diff --git a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java
index 21a7694aa28..102f365ac11 100644
--- a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java
+++ b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java
@@ -37,7 +37,9 @@ public AccessSessionEstablishEvent(String messageID) {
public static AccessSessionEstablishEvent createSuccessEvent(
String clientIP,
String serverIP,
- String subjectID) {
+ String subjectID,
+ String certID,
+ String issuerID) {
AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
ACCESS_SESSION_ESTABLISH_SUCCESS);
@@ -45,6 +47,8 @@ public static AccessSessionEstablishEvent createSuccessEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("CertSerialNum", certID);
+ event.setAttribute("IssuerDN", issuerID);
event.setAttribute("Outcome", ILogger.SUCCESS);
return event;
@@ -54,6 +58,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
String clientIP,
String serverIP,
String subjectID,
+ String certID,
+ String issuerID,
String info) {
AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
@@ -62,6 +68,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("CertSerialNum", certID);
+ event.setAttribute("IssuerDN", issuerID);
event.setAttribute("Outcome", ILogger.FAILURE);
event.setAttribute("Info", info);
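Review bot: `createSuccessEvent` and `createFailureEvent` change arity without keeping the old signatures, so any caller of the three- or four-argument form outside this diff stops compiling; in the same commit `ClientAccessSessionEstablishEvent` keeps the legacy overload and delegates with `null, null`, and the same pattern would keep this class source-compatible. Suggest adding `public static AccessSessionEstablishEvent createSuccessEvent(String clientIP, String serverIP, String subjectID) { return createSuccessEvent(clientIP, serverIP, subjectID, null, null); }` and the matching failure overload. The five- and six-argument forms also have no Javadoc; a `@param certID serial number of the peer certificate (decimal, as the listeners in this diff format it)` / `@param issuerID issuer DN of the peer certificate` pair would tell callers what the new attributes hold.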
diff --git a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java
index 285ddff1b11..8279eaf620e 100644
--- a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java
+++ b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java
@@ -35,6 +35,8 @@ public static AccessSessionTerminatedEvent createEvent(
String clientIP,
String serverIP,
String subjectID,
+ String certID,
+ String issuerID,
String info) {
AccessSessionTerminatedEvent event = new AccessSessionTerminatedEvent(
@@ -43,6 +45,8 @@ public static AccessSessionTerminatedEvent createEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("CertSerialNum", certID);
+ event.setAttribute("IssuerDN", issuerID);
event.setAttribute("Outcome", ILogger.SUCCESS);
event.setAttribute("Info", info);
diff --git a/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java b/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
index f54641aee13..c828b062a29 100644
--- a/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
+++ b/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionEstablishEvent.java
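Review bot: `createEvent` stores `CertSerialNum` and `IssuerDN` unconditionally, whereas the client-side `ClientAccessSessionTerminatedEvent` and `ClientAccessSessionEstablishEvent` in this same commit wrap the two `setAttribute` calls in `if (certID != null)` / `if (issuerID != null)`. The two event families therefore represent a missing peer certificate differently, which anything parsing both logs has to special-case; what `setAttribute` does with a null value is not visible in this diff. Either guard here the same way, or document on the signature that callers must pass a non-null placeholder (the server listener passes `""` or its unknown default). A `@param certID serial number of the peer certificate` / `@param issuerID issuer DN of the peer certificate` Javadoc on `createEvent` would be welcome either way.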
@@ -40,6 +40,17 @@ public static ClientAccessSessionEstablishEvent createSuccessEvent(
String serverPort,
String subjectID) {
+ return ClientAccessSessionEstablishEvent.createSuccessEvent(clientHost, serverHost, serverPort, subjectID, null, null);
+ }
+
+ public static ClientAccessSessionEstablishEvent createSuccessEvent(
+ String clientHost,
+ String serverHost,
+ String serverPort,
+ String subjectID,
+ String certID,
+ String issuerID) {
+
ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS);
@@ -47,6 +58,12 @@ public static ClientAccessSessionEstablishEvent createSuccessEvent(
event.setAttribute("ServerHost", serverHost);
event.setAttribute("ServerPort", serverPort);
event.setAttribute("SubjectID", subjectID);
+ if (certID != null) {
+ event.setAttribute("CertSerialNum", certID);
+ }
+ if (issuerID != null) {
+ event.setAttribute("IssuerDN", issuerID);
+ }
event.setAttribute("Outcome", ILogger.SUCCESS);
return event;
@@ -59,6 +76,19 @@ public static ClientAccessSessionEstablishEvent createFailureEvent(
String subjectID,
String info) {
+ return ClientAccessSessionEstablishEvent.createFailureEvent(clientHost, serverHost, serverPort, subjectID, null, null,
+ info);
+ }
+
+ public static ClientAccessSessionEstablishEvent createFailureEvent(
+ String clientHost,
+ String serverHost,
+ String serverPort,
+ String subjectID,
+ String certID,
+ String issuerID,
+ String info) {
+
ClientAccessSessionEstablishEvent event = new ClientAccessSessionEstablishEvent(
CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE);
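Review bot: The new six- and seven-argument factories and the legacy overloads that delegate to them carry no Javadoc, so a reader cannot tell that `certID` and `issuerID` are optional and that passing `null` omits the attribute entirely rather than recording an empty one (the `if (certID != null)` guards in the next hunk). Suggest on each new overload `@param certID serial number of the peer certificate, or null to omit CertSerialNum` and `@param issuerID issuer DN of the peer certificate, or null to omit IssuerDN`, and on each legacy overload a one-liner such as `/** Convenience overload for callers without peer-certificate details; records no CertSerialNum/IssuerDN. */`. The legacy overloads' parameter lists begin above the first hunk, so the Javadoc would sit outside the visible lines.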
@@ -66,6 +96,12 @@ public static ClientAccessSessionEstablishEvent createFailureEvent(
event.setAttribute("ServerHost", serverHost);
event.setAttribute("ServerPort", serverPort);
event.setAttribute("SubjectID", subjectID);
+ if (certID != null) {
+ event.setAttribute("CertSerialNum", certID);
+ }
+ if (issuerID != null) {
+ event.setAttribute("IssuerDN", issuerID);
+ }
event.setAttribute("Outcome", ILogger.FAILURE);
event.setAttribute("Info", info);
diff --git a/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java b/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
index cad0c97edde..4ed8cf4fb13 100644
--- a/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
+++ b/base/server/src/main/java/com/netscape/certsrv/logging/event/ClientAccessSessionTerminatedEvent.java
@@ -36,6 +36,8 @@ public static ClientAccessSessionTerminatedEvent createEvent(
String serverHost,
String serverPort,
String subjectID,
+ String certID,
+ String issuerID,
String info) {
ClientAccessSessionTerminatedEvent event = new ClientAccessSessionTerminatedEvent(
@@ -45,6 +47,12 @@ public static ClientAccessSessionTerminatedEvent createEvent(
event.setAttribute("ServerHost", serverHost);
event.setAttribute("ServerPort", serverPort);
event.setAttribute("SubjectID", subjectID);
+ if (certID != null) {
+ event.setAttribute("CertSerialNum", certID);
+ }
+ if (issuerID != null) {
+ event.setAttribute("IssuerDN", issuerID);
+ }
event.setAttribute("Outcome", ILogger.SUCCESS);
event.setAttribute("Info", info);
diff --git a/base/server/src/main/java/org/dogtagpki/server/PKIClientSocketListener.java b/base/server/src/main/java/org/dogtagpki/server/PKIClientSocketListener.java
index 8e0ae24134d..9444797a5ff 100644
--- a/base/server/src/main/java/org/dogtagpki/server/PKIClientSocketListener.java
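Review bot: `ClientAccessSessionTerminatedEvent.createEvent` widens its signature without the compatibility overload that `ClientAccessSessionEstablishEvent` gets in this same commit, so the two sibling classes now differ in whether the five-argument form still exists and any external caller of the old form breaks. For consistency add `public static ClientAccessSessionTerminatedEvent createEvent(String clientHost, String serverHost, String serverPort, String subjectID, String info) { return createEvent(clientHost, serverHost, serverPort, subjectID, null, null, info); }` before the new signature. As in the sibling class, a `@param` line each for `certID` and `issuerID` noting that `null` omits the attribute would document the `if (certID != null)` guards.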
+++ b/base/server/src/main/java/org/dogtagpki/server/PKIClientSocketListener.java
@@ -17,11 +17,14 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server;
+import java.math.BigInteger;
import java.net.InetAddress;
+import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.WeakHashMap;
+import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLAlertDescription;
import org.mozilla.jss.ssl.SSLAlertEvent;
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
@@ -68,12 +71,19 @@ public void alertReceived(SSLAlertEvent event) {
String serverPort = Integer.toString(socket.getPort());
SSLSecurityStatus status = socket.getStatus();
-/*
+ X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- String subjectID = subjectDN == null ? "" : subjectDN.toString();
-*/
String subjectID = "SYSTEM";
+ String certID = null;
+ String issuerID = null;
+ if (peerCertificate != null) {
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "SYSTEM" :subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? null : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? null : issuerDN.toString();
+ }
int description = event.getDescription();
String reason = "clientAlertReceived: " + SSLAlertDescription.valueOf(description).toString();
@@ -83,6 +93,8 @@ public void alertReceived(SSLAlertEvent event) {
serverIP,
serverPort,
subjectID,
+ certID,
+ issuerID,
reason));
//logger.debug(method + "CS_CLIENT_ACCESS_SESSION_TERMINATED");
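Review bot: Re-enabling the previously commented-out block changes what `SubjectID` means in the client-side audit events: before this hunk it was always the literal `"SYSTEM"`, afterwards it is the remote peer's certificate subject whenever `status.getPeerCertificate()` returns one, and `"SYSTEM"` now doubles as "no peer certificate" and "certificate with a null subject". That is presumably intended, but nothing in the diff says so; a comment such as `// SubjectID is the peer (server) certificate subject; "SYSTEM" means no peer certificate was available` above `String subjectID = "SYSTEM";` would record it for whoever reads the audit trail. Style: `subjectDN == null ? "SYSTEM" :subjectDN.toString()` is missing the space after the colon, here and in the two later copies of this block. `alertReceived` starts above the hunk.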
@@ -93,6 +105,8 @@ public void alertReceived(SSLAlertEvent event) {
logger.debug("- server: " + serverIP);
logger.debug("- server port: " + serverPort);
logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
} catch (Exception e) {
logger.warn("PKIClientSocketListener: " + e.getMessage(), e);
@@ -115,7 +129,9 @@ public void alertSent(SSLAlertEvent event) {
String clientIP;
String serverIP;
String serverPort;
- String subjectID;
+ String subjectID = "SYSTEM";
+ String certID = null;
+ String issuerID = null;
if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
@@ -125,12 +141,16 @@ public void alertSent(SSLAlertEvent event) {
serverIP = (String)info.get("serverIP");
serverPort = (String)info.get("serverPort");
subjectID = (String)info.get("subjectID");
+ certID = (String) info.get("certID");
+ issuerID = (String) info.get("issuerID");
auditEvent = ClientAccessSessionTerminatedEvent.createEvent(
clientIP,
serverIP,
serverPort,
subjectID,
+ certID,
+ issuerID,
reason);
} else {
@@ -144,18 +164,24 @@ public void alertSent(SSLAlertEvent event) {
serverPort = Integer.toString(socket.getPort());
SSLSecurityStatus status = socket.getStatus();
-/*
+ X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
-*/
- subjectID = "SYSTEM";
+ if (peerCertificate != null) {
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "SYSTEM" :subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? null : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? null : issuerDN.toString();
+ }
auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
clientIP,
serverIP,
serverPort,
subjectID,
+ certID,
+ issuerID,
reason);
}
@@ -167,6 +193,8 @@ public void alertSent(SSLAlertEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
logger.debug("- server port: " + serverPort);
} catch (Exception e) {
@@ -216,18 +244,27 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
String serverPort = Integer.toString(socket.getPort());
SSLSecurityStatus status = socket.getStatus();
-/*
+ X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- String subjectID = subjectDN == null ? "" : subjectDN.toString();
-*/
String subjectID = "SYSTEM";
+ String certID = null;
+ String issuerID = null;
+ if (peerCertificate != null) {
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "SYSTEM" :subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? null : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? null : issuerDN.toString();
+ }
logger.debug("PKIClientSocketListener: Handshake completed:");
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- server port: " + serverPort);
logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
// store socket info in socketInfos map
Map info = new HashMap<>();
@@ -235,13 +272,17 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
info.put("serverIP", serverIP);
info.put("serverPort", serverPort);
info.put("subjectID", subjectID);
+ info.put("certID", certID);
+ info.put("issuerID", issuerID);
socketInfos.put(socket, info);
signedAuditLogger.log(ClientAccessSessionEstablishEvent.createSuccessEvent(
clientIP,
serverIP,
serverPort,
- subjectID));
+ subjectID,
+ certID,
+ issuerID));
} catch (Exception e) {
logger.warn("PKIClientSocketListener: " + e.getMessage(), e);
diff --git a/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
index a2479b1e8fc..2234fb33d28 100644
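Review bot: The nine-line block from `X509Certificate peerCertificate = status.getPeerCertificate();` to the closing `}` of `if (peerCertificate != null)` is now pasted verbatim into `alertReceived`, `alertSent` and `handshakeCompleted`, so the `"SYSTEM"` default, the null handling and the missing-space style quirk have to be kept in sync in three places. Pulling it into one private helper, with the three call sites reduced to a single call, would make the fallback rules for SubjectID/CertSerialNum/IssuerDN live in one documented spot. The rewrite below shows the helper and the `handshakeCompleted` call site; `alertReceived` and `alertSent` would use it the same way. `handshakeCompleted` starts above the first hunk.
```java
    /** Peer-certificate fields carried by the client-side audit events; certID/issuerID are null when absent. */
    private static final class PeerCertInfo {
        String subjectID = "SYSTEM";
        String certID;
        String issuerID;
    }

    /**
     * Reads subject DN, serial number and issuer DN from the peer certificate
     * of {@code status}. Without a peer certificate the defaults stand
     * (subjectID "SYSTEM", no serial, no issuer), matching the inlined copies.
     */
    private static PeerCertInfo describePeer(SSLSecurityStatus status) {
        PeerCertInfo peer = new PeerCertInfo();
        X509Certificate peerCertificate = status.getPeerCertificate();
        if (peerCertificate == null) {
            return peer;
        }
        Principal subjectDN = peerCertificate.getSubjectDN();
        peer.subjectID = subjectDN == null ? "SYSTEM" : subjectDN.toString();
        BigInteger serial = peerCertificate.getSerialNumber();
        peer.certID = serial == null ? null : serial.toString();
        Principal issuerDN = peerCertificate.getIssuerDN();
        peer.issuerID = issuerDN == null ? null : issuerDN.toString();
        return peer;
    }

    // … in handshakeCompleted …
        SSLSecurityStatus status = socket.getStatus();
        PeerCertInfo peer = describePeer(status);
        String subjectID = peer.subjectID;
        String certID = peer.certID;
        String issuerID = peer.issuerID;
        // … unchanged: debug logging, socketInfos bookkeeping, audit event …
```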
--- a/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
@@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server;
+import java.math.BigInteger;
import java.net.InetAddress;
import java.security.Principal;
import java.util.HashMap;
@@ -86,6 +87,8 @@ public void alertReceived(SSLAlertEvent event) {
String clientIP = defaultUnknown;
String serverIP = defaultUnknown;
String subjectID = defaultUnknown;
+ String certID = defaultUnknown;
+ String issuerID = defaultUnknown;
String hostname = defaultUnknown;
SSLSecurityStatus status = null;
@@ -97,8 +100,14 @@ public void alertReceived(SSLAlertEvent event) {
status = socket.getStatus();
X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
+ if (peerCertificate != null){
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
} else {
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
@@ -108,6 +117,8 @@ public void alertReceived(SSLAlertEvent event) {
X509Certificate cert = (X509Certificate) certs[0];
if(cert != null) {
subjectID = cert.getSubjectDN().toString();
+ certID = cert.getSerialNumber().toString();
+ issuerID = cert.getIssuerDN().toString();
}
}
if(session.getRemoteAddr() != null) {
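Review bot: In the SSLEngine branch of the last hunk, `certID = cert.getSerialNumber().toString();` and `issuerID = cert.getIssuerDN().toString();` dereference without the null checks that the socket branch of the same method applies to `serial` and `issuerDN`; a null from either getter throws NPE into `alertReceived`'s `catch (Exception e)` and the AccessSessionTerminated audit event is never written, which for a CA audit trail is the worst outcome. Mirror the guarded form: `BigInteger serial = cert.getSerialNumber(); certID = serial == null ? "" : serial.toString();` and the same for the issuer, as the `handshakeCompleted` hunk of this file already does for its engine branch. `alertReceived` begins above and ends below the hunks shown here.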
@@ -127,13 +138,16 @@ public void alertReceived(SSLAlertEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
signedAuditLogger.log(AccessSessionTerminatedEvent.createEvent(
clientIP,
serverIP,
subjectID,
+ certID,
+ issuerID,
reason));
-
} catch (Exception e) {
logger.error("PKIServerSocketListener: " + e.getMessage(), e);
}
@@ -156,6 +170,8 @@ public void alertSent(SSLAlertEvent event) {
String clientIP = defaultUnknown;
String serverIP = defaultUnknown;
String subjectID = defaultUnknown;
+ String certID = defaultUnknown;
+ String issuerID = defaultUnknown;
InetAddress clientAddress = null;
InetAddress serverAddress = null;
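Review bot: After this diff a missing client certificate is rendered three different ways in `CertSerialNum`/`IssuerDN`: the server listener's `defaultUnknown` (declared outside this diff) when there is no peer certificate at all, `""` when the certificate lacks a serial or issuer (the `serial == null ? ""` branches), and no attribute at all from `PKIClientSocketListener`, which passes `null`. Anyone filtering the audit log for "session without a client certificate" has to know all three. Initialising `certID`/`issuerID` here to the same sentinel the null branches use (`String certID = "";`) would at least collapse the server side to one value; a comment naming that sentinel on the declarations would help whoever parses the log. The dropped blank line before `} catch` is harmless.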
@@ -163,34 +179,40 @@ public void alertSent(SSLAlertEvent event) {
if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
// get socket info from socketInfos map since socket has been closed
- if(socket != null) {
- Map info = socketInfos.get(socket);
- clientIP = (String)info.get("clientIP");
- serverIP = (String)info.get("serverIP");
- subjectID = (String)info.get("subjectID");
- } else {
- if(sslEngine != null) {
- JSSSession session = sslEngine.getSession();
- if(session != null) {
- Certificate[] certs = session.getPeerCertificates();
- if(certs != null) {
- X509Certificate cert = (X509Certificate) certs[0];
- subjectID = cert.getSubjectDN().toString();
- }
- if(session.getRemoteAddr() != null) {
- clientIP = session.getRemoteAddr();
- }
- if(session.getLocalAddr() != null) {
- serverIP = session.getLocalAddr();
+ if(socket != null) {
+ Map info = socketInfos.get(socket);
+ clientIP = (String)info.get("clientIP");
+ serverIP = (String)info.get("serverIP");
+ subjectID = (String)info.get("subjectID");
+ certID = (String)info.get("certID");
+ issuerID = (String)info.get("issuerID");
+ } else {
+ if(sslEngine != null) {
+ JSSSession session = sslEngine.getSession();
+ if(session != null) {
+ Certificate[] certs = session.getPeerCertificates();
+ if(certs != null) {
+ X509Certificate cert = (X509Certificate) certs[0];
+ subjectID = cert.getSubjectDN().toString();
+ certID = cert.getSerialNumber().toString();
+ issuerID = cert.getIssuerDN().toString();
+ }
+ if(session.getRemoteAddr() != null) {
+ clientIP = session.getRemoteAddr();
+ }
+ if(session.getLocalAddr() != null) {
+ serverIP = session.getLocalAddr();
+ }
}
}
}
- }
- auditEvent = AccessSessionTerminatedEvent.createEvent(
+ auditEvent = AccessSessionTerminatedEvent.createEvent(
clientIP,
serverIP,
subjectID,
+ certID,
+ issuerID,
reason);
} else {
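Review bot: The new `certID = (String)info.get("certID");` and `issuerID = (String)info.get("issuerID");` lines keep dereferencing `info` from `socketInfos.get(socket)` with no null check, so a close_notify sent on a socket for which `handshakeCompleted` never populated the map (whether that can happen is not visible here) throws NPE before `auditEvent` is built and no AccessSessionTerminated event is logged. Wrapping the five `info.get(...)` lines in `if (info != null) { ... }` keeps the `defaultUnknown` values in that case instead of losing the record. The engine branch also adds `cert.getSerialNumber().toString()` / `cert.getIssuerDN().toString()` unguarded, unlike the socket branches elsewhere in this file. Most of the hunk is a re-indentation of the existing block; separating that whitespace change would make the four functional lines easier to review. `alertSent` continues below the hunk.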
@@ -203,9 +225,14 @@ public void alertSent(SSLAlertEvent event) {
SSLSecurityStatus status = socket.getStatus();
X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
-
+ if (peerCertificate != null) {
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
} else {
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
@@ -215,6 +242,8 @@ public void alertSent(SSLAlertEvent event) {
X509Certificate cert = (X509Certificate) certs[0];
if(cert != null) {
subjectID = cert.getSubjectDN().toString();
+ certID = cert.getSerialNumber().toString();
+ issuerID = cert.getIssuerDN().toString();
}
}
if(session.getRemoteAddr() != null) {
@@ -231,6 +260,8 @@ public void alertSent(SSLAlertEvent event) {
clientIP,
serverIP,
subjectID,
+ certID,
+ issuerID,
reason);
}
@@ -239,6 +270,8 @@ public void alertSent(SSLAlertEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
signedAuditLogger.log(auditEvent);
@@ -284,6 +317,10 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
X509Certificate peerCertificate = null;
Principal subjectDN = null;
String subjectID = defaultUnknown;
+ BigInteger serial = null;
+ String certID = defaultUnknown;
+ Principal issuerDN = null;
+ String issuerID = defaultUnknown;
if(socket != null) {
if(invalidateAfterHandshake) {
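Review bot: In the last hunk `BigInteger serial` and `Principal issuerDN` become method-scope locals of `handshakeCompleted` although each is only assigned and read inside one branch; `alertReceived` and `alertSent` in this same file declare them at the point of use (`BigInteger serial = peerCertificate.getSerialNumber();`), which keeps the scope tight and avoids a value from one branch leaking into the other. The `@@ -215` hunk's engine branch also calls `cert.getSerialNumber().toString()` and `cert.getIssuerDN().toString()` without the null guards the socket branch just above applies. `handshakeCompleted` continues past the end of the hunk.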
@@ -298,13 +335,21 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
status = socket.getStatus();
peerCertificate = status.getPeerCertificate();
- subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
+ if (peerCertificate != null) {
+ subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
// store socket info in socketInfos map
Map info = new HashMap<>();
info.put("clientIP", clientIP);
info.put("serverIP", serverIP);
info.put("subjectID", subjectID);
+ info.put("certID", certID);
+ info.put("issuerID", issuerID);
socketInfos.put(socket, info);
} else {
if(sslEngine != null) {
@@ -321,8 +366,13 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
if(certs != null) {
X509Certificate cert = (X509Certificate) certs[0];
if(cert != null) {
- subjectID = cert.getSubjectDN().toString();
- }
+ subjectDN = cert.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ serial = cert.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ issuerDN = cert.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
}
}
if(session.getRemoteAddr() != null) {
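Review bot: The subject/serial/issuer extraction now appears six times in this file (socket and SSLEngine branches of `alertReceived`, `alertSent` and `handshakeCompleted`), and only the two copies in this method null-guard all three fields; the engine-branch copies in the other two methods dereference `getSerialNumber()` and `getIssuerDN()` directly. One helper applied to both branches makes every path behave like this hunk and leaves a single place to document the `""` fallback. The sketch below shows the helper and the socket-branch call site; the engine branch would call it with `cert`, and the same replacement applies in `alertReceived` and `alertSent`. `handshakeCompleted` starts above and ends below this hunk.
```java
    /**
     * Returns {subjectID, certID, issuerID} for a peer certificate, with ""
     * for any field the certificate does not carry, or null when there is no
     * certificate so the caller's defaults stay in place.
     */
    private static String[] peerCertFields(X509Certificate cert) {
        if (cert == null) {
            return null;
        }
        Principal subjectDN = cert.getSubjectDN();
        BigInteger serial = cert.getSerialNumber();
        Principal issuerDN = cert.getIssuerDN();
        return new String[] {
            subjectDN == null ? "" : subjectDN.toString(),
            serial == null ? "" : serial.toString(),
            issuerDN == null ? "" : issuerDN.toString()
        };
    }

    // … in handshakeCompleted, socket branch …
        peerCertificate = status.getPeerCertificate();
        String[] fields = peerCertFields(peerCertificate);
        if (fields != null) {
            subjectID = fields[0];
            certID = fields[1];
            issuerID = fields[2];
        }
        // … unchanged: socketInfos bookkeeping …
```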
@@ -337,11 +387,15 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
signedAuditLogger.log(AccessSessionEstablishEvent.createSuccessEvent(
clientIP,
serverIP,
- subjectID));
+ subjectID,
+ certID,
+ issuerID));
} catch (Exception e) {
logger.error("PKIServerSocketListener: " + e.getMessage(), e);
}
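Review bot: `certID` reaches the AccessSessionEstablish success event as `BigInteger.toString()`, i.e. a decimal string, and nothing in the diff documents that format; if the CA's other audit events or its tooling present serial numbers in hex, an operator correlating this record with a certificate entry has to convert by hand. Either document the format where `CertSerialNum` is set, or format the serial the way the rest of the audit log does (`serial.toString(16)` if hex is the convention) — which convention applies is not visible from this diff. A comment such as `// CertSerialNum is the decimal serial of the client certificate, "" if the certificate had none` above the `signedAuditLogger.log(` call would settle it for readers. `handshakeCompleted` begins above the hunk.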