From 0df4ba1372e0a5942806fda3b56f0b9ea70c6e05 Mon Sep 17 00:00:00 2001 From: Ade Lee Date: Thu, 18 May 2017 01:27:12 -0400 Subject: Encapsulate key retrieval audit events Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c --- .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 25 ++++++++++----------- .../src/com/netscape/cms/servlet/key/GetPk12.java | 26 ++++++++++------------ 2 files changed, 24 insertions(+), 27 deletions(-) (limited to 'base/server/cms/src') diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java index f0065e116..b28132d0e 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java @@ -35,8 +35,9 @@ import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.common.ICMSRequest; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataExportEvent; +import com.netscape.certsrv.request.RequestId; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; @@ -207,14 +208,13 @@ public class GetAsyncPk12 extends CMSServlet { resp.getOutputStream().write(pkcs12); mRenderResult = false; - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + audit(new SecurityDataExportEvent( agent, ILogger.SUCCESS, - reqID, - ""); - - audit(auditMessage); + new RequestId(reqID), + null, + null, + null)); return; } catch (IOException e) { @@ -233,14 +233,13 @@ public class GetAsyncPk12 extends CMSServlet { } if ((agent != null) && (reqID != null)) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + audit(new SecurityDataExportEvent( agent, ILogger.FAILURE, - reqID, - ""); - - audit(auditMessage); + new RequestId(reqID), + null, + null, + null)); } try { diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java index 9bb52cd9a..c878605d5 100644 --- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java +++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java @@ -36,8 +36,9 @@ import com.netscape.certsrv.base.IArgBlock; import com.netscape.certsrv.base.SessionContext; import com.netscape.certsrv.common.ICMSRequest; import com.netscape.certsrv.kra.IKeyRecoveryAuthority; -import com.netscape.certsrv.logging.AuditEvent; import com.netscape.certsrv.logging.ILogger; +import com.netscape.certsrv.logging.event.SecurityDataExportEvent; +import com.netscape.certsrv.request.RequestId; import com.netscape.cms.servlet.base.CMSServlet; import com.netscape.cms.servlet.common.CMSRequest; import com.netscape.cms.servlet.common.CMSTemplate; @@ -201,15 +202,13 @@ public class GetPk12 extends CMSServlet { resp.getOutputStream().write(pkcs12); mRenderResult = false; - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS, + audit(new SecurityDataExportEvent( agent, ILogger.SUCCESS, - recoveryID, - ""); - - audit(auditMessage); - + new RequestId(recoveryID), + null, + null, + null)); return; } catch (IOException e) { header.addStringValue(OUT_ERROR, @@ -227,14 +226,13 @@ public class GetPk12 extends CMSServlet { } if ((agent != null) && (recoveryID != null)) { - auditMessage = CMS.getLogMessage( - AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE, + audit(new SecurityDataExportEvent( agent, ILogger.FAILURE, - recoveryID, - ""); - - audit(auditMessage); + new RequestId(recoveryID), + null, + null, + null)); } try { -- cgit