diff --git a/CHANGELOG.md b/CHANGELOG.md
index a886ad5e..e7f953b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -128,6 +128,10 @@ feat: implement configurable recipient
fix: extension processing in CMP client
-### 4.1.0 (Dec 14 2024)
+### 4.1.0 (Dec 14 2023)
feat: revocation checking via inventory interface
+
+### 4.1.2 (Feb 28 2024)
+
+feat: add logging while accessing configuration data
diff --git a/README.md b/README.md
index 507e5b3f..05ae53c6 100644
--- a/README.md
+++ b/README.md
@@ -170,6 +170,10 @@ between CMP RA component, downstream interface, and upstream interface:
which supports dynamic changes.
* Where appropriate, they may depend on a certificate profile
optionally given in CMP request headers.
+* If accessing the configuration interface shall be logged, the SLF4J-Logger of
+ com.siemens.pki.cmpracomponent.util.ConfigLogger must be set to DEBUG, e.g.
+ start with
+ -Dorg.slf4j.simpleLogger.log.com.siemens.pki.cmpracomponent.util.ConfigLogger=debug
## Interfaces to inventory for certification request validation
diff --git a/pom.xml b/pom.xml
index 71ef8b8e..f5816533 100644
--- a/pom.xml
+++ b/pom.xml
@@ -8,7 +8,7 @@
com.siemens.pki
CmpRaComponent
jar
- 4.1.1
+ 4.1.2
UTF-8
.
diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java
index 05db0f48..f873ba5f 100644
--- a/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java
+++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/ClientRequestHandler.java
@@ -35,6 +35,7 @@
import com.siemens.pki.cmpracomponent.msgvalidation.MessageHeaderValidator;
import com.siemens.pki.cmpracomponent.msgvalidation.ProtectionValidator;
import com.siemens.pki.cmpracomponent.msgvalidation.ValidatorIF;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import com.siemens.pki.cmpracomponent.util.FileTracer;
import com.siemens.pki.cmpracomponent.util.MessageDumper;
import java.security.GeneralSecurityException;
@@ -81,17 +82,27 @@ class ValidatorAndProtector {
public ValidatorAndProtector(NestedEndpointContext nestedEndpoint)
throws GeneralSecurityException, CmpProcessingException {
- final VerificationContext inputVerification = nestedEndpoint.getInputVerification();
headerValidator = new MessageHeaderValidator(NESTED_INTERFACE_NAME);
outputProtection = new MsgOutputProtector(nestedEndpoint, NESTED_INTERFACE_NAME);
- this.inputVerification = inputVerification;
- protectionValidator = new ProtectionValidator(NESTED_INTERFACE_NAME, inputVerification);
+ this.inputVerification = ConfigLogger.logOptional(
+ NESTED_INTERFACE_NAME,
+ "NestedEndpointContext.getInputVerification()",
+ nestedEndpoint::getInputVerification);
+ protectionValidator = new ProtectionValidator(
+ NESTED_INTERFACE_NAME,
+ ConfigLogger.logOptional(
+ NESTED_INTERFACE_NAME,
+ "NestedEndpointContext.getInputVerification()",
+ nestedEndpoint::getInputVerification));
bodyValidator = new MessageBodyValidator(NESTED_INTERFACE_NAME, (x, y) -> false, null, certProfile);
}
private ValidatorAndProtector(String certProfile, final CmpMessageInterface upstreamConfiguration)
throws GeneralSecurityException, CmpProcessingException {
- this.inputVerification = upstreamConfiguration.getInputVerification();
+ this.inputVerification = ConfigLogger.logOptional(
+ INTERFACE_NAME,
+ "CmpMessageInterface.getInputVerification()",
+ upstreamConfiguration::getInputVerification);
headerValidator = new MessageHeaderValidator(INTERFACE_NAME);
outputProtection = new MsgOutputProtector(upstreamConfiguration, INTERFACE_NAME, null);
protectionValidator = new ProtectionValidator(INTERFACE_NAME, inputVerification);
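Review bot: `ValidatorAndProtector(NestedEndpointContext)` now fetches the input verification twice, once into `this.inputVerification` and again inside the `ProtectionValidator` argument, so the getter is invoked and logged twice and, given the README in this commit says the configuration supports dynamic changes, the stored field and the validator can end up holding different `VerificationContext` instances. The sibling constructor below keeps a single fetch and reuses the field; do the same here: `protectionValidator = new ProtectionValidator(NESTED_INTERFACE_NAME, inputVerification);`. The second constructor's body continues past the end of the hunk.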
@@ -155,8 +166,12 @@ private void validateResponse(final PKIMessage response) throws BaseCmpException
this.upstreamExchange = upstreamExchange;
this.certProfile = certProfile;
validatorAndProtector = new ValidatorAndProtector(certProfile, upstreamConfiguration);
- nestedValidatorAndProtector =
- ifNotNull(upstreamConfiguration.getNestedEndpointContext(), ValidatorAndProtector::new);
+ nestedValidatorAndProtector = ifNotNull(
+ ConfigLogger.logOptional(
+ INTERFACE_NAME,
+ "CmpMessageInterface.getNestedEndpointContext()",
+ upstreamConfiguration::getNestedEndpointContext),
+ ValidatorAndProtector::new);
}
PKIMessage buildFurtherRequest(final PKIMessage formerResponse, final PKIBody requestBody) throws Exception {
diff --git a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java
index 6bc37114..87ea3e6f 100644
--- a/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java
+++ b/src/main/java/com/siemens/pki/cmpclientcomponent/main/CmpClient.java
@@ -28,6 +28,7 @@
import com.siemens.pki.cmpracomponent.configuration.GetCaCertificatesHandler;
import com.siemens.pki.cmpracomponent.configuration.GetCertificateRequestTemplateHandler;
import com.siemens.pki.cmpracomponent.configuration.GetRootCaCertificateUpdateHandler;
+import com.siemens.pki.cmpracomponent.configuration.VerificationContext;
import com.siemens.pki.cmpracomponent.cryptoservices.AlgorithmHelper;
import com.siemens.pki.cmpracomponent.cryptoservices.CertUtility;
import com.siemens.pki.cmpracomponent.cryptoservices.CmsDecryptor;
@@ -131,6 +132,8 @@ public interface EnrollmentResult {
private static final Logger LOGGER = LoggerFactory.getLogger(CmpClient.class);
+ private static final String INTERFACE_NAME = "cmpclient";
+
private final ClientRequestHandler requestHandler;
private final ClientContext clientContext;
@@ -451,14 +454,16 @@ public EnrollmentResult invokeEnrollment() {
case PKIBody.TYPE_CERT_REQ:
case PKIBody.TYPE_INIT_REQ: {
final String subject = enrollmentContext.getSubject();
- final Extension[] extensions = ifNotNull(enrollmentContext.getExtensions(), exts -> exts.stream()
- .map(ext -> new Extension(
- new ASN1ObjectIdentifier(ext.getId()), ext.isCritical(), ext.getValue()))
- .toArray(Extension[]::new));
+ final Extension[] arrayOfExtensions =
+ ifNotNull(enrollmentContext.getExtensions(), exts -> exts.stream()
+ .map(ext -> new Extension(
+ new ASN1ObjectIdentifier(ext.getId()), ext.isCritical(), ext.getValue()))
+ .toArray(Extension[]::new));
+ final Extensions extensions = ifNotNull(arrayOfExtensions, Extensions::new);
final CertTemplateBuilder ctb = new CertTemplateBuilder()
.setSubject(ifNotNull(subject, X500Name::new))
.setPublicKey(enrolledPublicKeyInfo)
- .setExtensions((Extensions) ifNotNull(extensions, Extensions::new));
+ .setExtensions(extensions);
requestBody = PkiMessageGenerator.generateIrCrKurBody(
enrollmentType, ctb.build(), null, enrolledPrivateKey);
pvno = enrolledPrivateKey == null ? PKIHeader.CMP_2021 : PKIHeader.CMP_2000;
@@ -511,7 +516,12 @@ public EnrollmentResult invokeEnrollment() {
LOGGER.error("wrong or missing local credentials, no key decryption possible");
return null;
}
- final DataSignVerifier verifier = new DataSignVerifier(requestHandler.getInputVerification());
+ final VerificationContext inputVerification = requestHandler.getInputVerification();
+ if (inputVerification == null) {
+ LOGGER.error("wrong or missing local trust, no key verification possible");
+ return null;
+ }
+ final DataSignVerifier verifier = new DataSignVerifier(inputVerification, INTERFACE_NAME);
final byte[] decryptedKey = decryptor.decrypt(EnvelopedData.getInstance(
certifiedKeyPair.getPrivateKey().getValue()));
enrolledPrivateKey = verifier.verifySignedKey(decryptedKey);
@@ -533,7 +543,7 @@ public EnrollmentResult invokeEnrollment() {
if (enrollmentContext.getEnrollmentTrust() != null) {
try {
final List extends X509Certificate> validationResult = new TrustCredentialAdapter(
- enrollmentContext.getEnrollmentTrust())
+ enrollmentContext.getEnrollmentTrust(), INTERFACE_NAME)
.validateCertAgainstTrust(
enrolledCertAsX509,
CertUtility.asX509Certificates(responseMessage.getExtraCerts()));
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java
index 35ec81b6..2a7b77f4 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/BaseCredentialService.java
@@ -18,6 +18,7 @@
package com.siemens.pki.cmpracomponent.cryptoservices;
import com.siemens.pki.cmpracomponent.configuration.SignatureCredentialContext;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
@@ -29,17 +30,21 @@
public class BaseCredentialService {
private final SignatureCredentialContext config;
+ final String interfaceName;
/**
* ctor
* @param config related config
+ * @param interfaceName CMP interface name for logging
*/
- public BaseCredentialService(final SignatureCredentialContext config) {
+ public BaseCredentialService(final SignatureCredentialContext config, String interfaceName) {
this.config = config;
+ this.interfaceName = interfaceName;
}
protected List getCertChain() {
- return config.getCertificateChain();
+ return ConfigLogger.log(
+ interfaceName, "SignatureCredentialContext.getCertificateChain()", config::getCertificateChain);
}
/**
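Review bot: `final String interfaceName;` is package-private while `config` right above it is `private final`; unless same-package subclasses read it directly, make it `private final String interfaceName;` (or `protected final` if subclasses in other packages need it). The new constructor parameter is also not `final`, unlike `config`, and the same inconsistency appears in the new `interfaceName` parameters of CmsEncryptorBase, DataSignVerifier, DataSigner and TrustCredentialAdapter in this commit.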
@@ -47,7 +52,7 @@ protected List getCertChain() {
* @return end certificate
*/
public X509Certificate getEndCertificate() {
- return config.getCertificateChain().get(0);
+ return getCertChain().get(0);
}
/**
@@ -55,7 +60,7 @@ public X509Certificate getEndCertificate() {
* @return private key related to end certificate
*/
public PrivateKey getPrivateKey() {
- return config.getPrivateKey();
+ return ConfigLogger.log(interfaceName, "SignatureCredentialContext.getPrivateKey()", config::getPrivateKey);
}
protected AlgorithmIdentifier getSignatureAlgorithm() {
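Review bot: `getPrivateKey()` now routes the `PrivateKey` through `ConfigLogger.log`, and the README change in this commit presents that logger as something operators switch to DEBUG to trace configuration access; if `ConfigLogger.log` emits the returned value (its implementation is not in this diff), enabling that output would write key material to the log, and some `PrivateKey` implementations include the private exponent in their `toString()`. The same concern applies to `CkgKeyAgreementContext.getOwnPrivateKey()` in KeyAgreementEncryptor and to `SharedSecretCredentialContext.getSharedSecret()` in PasswordEncryptor. For these accessors have `ConfigLogger` record only the accessor name and interface, never the value, or route them through a variant that does so, and say so in the Javadoc of `getPrivateKey()`.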
@@ -63,6 +68,9 @@ protected AlgorithmIdentifier getSignatureAlgorithm() {
}
protected String getSignatureAlgorithmName() {
- return config.getSignatureAlgorithmName();
+ return ConfigLogger.log(
+ interfaceName,
+ "SignatureCredentialContext.getSignatureAlgorithmName()",
+ config::getSignatureAlgorithmName);
}
}
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java
index 1f95d6a2..7104090c 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/CmsEncryptorBase.java
@@ -18,11 +18,17 @@
package com.siemens.pki.cmpracomponent.cryptoservices;
import com.siemens.pki.cmpracomponent.configuration.CkgContext;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import org.bouncycastle.asn1.cms.EnvelopedData;
import org.bouncycastle.asn1.cms.SignedData;
-import org.bouncycastle.cms.*;
+import org.bouncycastle.cms.CMSAlgorithm;
+import org.bouncycastle.cms.CMSEnvelopedData;
+import org.bouncycastle.cms.CMSEnvelopedDataGenerator;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.RecipientInfoGenerator;
import org.bouncycastle.cms.jcajce.JceCMSContentEncryptorBuilder;
/**
@@ -32,9 +38,15 @@ public class CmsEncryptorBase {
private final CMSEnvelopedDataGenerator envGen = new CMSEnvelopedDataGenerator();
private final CkgContext config;
+ private final String interfaceName;
- protected CmsEncryptorBase(final CkgContext config) {
+ protected CmsEncryptorBase(final CkgContext config, String interfaceName) {
this.config = config;
+ this.interfaceName = interfaceName;
+ }
+
+ protected void addRecipientInfoGenerator(final RecipientInfoGenerator recipientGenerator) {
+ envGen.addRecipientInfoGenerator(recipientGenerator);
}
/**
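Review bot: The relocated `addRecipientInfoGenerator` and the widened constructor both lack Javadoc, whereas `encrypt` immediately after them is documented; since `interfaceName` now drives the configuration logging, add `@param interfaceName CMP interface name for logging` to the constructor (the wording BaseCredentialService uses in this commit) together with a `@param config` line, and a one-sentence summary on `addRecipientInfoGenerator` stating that it registers a recipient with the enveloped-data generator used by `encrypt`.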
@@ -49,7 +61,10 @@ protected CmsEncryptorBase(final CkgContext config) {
public EnvelopedData encrypt(final byte[] msg) throws CMSException, NoSuchAlgorithmException {
final CMSEnvelopedData cmsEnvData = envGen.generate(
new CMSProcessableByteArray(msg),
- new JceCMSContentEncryptorBuilder(AlgorithmHelper.getKeyEncryptionOID(config.getContentEncryptionAlg()))
+ new JceCMSContentEncryptorBuilder(AlgorithmHelper.getKeyEncryptionOID(ConfigLogger.log(
+ interfaceName,
+ "CkgContext.getContentEncryptionAlg()",
+ config::getContentEncryptionAlg)))
.setProvider(CertUtility.getBouncyCastleProvider())
.build());
return EnvelopedData.getInstance(cmsEnvData.toASN1Structure().getContent());
@@ -71,8 +86,4 @@ public EnvelopedData encrypt(final SignedData data) throws CMSException, IOExcep
.build());
return EnvelopedData.getInstance(cmsEnvData.toASN1Structure().getContent());
}
-
- protected void addRecipientInfoGenerator(final RecipientInfoGenerator recipientGenerator) {
- envGen.addRecipientInfoGenerator(recipientGenerator);
- }
}
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java
index 5c918838..05a7e9cd 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSignVerifier.java
@@ -100,9 +100,10 @@ private static byte[] verifySignature(
/**
* ctor
* @param config context used for verification
+ * @param interfaceName CMP interface name for logging
*/
- public DataSignVerifier(final VerificationContext config) {
- super(config);
+ public DataSignVerifier(final VerificationContext config, String interfaceName) {
+ super(config, interfaceName);
}
private boolean validate(final X509CertificateHolder cert, final List allCerts)
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java
index 6f87b511..0ada2a5b 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/DataSigner.java
@@ -81,25 +81,28 @@ public DataSigner(final BaseCredentialService credentialService)
* ctor
* @param privateKey private key used for signing
* @param endCertificate certificate used for signing
+ * @param interfaceName CMP interface name for logging
* @throws CertificateEncodingException in case of error
* @throws OperatorCreationException in case of error
* @throws IOException in case of error
* @throws CMSException in case of error
*/
- public DataSigner(final PrivateKey privateKey, final X509Certificate endCertificate)
+ public DataSigner(final PrivateKey privateKey, final X509Certificate endCertificate, String interfaceName)
throws CertificateEncodingException, OperatorCreationException, IOException, CMSException {
- this(new BaseCredentialService(new SignatureCredentialContext() {
+ this(new BaseCredentialService(
+ new SignatureCredentialContext() {
- @Override
- public List getCertificateChain() {
- return Collections.singletonList(endCertificate);
- }
+ @Override
+ public List getCertificateChain() {
+ return Collections.singletonList(endCertificate);
+ }
- @Override
- public PrivateKey getPrivateKey() {
- return privateKey;
- }
- }));
+ @Override
+ public PrivateKey getPrivateKey() {
+ return privateKey;
+ }
+ },
+ interfaceName));
}
/**
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java
index 3e3c3b4b..c492565c 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyAgreementEncryptor.java
@@ -20,6 +20,7 @@
import com.siemens.pki.cmpracomponent.configuration.CkgContext;
import com.siemens.pki.cmpracomponent.configuration.CkgKeyAgreementContext;
import com.siemens.pki.cmpracomponent.msgvalidation.CmpEnrollmentException;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
@@ -49,8 +50,9 @@ public KeyAgreementEncryptor(
final int initialRequestType,
final String interfaceName)
throws GeneralSecurityException, CmpEnrollmentException {
- super(config);
- final CkgKeyAgreementContext keyAgreementContext = config.getKeyAgreementContext();
+ super(config, interfaceName);
+ final CkgKeyAgreementContext keyAgreementContext =
+ ConfigLogger.log(interfaceName, "CkgContext.getKeyAgreementContext()", config::getKeyAgreementContext);
if (keyAgreementContext == null) {
throw new CmpEnrollmentException(
initialRequestType,
@@ -59,12 +61,27 @@ public KeyAgreementEncryptor(
"support for key management technique Key Agreement is not configured for central key generation");
}
final JceKeyAgreeRecipientInfoGenerator infGen = new JceKeyAgreeRecipientInfoGenerator(
- AlgorithmHelper.getKeyAgreementOID(keyAgreementContext.getKeyAgreementAlg()),
- keyAgreementContext.getOwnPrivateKey(),
- keyAgreementContext.getOwnPublicKey(),
- AlgorithmHelper.getKekOID(keyAgreementContext.getKeyEncryptionAlg()));
+ AlgorithmHelper.getKeyAgreementOID(ConfigLogger.log(
+ interfaceName,
+ "CkgKeyAgreementContext.getKeyAgreementAlg()",
+ keyAgreementContext::getKeyAgreementAlg)),
+ ConfigLogger.log(
+ interfaceName,
+ "CkgKeyAgreementContext.getOwnPrivateKey()",
+ keyAgreementContext::getOwnPrivateKey),
+ ConfigLogger.log(
+ interfaceName,
+ "CkgKeyAgreementContext.getOwnPublicKey()",
+ keyAgreementContext::getOwnPublicKey),
+ AlgorithmHelper.getKekOID(ConfigLogger.log(
+ interfaceName,
+ "CkgKeyAgreementContext.getKeyEncryptionAlg()",
+ keyAgreementContext::getKeyEncryptionAlg)));
- infGen.addRecipient(keyAgreementContext.getRecipient(protectingCert));
+ infGen.addRecipient(ConfigLogger.log(
+ interfaceName,
+ "CkgKeyAgreementContext.getRecipient(X509Certificate)",
+ () -> keyAgreementContext.getRecipient(protectingCert)));
addRecipientInfoGenerator(infGen.setProvider(CertUtility.getBouncyCastleProvider()));
}
}
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java
index a7628386..e54a4f89 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/KeyTransportEncryptor.java
@@ -20,6 +20,7 @@
import com.siemens.pki.cmpracomponent.configuration.CkgContext;
import com.siemens.pki.cmpracomponent.configuration.CkgKeyTransportContext;
import com.siemens.pki.cmpracomponent.msgvalidation.CmpEnrollmentException;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
@@ -49,8 +50,9 @@ public KeyTransportEncryptor(
final int initialRequestType,
final String interfaceName)
throws NoSuchAlgorithmException, CmpEnrollmentException {
- super(config);
- final CkgKeyTransportContext transportContext = config.getKeyTransportContext();
+ super(config, interfaceName);
+ final CkgKeyTransportContext transportContext =
+ ConfigLogger.log(interfaceName, "CkgContext.getKeyTransportContext()", config::getKeyTransportContext);
if (transportContext == null) {
throw new CmpEnrollmentException(
initialRequestType,
@@ -59,7 +61,10 @@ public KeyTransportEncryptor(
"support for key management technique Key Transport is not configured for central key generation");
}
final JcaX509ExtensionUtils jcaX509ExtensionUtils = new JcaX509ExtensionUtils();
- final X509Certificate encryptionCert = transportContext.getRecipient(protectingCert);
+ final X509Certificate encryptionCert = ConfigLogger.log(
+ interfaceName,
+ "CkgKeyTransportContext.getRecipient(X509Certificate)",
+ () -> transportContext.getRecipient(protectingCert));
final PublicKey publicKey = encryptionCert.getPublicKey();
addRecipientInfoGenerator(new JceKeyTransRecipientInfoGenerator(
jcaX509ExtensionUtils
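Review bot: `encryptionCert` is dereferenced on the following line (`encryptionCert.getPublicKey()`), but nothing guards against `getRecipient(protectingCert)` returning null; the transport context itself is null-checked a few lines above and reported as a `CmpEnrollmentException`, so a missing recipient certificate deserves the same treatment instead of a NullPointerException, unless `ConfigLogger.log` is defined to reject a null result, which this diff does not show. A check mirroring the existing one, throwing `CmpEnrollmentException` with `initialRequestType` and a message naming the missing recipient certificate, would close the gap. The enclosing constructor continues past the hunk.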
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java
index 9d515e4a..d5f954d4 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/PasswordEncryptor.java
@@ -21,6 +21,7 @@
import com.siemens.pki.cmpracomponent.configuration.CkgPasswordContext;
import com.siemens.pki.cmpracomponent.configuration.SharedSecretCredentialContext;
import com.siemens.pki.cmpracomponent.msgvalidation.CmpEnrollmentException;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import java.security.NoSuchAlgorithmException;
import org.bouncycastle.asn1.cmp.PKIFailureInfo;
import org.bouncycastle.cms.PasswordRecipient;
@@ -42,8 +43,9 @@ public class PasswordEncryptor extends CmsEncryptorBase {
*/
public PasswordEncryptor(final CkgContext config, final int initialRequestType, final String interfaceName)
throws NoSuchAlgorithmException, CmpEnrollmentException {
- super(config);
- final CkgPasswordContext passwordContext = config.getPasswordContext();
+ super(config, interfaceName);
+ final CkgPasswordContext passwordContext =
+ ConfigLogger.log(interfaceName, "CkgContext.getPasswordContext()", config::getPasswordContext);
if (passwordContext == null) {
throw new CmpEnrollmentException(
initialRequestType,
@@ -51,13 +53,29 @@ public PasswordEncryptor(final CkgContext config, final int initialRequestType,
PKIFailureInfo.notAuthorized,
"support for key management technique Password-Based is not configured for central key generation");
}
- final SharedSecretCredentialContext encryptionCredentials = passwordContext.getEncryptionCredentials();
+ final SharedSecretCredentialContext encryptionCredentials = ConfigLogger.log(
+ interfaceName,
+ "CkgPasswordContext.getEncryptionCredentials()",
+ passwordContext::getEncryptionCredentials);
addRecipientInfoGenerator(new JcePasswordRecipientInfoGenerator(
- AlgorithmHelper.getKeyEncryptionOID(passwordContext.getKekAlg()),
- AlgorithmHelper.convertSharedSecretToPassword(encryptionCredentials.getSharedSecret()))
+ AlgorithmHelper.getKeyEncryptionOID(ConfigLogger.log(
+ interfaceName, "CkgPasswordContext.getKekAlg()", passwordContext::getKekAlg)),
+ AlgorithmHelper.convertSharedSecretToPassword(ConfigLogger.log(
+ interfaceName,
+ "SharedSecretCredentialContext.getSharedSecret()",
+ encryptionCredentials::getSharedSecret)))
.setProvider(CertUtility.getBouncyCastleProvider())
.setPasswordConversionScheme(PasswordRecipient.PKCS5_SCHEME2_UTF8)
- .setPRF(AlgorithmHelper.getPrf(encryptionCredentials.getPrf()))
- .setSaltAndIterationCount(encryptionCredentials.getSalt(), encryptionCredentials.getIterationCount()));
+ .setPRF(AlgorithmHelper.getPrf(ConfigLogger.log(
+ interfaceName, "SharedSecretCredentialContext.getPrf()", encryptionCredentials::getPrf)))
+ .setSaltAndIterationCount(
+ ConfigLogger.log(
+ interfaceName,
+ "SharedSecretCredentialContext.getSalt()",
+ encryptionCredentials::getSalt),
+ ConfigLogger.log(
+ interfaceName,
+ "SharedSecretCredentialContext.getIterationCount()",
+ encryptionCredentials::getIterationCount)));
}
}
diff --git a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java
index af797847..c9d8d229 100644
--- a/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java
+++ b/src/main/java/com/siemens/pki/cmpracomponent/cryptoservices/TrustCredentialAdapter.java
@@ -18,6 +18,7 @@
package com.siemens.pki.cmpracomponent.cryptoservices;
import com.siemens.pki.cmpracomponent.configuration.VerificationContext;
+import com.siemens.pki.cmpracomponent.util.ConfigLogger;
import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
@@ -62,12 +63,23 @@ public class TrustCredentialAdapter {
private final VerificationContext config;
+ private final String interfaceName;
+
/**
* ctor
* @param config specific configuration
+ * @param interfaceName CMP interface name for logging
*/
- public TrustCredentialAdapter(final VerificationContext config) {
+ public TrustCredentialAdapter(final VerificationContext config, String interfaceName) {
this.config = config;
+ this.interfaceName = interfaceName;
+ }
+
+ public boolean isIntermediateCertAcceptable(X509Certificate cert) {
+ return ConfigLogger.log(
+ interfaceName,
+ "VerificationContext.isIntermediateCertAcceptable(X509Certificate)",
+ () -> config.isIntermediateCertAcceptable(cert));
}
/**
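Review bot: `isIntermediateCertAcceptable` is added as a public method without Javadoc, while every other public member of this class is documented; within this file its only use is the `this::isIntermediateCertAcceptable` method reference in `validateCertAgainstTrust`, so `private` would suffice unless callers elsewhere need it. If it stays public, add a Javadoc summary saying it delegates the intermediate-certificate acceptance decision to the configured `VerificationContext` and logs the access, with `@param cert` and `@return` lines.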
@@ -87,7 +99,8 @@ public TrustCredentialAdapter(final VerificationContext config) {
public synchronized List extends X509Certificate> validateCertAgainstTrust(
final X509Certificate cert, final List additionalIntermediateCerts)
throws NoSuchProviderException {
- final Collection trustedCertificates = config.getTrustedCertificates();
+ final Collection trustedCertificates = ConfigLogger.logOptional(
+ interfaceName, "VerificationContext.getTrustedCertificates()", config::getTrustedCertificates);
if (trustedCertificates == null) {
return null;
}
@@ -107,7 +120,10 @@ public synchronized List extends X509Certificate> validateCertAgainstTrust(
try {
final boolean[] leafKeyUsage = cert.getKeyUsage();
if (leafKeyUsage != null && !leafKeyUsage[0] // digitalSignature
- || !config.isLeafCertAcceptable(cert)) {
+ || !ConfigLogger.log(
+ interfaceName,
+ "VerificationContext.isLeafCertAcceptable(X509Certificate)",
+ () -> config.isLeafCertAcceptable(cert))) {
return null;
}
// initial state
@@ -123,7 +139,7 @@ public synchronized List extends X509Certificate> validateCertAgainstTrust(
final PKIXBuilderParameters params = new PKIXBuilderParameters(trust, targetConstraints);
- if (config.isAIAsEnabled()) {
+ if (ConfigLogger.log(interfaceName, "VerificationContext.isAIAsEnabled()", config::isAIAsEnabled)) {
revocationEnabled = true;
java.security.Security.setProperty(OCSP_ENABLE_PROP, "true");
System.setProperty("com.sun.security.enableAIAcaIssuers", "true");
@@ -131,7 +147,7 @@ public synchronized List extends X509Certificate> validateCertAgainstTrust(
System.setProperty("com.sun.security.enableAIAcaIssuers", FALSE_STRING);
}
- if (config.isCDPsEnabled()) {
+ if (ConfigLogger.log(interfaceName, "VerificationContext.isCDPsEnabled()", config::isCDPsEnabled)) {
revocationEnabled = true;
System.setProperty("com.sun.security.enableCRLDP", "true");
} else {
@@ -142,12 +158,13 @@ public synchronized List extends X509Certificate> validateCertAgainstTrust(
if (additionalIntermediateCerts != null) {
additionalIntermediateCerts.stream()
- .filter(config::isIntermediateCertAcceptable)
+ .filter(this::isIntermediateCertAcceptable)
.filter(CertUtility::isIntermediateCertificate)
.forEach(lstCertCrlStores::add);
}
- final Collection additionalCertsFromConfig = config.getAdditionalCerts();
+ final Collection additionalCertsFromConfig = ConfigLogger.logOptional(
+ interfaceName, "VerificationContext.getAdditionalCerts()", config::getAdditionalCerts);
if (additionalCertsFromConfig != null) {
lstCertCrlStores.addAll(additionalCertsFromConfig);
}
@@ -156,7 +173,8 @@ public synchronized List extends X509Certificate> validateCertAgainstTrust(
CertStore.getInstance("Collection", new CollectionCertStoreParameters(lstCertCrlStores), PROVIDER);
params.addCertStore(certStore);
- final Collection crlsFromConfig = config.getCRLs();
+ final Collection crlsFromConfig =
+ ConfigLogger.logOptional(interfaceName, "VerificationContext.getCRLs()", config::getCRLs);
if (crlsFromConfig != null) {
if (!crlsFromConfig.isEmpty()) {
revocationEnabled = true;
@@ -170,12 +188,16 @@ public synchronized List extends X509Certificate> validateCertAgainstTrust(
final PKIXRevocationChecker revChecker = (PKIXRevocationChecker) cpb.getRevocationChecker();
- final EnumSet