Package org.ejbca.util

Examples of org.ejbca.util.IPatternLogger


    /**
   * Use this method to avoid having parts of the order-string logged when some values have not been stored before a writeln()
   */
    public IPatternLogger getPatternLogger() {
        IPatternLogger pl = new PatternLogger(this.PATTERN.matcher(this.orderString), this.orderString, this.accountLog, this.mLogDateFormat, this.mTimeZone);
    pl.paramPut(IOCSPLogger.CLIENT_IP,"0");
    pl.paramPut(IAuditLogger.OCSPREQUEST, "0");
    pl.paramPut(IAuditLogger.OCSPRESPONSE, "0");
    pl.paramPut(IOCSPLogger.STATUS, "-1");
    pl.paramPut(IAuditLogger.PROCESS_TIME, "-1");
        return pl;
  }
View Full Code Here


    final int localTransactionID;
    synchronized( this ) {
      this.mTransactionID += 1;
      localTransactionID = this.mTransactionID;
    }
    final IPatternLogger transactionLogger;
    final IPatternLogger auditLogger;
    final Date startTime = new Date();
    if (this.mDoTransactionLog) {
      transactionLogger = this.transactionLogger.getPatternLogger();
    } else {
      transactionLogger = new DummyPatternLogger()// Ignores everything
    }
    if (this.mDoAuditLog) {
      auditLogger = this.auditLogger.getPatternLogger();
    } else {
      auditLogger = new DummyPatternLogger()// Ignores everything
    }
    final String remoteAddress = request.getRemoteAddr();
    auditLogger.paramPut(IAuditLogger.OCSPREQUEST, ""); // No request bytes yet
    auditLogger.paramPut(IPatternLogger.LOG_ID, new Integer(localTransactionID));
    auditLogger.paramPut(IPatternLogger.SESSION_ID, this.m_SessionID);
    auditLogger.paramPut(IOCSPLogger.CLIENT_IP, remoteAddress);
    transactionLogger.paramPut(IPatternLogger.LOG_ID, new Integer(localTransactionID));
    transactionLogger.paramPut(IPatternLogger.SESSION_ID, this.m_SessionID);
    transactionLogger.paramPut(IOCSPLogger.CLIENT_IP, remoteAddress);

    try {
      // Read configuration values affecting the response, these can be dynamically updated from properties files in file system
      // Read default values here for each request since may take a millisecond to read the value
      // These values can be changed depending on if there are different configurations for different certificate profiles
      // In that case it is updated once we have read the certificate status of the certificate searched for.
      long maxAge = OcspConfiguration.getMaxAge(SecConst.CERTPROFILE_NO_PROFILE);
      long nextUpdate = OcspConfiguration.getUntilNextUpdate(SecConst.CERTPROFILE_NO_PROFILE);

      OCSPResp ocspresp = null;
      OCSPRespGenerator res = new OCSPRespGenerator();
      X509Certificate cacert = null; // CA-certificate used to sign response
      try {
        byte[] reqBytes = checkAndGetRequestBytes(request);
        // Start logging process time after we have received the request
        transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IAuditLogger.OCSPREQUEST, new String (Hex.encode(reqBytes)));
        OCSPReq req = null;
        try {
          req = new OCSPReq(reqBytes);         
        } catch (Exception e) {
          // When not being able to parse the request, we want to send a MalformedRequest back
          throw new MalformedRequestException(e);
        }
        if (req.getRequestorName() == null) {
          m_log.debug("Requestorname is null");
        } else {
          if (m_log.isDebugEnabled()) {
            m_log.debug("Requestorname is: "+req.getRequestorName().toString());           
          }
          transactionLogger.paramPut(ITransactionLogger.REQ_NAME, req.getRequestorName().toString());
        }
        // Make sure our signature keys are updated
        loadPrivateKeys(this.data.m_adm, null);

        /**
         * check the signature if contained in request.
         * if the request does not contain a signature
         * and the servlet is configured in the way
         * the a signature is required we send back
         * 'sigRequired' response.
         */
        if (m_log.isDebugEnabled()) {
          m_log.debug("Incoming OCSP request is signed : " + req.isSigned());
        }
        if (req.isSigned()) {
          X509Certificate signercert = OCSPUtil.checkRequestSignature(request.getRemoteAddr(), req, this.data.m_caCertCache);
          String signercertIssuerName = CertTools.getIssuerDN(signercert);
          BigInteger signercertSerNo = CertTools.getSerialNumber(signercert);
          String signercertSubjectName = CertTools.getSubjectDN(signercert);
          transactionLogger.paramPut(ITransactionLogger.SIGN_ISSUER_NAME_DN, signercertIssuerName);
          transactionLogger.paramPut(ITransactionLogger.SIGN_SERIAL_NO, signercert.getSerialNumber().toByteArray());
          transactionLogger.paramPut(ITransactionLogger.SIGN_SUBJECT_NAME, signercertSubjectName);
          transactionLogger.paramPut(IPatternLogger.REPLY_TIME, ITransactionLogger.REPLY_TIME);
          if (OcspConfiguration.getEnforceRequestSigning()) {
            // If it verifies OK, check if it is revoked
            final CertificateStatus status = this.data.certificateStoreSession.getStatus(CertTools.getIssuerDN(signercert), CertTools.getSerialNumber(signercert));
            // If rci == null it means the certificate does not exist in database, we then treat it as ok,
            // because it may be so that only revoked certificates is in the (external) OCSP database.
            if ( status.equals(CertificateStatus.REVOKED) ) {
              String serno = signercertSerNo.toString(16);
              String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.revoked", signercertSubjectName, signercertIssuerName, serno);
              m_log.info(infoMsg);
              throw new SignRequestSignatureException(infoMsg);
            }

            if (m_reqRestrictSignatures) {
              loadTrustDir();
              if ( m_reqRestrictMethod == OcspConfiguration.RESTRICTONSIGNER) {
                if (!OCSPUtil.checkCertInList(signercert, mTrustedReqSigSigners)) {
                  String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.notallowed", signercertSubjectName, signercertIssuerName, signercertSerNo.toString(16));
                  m_log.info(infoMsg);
                  throw new SignRequestSignatureException(infoMsg);
                }
              } else if (m_reqRestrictMethod == OcspConfiguration.RESTRICTONISSUER) {
                X509Certificate signerca = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(signercertIssuerName));
                if ((signerca == null) || (!OCSPUtil.checkCertInList(signerca, mTrustedReqSigIssuers)) ) {
                  String infoMsg = intres.getLocalizedMessage("ocsp.infosigner.notallowed", signercertSubjectName, signercertIssuerName, signercertSerNo.toString(16));
                  m_log.info(infoMsg);
                  throw new SignRequestSignatureException(infoMsg);
                }
              } else {
                throw new Exception("m_reqRestrictMethod="+m_reqRestrictMethod); // there must be an internal error. We do not want to send a response, just to be safe.
              }
            }
          }
        } else {
          if (OcspConfiguration.getEnforceRequestSigning()) {
            // Signature required
            throw new SignRequestException("Signature required");
          }
        }
       
        // Get the certificate status requests that are inside this OCSP req
        Req[] requests = req.getRequestList();
        transactionLogger.paramPut(ITransactionLogger.NUM_CERT_ID, requests.length);
        if (requests.length <= 0) {
          String infoMsg = intres.getLocalizedMessage("ocsp.errornoreqentities");
          m_log.info(infoMsg);
          {
            // All this just so we can create an error response
            cacert = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(this.data.m_defaultResponderId));
          }
          throw new MalformedRequestException(infoMsg);
        }
        int maxRequests = 100;
        if (requests.length > maxRequests) {
          String infoMsg = intres.getLocalizedMessage("ocsp.errortoomanyreqentities", maxRequests);
          m_log.info(infoMsg);
          {
            // All this just so we can create an error response
            cacert = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(this.data.m_defaultResponderId));
          }
          throw new MalformedRequestException(infoMsg);
        }

        if (m_log.isDebugEnabled()) {
          m_log.debug("The OCSP request contains " + requests.length + " simpleRequests.");
        }

        // Add standard response extensions
        Hashtable responseExtensions = OCSPUtil.getStandardResponseExtensions(req);
              transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.SUCCESSFUL);
              auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.SUCCESSFUL);
        // Look over the status requests
        ArrayList responseList = new ArrayList();
        for (int i = 0; i < requests.length; i++) {
          CertificateID certId = requests[i].getCertID();
          // now some Logging
          transactionLogger.paramPut(ITransactionLogger.SERIAL_NOHEX, certId.getSerialNumber().toByteArray());
          transactionLogger.paramPut(ITransactionLogger.DIGEST_ALGOR, certId.getHashAlgOID()); //todo, find text version of this or find out if it should be something else                   
          transactionLogger.paramPut(ITransactionLogger.ISSUER_NAME_HASH, certId.getIssuerNameHash());
          transactionLogger.paramPut(ITransactionLogger.ISSUER_KEY, certId.getIssuerKeyHash());
          auditLogger.paramPut(IAuditLogger.ISSUER_KEY, certId.getIssuerKeyHash());
          auditLogger.paramPut(IAuditLogger.SERIAL_NOHEX, certId.getSerialNumber().toByteArray());
          auditLogger.paramPut(IAuditLogger.ISSUER_NAME_HASH, certId.getIssuerNameHash());
           byte[] hashbytes = certId.getIssuerNameHash();
          String hash = null;
          if (hashbytes != null) {
            hash = new String(Hex.encode(hashbytes));                     
          }
          String infoMsg = intres.getLocalizedMessage("ocsp.inforeceivedrequest", certId.getSerialNumber().toString(16), hash, request.getRemoteAddr());
          m_log.info(infoMsg);
          boolean unknownCA = false;
          // if the certId was issued by an unknown CA
          // The algorithm here:
          // We will sign the response with the CA that issued the first
          // certificate(certId) in the request. If the issuing CA is not available
          // on this server, we sign the response with the default responderId (from params in web.xml).
          // We have to look up the ca-certificate for each certId in the request though, as we will check
          // for revocation on the ca-cert as well when checking for revocation on the certId.
          cacert = this.data.m_caCertCache.findByOcspHash(certId)// Get the issuer of certId
          if (cacert == null) {
            // We could not find certificate for this request so get certificate for default responder
            cacert = this.data.m_caCertCache.findLatestBySubjectDN(HashID.getFromDN(this.data.m_defaultResponderId));
            unknownCA = true;
          }
          if (cacert == null) {
            String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacert", new String(Hex.encode(certId.getIssuerNameHash())), this.data.m_defaultResponderId);
            m_log.error(errMsg);
            continue;
          }
          if (unknownCA == true) {
            String errMsg = intres.getLocalizedMessage("ocsp.errorfindcacertusedefault", new String(Hex.encode(certId.getIssuerNameHash())));
            m_log.info(errMsg);
            // If we can not find the CA, answer UnknowStatus
            responseList.add(new OCSPResponseItem(certId, new UnknownStatus(), nextUpdate));
            transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_UNKNOWN);
            transactionLogger.writeln();
            continue;
          } else {
            transactionLogger.paramPut(ITransactionLogger.ISSUER_NAME_DN, cacert.getSubjectDN().getName());
          }
          /*
           * Implement logic according to
           * chapter 2.7 in RFC2560
           *
           * 2.7  CA Key Compromise
           *    If an OCSP responder knows that a particular CA's private key has
           *    been compromised, it MAY return the revoked state for all
           *    certificates issued by that CA.
           */
          final org.bouncycastle.ocsp.CertificateStatus certStatus;
          transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD); // it seems to be correct
                    // Check if the cacert (or the default responderid) is revoked
                    final CertificateStatus cacertStatus = this.data.certificateStoreSession.getStatus(CertTools.getIssuerDN(cacert), CertTools.getSerialNumber(cacert));
          if ( !cacertStatus.equals(CertificateStatus.REVOKED) ) {
            // Check if cert is revoked
            final CertificateStatus status = this.data.certificateStoreSession.getStatus(cacert.getSubjectDN().getName(), certId.getSerialNumber());
            // If we have different maxAge and untilNextUpdate for different certificate profiles, we have to fetch these
            // values now that we have fetched the certificate status, that includes certificate profile.
                        nextUpdate = OcspConfiguration.getUntilNextUpdate(status.certificateProfileId);
                        maxAge = OcspConfiguration.getMaxAge(status.certificateProfileId);
                        if (m_log.isDebugEnabled()) {
                          m_log.debug("Set nextUpdate="+nextUpdate+", and maxAge="+maxAge+" for certificateProfileId="+status.certificateProfileId);
                        }

                        final String sStatus;
            if (status.equals(CertificateStatus.NOT_AVAILABLE)) {
              // No revocation info available for this cert, handle it
              if (m_log.isDebugEnabled()) {
                m_log.debug("Unable to find revocation information for certificate with serial '"
                    + certId.getSerialNumber().toString(16) + "'"
                    + " from issuer '" + cacert.getSubjectDN().getName() + "'");                               
              }
              // If we do not treat non existing certificates as good
              // OR
              // we don't actually handle requests for the CA issuing the certificate asked about
              // then we return unknown
              if ( (!m_nonExistingIsGood) || (this.data.m_caCertCache.findByOcspHash(certId) == null) ) {
                sStatus = "unknown";
                certStatus = new UnknownStatus();
                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_UNKNOWN);
              } else {
                                sStatus = "good";
                                certStatus = null; // null means "good" in OCSP
                                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD);
                            }
            } else if ( status.equals(CertificateStatus.REVOKED) ) {
                // Revocation info available for this cert, handle it
                sStatus ="revoked";
                certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(status.revocationDate),
                                                               new CRLReason(status.revocationReason)));
                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_REVOKED); //1 = revoked
            } else {
                sStatus = "good";
                certStatus = null;
                transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_GOOD);
            }
                        infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", sStatus, certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName());
                        m_log.info(infoMsg);
                        responseList.add(new OCSPResponseItem(certId, certStatus, nextUpdate));
                        transactionLogger.writeln();
          } else {
            certStatus = new RevokedStatus(new RevokedInfo(new DERGeneralizedTime(cacertStatus.revocationDate),
                new CRLReason(cacertStatus.revocationReason)));
            infoMsg = intres.getLocalizedMessage("ocsp.infoaddedstatusinfo", "revoked", certId.getSerialNumber().toString(16), cacert.getSubjectDN().getName());
            m_log.info(infoMsg);
            responseList.add(new OCSPResponseItem(certId, certStatus, nextUpdate));
            transactionLogger.paramPut(ITransactionLogger.CERT_STATUS, OCSPUnidResponse.OCSP_REVOKED);
            transactionLogger.writeln();
          }
          // Look for extension OIDs
          Iterator iter = m_extensionOids.iterator();
          while (iter.hasNext()) {
            String oidstr = (String)iter.next();
            DERObjectIdentifier oid = new DERObjectIdentifier(oidstr);
            X509Extensions reqexts = req.getRequestExtensions();
            if (reqexts != null) {
              X509Extension ext = reqexts.getExtension(oid);
              if (null != ext) {
                // We found an extension, call the extenstion class
                if (m_log.isDebugEnabled()) {
                  m_log.debug("Found OCSP extension oid: "+oidstr);
                }
                IOCSPExtension extObj = (IOCSPExtension)m_extensionMap.get(oidstr);
                if (extObj != null) {
                  // Find the certificate from the certId
                  X509Certificate cert = null;
                  cert = (X509Certificate)this.data.certificateStoreSession.findCertificateByIssuerAndSerno(this.data.m_adm, cacert.getSubjectDN().getName(), certId.getSerialNumber());
                  if (cert != null) {
                    // Call the OCSP extension
                    Hashtable retext = extObj.process(request, cert, certStatus);
                    if (retext != null) {
                      // Add the returned X509Extensions to the responseExtension we will add to the basic OCSP response
                      responseExtensions.putAll(retext);
                    } else {
                      String errMsg = intres.getLocalizedMessage("ocsp.errorprocessextension", extObj.getClass().getName()new Integer(extObj.getLastErrorCode()));
                      m_log.error(errMsg);
                    }
                  }
                }
              }
            }
          }
        } // end of huge for loop
        if (cacert != null) {
          // Add responseExtensions
          X509Extensions exts = new X509Extensions(responseExtensions);
          // generate the signed response object
          BasicOCSPResp basicresp = signOCSPResponse(req, responseList, exts, cacert);
          ocspresp = res.generate(OCSPRespGenerator.SUCCESSFUL, basicresp);
          auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.SUCCESSFUL);
          transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.SUCCESSFUL);
        } else {
          // Only unknown CAs in requests and no default reponders cert
          String errMsg = intres.getLocalizedMessage("ocsp.errornocacreateresp");
          m_log.error(errMsg);
          throw new ServletException(errMsg);
        }
      } catch (MalformedRequestException e) {
            transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        m_log.info(errMsg);
        if (m_log.isDebugEnabled()) {
          m_log.debug(errMsg, e);
        }
        ocspresp = res.generate(OCSPRespGenerator.MALFORMED_REQUEST, null)// RFC 2560: responseBytes are not set on error.
        transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.MALFORMED_REQUEST);
        transactionLogger.writeln();
        auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.MALFORMED_REQUEST);
      } catch (SignRequestException e) {
            transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        m_log.info(errMsg); // No need to log the full exception here
        ocspresp = res.generate(OCSPRespGenerator.SIG_REQUIRED, null)// RFC 2560: responseBytes are not set on error.
        transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.SIG_REQUIRED);
        transactionLogger.writeln();
        auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.SIG_REQUIRED);
      } catch (SignRequestSignatureException e) {
            transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        m_log.info(errMsg); // No need to log the full exception here
        ocspresp = res.generate(OCSPRespGenerator.UNAUTHORIZED, null)// RFC 2560: responseBytes are not set on error.
        transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.UNAUTHORIZED);
        transactionLogger.writeln();
        auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.UNAUTHORIZED);
      } catch (InvalidKeyException e) {
            transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        m_log.info(errMsg, e);
        ocspresp = res.generate(OCSPRespGenerator.UNAUTHORIZED, null)// RFC 2560: responseBytes are not set on error.
        transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.UNAUTHORIZED);
        transactionLogger.writeln();
        auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.UNAUTHORIZED);
      } catch (Throwable e) {
            transactionLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        auditLogger.paramPut(IPatternLogger.PROCESS_TIME, IPatternLogger.PROCESS_TIME);
        String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
        m_log.error(errMsg, e);
        ocspresp = res.generate(OCSPRespGenerator.INTERNAL_ERROR, null)// RFC 2560: responseBytes are not set on error.
        transactionLogger.paramPut(ITransactionLogger.STATUS, OCSPRespGenerator.INTERNAL_ERROR);
        transactionLogger.writeln();
        auditLogger.paramPut(IAuditLogger.STATUS, OCSPRespGenerator.INTERNAL_ERROR);
      }
      byte[] respBytes = ocspresp.getEncoded();
      auditLogger.paramPut(IAuditLogger.OCSPRESPONSE, new String (Hex.encode(respBytes)));
            auditLogger.writeln();
      auditLogger.flush();
      transactionLogger.flush();
      if (mDoSaferLogging){
        // See if the Errorhandler has found any problems
        if (hasErrorHandlerFailedSince(startTime)) {
          m_log.info("ProbableErrorhandler reported error, cannot answer request");
          ocspresp = res.generate(OCSPRespGenerator.INTERNAL_ERROR, null)// RFC 2560: responseBytes are not set on error.
          respBytes = ocspresp.getEncoded();
        }
        // See if the Appender has reported any problems
        if (!canlog) {
          m_log.info("SaferDailyRollingFileAppender reported error, cannot answer request");
          ocspresp = res.generate(OCSPRespGenerator.INTERNAL_ERROR, null)// RFC 2560: responseBytes are not set on error.
          respBytes = ocspresp.getEncoded();
        }
      }
      response.setContentType("application/ocsp-response");
      //response.setHeader("Content-transfer-encoding", "binary");
      response.setContentLength(respBytes.length);
      addRfc5019CacheHeaders(request, response, ocspresp, maxAge);
      response.getOutputStream().write(respBytes);
      response.getOutputStream().flush();
    } catch (OCSPException e) {
      String errMsg = intres.getLocalizedMessage("ocsp.errorprocessreq", e.getMessage());
      m_log.error(errMsg, e);
      throw new ServletException(e);
    } catch (Exception e ) {
      m_log.error("", e);
      transactionLogger.flush();
      auditLogger.flush();
    }
    if (m_log.isTraceEnabled()) {
      m_log.trace("<service()");
    }
  }
View Full Code Here

  final private String orderString;
  final private String mLogDateFormat;
  final private String mTimeZone;

    public IPatternLogger getPatternLogger() {
        IPatternLogger pl = new PatternLogger(this.PATTERN.matcher(this.orderString), this.orderString, auditlog, this.mLogDateFormat, this.mTimeZone);
        pl.paramPut(IOCSPLogger.STATUS,"0");
        pl.paramPut(IOCSPLogger.CLIENT_IP,"0");
        pl.paramPut(ITransactionLogger.REQ_NAME,"0");
        pl.paramPut(ITransactionLogger.SIGN_ISSUER_NAME_DN,"0");
        pl.paramPut(ITransactionLogger.SIGN_SUBJECT_NAME,"0");
        pl.paramPut(ITransactionLogger.SIGN_SERIAL_NO,"0");
        pl.paramPut(ITransactionLogger.NUM_CERT_ID,"0");
        pl.paramPut(ITransactionLogger.ISSUER_NAME_DN,"0");
        pl.paramPut(IOCSPLogger.ISSUER_NAME_HASH,"0");
        pl.paramPut(IOCSPLogger.ISSUER_KEY,"0");
        pl.paramPut(ITransactionLogger.DIGEST_ALGOR,"0");
        pl.paramPut(IOCSPLogger.SERIAL_NOHEX,"0");
        pl.paramPut(ITransactionLogger.CERT_STATUS,"0");
        pl.paramPut(ITransactionLogger.PROCESS_TIME, "-1");
        return pl;
  }
View Full Code Here

    private IPatternLogger getNewPatternLogger() {
        if ( !this.doLog ) {
            return new DummyPatternLogger();
        }
        IPatternLogger pl = new PatternLogger(this.PATTERN.matcher(this.orderString), this.orderString, this.log, this.logDateFormat, this.timeZone);
        pl.paramPut(TransactionTags.ERROR_MESSAGE.toString(), "NO_ERROR");
        pl.paramPut(TransactionTags.METHOD.toString(), new Throwable().getStackTrace()[2].getMethodName());
        pl.paramPut(IPatternLogger.LOG_ID, Integer.toString(this.transactionID++));
        pl.paramPut(IPatternLogger.SESSION_ID, this.sessionID);
        return pl;
    }
View Full Code Here

   * @throws IllegalQueryException
     * @see org.ejbca.core.protocol.ws.common.IEjbcaWS#editUser(org.ejbca.core.protocol.ws.objects.UserDataVOWS)
   */ 
  public void editUser(final UserDataVOWS userdata)
      throws CADoesntExistsException, AuthorizationDeniedException, UserDoesntFullfillEndEntityProfile, EjbcaException, ApprovalException, WaitingForApprovalException {
        final IPatternLogger logger = TransactionLogger.getPatternLogger();
        try {
          final EjbcaWSHelper ejbhelper = new EjbcaWSHelper(wsContext, authorizationSession, caAdminSession, certificateProfileSession, certificateStoreSession, endEntityProfileSession, hardTokenSession, userAdminSession);
          final Admin admin = ejbhelper.getAdmin();
          logAdminName(admin,logger);
          final UserDataVO userdatavo = ejbhelper.convertUserDataVOWS(admin, userdata);
            if (userAdminSession.existsUser(admin, userdatavo.getUsername())) {
              if (log.isDebugEnabled()) {
                log.debug("User " + userdata.getUsername() + " exists, update the userdata. New status of user '"+userdata.getStatus()+"'." );         
              }
              userAdminSession.changeUser(admin,userdatavo,userdata.isClearPwd(), true);
            } else {
              if (log.isDebugEnabled()) {
                log.debug("New User " + userdata.getUsername() + ", adding userdata. New status of user '"+userdata.getStatus()+"'." );
              }
              userAdminSession.addUserFromWS(admin,userdatavo,userdata.isClearPwd());
            }
    } catch (UserDoesntFullfillEndEntityProfile e) {
      log.debug(e.toString());
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), e.toString());
      throw e;
    } catch (AuthorizationDeniedException e) {
            final String errorMessage = "AuthorizationDeniedException when editing user "+userdata.getUsername()+": "+e.getMessage();
      log.info(errorMessage);
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), errorMessage);
      throw e;
    } catch (PersistenceException e) {
      // The most likely reason is that the user already existed.
            throw EjbcaWSHelper.getEjbcaException(e, logger, ErrorCode.USER_ALREADY_EXISTS, Level.INFO);
        } catch (RuntimeException e) {  // ClassCastException, EJBException, ...
            throw EjbcaWSHelper.getInternalException(e, logger);
    } finally {
        logger.writeln();
            logger.flush();
        }
  }
View Full Code Here

  public List<UserDataVOWS> findUser(UserMatch usermatch) throws AuthorizationDeniedException, IllegalQueryException, EjbcaException {   
      List<UserDataVOWS> retval = null;
      if (log.isDebugEnabled()) {
            log.debug("Find user with match '"+usermatch.getMatchvalue()+"'.");
      }
        final IPatternLogger logger = TransactionLogger.getPatternLogger();
        try {
          final EjbcaWSHelper ejbhelper = new EjbcaWSHelper(wsContext, authorizationSession, caAdminSession, certificateProfileSession, certificateStoreSession, endEntityProfileSession, hardTokenSession, userAdminSession);
          final Admin admin = ejbhelper.getAdmin();
          logAdminName(admin,logger);
          final Query query = ejbhelper.convertUserMatch(admin, usermatch);           
          final Collection<UserDataVO> result = userAdminSession.query(admin, query, null,null, MAXNUMBEROFROWS); // also checks authorization
          if (result.size() > 0) {
            retval = new ArrayList<UserDataVOWS>(result.size());
            for (final UserDataVO userdata : result) {
              retval.add(ejbhelper.convertUserDataVO(admin,userdata));
            }
          }
        } catch(AuthorizationDeniedException e) {
          logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), e.toString());
          throw e;
        } catch (RuntimeException e) {  // ClassCastException, EJBException ...
          throw EjbcaWSHelper.getInternalException(e, logger);
        } finally {
          logger.writeln();
          logger.flush();
        }
    return retval;
  }
View Full Code Here

  @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
  public List<Certificate> findCerts(String username, boolean onlyValid) throws AuthorizationDeniedException, EjbcaException {
    if (log.isDebugEnabled()) {
          log.debug("Find certs for user '"+username+"'.");
    }
        final IPatternLogger logger = TransactionLogger.getPatternLogger();
    List<Certificate> retval = new ArrayList<Certificate>(0);
    try{
      final EjbcaWSHelper ejbhelper = new EjbcaWSHelper(wsContext, authorizationSession, caAdminSession, certificateProfileSession, certificateStoreSession, endEntityProfileSession, hardTokenSession, userAdminSession);
      final Admin admin = ejbhelper.getAdmin();
            logAdminName(admin,logger);
      if (userAdminSession.findUser(admin,username) != null) {  // checks authorization on CA and profiles and view_end_entity
        Collection<java.security.cert.Certificate> certs;
        if (onlyValid) {
          certs = certificateStoreSession.findCertificatesByUsernameAndStatus(admin, username, SecConst.CERT_ACTIVE);
        } else {
          certs = certificateStoreSession.findCertificatesByUsername(admin, username);
        }
        retval = ejbhelper.returnAuthorizedCertificates(admin, certs, onlyValid);
      } else {
        if (log.isDebugEnabled()) {
          log.debug(intres.getLocalizedMessage("ra.errorentitynotexist", username));       
        }
      }
        } catch (RuntimeException e) {  // EJBException ...
            throw EjbcaWSHelper.getInternalException(e, logger);
    } finally {
            logger.writeln();
            logger.flush();
        }
    return retval;
  }
View Full Code Here

      log.trace(">getLastCertChain: "+username);
    }
    final List<Certificate> retval = new ArrayList<Certificate>();
    EjbcaWSHelper ejbhelper = new EjbcaWSHelper(wsContext, authorizationSession, caAdminSession, certificateProfileSession, certificateStoreSession, endEntityProfileSession, hardTokenSession, userAdminSession);
    Admin admin = ejbhelper.getAdmin();
        final IPatternLogger logger = TransactionLogger.getPatternLogger();
        logAdminName(admin,logger);
    try {
      if (userAdminSession.findUser(admin, username) != null) { // checks authorization on CA and profiles and view_end_entity
        Collection<java.security.cert.Certificate> certs = certificateStoreSession.findCertificatesByUsername(admin,username);
        if (certs.size() > 0) {
          // The latest certificate will be first
          java.security.cert.Certificate lastcert = certs.iterator().next();
          if (lastcert != null) {
            log.debug("Found certificate for user with subjectDN: "+CertTools.getSubjectDN(lastcert)+" and serialNo: "+CertTools.getSerialNumberAsString(lastcert));
            retval.add(new Certificate(lastcert));
            // If we added a certificate, we will also append the CA certificate chain
            boolean selfSigned = false;
            int bar = 0; // to control so we don't enter an infinite loop. Max chain length is 10
            while ( (!selfSigned) && (bar < 10) ) {
              bar++;
              String issuerDN = CertTools.getIssuerDN(lastcert);
              Collection<java.security.cert.Certificate> cacerts = certificateStoreSession.findCertificatesBySubject(admin, issuerDN);
              if ( (cacerts == null) || (cacerts.size() == 0) ) {            
                log.info("No certificate found for CA with subjectDN: "+issuerDN);
                break;
              }
              Iterator<java.security.cert.Certificate> iter = cacerts.iterator();
              while (iter.hasNext()) {
                java.security.cert.Certificate cert = (java.security.cert.Certificate)iter.next();
                try {
                  lastcert.verify(cert.getPublicKey());
                  // this was the right certificate
                  retval.add(new Certificate(cert));
                  // To determine if we have found the last certificate or not
                  selfSigned = CertTools.isSelfSigned(cert);
                  // Find the next certificate in the chain now
                  lastcert = cert;
                  break; // Break of iteration over this CAs certs
                } catch (Exception e) {
                  log.debug("Failed verification when looking for CA certificate, this was not the correct CA certificate. IssuerDN: "+issuerDN+", serno: "+CertTools.getSerialNumberAsString(cert));
                }
              }             
            }
           
          } else {
            log.debug("Found no certificate (in non null list??) for user "+username);
          }
        } else {
          log.debug("Found no certificate for user "+username);
        }
      } else {
        String msg = intres.getLocalizedMessage("ra.errorentitynotexist", username);
        log.debug(msg);
      }
    } catch (CertificateEncodingException e) {
            throw EjbcaWSHelper.getInternalException(e, logger);
        } catch (RuntimeException e) {  // EJBException ...
            throw EjbcaWSHelper.getInternalException(e, logger);
        } finally {
            logger.writeln();
            logger.flush();
        }
    if (log.isTraceEnabled()) {
      log.trace("<getLastCertChain: "+username);
    }
    return retval;
View Full Code Here

   */
  public CertificateResponse crmfRequest(String username, String password,
      String crmf, String hardTokenSN, String responseType)
  throws CADoesntExistsException, AuthorizationDeniedException, NotFoundException, EjbcaException {

      final IPatternLogger logger = TransactionLogger.getPatternLogger();
      try {
          return new CertificateResponse(responseType, processCertReq(username, password,
                                                                      crmf, REQTYPE_CRMF, hardTokenSN, responseType, logger));
        } catch( CADoesntExistsException t ) {
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), t.toString());
            throw t;
        } catch( AuthorizationDeniedException t ) {
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), t.toString());
            throw t;
        } catch( NotFoundException t ) {
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), t.toString());
            throw t;
        } catch (RuntimeException e) {  // ClassCastException, EJBException ...
            throw EjbcaWSHelper.getInternalException(e, logger);
      } finally {
          logger.writeln();
          logger.flush();
      }
  }
View Full Code Here

   */
  public CertificateResponse spkacRequest(String username, String password,
      String spkac, String hardTokenSN, String responseType)
  throws CADoesntExistsException, AuthorizationDeniedException, NotFoundException, EjbcaException {

      final IPatternLogger logger = TransactionLogger.getPatternLogger();
      try {
          return new CertificateResponse(responseType, processCertReq(username, password,
                                                                      spkac, REQTYPE_SPKAC, hardTokenSN, responseType, logger));
        } catch( CADoesntExistsException t ) {
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), t.toString());
            throw t;
        } catch( AuthorizationDeniedException t ) {
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), t.toString());
            throw t;
        } catch( NotFoundException t ) {
            logger.paramPut(TransactionTags.ERROR_MESSAGE.toString(), t.toString());
            throw t;
        } catch (RuntimeException e) {  // EJBException ...
            throw EjbcaWSHelper.getInternalException(e, logger);
        } finally {
            logger.writeln();
            logger.flush();
        }
  }
View Full Code Here

TOP

Related Classes of org.ejbca.util.IPatternLogger

Copyright © 2018 www.massapicom. All rights reserved.
All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.