From 629610abe68885dfa2664873c9792e5e79f3a2dd Mon Sep 17 00:00:00 2001
From: Marco Fargetta
Date: Wed, 22 May 2024 16:10:18 +0200
Subject: [PATCH] Add serial and issuer to SSL logs and audits
When acting as server SSL logs where reporting in log and audit only the certificate subject. Since a client could use a certificate from other CAs to access, the issuer and the serial number of the certificate are included in the audit for a better identification.
---
 .../event/AccessSessionEstablishEvent.java | 10 +-
 .../event/AccessSessionTerminatedEvent.java | 4 +
 .../server/PKIServerSocketListener.java | 116 +++++++++++++-----
 3 files changed, 98 insertions(+), 32 deletions(-)
diff --git a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java
index d7718439f4d..c6aeab7e626 100644
--- a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java
+++ b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionEstablishEvent.java
@@ -35,7 +35,9 @@ public AccessSessionEstablishEvent(String messageID) {
 public static AccessSessionEstablishEvent createSuccessEvent(
 String clientIP,
 String serverIP,
- String subjectID) {
+ String subjectID,
+ String certID,
+ String issuerID) {
 AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
 ACCESS_SESSION_ESTABLISH_SUCCESS);
@@ -43,6 +45,8 @@ public static AccessSessionEstablishEvent createSuccessEvent(
 event.setAttribute("ClientIP", clientIP);
 event.setAttribute("ServerIP", serverIP);
 event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("CertID", certID);
+ event.setAttribute("IssuerID", issuerID);
 event.setAttribute("Outcome", ILogger.SUCCESS);
 return event;
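Review bot: Changing the signature of the public factory `createSuccessEvent(String, String, String)` in this hunk, and of `createFailureEvent` and `AccessSessionTerminatedEvent.createEvent` in the following hunks, breaks every caller that is not in this patch; the diffstat shows PKIServerSocketListener as the only call site updated, so any other caller (subsystem or plugin code outside this tree, if any exists) would stop compiling. Unless a repository search confirms there are no other callers, keep the old three-argument form as a delegating overload, e.g. `return createSuccessEvent(clientIP, serverIP, subjectID, "", "");` (constructed defaults, pick whatever the listener uses for "unknown"). The new parameters also carry no Javadoc; the factory should state that `certID` is the peer certificate serial number rendered by `BigInteger.toString()` (decimal) and that `issuerID` is its issuer DN string, since neither name says so.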
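Review bot: The audit attribute added on the `event.setAttribute("CertID", certID);` line holds a bare serial number, while the debug output in PKIServerSocketListener labels the same value `serial`; a serial is only unique within one issuer, which is exactly the multi-CA case the commit message describes, so a reader of the audit trail has to pair it with `IssuerID` to identify the certificate. Either name the attribute for what it contains (`CertSerialNum` or whatever other audit events in this codebase use for serials, if there is a convention) or document the required pairing in the class Javadoc. The same naming applies to the `createFailureEvent` hunk below and to both AccessSessionTerminatedEvent hunks.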
@@ -52,6 +56,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
 String clientIP,
 String serverIP,
 String subjectID,
+ String certID,
+ String issuerID,
 String info) {
 AccessSessionEstablishEvent event = new AccessSessionEstablishEvent(
@@ -60,6 +66,8 @@ public static AccessSessionEstablishEvent createFailureEvent(
 event.setAttribute("ClientIP", clientIP);
 event.setAttribute("ServerIP", serverIP);
 event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("CertID", certID);
+ event.setAttribute("IssuerID", issuerID);
 event.setAttribute("Outcome", ILogger.FAILURE);
 event.setAttribute("Info", info);
diff --git a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java
index 912a1735220..d86b4aacf22 100644
--- a/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java
+++ b/base/server/src/main/java/com/netscape/certsrv/logging/event/AccessSessionTerminatedEvent.java
@@ -33,6 +33,8 @@ public static AccessSessionTerminatedEvent createEvent(
 String clientIP,
 String serverIP,
 String subjectID,
+ String certID,
+ String issuerID,
 String info) {
 AccessSessionTerminatedEvent event = new AccessSessionTerminatedEvent(
@@ -41,6 +43,8 @@ public static AccessSessionTerminatedEvent createEvent(
 event.setAttribute("ClientIP", clientIP);
 event.setAttribute("ServerIP", serverIP);
 event.setAttribute("SubjectID", subjectID);
+ event.setAttribute("CertID", certID);
+ event.setAttribute("IssuerID", issuerID);
 event.setAttribute("Outcome", ILogger.SUCCESS);
 event.setAttribute("Info", info);
diff --git a/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
index 2cf94e3759c..75d3c9b1d4c 100644
--- a/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/src/main/java/org/dogtagpki/server/PKIServerSocketListener.java
@@ -17,6 +17,7 @@ // --- END COPYRIGHT BLOCK ---
 package org.dogtagpki.server;
+import java.math.BigInteger;
 import java.net.InetAddress;
 import java.security.Principal;
 import java.security.cert.Certificate;
@@ -93,6 +94,8 @@ public void alertReceived(SSLAlertEvent event) {
 String clientIP = defaultUnknown;
 String serverIP = defaultUnknown;
 String subjectID = defaultUnknown;
+ String certID = defaultUnknown;
+ String issuerID = defaultUnknown;
 String hostname = defaultUnknown;
 SSLSecurityStatus status = null;
@@ -104,8 +107,14 @@ public void alertReceived(SSLAlertEvent event) {
 status = socket.getStatus();
 X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
+ if (peerCertificate != null){
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
 } else {
 if(sslEngine != null) {
 JSSSession session = sslEngine.getSession();
@@ -115,6 +124,8 @@ public void alertReceived(SSLAlertEvent event) {
 X509Certificate cert = (X509Certificate) certs[0];
 if(cert != null) {
 subjectID = cert.getSubjectDN().toString();
+ certID = cert.getSerialNumber().toString();
+ issuerID = cert.getIssuerDN().toString();
 }
 }
 if(session.getRemoteAddr() != null) {
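Review bot: In the `if (peerCertificate != null){` block of alertReceived the serial is rendered with `serial.toString()`, which is decimal, while CA records and most certificate tooling show serials in hex, so an operator correlating an audit line with a certificate has to convert and the chosen radix is documented nowhere; the same rendering is added in the matching alertSent (-213) and handshakeCompleted (-287, -303) hunks. If other audit events in this codebase use hex, switch all of them to `serial.toString(16)`; in any case put a one-line comment above the assignment stating the radix. `issuerDN.toString()` likewise emits whatever the Principal implementation produces for a DN taken from a client-supplied certificate, and that string becomes an audit-record field, so for the new fields prefer the RFC 2253 form (`peerCertificate.getIssuerX500Principal().getName()`, if the `X509Certificate` type in scope extends `java.security.cert.X509Certificate` — verify) which escapes attribute values deterministically, leaving the existing subject rendering alone if audit consumers depend on it. Also the brace spacing `!= null){` differs from the otherwise identical blocks in alertSent and handshakeCompleted.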
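Review bot: The added lines `certID = cert.getSerialNumber().toString();` and `issuerID = cert.getIssuerDN().toString();` in the `sslEngine` branch of alertReceived chain calls without the null guards the socket branch a few lines above applies, and the same unguarded pair is added in alertSent at hunk -225, while handshakeCompleted's engine branch (hunk -303) does guard them. A null from either getter throws inside this method, and the enclosing `catch (Exception e)` (outside this hunk) only logs it, so the session would close with no AccessSessionTerminatedEvent written at all — widening the audit gap the unguarded `getSubjectDN()` call already had. Use the same `serial == null ? "" : serial.toString()` form as the socket branch in both places. The pre-existing `certs[0]` on the first context line also assumes `getPeerCertificates()` never returns an empty array; `certs != null && certs.length > 0` would cover that.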
@@ -134,13 +145,16 @@ public void alertReceived(SSLAlertEvent event) {
 logger.debug("- client: " + clientIP);
 logger.debug("- server: " + serverIP);
 logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
 auditor.log(AccessSessionTerminatedEvent.createEvent(
 clientIP,
 serverIP,
 subjectID,
+ certID,
+ issuerID,
 reason));
-
 } catch (Exception e) {
 logger.error("PKIServerSocketListener: " + e.getMessage(), e);
 }
@@ -166,6 +180,8 @@ public void alertSent(SSLAlertEvent event) {
 String clientIP = defaultUnknown;
 String serverIP = defaultUnknown;
 String subjectID = defaultUnknown;
+ String certID = defaultUnknown;
+ String issuerID = defaultUnknown;
 InetAddress clientAddress = null;
 InetAddress serverAddress = null;
@@ -173,34 +189,40 @@ public void alertSent(SSLAlertEvent event) {
 if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
 // get socket info from socketInfos map since socket has been closed
- if(socket != null) {
- Map info = socketInfos.get(socket);
- clientIP = (String)info.get("clientIP");
- serverIP = (String)info.get("serverIP");
- subjectID = (String)info.get("subjectID");
- } else {
- if(sslEngine != null) {
- JSSSession session = sslEngine.getSession();
- if(session != null) {
- Certificate[] certs = session.getPeerCertificates();
- if(certs != null) {
- X509Certificate cert = (X509Certificate) certs[0];
- subjectID = cert.getSubjectDN().toString();
- }
- if(session.getRemoteAddr() != null) {
- clientIP = session.getRemoteAddr();
- }
- if(session.getLocalAddr() != null) {
- serverIP = session.getLocalAddr();
+ if(socket != null) {
+ Map info = socketInfos.get(socket);
+ clientIP = (String)info.get("clientIP");
+ serverIP = (String)info.get("serverIP");
+ subjectID = (String)info.get("subjectID");
+ certID = (String)info.get("certID");
+ issuerID = (String)info.get("issuerID");
+ } else {
+ if(sslEngine != null) {
+ JSSSession session = sslEngine.getSession();
+ if(session != null) {
+ Certificate[] certs = session.getPeerCertificates();
+ if(certs != null) {
+ X509Certificate cert = (X509Certificate) certs[0];
+ subjectID = cert.getSubjectDN().toString();
+ certID = cert.getSerialNumber().toString();
+ issuerID = cert.getIssuerDN().toString();
+ }
+ if(session.getRemoteAddr() != null) {
+ clientIP = session.getRemoteAddr();
+ }
+ if(session.getLocalAddr() != null) {
+ serverIP = session.getLocalAddr();
+ }
 }
 }
 }
- }
- auditEvent = AccessSessionTerminatedEvent.createEvent(
+ auditEvent = AccessSessionTerminatedEvent.createEvent(
 clientIP,
 serverIP,
 subjectID,
+ certID,
+ issuerID,
 reason);
 } else {
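Review bot: `Map info = socketInfos.get(socket);` in the re-indented `if(socket != null)` block is dereferenced five times with no null check, and the only place the map is populated is handshakeCompleted; a CLOSE_NOTIFY sent on a socket whose handshake never completed (if that path is reachable, which I cannot confirm from the hunk) would throw, be swallowed by the enclosing catch, and leave no termination audit record. The enclosing method starts and ends outside this hunk. Guard the lookup and keep the `defaultUnknown` values the method already initialised, as below; I also cannot tell from this hunk whether the entry is ever removed from `socketInfos` after the close, which is worth confirming so the map does not grow per connection.
```java
if(socket != null) {
    Map info = socketInfos.get(socket);
    // no entry when handshakeCompleted never ran for this socket: keep the defaultUnknown values
    if (info != null) {
        clientIP = (String)info.get("clientIP");
        serverIP = (String)info.get("serverIP");
        subjectID = (String)info.get("subjectID");
        certID = (String)info.get("certID");
        issuerID = (String)info.get("issuerID");
    }
// … unchanged: else branch reading the JSSSession, and the createEvent call …
```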
@@ -213,9 +235,14 @@ public void alertSent(SSLAlertEvent event) {
 SSLSecurityStatus status = socket.getStatus();
 X509Certificate peerCertificate = status.getPeerCertificate();
- Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
-
+ if (peerCertificate != null) {
+ Principal subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ BigInteger serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ Principal issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
 } else {
 if(sslEngine != null) {
 JSSSession session = sslEngine.getSession();
@@ -225,6 +252,8 @@ public void alertSent(SSLAlertEvent event) {
 X509Certificate cert = (X509Certificate) certs[0];
 if(cert != null) {
 subjectID = cert.getSubjectDN().toString();
+ certID = cert.getSerialNumber().toString();
+ issuerID = cert.getIssuerDN().toString();
 }
 }
 if(session.getRemoteAddr() != null) {
@@ -241,6 +270,8 @@ public void alertSent(SSLAlertEvent event) {
 clientIP,
 serverIP,
 subjectID,
+ certID,
+ issuerID,
 reason);
 }
@@ -249,6 +280,8 @@ public void alertSent(SSLAlertEvent event) {
 logger.debug("- client: " + clientIP);
 logger.debug("- server: " + serverIP);
 logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
 auditor.log(auditEvent);
@@ -278,6 +311,10 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
 X509Certificate peerCertificate = null;
 Principal subjectDN = null;
 String subjectID = defaultUnknown;
+ BigInteger serial = null;
+ String certID = defaultUnknown;
+ Principal issuerDN = null;
+ String issuerID = defaultUnknown;
 if(socket != null) {
 clientAddress = socket.getInetAddress();
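Review bot: `BigInteger serial = null;` and `Principal issuerDN = null;` in the handshakeCompleted hunk at -278 are declared at method scope only to be assigned inside one branch and consumed on the very next line, mirroring the pre-existing `peerCertificate` and `subjectDN` hoisting; the alertReceived and alertSent versions of the same block declare `serial` and `issuerDN` inside the `if (peerCertificate != null)` body, which is the tighter scope and avoids carrying nullable temporaries across the whole method. Declare them where they are assigned (hunks -287 and -303), or if the method-scope form is deliberate, say why in a comment so the three listeners do not drift further apart. handshakeCompleted starts before this hunk and continues past it.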
@@ -287,13 +324,21 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
 status = socket.getStatus();
 peerCertificate = status.getPeerCertificate();
- subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
- subjectID = subjectDN == null ? "" : subjectDN.toString();
+ if (peerCertificate != null) {
+ subjectDN = peerCertificate.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ serial = peerCertificate.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ issuerDN = peerCertificate.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
+ }
 // store socket info in socketInfos map
 Map info = new HashMap<>();
 info.put("clientIP", clientIP);
 info.put("serverIP", serverIP);
 info.put("subjectID", subjectID);
+ info.put("certID", certID);
+ info.put("issuerID", issuerID);
 socketInfos.put(socket, info);
 } else {
 if(sslEngine != null) {
@@ -303,7 +348,12 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
 if(certs != null) {
 X509Certificate cert = (X509Certificate) certs[0];
 if(cert != null) {
- subjectID = cert.getSubjectDN().toString();
+ subjectDN = cert.getSubjectDN();
+ subjectID = subjectDN == null ? "" : subjectDN.toString();
+ serial = cert.getSerialNumber();
+ certID = serial == null ? "" : serial.toString();
+ issuerDN = cert.getIssuerDN();
+ issuerID = issuerDN == null ? "" : issuerDN.toString();
 }
 }
 }
@@ -319,11 +369,15 @@ public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
 logger.debug("- client: " + clientIP);
 logger.debug("- server: " + serverIP);
 logger.debug("- subject: " + subjectID);
+ logger.debug("- serial: " + certID);
+ logger.debug("- issuer: " + issuerID);
 auditor.log(AccessSessionEstablishEvent.createSuccessEvent(
 clientIP,
 serverIP,
- subjectID));
+ subjectID,
+ certID,
+ issuerID));
 } catch (Exception e) {
 logger.error("PKIServerSocketListener: " + e.getMessage(), e);
 }
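Review bot: The keys `"certID"` and `"issuerID"` written with `info.put` in the handshakeCompleted hunk at -287 must match the `info.get` literals in alertSent's CLOSE_NOTIFY branch by spelling alone; a typo on either side compiles and silently yields `null` in the termination audit record, with nothing in tests or the compiler to catch it. Hoist the five key names into `private static final String` constants on the class (the field declarations are outside this hunk) and use them on both sides. A one-line comment above `Map info = new HashMap<>();`, such as `// kept so alertSent can still audit the peer after the socket is closed`, would also explain why the map exists, since the only hint today is the comment in alertSent.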