revive audit log signing. Framework is there, but
1. audit signing cert is not created by default at post-install config wizard
2. AuditVerify tool is broken
3. newer subsystems such as TKS need more audit messages
Created attachment 329749: audit framework change for base/
Created attachment 329750: caAuditSigningCert.profile for local ca
Created attachment 329751: caInternalAuthAuditSigningCert.cfg for remote subsystems
Created attachment 329752: signed audit spec file changes in dogtag
jmagne please review.
Attachments id=329749, 329750, 329571, 329752 +jmagne. Also, the .profile attachment confuses the system. Might want to make it of type text next time.
Created attachment 329771: reload caAuditSigningCert.profile with type text
$ svn commit
Sending        base/ca/shared/conf/CS.cfg
Adding         base/ca/shared/conf/caAuditSigningCert.profile
Adding         base/ca/shared/profiles/ca/caInternalAuthAuditSigningCert.cfg
Sending        base/common/src/LogMessages_en.properties
Sending        base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
Sending        base/java-tools/build.xml
Sending        base/java-tools/src/com/netscape/cmstools/AuditVerify.java
Sending        base/kra/shared/conf/CS.cfg
Sending        base/ocsp/shared/conf/CS.cfg
Sending        base/tks/shared/conf/CS.cfg
Sending        dogtag/ca/pki-ca.spec
Sending        dogtag/common/pki-common.spec
Sending        dogtag/java-tools/pki-java-tools.spec
Sending        dogtag/kra/pki-kra.spec
Sending        dogtag/ocsp/pki-ocsp.spec
Sending        dogtag/tks/pki-tks.spec
Transmitting file data ................
Committed revision 183.
How to test (for CA, DRM/KRA, TKS, OCSP):
1. edit CS.cfg and change value of log.instance.SignedAudit.logSigning from false to true.
2. restart subsystem
3. do something (enrollment, add user, etc.) to trigger some audit logging
4. go to the CA and find the cert "... Audit Signing Certificate...", copy the base64 encoding and paste it in a file, say audit.cert
5. create nss db and import the cert
6. run AuditVerify to verify the audit logs

Note: the first signature verified will always fail due to the extra data written to the log file before signed audit begins. I might file a separate bug to fix that.
Verified:

[root@qe-blade-11 results]# AuditVerify -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca" -a /home/jgalipea/loglist.txt -v
====== File: /var/lib/pki-ca/logs/signedAudit/ca_audit ======
Line 124: VERIFICATION FAILED: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:1 to /var/lib/pki-ca/logs/signedAudit/ca_audit:123
Line 126: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:124 to /var/lib/pki-ca/logs/signedAudit/ca_audit:125
Line 128: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:126 to /var/lib/pki-ca/logs/signedAudit/ca_audit:127
Line 131: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:128 to /var/lib/pki-ca/logs/signedAudit/ca_audit:130
Line 134: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:131 to /var/lib/pki-ca/logs/signedAudit/ca_audit:133
Line 137: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:134 to /var/lib/pki-ca/logs/signedAudit/ca_audit:136
Line 139: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:137 to /var/lib/pki-ca/logs/signedAudit/ca_audit:138
Line 143: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:139 to /var/lib/pki-ca/logs/signedAudit/ca_audit:142
Line 146: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:143 to /var/lib/pki-ca/logs/signedAudit/ca_audit:145
Line 149: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:146 to /var/lib/pki-ca/logs/signedAudit/ca_audit:148
Line 153: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:149 to /var/lib/pki-ca/logs/signedAudit/ca_audit:152
Line 155: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:153 to /var/lib/pki-ca/logs/signedAudit/ca_audit:154
Line 158: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:155 to /var/lib/pki-ca/logs/signedAudit/ca_audit:157
Line 162: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:158 to /var/lib/pki-ca/logs/signedAudit/ca_audit:161
Line 166: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:162 to /var/lib/pki-ca/logs/signedAudit/ca_audit:165
Verification process complete.
Valid signatures: 14
Invalid signatures: 1
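An added example, not part of this bug report or the Dogtag code base: when the how-to above is automated, the operator needs to tell the expected failure of the first segment (the pre-signing data, starting at log line 1) from any other failed signature. This parses AuditVerify -v output like the run posted above into segments, cross-checks the summary counts, and accepts the run only under that rule; the sample output is constructed from the lines above, and the contiguity check assumes, as that output shows, that each signature line opens the next segment.

```python
import re
from typing import NamedTuple

# Constructed sample, modelled on the AuditVerify run posted in this bug.
SAMPLE_OUTPUT = """\
====== File: /var/lib/pki-ca/logs/signedAudit/ca_audit ======
Line 124: VERIFICATION FAILED: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:1 to /var/lib/pki-ca/logs/signedAudit/ca_audit:123
Line 126: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:124 to /var/lib/pki-ca/logs/signedAudit/ca_audit:125
Line 128: verification succeeded: signature of /var/lib/pki-ca/logs/signedAudit/ca_audit:126 to /var/lib/pki-ca/logs/signedAudit/ca_audit:127
Verification process complete.
Valid signatures: 2
Invalid signatures: 1
"""

class Segment(NamedTuple):
    sig_line: int   # log line that carries the signature entry
    first: int      # first log line covered by that signature
    last: int       # last log line covered by that signature
    ok: bool        # did AuditVerify accept the signature
SEG_RE = re.compile(
    r"^Line (?P<sig>\d+): (?P<result>VERIFICATION FAILED|verification succeeded): "
    r"signature of (?P<path>\S+):(?P<first>\d+) to (?P=path):(?P<last>\d+)$")
SUMMARY_RE = re.compile(r"^(Valid|Invalid) signatures: (\d+)$")

def parse_auditverify(output):
    """Return (segments, {'valid': n, 'invalid': m}) from AuditVerify -v output."""
    segments, summary = [], {}
    for line in output.splitlines():
        m = SEG_RE.match(line)
        if m:
            segments.append(Segment(int(m["sig"]), int(m["first"]), int(m["last"]),
                                    m["result"] == "verification succeeded"))
        elif (m := SUMMARY_RE.match(line)):
            summary[m.group(1).lower()] = int(m.group(2))
    return segments, summary

def acceptable(segments, summary):
    """Pass only if every failure is the pre-signing segment starting at log line 1,
    counts match, and segments abut (each signature line opens the next segment)."""
    problems = []
    for key, flag in (("valid", True), ("invalid", False)):
        if sum(s.ok == flag for s in segments) != summary.get(key):
            problems.append(f"{key} signature count disagrees with per-segment results")
    for s in segments:
        if not s.ok and s.first != 1:
            problems.append(f"signature at line {s.sig_line} failed for lines {s.first}-{s.last}")
    for prev, cur in zip(segments, segments[1:]):
        if cur.first != prev.sig_line or cur.last != cur.sig_line - 1:
            problems.append(f"coverage gap or overlap around line {cur.sig_line}")
    return not problems, problems
```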