
Add serial and issuer to SSL logs and audits
When creating an SSL connection, logs and audits were reporting only the
certificate subject. Since the certificate could be issued from other CAs
it could be difficult to identify.
This commit adds the issuer and the serial number of the certificate
in both the audit and log messages for a better identification.
fmarco76 committed May 29, 2024
1 parent 1a78063 commit 684f154
Showing 6 changed files with 199 additions and 48 deletions.
Expand Up @@ -37,14 +37,18 @@ public AccessSessionEstablishEvent(String messageID) {
public static AccessSessionEstablishEvent createSuccessEvent(
String clientIP,
String serverIP,
String subjectID) {
String subjectID,
String certID,
String issuerID) {

AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
ACCESS_SESSION_ESTABLISH_SUCCESS);

event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
event.setAttribute("CertSerialNum", certID);
event.setAttribute("IssuerDN", issuerID);
event.setAttribute("Outcome", ILogger.SUCCESS);

return event;
Expand All @@ -54,6 +58,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
String clientIP,
String serverIP,
String subjectID,
String certID,
String issuerID,
String info) {

AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
Expand All @@ -62,6 +68,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
event.setAttribute("CertSerialNum", certID);
event.setAttribute("IssuerDN", issuerID);
event.setAttribute("Outcome", ILogger.FAILURE);
event.setAttribute("Info", info);

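Review bot: `CertSerialNum` and `IssuerDN` are set unconditionally in both createSuccessEvent and createFailureEvent, while the client-side counterparts in this same commit (ClientAccessSessionEstablishEvent, ClientAccessSessionTerminatedEvent) guard with `if (certID != null)`; since the listener code in this commit passes null when no peer certificate is present, a null attribute value may reach the audit record here depending on what setAttribute does with null. Consider the same guard, `if (certID != null) { event.setAttribute("CertSerialNum", certID); }` and likewise for `issuerID`, or document on each factory that callers must supply non-null values. The same applies to the AccessSessionTerminatedEvent.createEvent hunk in the next file section. Both factory bodies continue outside the hunk.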
Expand Up @@ -35,6 +35,8 @@ public static AccessSessionTerminatedEvent createEvent(
String clientIP,
String serverIP,
String subjectID,
String certID,
String issuerID,
String info) {

AccessSessionTerminatedEvent event = new AccessSessionTerminatedEvent(
Expand All @@ -43,6 +45,8 @@ public static AccessSessionTerminatedEvent createEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
event.setAttribute("CertSerialNum", certID);
event.setAttribute("IssuerDN", issuerID);
event.setAttribute("Outcome", ILogger.SUCCESS);
event.setAttribute("Info", info);

Expand Up @@ -40,13 +40,30 @@ public static ClientAccessSessionEstablishEvent createSuccessEvent(
String serverPort,
String subjectID) {

return ClientAccessSessionEstablishEvent.createSuccessEvent(clientHost, serverHost, serverPort, subjectID, null, null);
}

public static ClientAccessSessionEstablishEvent createSuccessEvent(
String clientHost,
String serverHost,
String serverPort,
String subjectID,
String certID,
String issuerID) {

ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS);

event.setAttribute("ClientHost", clientHost);
event.setAttribute("ServerHost", serverHost);
event.setAttribute("ServerPort", serverPort);
event.setAttribute("SubjectID", subjectID);
if (certID != null) {
event.setAttribute("CertSerialNum", certID);
}
if (issuerID != null) {
event.setAttribute("IssuerDN", issuerID);
}
event.setAttribute("Outcome", ILogger.SUCCESS);

return event;
Expand All @@ -59,13 +76,32 @@ public static ClientAccessSessionEstablishEvent createFailureEvent(
String subjectID,
String info) {

return ClientAccessSessionEstablishEvent.createFailureEvent(clientHost, serverHost, serverPort, subjectID, null, null,
info);
}

public static ClientAccessSessionEstablishEvent createFailureEvent(
String clientHost,
String serverHost,
String serverPort,
String subjectID,
String certID,
String issuerID,
String info) {

ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE);

event.setAttribute("ClientHost", clientHost);
event.setAttribute("ServerHost", serverHost);
event.setAttribute("ServerPort", serverPort);
event.setAttribute("SubjectID", subjectID);
if (certID != null) {
event.setAttribute("CertSerialNum", certID);
}
if (issuerID != null) {
event.setAttribute("IssuerDN", issuerID);
}
event.setAttribute("Outcome", ILogger.FAILURE);
event.setAttribute("Info", info);

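Review bot: The new six-argument createSuccessEvent and seven-argument createFailureEvent carry no Javadoc, and the retained shorter overloads delegate with `null, null`, so the `CertSerialNum` and `IssuerDN` attributes are silently absent from the audit record rather than present with a placeholder; a consumer of the audit stream cannot tell "no peer certificate" from "caller used the old overload". A Javadoc on each new overload stating `@param certID serial number of the peer certificate, or {@code null} to omit the CertSerialNum attribute` and `@param issuerID issuer DN of the peer certificate, or {@code null} to omit the IssuerDN attribute` would make that contract explicit for both callers and log reviewers. createFailureEvent's body continues outside the hunk.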
Expand Up @@ -36,6 +36,8 @@ public static ClientAccessSessionTerminatedEvent createEvent(
String serverHost,
String serverPort,
String subjectID,
String certID,
String issuerID,
String info) {

ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent(
Expand All @@ -45,6 +47,12 @@ public static ClientAccessSessionTerminatedEvent createEvent(
event.setAttribute("ServerHost", serverHost);
event.setAttribute("ServerPort", serverPort);
event.setAttribute("SubjectID", subjectID);
if (certID != null) {
event.setAttribute("CertSerialNum", certID);
}
if (issuerID != null) {
event.setAttribute("IssuerDN", issuerID);
}
event.setAttribute("Outcome", ILogger.SUCCESS);
event.setAttribute("Info", info);

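Review bot: createEvent's signature changes from five to seven parameters without keeping the old overload, unlike ClientAccessSessionEstablishEvent in this same commit, which retains its shorter factories and delegates with `null, null`; any caller not among the six files touched here (plugins or tests, if they exist) would fail to compile. Keeping a delegating five-argument overload preserves source compatibility at no cost and matches the sibling class. The method body continues outside the hunk.

```java
public static ClientAccessSessionTerminatedEvent createEvent(
        String clientHost,
        String serverHost,
        String serverPort,
        String subjectID,
        String info) {
    // Peer certificate identifiers unknown: CertSerialNum/IssuerDN are omitted from the event.
    return createEvent(clientHost, serverHost, serverPort, subjectID, null, null, info);
}
// … unchanged: seven-argument createEvent …
```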
Expand Up @@ -17,11 +17,14 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server;

import java.math.BigInteger;
import java.net.InetAddress;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.WeakHashMap;

import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLAlertDescription;
import org.mozilla.jss.ssl.SSLAlertEvent;
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
Expand Down Expand Up @@ -68,12 +71,19 @@ public void alertReceived(SSLAlertEvent event) {
String serverPort = Integer.toString(socket.getPort());

SSLSecurityStatus status = socket.getStatus();
/*

X509Certificate peerCertificate = status.getPeerCertificate();
Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
String subjectID = subjectDN == null ? "" : subjectDN.toString();
*/
String subjectID = "SYSTEM";
String certID = null;
String issuerID = null;
if (peerCertificate != null) {
Principal subjectDN = peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "SYSTEM" :subjectDN.toString();
BigInteger serial = peerCertificate.getSerialNumber();
certID = serial == null ? null : serial.toString();
Principal issuerDN = peerCertificate.getIssuerDN();
issuerID = issuerDN == null ? null : issuerDN.toString();
}

int description = event.getDescription();
String reason = "clientAlertReceived: " + SSLAlertDescription.valueOf(description).toString();
Expand All @@ -83,6 +93,8 @@ public void alertReceived(SSLAlertEvent event) {
serverIP,
serverPort,
subjectID,
certID,
issuerID,
reason));

//logger.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED");
Expand All @@ -93,6 +105,8 @@ public void alertReceived(SSLAlertEvent event) {
logger.debug("- server: " + serverIP);
logger.debug("- server port: " + serverPort);
logger.debug("- subject: " + subjectID);
logger.debug("- serial: " + certID);
logger.debug("- issuer: " + issuerID);

} catch (Exception e) {
logger.warn("PKIClientSocketListener: " + e.getMessage(), e);
Expand All @@ -115,7 +129,9 @@ public void alertSent(SSLAlertEvent event) {
String clientIP;
String serverIP;
String serverPort;
String subjectID;
String subjectID = "SYSTEM";
String certID = null;
String issuerID = null;

if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {

Expand All @@ -125,12 +141,16 @@ public void alertSent(SSLAlertEvent event) {
serverIP = (String)info.get("serverIP");
serverPort = (String)info.get("serverPort");
subjectID = (String)info.get("subjectID");
certID = (String) info.get("certID");
issuerID = (String) info.get("issuerID");

auditEvent = ClientAccessSessionTerminatedEvent.createEvent(
clientIP,
serverIP,
serverPort,
subjectID,
certID,
issuerID,
reason);

} else {
Expand All @@ -144,18 +164,24 @@ public void alertSent(SSLAlertEvent event) {
serverPort = Integer.toString(socket.getPort());

SSLSecurityStatus status = socket.getStatus();
/*

X509Certificate peerCertificate = status.getPeerCertificate();
Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
*/
subjectID = "SYSTEM";
if (peerCertificate != null) {
Principal subjectDN = peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "SYSTEM" :subjectDN.toString();
BigInteger serial = peerCertificate.getSerialNumber();
certID = serial == null ? null : serial.toString();
Principal issuerDN = peerCertificate.getIssuerDN();
issuerID = issuerDN == null ? null : issuerDN.toString();
}

auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
clientIP,
serverIP,
serverPort,
subjectID,
certID,
issuerID,
reason);

}
Expand All @@ -167,6 +193,8 @@ public void alertSent(SSLAlertEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
logger.debug("- serial: " + certID);
logger.debug("- issuer: " + issuerID);
logger.debug("- server port: " + serverPort);

} catch (Exception e) {
Expand Down Expand Up @@ -216,32 +244,45 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
String serverPort = Integer.toString(socket.getPort());

SSLSecurityStatus status = socket.getStatus();
/*

X509Certificate peerCertificate = status.getPeerCertificate();
Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
String subjectID = subjectDN == null ? "" : subjectDN.toString();
*/
String subjectID = "SYSTEM";
String certID = null;
String issuerID = null;
if (peerCertificate != null) {
Principal subjectDN = peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "SYSTEM" :subjectDN.toString();
BigInteger serial = peerCertificate.getSerialNumber();
certID = serial == null ? null : serial.toString();
Principal issuerDN = peerCertificate.getIssuerDN();
issuerID = issuerDN == null ? null : issuerDN.toString();
}

logger.debug("PKIClientSocketListener: Handshake completed:");
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- server port: " + serverPort);
logger.debug("- subject: " + subjectID);
logger.debug("- serial: " + certID);
logger.debug("- issuer: " + issuerID);

// store socket info in socketInfos map
Map<String,Object> info = new HashMap<>();
info.put("clientIP", clientIP);
info.put("serverIP", serverIP);
info.put("serverPort", serverPort);
info.put("subjectID", subjectID);
info.put("certID", certID);
info.put("issuerID", issuerID);
socketInfos.put(socket, info);

signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent(
clientIP,
serverIP,
serverPort,
subjectID));
subjectID,
certID,
issuerID));

} catch (Exception e) {
logger.warn("PKIClientSocketListener: " + e.getMessage(), e);
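Review bot: The peer-certificate extraction (null check, subject DN, serial, issuer DN) is pasted three times, in alertReceived, alertSent and handshakeCompleted, including the same spacing slip `"SYSTEM" :subjectDN.toString()`; a private helper keeps the three audit paths from drifting apart the next time a field is added. Note also that `serial.toString()` records the serial in decimal, whereas certificate tooling usually shows serials in hex, so a comment to that effect (or a deliberate choice of radix) helps anyone correlating `CertSerialNum` in the audit log with a certificate. All three enclosing methods continue outside their hunks.

```java
/** Peer certificate identifiers as written to audit and debug logs. */
private static final class PeerIdentity {
    final String subjectID;   // "SYSTEM" when no peer certificate or no subject DN
    final String certID;      // serial in decimal (BigInteger.toString()), or null
    final String issuerID;    // issuer DN string, or null

    PeerIdentity(String subjectID, String certID, String issuerID) {
        this.subjectID = subjectID;
        this.certID = certID;
        this.issuerID = issuerID;
    }
}

private static PeerIdentity peerIdentity(SSLSecurityStatus status) {
    X509Certificate peerCertificate = status.getPeerCertificate();
    if (peerCertificate == null) {
        return new PeerIdentity("SYSTEM", null, null);
    }
    Principal subjectDN = peerCertificate.getSubjectDN();
    BigInteger serial = peerCertificate.getSerialNumber();
    Principal issuerDN = peerCertificate.getIssuerDN();
    return new PeerIdentity(
            subjectDN == null ? "SYSTEM" : subjectDN.toString(),
            serial == null ? null : serial.toString(),
            issuerDN == null ? null : issuerDN.toString());
}
// … unchanged: alertReceived / alertSent / handshakeCompleted, each replacing its inline block with
// PeerIdentity peer = peerIdentity(status); and using peer.subjectID, peer.certID, peer.issuerID …
```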