summaryrefslogtreecommitdiffstats
path: root/common-be/src/main/java/org/openecomp
diff options
context:
space:
mode:
authorandre.schmid <andre.schmid@est.tech>2021-01-28 17:53:22 +0000
committerVasyl Razinkov <vasyl.razinkov@est.tech>2021-02-21 13:07:13 +0000
commit13b39127c1c91d7c05c67ea2c14220c8f992cba5 (patch)
tree755c7ad631c0673c73e28f415cca9682889e729b /common-be/src/main/java/org/openecomp
parent8cc03e2c78639be5500ab50f3ebaaf7d64404775 (diff)
ETSI SOL007 3.3.1 package security option 2
Change-Id: I4e021c517449e6ddf11571c02d0b4bdbc93e7c1e Issue-ID: SDC-2614 Signed-off-by: andre.schmid <andre.schmid@est.tech>
Diffstat (limited to 'common-be/src/main/java/org/openecomp')
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java167
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java53
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java98
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java57
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java29
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java34
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java32
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java38
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java46
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java27
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java27
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java27
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java27
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java27
-rw-r--r--common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java70
15 files changed, 759 insertions, 0 deletions
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java
new file mode 100644
index 0000000000..9ec8ea864e
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java
@@ -0,0 +1,167 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security;
+
+import java.io.File;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.Key;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Collectors;
+import org.apache.commons.io.FilenameUtils;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.openecomp.sdc.be.csar.security.api.CertificateManager;
+import org.openecomp.sdc.be.csar.security.api.CertificateReader;
+import org.openecomp.sdc.be.csar.security.api.PrivateKeyReader;
+import org.openecomp.sdc.be.csar.security.api.model.CertificateInfo;
+import org.openecomp.sdc.be.csar.security.exception.CertificateNotFoundException;
+import org.openecomp.sdc.be.csar.security.model.CertificateInfoImpl;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.core.env.Environment;
+import org.springframework.stereotype.Component;
+
+@Component
+public class CertificateManagerImpl implements CertificateManager {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(CertificateManagerImpl.class);
+
+ private final PrivateKeyReader privateKeyReader;
+ private final CertificateReader certificateReader;
+ private final Environment environment;
+
+ private Path certificateDirectoryPath;
+ private File certificateDirectory;
+ private final Map<String, CertificateInfo> certificateMap = new HashMap<>();
+
+ public static final String CERT_DIR_ENV_VARIABLE = "SDC_CERT_DIR";
+
+ public CertificateManagerImpl(final PrivateKeyReader privateKeyReader,
+ final CertificateReader certificateReader,
+ final Environment environment) {
+ this.certificateReader = certificateReader;
+ this.privateKeyReader = privateKeyReader;
+ this.environment = environment;
+ init();
+ }
+
+ private void init() {
+ if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
+ Security.addProvider(new BouncyCastleProvider());
+ }
+
+ final String certificateDir = environment.getProperty(CERT_DIR_ENV_VARIABLE);
+ if (certificateDir == null) {
+ LOGGER.warn("Environment variable '{}' was not provided. Could not load certificates.", CERT_DIR_ENV_VARIABLE);
+ return;
+ }
+ try {
+ this.certificateDirectoryPath = Paths.get(certificateDir);
+ } catch (final Exception e) {
+ LOGGER.error("Invalid path '{}' provided in the environment variable '{}'. Could not load certificates.",
+ certificateDir, CERT_DIR_ENV_VARIABLE, e);
+ return;
+ }
+ try {
+ loadCertificateDirectory();
+ } catch (final Exception e) {
+ LOGGER.error("Could not load certificate directory", e);
+ return;
+ }
+ try {
+ loadCertificates();
+ } catch (final Exception e) {
+ LOGGER.error("Could not load certificates", e);
+ }
+ }
+
+ private void loadCertificates() {
+ final File[] files = certificateDirectory.listFiles();
+ if (files == null || files.length == 0) {
+ LOGGER.warn("Certificate directory is empty. No trusted certificate found.");
+ return;
+ }
+
+ final List<File> certFileList = Arrays.stream(files)
+ .filter(file -> "cert".equals(FilenameUtils.getExtension(file.getName())))
+ .collect(Collectors.toList());
+ final List<File> keyFileList = Arrays.stream(files)
+ .filter(file -> "key".equals(FilenameUtils.getExtension(file.getName())))
+ .collect(Collectors.toList());
+
+ if (certFileList.isEmpty()) {
+ LOGGER.error("Certificate directory is empty. No trusted certificate found.");
+ return;
+ }
+
+ certFileList.forEach(certFile -> {
+ final String baseFileName = FilenameUtils.getBaseName(certFile.getName());
+ final Certificate certificate = loadCertificate(certFile);
+ final Optional<File> keyFileOptional = keyFileList.stream().filter(
+ keyFile1 -> FilenameUtils.getBaseName(keyFile1.getName())
+ .equals(baseFileName)).findFirst();
+ keyFileOptional.ifPresentOrElse(
+ keyFile -> {
+ final CertificateInfoImpl certificateInfo =
+ new CertificateInfoImpl(certFile, certificate, keyFile, loadPrivateKey(keyFile));
+ if (certificateInfo.isValid()) {
+ certificateMap.put(baseFileName, certificateInfo);
+ }
+ },
+ () -> {
+ final CertificateInfoImpl certificateInfo = new CertificateInfoImpl(certFile, certificate);
+ if (certificateInfo.isValid()) {
+ certificateMap.put(baseFileName, new CertificateInfoImpl(certFile, certificate));
+ }
+ }
+ );
+ });
+ }
+
+ private void loadCertificateDirectory() {
+ final File file = certificateDirectoryPath.toFile();
+ if (!file.exists() || !file.isDirectory()) {
+ final String errorMsg =
+ String.format("Provided certificate path '%s' is not a directory or does not exist",
+ certificateDirectoryPath);
+ throw new CertificateNotFoundException(errorMsg);
+ }
+ this.certificateDirectory = file;
+ }
+
+ private Certificate loadCertificate(final File certFile) {
+ return certificateReader.loadCertificate(certFile);
+ }
+
+ private Key loadPrivateKey(final File privateKeyFile) {
+ return privateKeyReader.loadPrivateKey(privateKeyFile);
+ }
+
+ @Override
+ public Optional<CertificateInfo> getCertificate(final String certName) {
+ return Optional.ofNullable(certificateMap.get(certName));
+ }
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java
new file mode 100644
index 0000000000..a6ee61d680
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java
@@ -0,0 +1,53 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security;
+
+import java.io.File;
+import java.io.FileReader;
+import java.security.Key;
+import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
+import org.openecomp.sdc.be.csar.security.api.PrivateKeyReader;
+import org.openecomp.sdc.be.csar.security.exception.LoadPrivateKeyException;
+import org.openecomp.sdc.be.csar.security.exception.UnsupportedKeyFormatException;
+import org.springframework.stereotype.Component;
+
+@Component
+public class PrivateKeyReaderImpl implements PrivateKeyReader {
+
+ @Override
+ public Key loadPrivateKey(final File privateKeyFile) {
+ try (final PEMParser pemParser = new PEMParser(new FileReader(privateKeyFile))) {
+ final Object pemObject = pemParser.readObject();
+ final JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME);
+ if (pemObject instanceof PrivateKeyInfo) {
+ return converter.getPrivateKey((PrivateKeyInfo) pemObject);
+ }
+ } catch (final Exception e) {
+ final String errorMsg = "Could not load the private key from given file '%s'";
+ throw new LoadPrivateKeyException(String.format(errorMsg, privateKeyFile), e);
+ }
+ final String errorMsg = "Could not load the private key from given file '%s'. Unsupported format.";
+ throw new UnsupportedKeyFormatException(String.format(errorMsg, privateKeyFile));
+ }
+
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java
new file mode 100644
index 0000000000..7b7273e810
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java
@@ -0,0 +1,98 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+import org.bouncycastle.asn1.ASN1Primitive;
+import org.bouncycastle.asn1.cms.ContentInfo;
+import org.bouncycastle.cert.jcajce.JcaCertStore;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.CMSSignedDataGenerator;
+import org.bouncycastle.cms.CMSTypedData;
+import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder;
+import org.openecomp.sdc.be.csar.security.api.CmsContentSigner;
+import org.openecomp.sdc.be.csar.security.exception.CmsSignatureException;
+import org.springframework.stereotype.Component;
+
+@Component
+public class Sha256WithRsaCmsContentSigner implements CmsContentSigner {
+
+ @Override
+ public byte[] signData(final byte[] data, final Certificate signingCertificate, final Key signingKey)
+ throws CmsSignatureException {
+
+ final CMSTypedData cmsData = new CMSProcessableByteArray(data);
+ final JcaCertStore certStore = createCertificateStore(signingCertificate);
+ try {
+ final ContentSigner contentSigner
+ = new JcaContentSignerBuilder("SHA256withRSA")
+ .setProvider(BouncyCastleProvider.PROVIDER_NAME).build((PrivateKey) signingKey);
+
+ final CMSSignedDataGenerator cmsGenerator = new CMSSignedDataGenerator();
+ cmsGenerator.addSignerInfoGenerator(
+ new JcaSignerInfoGeneratorBuilder(
+ new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build()
+ ).build(contentSigner, (X509Certificate) signingCertificate)
+ );
+ cmsGenerator.addCertificates(certStore);
+
+ final CMSSignedData cms = cmsGenerator.generate(cmsData, false);
+ return cms.getEncoded();
+ } catch (final Exception e) {
+ throw new CmsSignatureException("Could not sign the given data", e);
+ }
+ }
+
+ @Override
+ public String formatToPemSignature(final byte[] signedData) throws CmsSignatureException {
+ final StringWriter sw = new StringWriter();
+ try (final JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(sw)) {
+ final ContentInfo ci = ContentInfo.getInstance(ASN1Primitive.fromByteArray(signedData));
+ jcaPEMWriter.writeObject(ci);
+ } catch (final IOException e) {
+ throw new CmsSignatureException("Could not convert signed data to PEM format", e);
+ }
+ return sw.toString();
+ }
+
+ private JcaCertStore createCertificateStore(final Certificate signingCertificate) throws CmsSignatureException {
+ try {
+ return new JcaCertStore(Collections.singletonList(signingCertificate));
+ } catch (final CertificateEncodingException e) {
+ final String errorMsg = String
+ .format("Could not create certificate store from certificate '%s'", signingCertificate);
+ throw new CmsSignatureException(errorMsg, e);
+ }
+ }
+
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java
new file mode 100644
index 0000000000..b8e95e7b18
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java
@@ -0,0 +1,57 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.InputStream;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import org.openecomp.sdc.be.csar.security.api.CertificateReader;
+import org.openecomp.sdc.be.csar.security.exception.LoadCertificateException;
+import org.springframework.stereotype.Component;
+
+@Component
+public class X509CertificateReader implements CertificateReader {
+
+ /**
+ * Reads X.509 certificate file.
+ *
+ * @param certFile the certificate file
+ * @return the read certificate
+ * @throws LoadCertificateException when an error has occurred while reading the certificate
+ */
+ @Override
+ public Certificate loadCertificate(final File certFile) {
+ try (final FileInputStream fi = new FileInputStream(certFile)) {
+ return buildCertificate(fi);
+ } catch (final Exception e) {
+ final String errorMsg = "Could not load the certificate from given file '%s'";
+ throw new LoadCertificateException(String.format(errorMsg, certFile), e);
+ }
+ }
+
+ private Certificate buildCertificate(final InputStream certificateInputStream) throws CertificateException {
+ final CertificateFactory factory = CertificateFactory.getInstance("X.509");
+ return factory.generateCertificate(certificateInputStream);
+ }
+
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java
new file mode 100644
index 0000000000..53437f399f
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java
@@ -0,0 +1,29 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.api;
+
+import java.util.Optional;
+import org.openecomp.sdc.be.csar.security.api.model.CertificateInfo;
+
+public interface CertificateManager {
+
+ Optional<CertificateInfo> getCertificate(String certName);
+
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java
new file mode 100644
index 0000000000..4c32fa1cee
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java
@@ -0,0 +1,34 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.api;
+
+import java.io.File;
+import java.security.cert.Certificate;
+
+public interface CertificateReader {
+
+ /**
+ * Reads a certificate file.
+ *
+ * @param certFile the certificate file
+ * @return the read certificate
+ */
+ Certificate loadCertificate(File certFile);
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java
new file mode 100644
index 0000000000..37bd988e50
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java
@@ -0,0 +1,32 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.api;
+
+import java.security.Key;
+import java.security.cert.Certificate;
+import org.openecomp.sdc.be.csar.security.exception.CmsSignatureException;
+
+public interface CmsContentSigner {
+
+ byte[] signData(byte[] data, Certificate signingCertificate, Key signingKey)
+ throws CmsSignatureException;
+
+ String formatToPemSignature(byte[] signedData) throws CmsSignatureException;
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java
new file mode 100644
index 0000000000..3e8c406b74
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java
@@ -0,0 +1,38 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.api;
+
+import java.io.File;
+import java.security.Key;
+import org.openecomp.sdc.be.csar.security.exception.LoadPrivateKeyException;
+import org.openecomp.sdc.be.csar.security.exception.UnsupportedKeyFormatException;
+
+public interface PrivateKeyReader {
+
+ /**
+ * Reads a given private file.
+ *
+ * @param privateKeyFile the private key file
+ * @return the read private key
+ * @throws LoadPrivateKeyException when an error has occurred while reading the private key
+ * @throws UnsupportedKeyFormatException when the private key is not supported
+ */
+ Key loadPrivateKey(final File privateKeyFile);
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java
new file mode 100644
index 0000000000..5b234cc661
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java
@@ -0,0 +1,46 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.api.model;
+
+import java.io.File;
+import java.security.Key;
+import java.security.cert.Certificate;
+
+public interface CertificateInfo {
+
+ String getName();
+
+ File getCertificateFile();
+
+ Certificate getCertificate();
+
+ File getPrivateKeyFile();
+
+ Key getPrivateKey();
+
+ /**
+ * Check if the certificate is valid.
+ *
+ * @return {@code true} if the certificate is valid. {@code false} otherwise.
+ * @throws UnsupportedOperationException when the certificate is not supported
+ */
+ boolean isValid();
+
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java
new file mode 100644
index 0000000000..a2175f379c
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java
@@ -0,0 +1,27 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.exception;
+
+public class CertificateNotFoundException extends RuntimeException {
+
+ public CertificateNotFoundException(final String message) {
+ super(message);
+ }
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java
new file mode 100644
index 0000000000..6bc49d6e4d
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java
@@ -0,0 +1,27 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.exception;
+
+public class CmsSignatureException extends Exception {
+
+ public CmsSignatureException(final String message, final Throwable cause) {
+ super(message, cause);
+ }
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java
new file mode 100644
index 0000000000..3cd10628f5
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java
@@ -0,0 +1,27 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.exception;
+
+public class LoadCertificateException extends RuntimeException {
+
+ public LoadCertificateException(final String message, final Throwable cause) {
+ super(message, cause);
+ }
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java
new file mode 100644
index 0000000000..00681bc842
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java
@@ -0,0 +1,27 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.exception;
+
+public class LoadPrivateKeyException extends RuntimeException {
+
+ public LoadPrivateKeyException(final String message, final Throwable cause) {
+ super(message, cause);
+ }
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java
new file mode 100644
index 0000000000..d30f6f274a
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java
@@ -0,0 +1,27 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.exception;
+
+public class UnsupportedKeyFormatException extends RuntimeException {
+
+ public UnsupportedKeyFormatException(final String message) {
+ super(message);
+ }
+}
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java
new file mode 100644
index 0000000000..f7b2fafb3c
--- /dev/null
+++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java
@@ -0,0 +1,70 @@
+/*
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2021 Nordix Foundation
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+
+package org.openecomp.sdc.be.csar.security.model;
+
+import java.io.File;
+import java.security.Key;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import lombok.Getter;
+import org.apache.commons.io.FilenameUtils;
+import org.openecomp.sdc.be.csar.security.api.model.CertificateInfo;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Getter
+public class CertificateInfoImpl implements CertificateInfo {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(CertificateInfoImpl.class);
+
+ private final String name;
+ private final File certificateFile;
+ private final Certificate certificate;
+ private File privateKeyFile;
+ private Key privateKey;
+
+ public CertificateInfoImpl(final File certificateFile, final Certificate certificate) {
+ this.certificateFile = certificateFile;
+ this.certificate = certificate;
+ this.name = FilenameUtils.getBaseName(certificateFile.getName());
+ }
+
+ public CertificateInfoImpl(final File certificateFile, final Certificate certificate,
+ final File privateKeyFile, final Key privateKey) {
+ this(certificateFile, certificate);
+ this.privateKeyFile = privateKeyFile;
+ this.privateKey = privateKey;
+ }
+
+ @Override
+ public boolean isValid() {
+ if("X.509".equals(certificate.getType())) {
+ try {
+ ((X509Certificate) certificate).checkValidity();
+ return true;
+ } catch (final Exception e) {
+ LOGGER.warn("Invalid certificate '{}'", certificateFile.getAbsolutePath(), e);
+ return false;
+ }
+ }
+ throw new UnsupportedOperationException(String.format("Certificate type '%s' not supported", certificate.getType()));
+ }
+
+}