Diffstat (limited to 'base/server/cms/src')
3 files changed, 143 insertions, 1 deletions
diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt
index 2ca0285a4..c66227c8d 100644
--- a/base/server/cms/src/CMakeLists.txt
+++ b/base/server/cms/src/CMakeLists.txt
@@ -107,7 +107,8 @@ javac(pki-cms-classes ${XALAN_JAR} ${XERCES_JAR} ${JSS_JAR} ${SYMKEY_JAR} ${LDAPJDK_JAR} - ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${VELOCITY_JAR} + ${SERVLET_JAR} ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} + ${TOMCATJSS_JAR} ${VELOCITY_JAR} ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${PKI_NSUTIL_JAR} ${PKI_CMSUTIL_JAR} ${PKI_CERTSRV_JAR} ${PKI_TOMCAT_JAR} OUTPUT_DIR
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java
index 5521d1470..cfbf724e7 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSStartServlet.java
@@ -26,6 +26,9 @@ import javax.servlet.http.HttpServlet;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.tomcat.util.net.jss.TomcatJSS;
+import org.dogtagpki.server.PKIServerSocketListener;
+
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.cms.realm.PKIRealm;
@@ -118,6 +121,10 @@ public class CMSStartServlet extends HttpServlet {
 // Register realm for this subsystem
 ProxyRealm.registerRealm(subsystem, new PKIRealm());
+
+ // Register TomcatJSS socket listener
+ TomcatJSS tomcatJss = TomcatJSS.getInstance();
+ tomcatJss.addSocketListener(new PKIServerSocketListener());
 }
 public void doGet(HttpServletRequest req, HttpServletResponse res)
diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
new file mode 100644
index 000000000..f147c7710
--- /dev/null
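Review bot: The new listener is added to the TomcatJSS singleton from this servlet's initialization without any guard, and the line just above registers a realm per subsystem, so an instance that initializes this servlet for more than one subsystem would presumably register one PKIServerSocketListener per subsystem and emit each ACCESS_SESSION audit record once per listener — unless addSocketListener deduplicates, which cannot be seen here. Nothing in the hunk removes the listener again, so a servlet reload would also leave a stale listener registered on the singleton. A minimal guard is a static field, `private static PKIServerSocketListener socketListener;` and `if (socketListener == null) { socketListener = new PKIServerSocketListener(); tomcatJss.addSocketListener(socketListener); }`, with a matching removal in destroy() if the TomcatJSS API provides one. The enclosing method starts outside the hunk.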
+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java 
@@ -0,0 +1,134 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package org.dogtagpki.server;
+
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.SocketAddress;
+import java.security.Principal;
+
+import org.mozilla.jss.crypto.X509Certificate;
+import org.mozilla.jss.ssl.SSLAlertDescription;
+import org.mozilla.jss.ssl.SSLAlertEvent;
+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
+import org.mozilla.jss.ssl.SSLSecurityStatus;
+import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketListener;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.logging.IAuditor;
+
+public class PKIServerSocketListener implements SSLSocketListener {
+
+ private static Logger logger = LoggerFactory.getLogger(PKIServerSocketListener.class);
+
+ @Override
+ public void alertReceived(SSLAlertEvent event) {
+ }
+
+ @Override
+ public void alertSent(SSLAlertEvent event) {
+ try {
+ SSLSocket socket = event.getSocket();
+
+ SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+ InetAddress clientAddress = remoteSocketAddress == null ?
null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+ InetAddress serverAddress = socket.getLocalAddress();
+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+ String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+
+ SSLSecurityStatus status = socket.getStatus();
+ X509Certificate peerCertificate = status.getPeerCertificate();
+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+ String subjectID = subjectDN == null ? "" : subjectDN.toString();
+
+ int description = event.getDescription();
+ String reason = SSLAlertDescription.valueOf(description).toString();
+
+ logger.debug("SSL alert sent:");
+ logger.debug(" - client: " + clientAddress);
+ logger.debug(" - server: " + serverAddress);
+ logger.debug(" - reason: " + reason);
+
+ IAuditor auditor = CMS.getAuditor();
+
+ if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
+
+ String auditMessage = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
+ clientIP,
+ serverIP,
+ subjectID);
+
+ auditor.log(auditMessage);
+
+ } else {
+
+ String auditMessage = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE",
+ clientIP,
+ serverIP,
+ subjectID,
+ reason);
+
+ auditor.log(auditMessage);
+ }
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+
+ @Override
+ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
+ try {
+ SSLSocket socket = event.getSocket();
+
+ SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+ InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+ InetAddress serverAddress = socket.getLocalAddress();
+ String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+ String serverIP = serverAddress == null ?
"" : serverAddress.getHostAddress();
+
+ SSLSecurityStatus status = socket.getStatus();
+ X509Certificate peerCertificate = status.getPeerCertificate();
+ Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+ String subjectID = subjectDN == null ? "" : subjectDN.toString();
+
+ logger.debug("Handshake completed:");
+ logger.debug(" - client: " + clientAddress);
+ logger.debug(" - server: " + serverAddress);
+ logger.debug(" - subject: " + subjectDN);
+
+ IAuditor auditor = CMS.getAuditor();
+
+ String auditMessage = CMS.getLogMessage(
+ "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS",
+ clientIP,
+ serverIP,
+ subjectID);
+
+ auditor.log(auditMessage);
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+ }
+} |
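Review bot: Both alertSent and handshakeCompleted end in `catch (Exception e) { e.printStackTrace(); }`, so any failure while building or writing the signed audit record — for instance `SSLAlertDescription.valueOf(description)` yielding null for a description it does not know, which would make the following `.toString()` throw — silently drops the ACCESS_SESSION event and sends the trace to stderr instead of the class's own logger. At minimum report through the logger, `logger.error("Unable to audit SSL event", e);`, and resolve the reason defensively, `String reason = String.valueOf(SSLAlertDescription.valueOf(description));`, so an unknown alert still produces an ESTABLISH_FAILURE record. Note also that alertReceived has an empty body, so a peer-sent close_notify or failure alert produces no audit record while the same alert sent by the server does; if that asymmetry is intended it deserves a comment such as `// Received alerts are not audited here; only server-sent alerts are.` The logger field should also be `final`.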
