sk != null) {
privateSecurityData = mStorageUnit.wrap(sk);
} else { // We have no data.
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to create security data to archive");
throw new EBaseException("Failed to create security data to archive!");
}
@@ -192,7 +190,7 @@ public class SymKeyGenService implements IService {
//Now we need a serial number for our new key.
if (rec.getSerialNumber() != null) {
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -203,7 +201,7 @@ public class SymKeyGenService implements IService {
if (serialNo == null) {
mKRA.log(ILogger.LL_FAILURE,
CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
- auditSymKeyGenRequestProcessed(subjectID, ILogger.FAILURE, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
clientKeyId, null, "Failed to get next Key ID");
throw new EBaseException(CMS.getUserMessage("CMS_KRA_INVALID_STATE"));
}
@@ -218,7 +216,7 @@ public class SymKeyGenService implements IService {
CMS.debug("KRA adding Security Data key record " + serialNo);
storage.addKeyRecord(rec);
- auditSymKeyGenRequestProcessed(subjectID, ILogger.SUCCESS, request.getRequestId(),
+ auditSymKeyGenRequestProcessed(auditSubjectID, ILogger.SUCCESS, request.getRequestId(),
clientKeyId, serialNo.toString(), "None");
request.setExtData(IRequest.RESULT, IRequest.RES_SUCCESS);
@@ -227,11 +225,6 @@ public class SymKeyGenService implements IService {
return true;
}
- //ToDo: return real owner with auth
- private String getOwnerName(IRequest request) {
- return DEFAULT_OWNER;
- }
-
private void audit(String msg) {
if (signedAuditLogger == null)
return;
@@ -243,26 +236,6 @@ public class SymKeyGenService implements IService {
msg);
}
- private String auditSubjectID() {
- if (signedAuditLogger == null) {
- return null;
- }
-
- String subjectID = null;
-
- // Initialize subjectID
- SessionContext auditContext = SessionContext.getExistingContext();
-
- if (auditContext != null) {
- subjectID = (String) auditContext.get(SessionContext.USER_ID);
- subjectID = (subjectID != null) ? subjectID.trim() : ILogger.NONROLEUSER;
- } else {
- subjectID = ILogger.UNIDENTIFIED;
- }
-
- return subjectID;
- }
-
private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
String keyID, String reason) {
String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 4f3ef57af..c538e016b 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.BadRequestException;
import com.netscape.certsrv.base.EBaseException;
import com.netscape.certsrv.base.PKIException;
import com.netscape.certsrv.base.ResourceMessage;
+import com.netscape.certsrv.base.UnauthorizedException;
import com.netscape.certsrv.dbs.keydb.KeyId;
import com.netscape.certsrv.key.KeyArchivalRequest;
import com.netscape.certsrv.key.KeyRecoveryRequest;
@@ -176,7 +177,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Archival must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
auditArchivalRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS, data.getClientKeyId());
return createCreatedResponse(response, new URI(response.getRequestInfo().getRequestURL()));
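Review bot: The new null check is on the wrong object: `servletRequest.getUserPrincipal()` is what returns null for an unauthenticated caller, so `getUserPrincipal().getName()` throws a NullPointerException before `owner == null` is ever evaluated, and the caller gets a server error instead of the intended 401. Test the principal first, e.g. `Principal principal = servletRequest.getUserPrincipal();` / `if (principal == null) { throw new UnauthorizedException("Archival must be performed by an agent"); }` / `String owner = principal.getName();` (`java.security.Principal` may need importing). The same construct is used in the recovery hunk (`requestor`), the approve hunk (`service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName())`), the key-generation hunk (`owner`) and the KeyService hunk (`retriever`) of this commit; each should take the principal-null path.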
@@ -207,8 +212,12 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
+ String requestor = servletRequest.getUserPrincipal().getName();
+ if (requestor == null) {
+ throw new UnauthorizedException("Recovery must be initiated by an agent");
+ }
response = (data.getCertificate() != null)?
- requestKeyRecovery(data): dao.submitRequest(data, uriInfo);
+ requestKeyRecovery(data): dao.submitRequest(data, uriInfo, requestor);
auditRecoveryRequestMade(response.getRequestInfo().getRequestId(),
ILogger.SUCCESS, data.getKeyId());
@@ -253,18 +262,9 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
if (id == null) {
throw new BadRequestException("Invalid request id.");
}
- // auth and authz
- KeyRequestDAO dao = new KeyRequestDAO();
try {
- IRequest request = queue.findRequest(id);
- String type = request.getRequestType();
- if (IRequest.KEYRECOVERY_REQUEST.equals(type)) {
- service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- } else if (IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
- dao.approveRequest(id);
- auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
- }
+ service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
+ auditRecoveryRequestChange(id, ILogger.SUCCESS, "approve");
} catch (EBaseException e) {
e.printStackTrace();
auditRecoveryRequestChange(id, ILogger.FAILURE, "approve");
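Review bot: Dropping the request-type dispatch means approve now forwards every request id, whatever its type, to `service.addAgentAsyncKeyRecovery`, where the old code only did so for KEYRECOVERY_REQUEST and SECURITY_DATA_RECOVERY_REQUEST. The body of addAgentAsyncKeyRecovery is only partly visible in this diff and it does not appear to reject other types itself, so an archival or key-generation request could have an agent appended to its approving-agents list and its status moved to APPROVED. Unless that method is known to validate the type, a check should be kept in front of the call, as below; `queue` and `BadRequestException` are already used in this method.
```java
try {
    String type = queue.findRequest(id).getRequestType();
    if (!IRequest.KEYRECOVERY_REQUEST.equals(type)
            && !IRequest.SECURITY_DATA_RECOVERY_REQUEST.equals(type)) {
        throw new BadRequestException("Invalid request type");
    }
    service.addAgentAsyncKeyRecovery(id.toString(), servletRequest.getUserPrincipal().getName());
    // … unchanged: success audit, catch (EBaseException e) …
```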
@@ -448,7 +448,11 @@ public class KeyRequestService extends PKIService implements KeyRequestResource
KeyRequestDAO dao = new KeyRequestDAO();
KeyRequestResponse response;
try {
- response = dao.submitRequest(data, uriInfo);
+ String owner = servletRequest.getUserPrincipal().getName();
+ if (owner == null) {
+ throw new UnauthorizedException("Key generation must be performed by an agent");
+ }
+ response = dao.submitRequest(data, uriInfo, owner);
auditSymKeyGenRequestMade(response.getRequestInfo().getRequestId(), ILogger.SUCCESS,
data.getClientKeyId());
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index cfb84a5bf..9f33b1ba7 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -314,8 +314,22 @@ public class KeyService extends PKIService implements KeyResource {
throw new BadRequestException("Invalid request type");
}
- //confirm that agent is originator of request, else throw 401
- // TO-DO
+ //confirm that retriever is originator of request, else throw 401
+ String retriever = servletRequest.getUserPrincipal().getName();
+ IRequest request;
+ try {
+ request = queue.findRequest(reqId);
+ } catch (EBaseException e) {
+ e.printStackTrace();
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "unable to retrieve recovery request");
+ throw new PKIException(e.getMessage());
+ }
+ String originator = request.getExtDataInString(IRequest.ATTR_REQUEST_OWNER);
+ if (! originator.equals(retriever)) {
+ auditRetrieveKey(ILogger.FAILURE, reqId, null, "recovery request not approved. originator does not match retriever");
+ throw new UnauthorizedException(
+ "Data for recovery requests can only be retrieved by the originators of the request");
+ }
// confirm request is in approved state
RequestStatus status = reqInfo.getRequestStatus();
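Review bot: The comparison at L546 dereferences `originator`, which `getExtDataInString` yields as null for any request that does not carry ATTR_REQUEST_OWNER (requests created before this attribute was recorded, or through a submission path that does not set it), so those requests fail with a NullPointerException rather than the 401 this hunk intends. Reject a missing owner explicitly and keep the comparison null-safe: `if (originator == null || !originator.equals(retriever)) {`. The wrapper at L543, `throw new PKIException(e.getMessage())`, drops the cause; pass `e` through if PKIException offers a cause-taking constructor. The audit message at L547 reports "recovery request not approved", but the condition detected is an originator mismatch; naming it as such keeps the audit trail accurate for whoever reviews it later. The enclosing method starts and ends outside the hunk.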
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index 22d0f48e6..3686ec776 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -155,7 +155,8 @@ public class KeyRequestDAO extends CMSRequestDAO {
* @return info for the request submitted.
* @throws EBaseException
*/
- public KeyRequestResponse submitRequest(KeyArchivalRequest data, UriInfo uriInfo) throws EBaseException {
+ public KeyRequestResponse submitRequest(KeyArchivalRequest data, UriInfo uriInfo, String owner)
+ throws EBaseException {
String clientKeyId = data.getClientKeyId();
String wrappedSecurityData = data.getWrappedPrivateData();
String transWrappedSessionKey = data.getTransWrappedSessionKey();
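Review bot: The javadoc ending at L560 does not describe the new `owner` parameter introduced at L562; add `@param owner name of the authenticated agent submitting the request, recorded on it as ATTR_REQUEST_OWNER` above the `@return` line. The same omission applies to `requestor` on the recovery overload at L579 and to the key-generation overload at L592, which has no javadoc at all. None of the three overloads validates the value, and only the REST callers check for null, so a `Objects.requireNonNull(owner, "owner");` as the first statement would make the contract explicit for any other caller. The method body continues outside the hunk.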
@@ -192,6 +193,8 @@ public class KeyRequestDAO extends CMSRequestDAO {
request.setExtData(IRequest.SECURITY_DATA_ALGORITHM, keyAlgorithm);
}
+ request.setExtData(IRequest.ATTR_REQUEST_OWNER, owner);
+
queue.processRequest(request);
queue.markAsServiced(request);
@@ -206,7 +209,8 @@ public class KeyRequestDAO extends CMSRequestDAO {
* @return info on the recovery request created
* @throws EBaseException
*/
- public KeyRequestResponse submitRequest(KeyRecoveryRequest data, UriInfo uriInfo) throws EBaseException {
+ public KeyRequestResponse submitRequest(KeyRecoveryRequest data, UriInfo uriInfo, String requestor)
+ throws EBaseException {
// set data using request.setExtData(field, data)
String wrappedSessionKeyStr = data.getTransWrappedSessionKey();
@@ -246,12 +250,16 @@ public class KeyRequestDAO extends CMSRequestDAO {
request.setExtData(ATTR_SERIALNO, keyId.toString());
+ request.setExtData(IRequest.ATTR_REQUEST_OWNER, requestor);
+ request.setExtData(IRequest.ATTR_APPROVE_AGENTS, requestor);
+
queue.processRequest(request);
return createKeyRequestResponse(request, uriInfo);
}
- public KeyRequestResponse submitRequest(SymKeyGenerationRequest data, UriInfo uriInfo) throws EBaseException {
+ public KeyRequestResponse submitRequest(SymKeyGenerationRequest data, UriInfo uriInfo, String owner)
+ throws EBaseException {
String clientKeyId = data.getClientKeyId();
String algName = data.getKeyAlgorithm();
Integer keySize = data.getKeySize();
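Review bot: L586 stores the submitting agent in ATTR_APPROVE_AGENTS at submission time, which makes the requestor count as the first approving agent before any other agent has acted; if the required number of approving agents is configured as one (the threshold logic is not visible here), the request would need no second approval. That intent deserves a comment at L586, e.g. `// the requestor is recorded as the first approving agent for async recovery`, and the code that evaluates the approval threshold should be confirmed to expect this initial entry. The enclosing recovery method starts outside the hunk and the key-generation method beginning at L592 continues past it.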
@@ -298,6 +306,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
request.setExtData(IRequest.SYMKEY_GEN_USAGES, StringUtils.join(usages, ","));
request.setExtData(IRequest.SECURITY_DATA_CLIENT_KEY_ID, clientKeyId);
+ request.setExtData(IRequest.ATTR_REQUEST_OWNER, owner);
if (transWrappedSessionKey != null) {
request.setExtData(IRequest.SYMKEY_TRANS_WRAPPED_SESSION_KEY,