diff options
author | andre.schmid <andre.schmid@est.tech> | 2021-01-28 17:53:22 +0000 |
---|---|---|
committer | Vasyl Razinkov <vasyl.razinkov@est.tech> | 2021-02-21 13:07:13 +0000 |
commit | 13b39127c1c91d7c05c67ea2c14220c8f992cba5 (patch) | |
tree | 755c7ad631c0673c73e28f415cca9682889e729b /common-be/src/main/java | |
parent | 8cc03e2c78639be5500ab50f3ebaaf7d64404775 (diff) |
ETSI SOL007 3.3.1 package security option 2
Change-Id: I4e021c517449e6ddf11571c02d0b4bdbc93e7c1e
Issue-ID: SDC-2614
Signed-off-by: andre.schmid <andre.schmid@est.tech>
Diffstat (limited to 'common-be/src/main/java')
15 files changed, 759 insertions, 0 deletions
diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java new file mode 100644 index 0000000000..9ec8ea864e --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/CertificateManagerImpl.java @@ -0,0 +1,167 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security; + +import java.io.File; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.Key; +import java.security.Security; +import java.security.cert.Certificate; +import java.util.Arrays; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Optional; +import java.util.stream.Collectors; +import org.apache.commons.io.FilenameUtils; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.openecomp.sdc.be.csar.security.api.CertificateManager; +import org.openecomp.sdc.be.csar.security.api.CertificateReader; +import org.openecomp.sdc.be.csar.security.api.PrivateKeyReader; +import org.openecomp.sdc.be.csar.security.api.model.CertificateInfo; +import org.openecomp.sdc.be.csar.security.exception.CertificateNotFoundException; +import org.openecomp.sdc.be.csar.security.model.CertificateInfoImpl; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.core.env.Environment; +import org.springframework.stereotype.Component; + +@Component +public class CertificateManagerImpl implements CertificateManager { + + private static final Logger LOGGER = LoggerFactory.getLogger(CertificateManagerImpl.class); + + private final PrivateKeyReader privateKeyReader; + private final CertificateReader certificateReader; + private final Environment environment; + + private Path certificateDirectoryPath; + private File certificateDirectory; + private final Map<String, CertificateInfo> certificateMap = new HashMap<>(); + + public static final String CERT_DIR_ENV_VARIABLE = "SDC_CERT_DIR"; + + public CertificateManagerImpl(final PrivateKeyReader privateKeyReader, + final CertificateReader certificateReader, + final Environment environment) { + this.certificateReader = certificateReader; + this.privateKeyReader = privateKeyReader; + this.environment = environment; + init(); + } + + private void init() { + if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { + Security.addProvider(new BouncyCastleProvider()); + } + + final String certificateDir = environment.getProperty(CERT_DIR_ENV_VARIABLE); + if (certificateDir == null) { + LOGGER.warn("Environment variable '{}' was not provided. Could not load certificates.", CERT_DIR_ENV_VARIABLE); + return; + } + try { + this.certificateDirectoryPath = Paths.get(certificateDir); + } catch (final Exception e) { + LOGGER.error("Invalid path '{}' provided in the environment variable '{}'. Could not load certificates.", + certificateDir, CERT_DIR_ENV_VARIABLE, e); + return; + } + try { + loadCertificateDirectory(); + } catch (final Exception e) { + LOGGER.error("Could not load certificate directory", e); + return; + } + try { + loadCertificates(); + } catch (final Exception e) { + LOGGER.error("Could not load certificates", e); + } + } + + private void loadCertificates() { + final File[] files = certificateDirectory.listFiles(); + if (files == null || files.length == 0) { + LOGGER.warn("Certificate directory is empty. No trusted certificate found."); + return; + } + + final List<File> certFileList = Arrays.stream(files) + .filter(file -> "cert".equals(FilenameUtils.getExtension(file.getName()))) + .collect(Collectors.toList()); + final List<File> keyFileList = Arrays.stream(files) + .filter(file -> "key".equals(FilenameUtils.getExtension(file.getName()))) + .collect(Collectors.toList()); + + if (certFileList.isEmpty()) { + LOGGER.error("Certificate directory is empty. No trusted certificate found."); + return; + } + + certFileList.forEach(certFile -> { + final String baseFileName = FilenameUtils.getBaseName(certFile.getName()); + final Certificate certificate = loadCertificate(certFile); + final Optional<File> keyFileOptional = keyFileList.stream().filter( + keyFile1 -> FilenameUtils.getBaseName(keyFile1.getName()) + .equals(baseFileName)).findFirst(); + keyFileOptional.ifPresentOrElse( + keyFile -> { + final CertificateInfoImpl certificateInfo = + new CertificateInfoImpl(certFile, certificate, keyFile, loadPrivateKey(keyFile)); + if (certificateInfo.isValid()) { + certificateMap.put(baseFileName, certificateInfo); + } + }, + () -> { + final CertificateInfoImpl certificateInfo = new CertificateInfoImpl(certFile, certificate); + if (certificateInfo.isValid()) { + certificateMap.put(baseFileName, new CertificateInfoImpl(certFile, certificate)); + } + } + ); + }); + } + + private void loadCertificateDirectory() { + final File file = certificateDirectoryPath.toFile(); + if (!file.exists() || !file.isDirectory()) { + final String errorMsg = + String.format("Provided certificate path '%s' is not a directory or does not exist", + certificateDirectoryPath); + throw new CertificateNotFoundException(errorMsg); + } + this.certificateDirectory = file; + } + + private Certificate loadCertificate(final File certFile) { + return certificateReader.loadCertificate(certFile); + } + + private Key loadPrivateKey(final File privateKeyFile) { + return privateKeyReader.loadPrivateKey(privateKeyFile); + } + + @Override + public Optional<CertificateInfo> getCertificate(final String certName) { + return Optional.ofNullable(certificateMap.get(certName)); + } +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java new file mode 100644 index 0000000000..a6ee61d680 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/PrivateKeyReaderImpl.java @@ -0,0 +1,53 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security; + +import java.io.File; +import java.io.FileReader; +import java.security.Key; +import org.bouncycastle.asn1.pkcs.PrivateKeyInfo; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter; +import org.openecomp.sdc.be.csar.security.api.PrivateKeyReader; +import org.openecomp.sdc.be.csar.security.exception.LoadPrivateKeyException; +import org.openecomp.sdc.be.csar.security.exception.UnsupportedKeyFormatException; +import org.springframework.stereotype.Component; + +@Component +public class PrivateKeyReaderImpl implements PrivateKeyReader { + + @Override + public Key loadPrivateKey(final File privateKeyFile) { + try (final PEMParser pemParser = new PEMParser(new FileReader(privateKeyFile))) { + final Object pemObject = pemParser.readObject(); + final JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider(BouncyCastleProvider.PROVIDER_NAME); + if (pemObject instanceof PrivateKeyInfo) { + return converter.getPrivateKey((PrivateKeyInfo) pemObject); + } + } catch (final Exception e) { + final String errorMsg = "Could not load the private key from given file '%s'"; + throw new LoadPrivateKeyException(String.format(errorMsg, privateKeyFile), e); + } + final String errorMsg = "Could not load the private key from given file '%s'. Unsupported format."; + throw new UnsupportedKeyFormatException(String.format(errorMsg, privateKeyFile)); + } + +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java new file mode 100644 index 0000000000..7b7273e810 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/Sha256WithRsaCmsContentSigner.java @@ -0,0 +1,98 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security; + +import java.io.IOException; +import java.io.StringWriter; +import java.security.Key; +import java.security.PrivateKey; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import org.bouncycastle.asn1.ASN1Primitive; +import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.cert.jcajce.JcaCertStore; +import org.bouncycastle.cms.CMSProcessableByteArray; +import org.bouncycastle.cms.CMSSignedData; +import org.bouncycastle.cms.CMSSignedDataGenerator; +import org.bouncycastle.cms.CMSTypedData; +import org.bouncycastle.cms.jcajce.JcaSignerInfoGeneratorBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.jcajce.JcaPEMWriter; +import org.bouncycastle.operator.ContentSigner; +import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; +import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder; +import org.openecomp.sdc.be.csar.security.api.CmsContentSigner; +import org.openecomp.sdc.be.csar.security.exception.CmsSignatureException; +import org.springframework.stereotype.Component; + +@Component +public class Sha256WithRsaCmsContentSigner implements CmsContentSigner { + + @Override + public byte[] signData(final byte[] data, final Certificate signingCertificate, final Key signingKey) + throws CmsSignatureException { + + final CMSTypedData cmsData = new CMSProcessableByteArray(data); + final JcaCertStore certStore = createCertificateStore(signingCertificate); + try { + final ContentSigner contentSigner + = new JcaContentSignerBuilder("SHA256withRSA") + .setProvider(BouncyCastleProvider.PROVIDER_NAME).build((PrivateKey) signingKey); + + final CMSSignedDataGenerator cmsGenerator = new CMSSignedDataGenerator(); + cmsGenerator.addSignerInfoGenerator( + new JcaSignerInfoGeneratorBuilder( + new JcaDigestCalculatorProviderBuilder().setProvider(BouncyCastleProvider.PROVIDER_NAME).build() + ).build(contentSigner, (X509Certificate) signingCertificate) + ); + cmsGenerator.addCertificates(certStore); + + final CMSSignedData cms = cmsGenerator.generate(cmsData, false); + return cms.getEncoded(); + } catch (final Exception e) { + throw new CmsSignatureException("Could not sign the given data", e); + } + } + + @Override + public String formatToPemSignature(final byte[] signedData) throws CmsSignatureException { + final StringWriter sw = new StringWriter(); + try (final JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(sw)) { + final ContentInfo ci = ContentInfo.getInstance(ASN1Primitive.fromByteArray(signedData)); + jcaPEMWriter.writeObject(ci); + } catch (final IOException e) { + throw new CmsSignatureException("Could not convert signed data to PEM format", e); + } + return sw.toString(); + } + + private JcaCertStore createCertificateStore(final Certificate signingCertificate) throws CmsSignatureException { + try { + return new JcaCertStore(Collections.singletonList(signingCertificate)); + } catch (final CertificateEncodingException e) { + final String errorMsg = String + .format("Could not create certificate store from certificate '%s'", signingCertificate); + throw new CmsSignatureException(errorMsg, e); + } + } + +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java new file mode 100644 index 0000000000..b8e95e7b18 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/X509CertificateReader.java @@ -0,0 +1,57 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security; + +import java.io.File; +import java.io.FileInputStream; +import java.io.InputStream; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import org.openecomp.sdc.be.csar.security.api.CertificateReader; +import org.openecomp.sdc.be.csar.security.exception.LoadCertificateException; +import org.springframework.stereotype.Component; + +@Component +public class X509CertificateReader implements CertificateReader { + + /** + * Reads X.509 certificate file. + * + * @param certFile the certificate file + * @return the read certificate + * @throws LoadCertificateException when an error has occurred while reading the certificate + */ + @Override + public Certificate loadCertificate(final File certFile) { + try (final FileInputStream fi = new FileInputStream(certFile)) { + return buildCertificate(fi); + } catch (final Exception e) { + final String errorMsg = "Could not load the certificate from given file '%s'"; + throw new LoadCertificateException(String.format(errorMsg, certFile), e); + } + } + + private Certificate buildCertificate(final InputStream certificateInputStream) throws CertificateException { + final CertificateFactory factory = CertificateFactory.getInstance("X.509"); + return factory.generateCertificate(certificateInputStream); + } + +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java new file mode 100644 index 0000000000..53437f399f --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateManager.java @@ -0,0 +1,29 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.api; + +import java.util.Optional; +import org.openecomp.sdc.be.csar.security.api.model.CertificateInfo; + +public interface CertificateManager { + + Optional<CertificateInfo> getCertificate(String certName); + +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java new file mode 100644 index 0000000000..4c32fa1cee --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CertificateReader.java @@ -0,0 +1,34 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.api; + +import java.io.File; +import java.security.cert.Certificate; + +public interface CertificateReader { + + /** + * Reads a certificate file. + * + * @param certFile the certificate file + * @return the read certificate + */ + Certificate loadCertificate(File certFile); +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java new file mode 100644 index 0000000000..37bd988e50 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/CmsContentSigner.java @@ -0,0 +1,32 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.api; + +import java.security.Key; +import java.security.cert.Certificate; +import org.openecomp.sdc.be.csar.security.exception.CmsSignatureException; + +public interface CmsContentSigner { + + byte[] signData(byte[] data, Certificate signingCertificate, Key signingKey) + throws CmsSignatureException; + + String formatToPemSignature(byte[] signedData) throws CmsSignatureException; +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java new file mode 100644 index 0000000000..3e8c406b74 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/PrivateKeyReader.java @@ -0,0 +1,38 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.api; + +import java.io.File; +import java.security.Key; +import org.openecomp.sdc.be.csar.security.exception.LoadPrivateKeyException; +import org.openecomp.sdc.be.csar.security.exception.UnsupportedKeyFormatException; + +public interface PrivateKeyReader { + + /** + * Reads a given private file. + * + * @param privateKeyFile the private key file + * @return the read private key + * @throws LoadPrivateKeyException when an error has occurred while reading the private key + * @throws UnsupportedKeyFormatException when the private key is not supported + */ + Key loadPrivateKey(final File privateKeyFile); +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java new file mode 100644 index 0000000000..5b234cc661 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/api/model/CertificateInfo.java @@ -0,0 +1,46 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.api.model; + +import java.io.File; +import java.security.Key; +import java.security.cert.Certificate; + +public interface CertificateInfo { + + String getName(); + + File getCertificateFile(); + + Certificate getCertificate(); + + File getPrivateKeyFile(); + + Key getPrivateKey(); + + /** + * Check if the certificate is valid. + * + * @return {@code true} if the certificate is valid. {@code false} otherwise. + * @throws UnsupportedOperationException when the certificate is not supported + */ + boolean isValid(); + +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java new file mode 100644 index 0000000000..a2175f379c --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CertificateNotFoundException.java @@ -0,0 +1,27 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.exception; + +public class CertificateNotFoundException extends RuntimeException { + + public CertificateNotFoundException(final String message) { + super(message); + } +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java new file mode 100644 index 0000000000..6bc49d6e4d --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/CmsSignatureException.java @@ -0,0 +1,27 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.exception; + +public class CmsSignatureException extends Exception { + + public CmsSignatureException(final String message, final Throwable cause) { + super(message, cause); + } +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java new file mode 100644 index 0000000000..3cd10628f5 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadCertificateException.java @@ -0,0 +1,27 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.exception; + +public class LoadCertificateException extends RuntimeException { + + public LoadCertificateException(final String message, final Throwable cause) { + super(message, cause); + } +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java new file mode 100644 index 0000000000..00681bc842 --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/LoadPrivateKeyException.java @@ -0,0 +1,27 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.exception; + +public class LoadPrivateKeyException extends RuntimeException { + + public LoadPrivateKeyException(final String message, final Throwable cause) { + super(message, cause); + } +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java new file mode 100644 index 0000000000..d30f6f274a --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/exception/UnsupportedKeyFormatException.java @@ -0,0 +1,27 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.exception; + +public class UnsupportedKeyFormatException extends RuntimeException { + + public UnsupportedKeyFormatException(final String message) { + super(message); + } +} diff --git a/common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java new file mode 100644 index 0000000000..f7b2fafb3c --- /dev/null +++ b/common-be/src/main/java/org/openecomp/sdc/be/csar/security/model/CertificateInfoImpl.java @@ -0,0 +1,70 @@ +/* + * ============LICENSE_START======================================================= + * Copyright (C) 2021 Nordix Foundation + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * SPDX-License-Identifier: Apache-2.0 + * ============LICENSE_END========================================================= + */ + +package org.openecomp.sdc.be.csar.security.model; + +import java.io.File; +import java.security.Key; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import lombok.Getter; +import org.apache.commons.io.FilenameUtils; +import org.openecomp.sdc.be.csar.security.api.model.CertificateInfo; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +@Getter +public class CertificateInfoImpl implements CertificateInfo { + + private static final Logger LOGGER = LoggerFactory.getLogger(CertificateInfoImpl.class); + + private final String name; + private final File certificateFile; + private final Certificate certificate; + private File privateKeyFile; + private Key privateKey; + + public CertificateInfoImpl(final File certificateFile, final Certificate certificate) { + this.certificateFile = certificateFile; + this.certificate = certificate; + this.name = FilenameUtils.getBaseName(certificateFile.getName()); + } + + public CertificateInfoImpl(final File certificateFile, final Certificate certificate, + final File privateKeyFile, final Key privateKey) { + this(certificateFile, certificate); + this.privateKeyFile = privateKeyFile; + this.privateKey = privateKey; + } + + @Override + public boolean isValid() { + if("X.509".equals(certificate.getType())) { + try { + ((X509Certificate) certificate).checkValidity(); + return true; + } catch (final Exception e) { + LOGGER.warn("Invalid certificate '{}'", certificateFile.getAbsolutePath(), e); + return false; + } + } + throw new UnsupportedOperationException(String.format("Certificate type '%s' not supported", certificate.getType())); + } + +} |