authorAndreas Geissler <andreas-geissler@telekom.de>2022-09-12 13:27:04 +0200
committerAndreas Geissler <andreas-geissler@telekom.de>2022-09-20 10:08:05 +0200
commit0587da741a0edad6e5eefedbc1d200f0e2c81f2b (patch)
tree2db6f1849ce6c01e2ee945ae8a50e3459bae054e
parent187d1435142c50e627890ddd5049a9f43ebbe1a2 (diff)
[OOM-CERT-SERVICE] Fix vulnerabilities for Kohn
- update gson to 2.9.0 - update commons-io to 2.11.0 - update httpclient to 4.5.13 - update bcprov-jdk15on to 1.70 - left version of sonar-go-plugin at 1.1.1.2000 - fix the implementation with respect to the update - include py3.8 fix (https://gerrit.onap.org/r/c/oom/platform/cert-service/+/130574) Issue-ID: OOM-2985 Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de> Change-Id: I0d6b775c3f09b283900981c49db4abaf80d33b11
-rw-r--r--certService/pom.xml4
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java5
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java5
-rw-r--r--certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java3
-rw-r--r--certServiceClient/pom.xml4
-rw-r--r--certServiceK8sExternalProvider/pom.xml2
-rw-r--r--certServicePostProcessor/pom.xml4
-rw-r--r--certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java17
-rw-r--r--docs/conf.py3
-rw-r--r--docs/tox.ini8
-rw-r--r--pom.xml10
-rw-r--r--version.properties2
12 files changed, 41 insertions, 26 deletions
diff --git a/certService/pom.xml b/certService/pom.xml
index 13fed005..973da643 100644
--- a/certService/pom.xml
+++ b/certService/pom.xml
@@ -18,10 +18,10 @@
<parent>
<groupId>org.onap.oom.platform.cert-service</groupId>
<artifactId>oom-certservice</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
</parent>
<artifactId>oom-certservice-api</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
<name>oom-certservice-api</name>
<description>OOM Certification Service Api</description>
<packaging>jar</packaging>
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 463451bd..3fac6656 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -31,10 +31,11 @@ import java.security.Signature;
import java.security.SignatureException;
import java.util.Date;
+import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DEROutputStream;
+import org.bouncycastle.asn1.ASN1OutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.crmf.CertRequest;
@@ -127,7 +128,7 @@ public final class CmpMessageHelper {
final CertRequest certRequest, final KeyPair keypair) throws CmpClientException {
ProofOfPossession proofOfPossession;
try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
- final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream);
+ final ASN1OutputStream derOutputStream = ASN1OutputStream.create(byteArrayOutputStream,ASN1Encoding.DER);
derOutputStream.writeObject(certRequest);
byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray();
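Review bot: The stream wrapper on the changed line is more machinery than the encoding step needs, and the same pattern recurs in the CmpUtil.java hunk at `ASN1OutputStream out = ASN1OutputStream.create(baos,ASN1Encoding.DER);`. Here `byte[] popoProtectionBytes = certRequest.getEncoded(ASN1Encoding.DER);` would produce the same DER bytes directly, and in CmpUtil `res = protectedPart.toASN1Primitive().getEncoded(ASN1Encoding.DER);` does the same for the protected part. That keeps the encoding of the bytes that appear to feed the proof-of-possession and message protection visible in one expression. If the stream form stays, add the space after the comma and consider renaming `derOutputStream`, since its type is no longer DER-specific. The enclosing method starts and ends outside this hunk, so the surrounding try/catch would need adjusting to match.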
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
index 0d0d7f34..fac4150a 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
@@ -22,11 +22,12 @@
package org.onap.oom.certservice.cmpv2client.impl;
import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1GeneralizedTime;
import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1OutputStream;
import org.bouncycastle.asn1.DEROctetString;
-import org.bouncycastle.asn1.DEROutputStream;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
@@ -116,7 +117,7 @@ public final class CmpUtil {
vector.add(body);
ASN1Encodable protectedPart = new DERSequence(vector);
try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
- DEROutputStream out = new DEROutputStream(baos);
+ ASN1OutputStream out = ASN1OutputStream.create(baos,ASN1Encoding.DER);
out.writeObject(protectedPart);
res = baos.toByteArray();
} catch (IOException ioe) {
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java
index 90044b66..f3da0f32 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java
@@ -36,6 +36,7 @@ import javax.crypto.spec.SecretKeySpec;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.ASN1BitString;
import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
import org.bouncycastle.asn1.cmp.PBMParameter;
@@ -66,7 +67,7 @@ public final class CmpResponseValidationHelper {
static void verifySignature(PKIMessage respPkiMessage, PublicKey pk)
throws CmpClientException {
final byte[] protBytes = getProtectedBytes(respPkiMessage);
- final DERBitString derBitString = respPkiMessage.getProtection();
+ final DERBitString derBitString = (DERBitString) respPkiMessage.getProtection();
try {
final Signature signature =
Signature.getInstance(
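Review bot: The added downcast `(DERBitString) respPkiMessage.getProtection()` can throw ClassCastException if the parsed response carries a bit string that is not a DERBitString instance. That unchecked exception would escape the `throws CmpClientException` contract of verifySignature, on data that comes from the remote CA. The cast implies getProtection() now returns a wider type, presumably ASN1BitString, which the first hunk of this file imports but the visible lines never use. Declaring the local as `final ASN1BitString protection = respPkiMessage.getProtection();` avoids the cast. The use of derBitString lies below the hunk, so confirm that the call made there exists on ASN1BitString and that a missing (null) protection field is rejected before it is dereferenced.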
diff --git a/certServiceClient/pom.xml b/certServiceClient/pom.xml
index d330d82e..cd1be6a4 100644
--- a/certServiceClient/pom.xml
+++ b/certServiceClient/pom.xml
@@ -18,12 +18,12 @@
<parent>
<artifactId>oom-certservice</artifactId>
<groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.3.3-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>oom-certservice-client</artifactId>
- <version>2.3.3-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
<name>oom-certservice-client</name>
<description>OOM Certification Service Api Client</description>
<packaging>jar</packaging>
diff --git a/certServiceK8sExternalProvider/pom.xml b/certServiceK8sExternalProvider/pom.xml
index 30b419ef..832a0e01 100644
--- a/certServiceK8sExternalProvider/pom.xml
+++ b/certServiceK8sExternalProvider/pom.xml
@@ -5,7 +5,7 @@
<parent>
<artifactId>oom-certservice</artifactId>
<groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
diff --git a/certServicePostProcessor/pom.xml b/certServicePostProcessor/pom.xml
index 5ea30809..5137ef93 100644
--- a/certServicePostProcessor/pom.xml
+++ b/certServicePostProcessor/pom.xml
@@ -5,12 +5,12 @@
<parent>
<artifactId>oom-certservice</artifactId>
<groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
</parent>
<modelVersion>4.0.0</modelVersion>
<artifactId>oom-certservice-post-processor</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
<name>oom-certservice-post-processor</name>
<description>An application which conducts certificate post-processing like: merging truststores, copying keystores.</description>
<packaging>jar</packaging>
diff --git a/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java b/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java
index 642721cc..8e360523 100644
--- a/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java
+++ b/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java
@@ -29,6 +29,7 @@ import java.io.IOException;
import java.io.StringWriter;
import java.security.Security;
import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.List;
@@ -89,8 +90,13 @@ public class PemTruststore extends Truststore {
}
boolean isFileWithoutPemCertificate() throws TruststoreDataOperationException {
- List<Certificate> certificateList = extractCertificatesFromFile();
- return certificateList.isEmpty();
+ try {
+ List<Certificate> certificateList = extractCertificatesFromFile();
+ return certificateList.isEmpty();
+ } catch (TruststoreDataOperationException e) {
+ LOGGER.error("Cannot extract certificates from file: {}", storeFile.getPath());
+ }
+ return true;
}
String transformToStringInPemFormat(List<Certificate> certificates) throws TruststoreDataOperationException {
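Review bot: The new catch in isFileWithoutPemCertificate turns a read or parse failure into `return true`, so a corrupt or unreadable truststore is reported the same way as one that holds no PEM certificates. If callers use this result to decide how a file takes part in the merge, a damaged truststore could be handled silently as an empty one. The choice deserves a comment at the catch, such as `// an unreadable file is deliberately treated as containing no PEM certificates`. The log call also drops the cause; assuming LOGGER is an SLF4J-style logger, `LOGGER.error("Cannot extract certificates from file: {}", storeFile.getPath(), e);` keeps the stack trace. The `throws TruststoreDataOperationException` clause on the signature is now stale, because the only call that raised it is inside the try.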
@@ -112,7 +118,12 @@ public class PemTruststore extends Truststore {
Security.addProvider(new BouncyCastleProvider());
CertificateFactory certFactory = CertificateFactory.getInstance(X_509_CERTIFICATE, BOUNCY_CASTLE_PROVIDER);
return new ArrayList<>(certFactory.generateCertificates(inputStream));
- } catch (Exception e) {
+ }
+ catch (CertificateException e) {
+ LOGGER.error("Cannot read certificates from file: {}", storeFile.getPath());
+ throw new TruststoreDataOperationException(e);
+ }
+ catch (Exception e) {
LOGGER.error("Cannot read certificates from file: {}", storeFile.getPath());
throw new TruststoreDataOperationException(e);
}
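Review bot: The added `catch (CertificateException e)` block has exactly the same body as the `catch (Exception e)` that follows it, so it changes nothing at runtime and only duplicates the log-and-rethrow. Either drop it, or give it a distinct message such as `LOGGER.error("File does not contain valid X.509 certificates: {}", storeFile.getPath());` so a malformed certificate can be told apart from an I/O or provider failure in the logs. The closing brace and `catch` are also split across two lines here, unlike the `} catch (...) {` form used in the other Java hunks of this commit. The try block opens above the hunk.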
diff --git a/docs/conf.py b/docs/conf.py
index 351d0ccd..f6aebe82 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -6,7 +6,8 @@ master_doc = 'index'
linkcheck_ignore = [
'http://localhost',
'http://ejbca',
- 'https://localhost'
+ 'https://localhost',
+ 'https://download.primekey.com'
]
exclude_patterns = [
diff --git a/docs/tox.ini b/docs/tox.ini
index 509ac7d2..abbe5d27 100644
--- a/docs/tox.ini
+++ b/docs/tox.ini
@@ -4,10 +4,10 @@ envlist = docs,docs-linkcheck
skipsdist = true
[testenv:docs]
-basepython = python3
+basepython = python3.8
deps =
-r{toxinidir}/requirements-docs.txt
- -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt
+ -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt
-chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt
commands =
sphinx-build -W -b html -n -d {envtmpdir}/doctrees ./ {toxinidir}/_build/html
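Review bot: The new constraints URL `-chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt` points at a branch, so the versions the docs build resolves can change without any commit in this repository. The same line is added to `[testenv:docs-linkcheck]` in the next hunk. Pinning the URL to a tag or commit (`.../openstack/requirements/<commit-sha>/upper-constraints.txt`, placeholder) would make the build reproducible and limit what an upstream change can pull in. A one-line comment saying why the ONAP-hosted upper-constraints.os.txt was replaced would also help the next maintainer.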
@@ -18,10 +18,10 @@ whitelist_externals =
sh
[testenv:docs-linkcheck]
-basepython = python3
+basepython = python3.8
deps =
-r{toxinidir}/requirements-docs.txt
- -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt?h=master
+ -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt
-chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master
commands =
sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees ./ {toxinidir}/_build/linkcheck
diff --git a/pom.xml b/pom.xml
index 75c90ff0..ec7ec115 100644
--- a/pom.xml
+++ b/pom.xml
@@ -23,7 +23,7 @@
</parent>
<groupId>org.onap.oom.platform.cert-service</groupId>
<artifactId>oom-certservice</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
<name>oom-certservice</name>
<description>OOM Certification Service</description>
<packaging>pom</packaging>
@@ -49,14 +49,14 @@
<spring.cloud-version>2020.0.3</spring.cloud-version>
<springdoc-openapi-ui.version>1.2.30</springdoc-openapi-ui.version>
- <bouncycastle.version>1.60</bouncycastle.version>
+ <bouncycastle.version>1.70</bouncycastle.version>
<docker-maven-plugin.version>0.33.0</docker-maven-plugin.version>
<springdoc-openapi-maven-plugin.version>0.2</springdoc-openapi-maven-plugin.version>
- <gson.version>2.8.6</gson.version>
- <httpcomponents.version>4.5.6</httpcomponents.version>
+ <gson.version>2.9.0</gson.version>
+ <httpcomponents.version>4.5.13</httpcomponents.version>
<commons-lang3.version>3.9</commons-lang3.version>
<commons-validator.version>1.7</commons-validator.version>
- <commons-io.version>2.6</commons-io.version>
+ <commons-io.version>2.11.0</commons-io.version>
<junit.version>5.5.2</junit.version>
<mockito-junit-jupiter.version>2.17.0</mockito-junit-jupiter.version>
<log4j2.version>2.17.1</log4j2.version>
diff --git a/version.properties b/version.properties
index 6c697332..8201005b 100644
--- a/version.properties
+++ b/version.properties
@@ -1,5 +1,5 @@
major=2
-minor=5
+minor=6
patch=0
base_version=${major}.${minor}.${patch}
release_version=${base_version}