diff options
| author |   kooper <sergey.sachkov@est.tech> | 2019-04-02 09:22:01 +0000 |
|---|---|---|
| committer | kooper <sergey.sachkov@est.tech> | 2019-04-02 09:22:01 +0000 |
| commit | b2f9dc5d3bc02564b4d952caa0bf2ccd20dfc6af (patch) | |
| tree | 9d26cfd0a4771c38bc1f662d697bce77190d5e4c /openecomp-be/backend | |
| parent | ddaa4ab7cbefb3c765b6d5732bef568a447f134a (diff) | |
Verify signature
Change-Id: I8fc5d50d74d3dd8031c96ee16708489dc7c789b8
Issue-ID: SDC-2163
Signed-off-by: kooper <sergey.sachkov@est.tech>
Diffstat (limited to 'openecomp-be/backend')
12 files changed, 483 insertions, 53 deletions
diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/pom.xml b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/pom.xml index 66f04f1ba7..74a691b373 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/pom.xml +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/pom.xml @@ -204,6 +204,11 @@ <version>${project.version}</version> </dependency> <dependency> + <groupId>org.bouncycastle</groupId> + <artifactId>bcpkix-jdk15on</artifactId> + <version>${bouncycastle.version}</version> + </dependency> + <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <scope>test</scope> diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java index d2da7ef20f..7b1890dcaa 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java @@ -20,83 +20,292 @@ package org.openecomp.sdc.vendorsoftwareproduct.security; import com.google.common.collect.ImmutableSet; +import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.CMSProcessableByteArray; +import org.bouncycastle.cms.CMSSignedData; +import org.bouncycastle.cms.CMSTypedData; +import org.bouncycastle.cms.SignerInformation; +import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; +import org.bouncycastle.jce.provider.BouncyCastleProvider; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.util.Store; import org.openecomp.sdc.logging.api.Logger; import org.openecomp.sdc.logging.api.LoggerFactory; +import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.IOException; import java.io.InputStream; +import java.io.InputStreamReader; +import java.security.GeneralSecurityException; +import java.security.InvalidAlgorithmParameterException; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; +import java.security.NoSuchProviderException; +import java.security.PublicKey; +import java.security.Security; +import java.security.SignatureException; +import java.security.cert.CertPathBuilder; +import java.security.cert.CertStore; import java.security.cert.Certificate; import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; import java.security.cert.CertificateFactory; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.CollectionCertStoreParameters; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathBuilderResult; +import java.security.cert.TrustAnchor; +import java.security.cert.X509CertSelector; +import java.security.cert.X509Certificate; +import java.util.Collection; import java.util.HashSet; import java.util.Set; /** - * This is temporary solution. When AAF provides functionality for verifying certificates, this class should be reviewed - * Class is responsible for providing root certificates from configured location in onboarding container. + * This is temporary solution. When AAF provides functionality for verifying trustedCertificates, this class should be reviewed + * Class is responsible for providing root trustedCertificates from configured location in onboarding container. */ public class SecurityManager { - private static final String CERTIFICATE_DEFAULT_LOCATION = "/root/cert"; + private static final String CERTIFICATE_DEFAULT_LOCATION = "cert"; + private static final SecurityManager INSTANCE = new SecurityManager(); private Logger logger = LoggerFactory.getLogger(SecurityManager.class); - private Set<Certificate> certificates = new HashSet<>(); + private Set<X509Certificate> trustedCertificates = new HashSet<>(); private File certificateDirectory; + static { + if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) { + Security.addProvider(new BouncyCastleProvider()); + } + } - public SecurityManager(){ + private SecurityManager() { certificateDirectory = this.getcertDirectory(); } - private void processCertificateDir() { - if(!certificateDirectory.exists() || !certificateDirectory.isDirectory()){ + public static SecurityManager getInstance(){ + return INSTANCE; + } + + /** + * + * Checks the configured location for available trustedCertificates + * + * @return set of trustedCertificates + * @throws SecurityManagerException + */ + public Set<X509Certificate> getTrustedCertificates() throws SecurityManagerException { + //if file number in certificate directory changed reload certs + String[] certFiles = certificateDirectory.list(); + if (certFiles == null) { + logger.error("Certificate directory is empty!"); + return ImmutableSet.copyOf(new HashSet<>()); + } + if (trustedCertificates.size() != certFiles.length) { + trustedCertificates = new HashSet<>(); + processCertificateDir(); + } + return ImmutableSet.copyOf(trustedCertificates); + } + + /** + * Cleans certificate collection + */ + public void cleanTrustedCertificates(){ + trustedCertificates.clear(); + } + + /** + * + * Verifies if packaged signed with trusted certificate + * + * @param messageSyntaxSignature - signature data in cms format + * @param packageCert - package certificate if not part of cms signature, can be null + * @param innerPackageFile data package signed with cms signature + * @return true if signature verified + * @throws SecurityManagerException + */ + public boolean verifySignedData(final byte[] messageSyntaxSignature, final byte[] packageCert, + final byte[] innerPackageFile) throws SecurityManagerException{ + try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(messageSyntaxSignature)) { + Object parsedObject = new PEMParser(new InputStreamReader(signatureStream)).readObject(); + if (!(parsedObject instanceof ContentInfo)) { + throw new SecurityManagerException("Signature is not recognized"); + } + ContentInfo signature = ContentInfo.getInstance(parsedObject); + CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFile); + CMSSignedData signedData = new CMSSignedData(signedContent, signature); + + Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); + SignerInformation firstSigner = signers.iterator().next(); + Store certificates = signedData.getCertificates(); + X509Certificate cert; + if (packageCert == null) { + Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); + if(!firstSignerCertificates.iterator().hasNext()){ + throw new SecurityManagerException("No certificate found in cms signature that should contain one!"); + } + X509CertificateHolder firstSignerFirstCertificate = firstSignerCertificates.iterator().next(); + cert = loadCertificate(firstSignerFirstCertificate.getEncoded()); + } else { + cert = loadCertificate(packageCert); + } + + PKIXCertPathBuilderResult result = verifyCertificate(cert, getTrustedCertificates()); + + if (result == null) { + return false; + } + + return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); + } catch (OperatorCreationException | IOException | CMSException e) { + logger.error(e.getMessage(), e); + throw new SecurityManagerException("Unexpected error occurred during signature validation!", e); + } catch (GeneralSecurityException e){ + throw new SecurityManagerException("Could not verify signature!", e); + } + } + + private void processCertificateDir() throws SecurityManagerException { + if (!certificateDirectory.exists() || !certificateDirectory.isDirectory()) { logger.error("Issue with certificate directory, check if exists!"); return; } - File [] files = certificateDirectory.listFiles(); - if(files == null){ + File[] files = certificateDirectory.listFiles(); + if (files == null) { logger.error("Certificate directory is empty!"); return; } - for(File f : files) { - certificates.add(loadCertificate(f)); + for (File f : files) { + trustedCertificates.add(loadCertificate(f)); } } private File getcertDirectory() { String certDirLocation = System.getenv("SDC_CERT_DIR"); - if(certDirLocation == null){ + if (certDirLocation == null) { certDirLocation = CERTIFICATE_DEFAULT_LOCATION; } return new File(certDirLocation); } - private Certificate loadCertificate(File certFile){ - try (InputStream fileInputStream = new FileInputStream(certFile)){ + private X509Certificate loadCertificate(File certFile) throws SecurityManagerException { + try (InputStream fileInputStream = new FileInputStream(certFile)) { CertificateFactory factory = CertificateFactory.getInstance("X.509"); - return factory.generateCertificate(fileInputStream); - } catch (CertificateException|IOException e) { + return (X509Certificate) factory.generateCertificate(fileInputStream); + } catch (CertificateException | IOException e) { throw new SecurityManagerException("Error during loading Certificate file!", e); } } - /** - * Checks the configured location for available certificates - * @return set of certificates - */ - public Set<Certificate> getCertificates() { - //if file number in certificate directory changed reload certs - String[] certFiles = certificateDirectory.list(); - if(certFiles == null){ - logger.error("Certificate directory is empty!"); - return ImmutableSet.copyOf(new HashSet<>()); + private X509Certificate loadCertificate(byte[] certFile) throws SecurityManagerException { + try (InputStream in = new ByteArrayInputStream(certFile)) { + CertificateFactory factory = CertificateFactory.getInstance("X.509"); + return (X509Certificate) factory.generateCertificate(in); + } catch (CertificateException | IOException e) { + throw new SecurityManagerException("Error during loading Certificate from bytes!", e); } - if(certificates.size() != certFiles.length){ - certificates = new HashSet<>(); - processCertificateDir(); + } + + private PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, + Set<X509Certificate> additionalCerts) throws GeneralSecurityException, SecurityManagerException { + if (null == cert) { + throw new SecurityManagerException("The certificate is empty!"); + } + + if (isExpired(cert)) { + throw new SecurityManagerException("The certificate expired on: " + cert.getNotAfter()); + } + + if (isSelfSigned(cert)) { + throw new SecurityManagerException("The certificate is self-signed."); + } + + Set<X509Certificate> trustedRootCerts = new HashSet<>(); + Set<X509Certificate> intermediateCerts = new HashSet<>(); + for (X509Certificate additionalCert : additionalCerts) { + if (isSelfSigned(additionalCert)) { + trustedRootCerts.add(additionalCert); + } else { + intermediateCerts.add(additionalCert); + } + } + + return verifyCertificate(cert, trustedRootCerts, intermediateCerts); + } + + private PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, + Set<X509Certificate> allTrustedRootCerts, + Set<X509Certificate> allIntermediateCerts) + throws GeneralSecurityException { + + // Create the selector that specifies the starting certificate + X509CertSelector selector = new X509CertSelector(); + selector.setCertificate(cert); + + // Create the trust anchors (set of root CA certificates) + Set<TrustAnchor> trustAnchors = new HashSet<>(); + for (X509Certificate trustedRootCert : allTrustedRootCerts) { + trustAnchors.add(new TrustAnchor(trustedRootCert, null)); + } + + // Configure the PKIX certificate builder algorithm parameters + PKIXBuilderParameters pkixParams; + try { + pkixParams = new PKIXBuilderParameters(trustAnchors, selector); + } catch (InvalidAlgorithmParameterException ex) { + throw new InvalidAlgorithmParameterException("No root CA has been found for this certificate", ex); + } + + // Not supporting CRL checks for now + pkixParams.setRevocationEnabled(false); + + Set<X509Certificate> certSet = new HashSet<>(); + certSet.add(cert); + pkixParams.addCertStore(createCertStore(certSet)); + pkixParams.addCertStore(createCertStore(allIntermediateCerts)); + pkixParams.addCertStore(createCertStore(allTrustedRootCerts)); + + CertPathBuilder builder = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType(), BouncyCastleProvider.PROVIDER_NAME); + return (PKIXCertPathBuilderResult) builder.build(pkixParams); + } + + private CertStore createCertStore(Set<X509Certificate> certificateSet) throws InvalidAlgorithmParameterException, + NoSuchAlgorithmException, NoSuchProviderException { + return CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificateSet), BouncyCastleProvider.PROVIDER_NAME); + } + + private boolean isExpired(X509Certificate cert) { + try { + cert.checkValidity(); + } catch (CertificateExpiredException e) { + logger.error(e.getMessage(), e); + return true; + } catch (CertificateNotYetValidException e) { + logger.error(e.getMessage(), e); + return false; + } + return false; + } + + private boolean isSelfSigned(Certificate cert) + throws CertificateException, NoSuchAlgorithmException, + NoSuchProviderException { + try { + // Try to verify certificate signature with its own public key + PublicKey key = cert.getPublicKey(); + cert.verify(key); + return true; + } catch (SignatureException | InvalidKeyException e) { + logger.error(e.getMessage(), e); + //not self-signed + return false; } - return ImmutableSet.copyOf(certificates); } } diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerException.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerException.java index 5c5a23a5f8..cdba2f8f0b 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerException.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerException.java @@ -1,8 +1,31 @@ +/*- + * ============LICENSE_START======================================================= + * SDC + * ================================================================================ + * Copyright (C) 2019, Nordix Foundation. All rights reserved. + * ================================================================================ + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * ============LICENSE_END========================================================= + */ package org.openecomp.sdc.vendorsoftwareproduct.security; -public class SecurityManagerException extends RuntimeException { +public class SecurityManagerException extends Exception { - public SecurityManagerException(String s, Throwable t) { + public SecurityManagerException(String s) { super(s); } + + public SecurityManagerException(String s, Throwable t) { + super(s, t); + } } diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java index c693015791..eea8a3a186 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java @@ -6,11 +6,15 @@ import org.junit.Before; import org.junit.Test; import org.junit.runner.RunWith; import org.powermock.api.mockito.PowerMockito; +import org.powermock.core.classloader.annotations.PowerMockIgnore; import org.powermock.core.classloader.annotations.PrepareForTest; import org.powermock.modules.junit4.PowerMockRunner; import java.io.File; import java.io.IOException; +import java.net.URISyntaxException; +import java.nio.file.Files; +import java.nio.file.Paths; import static junit.framework.TestCase.assertEquals; import static junit.framework.TestCase.assertTrue; @@ -18,67 +22,129 @@ import static org.mockito.ArgumentMatchers.eq; @RunWith(PowerMockRunner.class) @PrepareForTest(SecurityManager.class) +@PowerMockIgnore("javax.security.auth.x500.X500Principal") public class SecurityManagerTest { - File certDir; + private File certDir; + private SecurityManager securityManager; @Before - public void setUp(){ + public void setUp() throws IOException { certDir = new File("/tmp/cert"); + if(certDir.exists()){ + tearDown(); + } certDir.mkdirs(); PowerMockito.mockStatic(System.class); PowerMockito.when(System.getenv(eq("SDC_CERT_DIR"))).thenReturn(certDir.getPath()); + securityManager = SecurityManager.getInstance(); } @After - public void tearDown(){ - certDir.delete(); + public void tearDown() throws IOException { + if(certDir.exists()) { + FileUtils.deleteDirectory(certDir); + } + securityManager.cleanTrustedCertificates(); } @Test - public void testGetCertificates() throws IOException { + public void testGetCertificates() throws IOException, SecurityManagerException { File origFile = new File("src/test/resources/cert/root-certificate.pem"); File newFile = new File("/tmp/cert/root-certificate.pem"); newFile.createNewFile(); FileUtils.copyFile(origFile, newFile); - SecurityManager securityManager = new SecurityManager(); - assertEquals(1, securityManager.getCertificates().size()); + assertEquals(1, securityManager.getTrustedCertificates().size()); newFile.delete(); - assertEquals(0, securityManager.getCertificates().size()); + assertEquals(0, securityManager.getTrustedCertificates().size()); } @Test - public void testGetCertificatesNoDirectory() throws IOException { + public void testGetCertificatesNoDirectory() throws IOException, SecurityManagerException { certDir.delete(); - SecurityManager securityManager = new SecurityManager(); - assertEquals(0, securityManager.getCertificates().size()); + assertEquals(0, securityManager.getTrustedCertificates().size()); } @Test(expected = SecurityManagerException.class) - public void testGetCertificatesException() throws IOException { + public void testGetCertificatesException() throws IOException, SecurityManagerException { File newFile = new File("/tmp/cert/root-certificate.pem"); newFile.createNewFile(); - SecurityManager securityManager = new SecurityManager(); - assertEquals(1, securityManager.getCertificates().size()); + assertEquals(1, securityManager.getTrustedCertificates().size()); newFile.delete(); - assertEquals(0, securityManager.getCertificates().size()); + assertEquals(0, securityManager.getTrustedCertificates().size()); } @Test - public void testGetCertificatesUpdated() throws IOException { + public void testGetCertificatesUpdated() throws IOException, SecurityManagerException { File origFile = new File("src/test/resources/cert/root-certificate.pem"); File newFile = new File("/tmp/cert/root-certificate.pem"); newFile.createNewFile(); FileUtils.copyFile(origFile, newFile); - SecurityManager securityManager = new SecurityManager(); - assertTrue(securityManager.getCertificates().size() == 1); + assertTrue(securityManager.getTrustedCertificates().size() == 1); File otherOrigFile = new File("src/test/resources/cert/package-certificate.pem"); File otherNewFile = new File("/tmp/cert/package-certificate.pem"); newFile.createNewFile(); FileUtils.copyFile(otherOrigFile, otherNewFile); - assertEquals(2, securityManager.getCertificates().size()); + assertEquals(2, securityManager.getTrustedCertificates().size()); otherNewFile.delete(); - assertEquals(1, securityManager.getCertificates().size()); + assertEquals(1, securityManager.getTrustedCertificates().size()); newFile.delete(); - assertEquals(0, securityManager.getCertificates().size()); + assertEquals(0, securityManager.getTrustedCertificates().size()); + } + + @Test + public void verifySignedDataTestCertIncludedIntoSignature() throws IOException, URISyntaxException, SecurityManagerException { + File origFile = new File("src/test/resources/cert/root.cert"); + File newFile = new File("/tmp/cert/root.cert"); + newFile.createNewFile(); + FileUtils.copyFile(origFile, newFile); + byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/2-file-signed-package/dummyPnfv3.cms").toURI())); + byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/2-file-signed-package/dummyPnfv3.csar").toURI())); + assertTrue(securityManager.verifySignedData(signature, null, archive)); + } + + @Test(expected = SecurityManagerException.class) + public void verifySignedDataTestCertNotIncludedIntoSignatureButExpected() throws IOException, URISyntaxException, SecurityManagerException { + File origFile = new File("src/test/resources/cert/root.cert"); + File newFile = new File("/tmp/cert/root.cert"); + newFile.createNewFile(); + FileUtils.copyFile(origFile, newFile); + byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.cms").toURI())); + byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/2-file-signed-package/dummyPnfv3.csar").toURI())); + securityManager.verifySignedData(signature, null, archive); + } + + @Test + public void verifySignedDataTestCertNotIncludedIntoSignature() throws IOException, URISyntaxException, SecurityManagerException { + File origFile = new File("src/test/resources/cert/root.cert"); + File newFile = new File("/tmp/cert/root.cert"); + newFile.createNewFile(); + FileUtils.copyFile(origFile, newFile); + byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.cms").toURI())); + byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.csar").toURI())); + byte[] cert = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.cert").toURI())); + assertTrue(securityManager.verifySignedData(signature, cert, archive)); + } + + @Test(expected = SecurityManagerException.class) + public void verifySignedDataTestWrongCertificate() throws IOException, URISyntaxException, SecurityManagerException { + File origFile = new File("src/test/resources/cert/root-certificate.pem"); + File newFile = new File("/tmp/cert/root-certificate.cert"); + newFile.createNewFile(); + FileUtils.copyFile(origFile, newFile); + byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.cms").toURI())); + byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.csar").toURI())); + byte[] cert = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv3.cert").toURI())); + securityManager.verifySignedData(signature, cert, archive); + } + + @Test(expected = SecurityManagerException.class) + public void verifySignedDataTestChangedArchive() throws IOException, URISyntaxException, SecurityManagerException { + File origFile = new File("src/test/resources/cert/root.cert"); + File newFile = new File("/tmp/cert/root.cert"); + newFile.createNewFile(); + FileUtils.copyFile(origFile, newFile); + byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/tampered-signed-package/dummyPnfv3.cms").toURI())); + byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/tampered-signed-package/dummyPnfv3.csar").toURI())); + securityManager.verifySignedData(signature, null, archive); } } diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/2-file-signed-package/dummyPnfv3.cms b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/2-file-signed-package/dummyPnfv3.cms new file mode 100644 index 0000000000..fca5faca8e --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/2-file-signed-package/dummyPnfv3.cms @@ -0,0 +1,34 @@ +-----BEGIN CMS----- +MIIF9AYJKoZIhvcNAQcCoIIF5TCCBeECAQExDTALBglghkgBZQMEAgEwCwYJKoZI +hvcNAQcBoIIDPjCCAzowggIiAgkAmTZc6pj8rWYwDQYJKoZIhvcNAQELBQAwXzEL +MAkGA1UEBhMCSUUxEjAQBgNVBAgMCVdlc3RtZWF0aDEQMA4GA1UEBwwHQXRobG9u +ZTEMMAoGA1UECgwDRVNZMQ8wDQYDVQQLDAZUZWNobm8xCzAJBgNVBAMMAlNTMB4X +DTE5MDMyODEzMDQ0NloXDTE5MDQyNzEzMDQ0NlowXzELMAkGA1UEBhMCSUUxEjAQ +BgNVBAgMCVdlc3RtZWF0aDEQMA4GA1UEBwwHQXRobG9uZTEMMAoGA1UECgwDRVNZ +MQ8wDQYDVQQLDAZUZWNobm8xCzAJBgNVBAMMAlNTMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAqzpc/mRJZe5fxh9yo2ZmFCrNCynrbtLujp2GJwW40Nh0 +89jUBb49zFRwHrUUTlmIZRMrW8XDopX1LDajE+pzNxv+skdpZaPHhEjYcqbFIL1I +KiWxo1PTBi/9KgSFlzc5eewolrwV+NX76p2+xkLDwt6rnZy8UiubVH7U4mUnPtxy +Wx/W7uVGaZDKo0g2PNcFayRcL5skbm0Una2TjjAunwGP3FkxKigw+LukLE+w2fvE +C7b8ndIk10WER9rCIeMCf1571Ub8WJzR/80PfhJxbxoroRaiGESFh3kNNfqanLcS +Q4I9KHWeijOhSW0pHkqL2KPAee35FtfEUpL5aN0OcwIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBlm8RMspc6cwcktqJXDLZLZiHSoapQqcq3TI3dkhU2uEFTstnxnXa3 +r4eTVF8tre2BjvxJtgmM7qMnoDTFo+uUjkvuBBalLARbQM+gF6PAeRLYRHMLSkN/ +yOfnyQ3ypYAQMpEHVG0Er6B5+KbQwFr2G0XBW0zE8au9oGzqBUNg7e0O22AyXqQk +uhHzXXVhz6sWxJVv51gjPoWtr/1YbsGmJPimFIuz9GvrZD1MKGQ4sotZvRkfofHz +ePg0y8taAcdXHJwfmAeiJdc0S9SsYxKLAz1OB+n4oQTsk+31cnKflp+wVfeNyaRP +sdFf4KLicluzbwIRJ/x0h2r/lTorGGUcMYICfDCCAngCAQEwbDBfMQswCQYDVQQG +EwJJRTESMBAGA1UECAwJV2VzdG1lYXRoMRAwDgYDVQQHDAdBdGhsb25lMQwwCgYD +VQQKDANFU1kxDzANBgNVBAsMBlRlY2hubzELMAkGA1UEAwwCU1MCCQCZNlzqmPyt +ZjALBglghkgBZQMEAgGggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq +hkiG9w0BCQUxDxcNMTkwMzI4MTMwODUwWjAvBgkqhkiG9w0BCQQxIgQg9ya6QcX9 +J6hp+zfK1gceoLlpApp92mfxGoX3eZ1dMUwweQYJKoZIhvcNAQkPMWwwajALBglg +hkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAO +BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcN +AwICASgwDQYJKoZIhvcNAQEBBQAEggEAAmmSdu8W5zr8DVrkASlujCCSLwKq1XE+ +knlrR84UkkpRz8SacfxtoQL2/T6H0LyOnlJTOGQj3M8w2CaYKKWamnp/2jLZFvUn +aaPbCdKeKvwPiL99iBIqXWcHXJKk5Ch3fIfcWyAfl48HAB7MFE3TlKk0qUQVXlZP +7/c4PGaqtbfB7pDuJx6k+Bd2dqG4Xe8RDdvKDEK33HzkAZ72ZPuEL3Zw77eeWZS6 +vyAQTxEkFKERiC1AkmGUdAfTolzYGn1LlTcqb1P59nzs/AZ16JKx6ZITumhaSG6Q +JvkvodxD99bhOh3pHaLkTkkcLxEEE9OscYEtWvIdIGyfjrpGIFP31g== +-----END CMS----- diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/2-file-signed-package/dummyPnfv3.csar b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/2-file-signed-package/dummyPnfv3.csar Binary files differnew file mode 100644 index 0000000000..2c626ed90b --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/2-file-signed-package/dummyPnfv3.csar diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.cert b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.cert new file mode 100644 index 0000000000..d7da41db94 --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.cert @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOjCCAiICCQCZNlzqmPytZjANBgkqhkiG9w0BAQsFADBfMQswCQYDVQQGEwJJ +RTESMBAGA1UECAwJV2VzdG1lYXRoMRAwDgYDVQQHDAdBdGhsb25lMQwwCgYDVQQK +DANFU1kxDzANBgNVBAsMBlRlY2hubzELMAkGA1UEAwwCU1MwHhcNMTkwMzI4MTMw +NDQ2WhcNMTkwNDI3MTMwNDQ2WjBfMQswCQYDVQQGEwJJRTESMBAGA1UECAwJV2Vz +dG1lYXRoMRAwDgYDVQQHDAdBdGhsb25lMQwwCgYDVQQKDANFU1kxDzANBgNVBAsM +BlRlY2hubzELMAkGA1UEAwwCU1MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCrOlz+ZEll7l/GH3KjZmYUKs0LKetu0u6OnYYnBbjQ2HTz2NQFvj3MVHAe +tRROWYhlEytbxcOilfUsNqMT6nM3G/6yR2llo8eESNhypsUgvUgqJbGjU9MGL/0q +BIWXNzl57CiWvBX41fvqnb7GQsPC3qudnLxSK5tUftTiZSc+3HJbH9bu5UZpkMqj +SDY81wVrJFwvmyRubRSdrZOOMC6fAY/cWTEqKDD4u6QsT7DZ+8QLtvyd0iTXRYRH +2sIh4wJ/XnvVRvxYnNH/zQ9+EnFvGiuhFqIYRIWHeQ01+pqctxJDgj0odZ6KM6FJ +bSkeSovYo8B57fkW18RSkvlo3Q5zAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGWb +xEyylzpzByS2olcMtktmIdKhqlCpyrdMjd2SFTa4QVOy2fGddrevh5NUXy2t7YGO +/Em2CYzuoyegNMWj65SOS+4EFqUsBFtAz6AXo8B5EthEcwtKQ3/I5+fJDfKlgBAy +kQdUbQSvoHn4ptDAWvYbRcFbTMTxq72gbOoFQ2Dt7Q7bYDJepCS6EfNddWHPqxbE +lW/nWCM+ha2v/VhuwaYk+KYUi7P0a+tkPUwoZDiyi1m9GR+h8fN4+DTLy1oBx1cc +nB+YB6Il1zRL1KxjEosDPU4H6fihBOyT7fVycp+Wn7BV943JpE+x0V/gouJyW7Nv +AhEn/HSHav+VOisYZRw= +-----END CERTIFICATE----- diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.cms b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.cms new file mode 100644 index 0000000000..eeee6a977b --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.cms @@ -0,0 +1,17 @@ +-----BEGIN CMS----- +MIICsgYJKoZIhvcNAQcCoIICozCCAp8CAQExDTALBglghkgBZQMEAgEwCwYJKoZI +hvcNAQcBMYICfDCCAngCAQEwbDBfMQswCQYDVQQGEwJJRTESMBAGA1UECAwJV2Vz +dG1lYXRoMRAwDgYDVQQHDAdBdGhsb25lMQwwCgYDVQQKDANFU1kxDzANBgNVBAsM +BlRlY2hubzELMAkGA1UEAwwCU1MCCQCZNlzqmPytZjALBglghkgBZQMEAgGggeQw +GAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMTkwMzI4 +MTMxMDI2WjAvBgkqhkiG9w0BCQQxIgQg9ya6QcX9J6hp+zfK1gceoLlpApp92mfx +GoX3eZ1dMUwweQYJKoZIhvcNAQkPMWwwajALBglghkgBZQMEASowCwYJYIZIAWUD +BAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYI +KoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEB +BQAEggEAGGYZ4DsMUDzjMVpJU9zwLzTtxO1wCnouTVw8FJT2utGnUds+OexbKQoj +pCCfuAL1k9UaP3uyNXOjuMx8tzlQY0gZJzaKpYJ7vh0q6P9IZs0hjcvEXPhRTI/y +vI8mHP3WIXwuh36ehRmqALnGbBcOj46k578gAf/p1hHD3/ceQfB1MSkSVMwvf+yP +3YwJyvKHYYlGaaAbSjnIK+7g2tuRIvFdXGk30CU2mnldvb3JltfxB5MkZgEM6hPz +ZhjgNDtmFDZzoblEOCvFJnpXg2IF7bAPjObNaPd20ZRvRSRhQODktT5EHARRT53Y +p+03N4IUz89hw/roOnq0nlbetQSKvg== +-----END CMS----- diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.csar b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.csar Binary files differnew file mode 100644 index 0000000000..2c626ed90b --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/3-file-signed-package/dummyPnfv3.csar diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/root.cert b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/root.cert new file mode 100644 index 0000000000..767804ede4 --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/root.cert @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDlDCCAnygAwIBAgIJANxs5zQCT2zPMA0GCSqGSIb3DQEBCwUAMF8xCzAJBgNV +BAYTAklFMRIwEAYDVQQIDAlXZXN0bWVhdGgxEDAOBgNVBAcMB0F0aGxvbmUxDDAK +BgNVBAoMA0VTWTEPMA0GA1UECwwGVGVjaG5vMQswCQYDVQQDDAJTUzAeFw0xOTAz +MjgxMzAyMDVaFw0xOTA0MjcxMzAyMDVaMF8xCzAJBgNVBAYTAklFMRIwEAYDVQQI +DAlXZXN0bWVhdGgxEDAOBgNVBAcMB0F0aGxvbmUxDDAKBgNVBAoMA0VTWTEPMA0G +A1UECwwGVGVjaG5vMQswCQYDVQQDDAJTUzCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALwd8mRaVTPIiyJEGuscMulTg7EyQGUcVgRUJDrcEsubK9vgDEqh +0BTps1xO01LX7RaXSe4KWTcsJG41QsdX9lo94VoYZFfR0tVKCkPjWoaynl0cZEAZ +r6vADWwQkWWi1Czwr9fTX9NBu68IexLATuS387gafonlzvpa4TLVwi69ogNlVa91 +pKkeZCBWbhgDgYDz5pEbKPJ6TRab/sFxZOx/HBIM9i7INvwNhdnZF77eZVgNUX2z +XKFcXOklmY9gEr9HQtsFIyTxlOdL2DF7JspgN0Yfb6hqAKE/sfOgQ6h3A+n4AuA1 +gtgC6k0OVps2ZM3jlmpYatKorz22zp3nhzECAwEAAaNTMFEwHQYDVR0OBBYEFGci +Qjw5QhCSvwl86i6weBl++bQvMB8GA1UdIwQYMBaAFGciQjw5QhCSvwl86i6weBl+ ++bQvMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHtMPlNaUJPy +IXBOjROu0LlRXWJ/u7TVLaLaLnok5Sy/9QAz/FBKzOvMP1cmavsZiZC/9ISEaWFv +KlTOeZrhUl7WGk8pJPkkfATxt7HtRxO/c0RNrJin1AWWjQnUxjCB+nuqKS2h/itG +fHyHzzB3kjzxaK73kVuh8fzdxRDkg6QgLyW83BJ8T/U/VOuM3HRNIF86cazgae7E +7c9SrnXZ67IS7w3gxm/L/k5Rpd4XuuumaDuDz3NhGj1HFh323x11jheMmfl559SK +qU5NIC2qwKYGhzDojgLUJeL9g52DeS4eZ3DmINFRK2g0UMrHrypKq5aQ2v1kac6X +Io5o3F3L2DE= +-----END CERTIFICATE----- diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/tampered-signed-package/dummyPnfv3.cms b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/tampered-signed-package/dummyPnfv3.cms new file mode 100644 index 0000000000..fca5faca8e --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/tampered-signed-package/dummyPnfv3.cms @@ -0,0 +1,34 @@ +-----BEGIN CMS----- +MIIF9AYJKoZIhvcNAQcCoIIF5TCCBeECAQExDTALBglghkgBZQMEAgEwCwYJKoZI +hvcNAQcBoIIDPjCCAzowggIiAgkAmTZc6pj8rWYwDQYJKoZIhvcNAQELBQAwXzEL +MAkGA1UEBhMCSUUxEjAQBgNVBAgMCVdlc3RtZWF0aDEQMA4GA1UEBwwHQXRobG9u +ZTEMMAoGA1UECgwDRVNZMQ8wDQYDVQQLDAZUZWNobm8xCzAJBgNVBAMMAlNTMB4X +DTE5MDMyODEzMDQ0NloXDTE5MDQyNzEzMDQ0NlowXzELMAkGA1UEBhMCSUUxEjAQ +BgNVBAgMCVdlc3RtZWF0aDEQMA4GA1UEBwwHQXRobG9uZTEMMAoGA1UECgwDRVNZ +MQ8wDQYDVQQLDAZUZWNobm8xCzAJBgNVBAMMAlNTMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEAqzpc/mRJZe5fxh9yo2ZmFCrNCynrbtLujp2GJwW40Nh0 +89jUBb49zFRwHrUUTlmIZRMrW8XDopX1LDajE+pzNxv+skdpZaPHhEjYcqbFIL1I +KiWxo1PTBi/9KgSFlzc5eewolrwV+NX76p2+xkLDwt6rnZy8UiubVH7U4mUnPtxy +Wx/W7uVGaZDKo0g2PNcFayRcL5skbm0Una2TjjAunwGP3FkxKigw+LukLE+w2fvE +C7b8ndIk10WER9rCIeMCf1571Ub8WJzR/80PfhJxbxoroRaiGESFh3kNNfqanLcS +Q4I9KHWeijOhSW0pHkqL2KPAee35FtfEUpL5aN0OcwIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBlm8RMspc6cwcktqJXDLZLZiHSoapQqcq3TI3dkhU2uEFTstnxnXa3 +r4eTVF8tre2BjvxJtgmM7qMnoDTFo+uUjkvuBBalLARbQM+gF6PAeRLYRHMLSkN/ +yOfnyQ3ypYAQMpEHVG0Er6B5+KbQwFr2G0XBW0zE8au9oGzqBUNg7e0O22AyXqQk +uhHzXXVhz6sWxJVv51gjPoWtr/1YbsGmJPimFIuz9GvrZD1MKGQ4sotZvRkfofHz +ePg0y8taAcdXHJwfmAeiJdc0S9SsYxKLAz1OB+n4oQTsk+31cnKflp+wVfeNyaRP +sdFf4KLicluzbwIRJ/x0h2r/lTorGGUcMYICfDCCAngCAQEwbDBfMQswCQYDVQQG +EwJJRTESMBAGA1UECAwJV2VzdG1lYXRoMRAwDgYDVQQHDAdBdGhsb25lMQwwCgYD +VQQKDANFU1kxDzANBgNVBAsMBlRlY2hubzELMAkGA1UEAwwCU1MCCQCZNlzqmPyt +ZjALBglghkgBZQMEAgGggeQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq +hkiG9w0BCQUxDxcNMTkwMzI4MTMwODUwWjAvBgkqhkiG9w0BCQQxIgQg9ya6QcX9 +J6hp+zfK1gceoLlpApp92mfxGoX3eZ1dMUwweQYJKoZIhvcNAQkPMWwwajALBglg +hkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzAO +BggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYIKoZIhvcN +AwICASgwDQYJKoZIhvcNAQEBBQAEggEAAmmSdu8W5zr8DVrkASlujCCSLwKq1XE+ +knlrR84UkkpRz8SacfxtoQL2/T6H0LyOnlJTOGQj3M8w2CaYKKWamnp/2jLZFvUn +aaPbCdKeKvwPiL99iBIqXWcHXJKk5Ch3fIfcWyAfl48HAB7MFE3TlKk0qUQVXlZP +7/c4PGaqtbfB7pDuJx6k+Bd2dqG4Xe8RDdvKDEK33HzkAZ72ZPuEL3Zw77eeWZS6 +vyAQTxEkFKERiC1AkmGUdAfTolzYGn1LlTcqb1P59nzs/AZ16JKx6ZITumhaSG6Q +JvkvodxD99bhOh3pHaLkTkkcLxEEE9OscYEtWvIdIGyfjrpGIFP31g== +-----END CMS----- diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/tampered-signed-package/dummyPnfv3.csar b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/tampered-signed-package/dummyPnfv3.csar Binary files differnew file mode 100644 index 0000000000..81cb1f72d2 --- /dev/null +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/resources/cert/tampered-signed-package/dummyPnfv3.csar |