Add serial and issuer to SSL logs and audits
When acting as server, SSL logs were reporting in log and audit only the
certificate subject. Since a client could use a certificate from other CAs
to access, the issuer and the serial number of the certificate are
included in the audit for a better identification.
fmarco76 committed May 22, 2024
1 parent 7a4103c commit 629610a
Showing 3 changed files with 98 additions and 32 deletions.
Expand Up @@ -35,14 +35,18 @@ public AccessSessionEstablishEvent(String messageID) {
public static AccessSessionEstablishEvent createSuccessEvent(
String clientIP,
String serverIP,
String subjectID) {
String subjectID,
String certID,
String issuerID) {

AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
ACCESS_SESSION_ESTABLISH_SUCCESS);

event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
event.setAttribute("CertID", certID);
event.setAttribute("IssuerID", issuerID);
event.setAttribute("Outcome", ILogger.SUCCESS);

return event;
Expand All @@ -52,6 +56,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
String clientIP,
String serverIP,
String subjectID,
String certID,
String issuerID,
String info) {

AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
Expand All @@ -60,6 +66,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
event.setAttribute("CertID", certID);
event.setAttribute("IssuerID", issuerID);
event.setAttribute("Outcome", ILogger.FAILURE);
event.setAttribute("Info", info);

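Review bot: The new `CertID` attribute set by `event.setAttribute("CertID", certID)` carries the certificate serial number rather than a certificate identifier, and nothing on `createSuccessEvent` or `createFailureEvent` tells an audit consumer that the value is the decimal rendering of the serial (the listener hunk of this commit passes `serial.toString()` on a `BigInteger`) rather than the hexadecimal form most certificate tooling prints. Add Javadoc to both factories, e.g. `@param certID serial number of the peer certificate in decimal, or the caller's empty/unknown placeholder when no peer certificate was presented` and `@param issuerID issuer DN of the peer certificate; a serial is only unique within one issuer, so CertID and IssuerID must be read together`. The same documentation is missing on `AccessSessionTerminatedEvent.createEvent` in the next file. Note also that the previous three-argument `createSuccessEvent` is replaced rather than overloaded, so any caller outside the three files of this commit would no longer compile; if compatibility matters, keep a delegating overload rather than dropping the attributes.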
Expand Up @@ -33,6 +33,8 @@ public static AccessSessionTerminatedEvent createEvent(
String clientIP,
String serverIP,
String subjectID,
String certID,
String issuerID,
String info) {

AccessSessionTerminatedEvent event = new AccessSessionTerminatedEvent(
Expand All @@ -41,6 +43,8 @@ public static AccessSessionTerminatedEvent createEvent(
event.setAttribute("ClientIP", clientIP);
event.setAttribute("ServerIP", serverIP);
event.setAttribute("SubjectID", subjectID);
event.setAttribute("CertID", certID);
event.setAttribute("IssuerID", issuerID);
event.setAttribute("Outcome", ILogger.SUCCESS);
event.setAttribute("Info", info);

Expand Up @@ -17,6 +17,7 @@
// --- END COPYRIGHT BLOCK ---
package org.dogtagpki.server;

import java.math.BigInteger;
import java.net.InetAddress;
import java.security.Principal;
import java.security.cert.Certificate;
Expand Down Expand Up @@ -93,6 +94,8 @@ public void alertReceived(SSLAlertEvent event) {
String clientIP = defaultUnknown;
String serverIP = defaultUnknown;
String subjectID = defaultUnknown;
String certID = defaultUnknown;
String issuerID = defaultUnknown;
String hostname = defaultUnknown;
SSLSecurityStatus status = null;

Expand All @@ -104,8 +107,14 @@ public void alertReceived(SSLAlertEvent event) {

status = socket.getStatus();
X509Certificate peerCertificate = status.getPeerCertificate();
Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
if (peerCertificate != null){
Principal subjectDN = peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
BigInteger serial = peerCertificate.getSerialNumber();
certID = serial == null ? "" : serial.toString();
Principal issuerDN = peerCertificate.getIssuerDN();
issuerID = issuerDN == null ? "" : issuerDN.toString();
}
} else {
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
Expand All @@ -115,6 +124,8 @@ public void alertReceived(SSLAlertEvent event) {
X509Certificate cert = (X509Certificate) certs[0];
if(cert != null) {
subjectID = cert.getSubjectDN().toString();
certID = cert.getSerialNumber().toString();
issuerID = cert.getIssuerDN().toString();
}
}
if(session.getRemoteAddr() != null) {
Expand All @@ -134,13 +145,16 @@ public void alertReceived(SSLAlertEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
logger.debug("- serial: " + certID);
logger.debug("- issuer: " + issuerID);

auditor.log(AccessSessionTerminatedEvent.createEvent(
clientIP,
serverIP,
subjectID,
certID,
issuerID,
reason));

} catch (Exception e) {
logger.error("PKIServerSocketListener: " + e.getMessage(), e);
}
Expand All @@ -166,41 +180,49 @@ public void alertSent(SSLAlertEvent event) {
String clientIP = defaultUnknown;
String serverIP = defaultUnknown;
String subjectID = defaultUnknown;
String certID = defaultUnknown;
String issuerID = defaultUnknown;

InetAddress clientAddress = null;
InetAddress serverAddress = null;

if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {

// get socket info from socketInfos map since socket has been closed
if(socket != null) {
Map<String,Object> info = socketInfos.get(socket);
clientIP = (String)info.get("clientIP");
serverIP = (String)info.get("serverIP");
subjectID = (String)info.get("subjectID");
} else {
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
if(session != null) {
Certificate[] certs = session.getPeerCertificates();
if(certs != null) {
X509Certificate cert = (X509Certificate) certs[0];
subjectID = cert.getSubjectDN().toString();
}
if(session.getRemoteAddr() != null) {
clientIP = session.getRemoteAddr();
}
if(session.getLocalAddr() != null) {
serverIP = session.getLocalAddr();
if(socket != null) {
Map<String,Object> info = socketInfos.get(socket);
clientIP = (String)info.get("clientIP");
serverIP = (String)info.get("serverIP");
subjectID = (String)info.get("subjectID");
certID = (String)info.get("certID");
issuerID = (String)info.get("issuerID");
} else {
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
if(session != null) {
Certificate[] certs = session.getPeerCertificates();
if(certs != null) {
X509Certificate cert = (X509Certificate) certs[0];
subjectID = cert.getSubjectDN().toString();
certID = cert.getSerialNumber().toString();
issuerID = cert.getIssuerDN().toString();
}
if(session.getRemoteAddr() != null) {
clientIP = session.getRemoteAddr();
}
if(session.getLocalAddr() != null) {
serverIP = session.getLocalAddr();
}
}
}
}
}

auditEvent = AccessSessionTerminatedEvent.createEvent(
auditEvent = AccessSessionTerminatedEvent.createEvent(
clientIP,
serverIP,
subjectID,
certID,
issuerID,
reason);

} else {
Expand All @@ -213,9 +235,14 @@ public void alertSent(SSLAlertEvent event) {

SSLSecurityStatus status = socket.getStatus();
X509Certificate peerCertificate = status.getPeerCertificate();
Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();

if (peerCertificate != null) {
Principal subjectDN = peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
BigInteger serial = peerCertificate.getSerialNumber();
certID = serial == null ? "" : serial.toString();
Principal issuerDN = peerCertificate.getIssuerDN();
issuerID = issuerDN == null ? "" : issuerDN.toString();
}
} else {
if(sslEngine != null) {
JSSSession session = sslEngine.getSession();
Expand All @@ -225,6 +252,8 @@ public void alertSent(SSLAlertEvent event) {
X509Certificate cert = (X509Certificate) certs[0];
if(cert != null) {
subjectID = cert.getSubjectDN().toString();
certID = cert.getSerialNumber().toString();
issuerID = cert.getIssuerDN().toString();
}
}
if(session.getRemoteAddr() != null) {
Expand All @@ -241,6 +270,8 @@ public void alertSent(SSLAlertEvent event) {
clientIP,
serverIP,
subjectID,
certID,
issuerID,
reason);
}

Expand All @@ -249,6 +280,8 @@ public void alertSent(SSLAlertEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
logger.debug("- serial: " + certID);
logger.debug("- issuer: " + issuerID);

auditor.log(auditEvent);

Expand Down Expand Up @@ -278,6 +311,10 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
X509Certificate peerCertificate = null;
Principal subjectDN = null;
String subjectID = defaultUnknown;
BigInteger serial = null;
String certID = defaultUnknown;
Principal issuerDN = null;
String issuerID = defaultUnknown;

if(socket != null) {
clientAddress = socket.getInetAddress();
Expand All @@ -287,13 +324,21 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {

status = socket.getStatus();
peerCertificate = status.getPeerCertificate();
subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
if (peerCertificate != null) {
subjectDN = peerCertificate.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
serial = peerCertificate.getSerialNumber();
certID = serial == null ? "" : serial.toString();
issuerDN = peerCertificate.getIssuerDN();
issuerID = issuerDN == null ? "" : issuerDN.toString();
}
// store socket info in socketInfos map
Map<String,Object> info = new HashMap<>();
info.put("clientIP", clientIP);
info.put("serverIP", serverIP);
info.put("subjectID", subjectID);
info.put("certID", certID);
info.put("issuerID", issuerID);
socketInfos.put(socket, info);
} else {
if(sslEngine != null) {
Expand All @@ -303,7 +348,12 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
if(certs != null) {
X509Certificate cert = (X509Certificate) certs[0];
if(cert != null) {
subjectID = cert.getSubjectDN().toString();
subjectDN = cert.getSubjectDN();
subjectID = subjectDN == null ? "" : subjectDN.toString();
serial = cert.getSerialNumber();
certID = serial == null ? "" : serial.toString();
issuerDN = cert.getIssuerDN();
issuerID = issuerDN == null ? "" : issuerDN.toString();
}
}
}
Expand All @@ -319,11 +369,15 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
logger.debug("- client: " + clientIP);
logger.debug("- server: " + serverIP);
logger.debug("- subject: " + subjectID);
logger.debug("- serial: " + certID);
logger.debug("- issuer: " + issuerID);

auditor.log(AccessSessionEstablishEvent.createSuccessEvent(
clientIP,
serverIP,
subjectID));
subjectID,
certID,
issuerID));
} catch (Exception e) {
logger.error("PKIServerSocketListener: " + e.getMessage(), e);
}
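Review bot: In `alertReceived` the engine branch does `certID = cert.getSerialNumber().toString();` and `issuerID = cert.getIssuerDN().toString();` without the null guards the same commit applies on the socket branch a few lines above (`serial == null ? "" : serial.toString()`) and in the engine branch of `handshakeCompleted`; `alertSent` repeats the unguarded form twice (once in the CLOSE_NOTIFY path, once in the later branch). Should either accessor return null, the NullPointerException is caught by what appears to be the method-level `catch (Exception e)` and `auditor.log(...)`, which follows the assignments, never runs, so the session-termination audit record for that connection is silently dropped — the opposite of what the audit event is for (the `alertSent` catch is outside the hunk, so presumably the same there). Mirror the guarded form used in `handshakeCompleted` at all three sites, as below for `alertReceived`. The CLOSE_NOTIFY path in `alertSent` also dereferences `cert` without the `cert != null` test the other branches have, and every branch indexes `certs[0]` after only a null check on the array; both predate this commit but belong in the same pass. The enclosing methods start and end outside the hunks.
```java
if(cert != null) {
    Principal subjectDN = cert.getSubjectDN();
    subjectID = subjectDN == null ? "" : subjectDN.toString();
    BigInteger serial = cert.getSerialNumber();
    certID = serial == null ? "" : serial.toString();
    Principal issuerDN = cert.getIssuerDN();
    issuerID = issuerDN == null ? "" : issuerDN.toString();
}
```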
