diff options
Diffstat (limited to 'openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java')
-rw-r--r-- | openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java | 91 |
1 files changed, 33 insertions, 58 deletions
diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java index 006af058bb..d60b54b5e1 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/main/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManager.java @@ -20,8 +20,13 @@ package org.openecomp.sdc.vendorsoftwareproduct.security; import com.google.common.collect.ImmutableSet; - -import java.io.*; +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; import java.security.GeneralSecurityException; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; @@ -41,12 +46,11 @@ import java.security.cert.X509CertSelector; import java.security.cert.X509Certificate; import java.util.Collection; import java.util.HashSet; -import java.util.function.Predicate; import java.util.Optional; +import java.util.Set; +import java.util.function.Predicate; import java.util.stream.Collectors; import java.util.stream.Stream; -import java.util.Set; - import org.bouncycastle.asn1.cms.ContentInfo; import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSException; @@ -62,16 +66,14 @@ import org.openecomp.sdc.logging.api.Logger; import org.openecomp.sdc.logging.api.LoggerFactory; /** - * This is temporary solution. When AAF provides functionality for verifying trustedCertificates, this class should be - * reviewed Class is responsible for providing root trustedCertificates from configured location in onboarding - * container. + * This is temporary solution. When AAF provides functionality for verifying trustedCertificates, this class should be reviewed Class is responsible + * for providing root trustedCertificates from configured location in onboarding container. */ public class SecurityManager { private static final String CERTIFICATE_DEFAULT_LOCATION = "cert"; public static final Set<String> ALLOWED_SIGNATURE_EXTENSIONS = ImmutableSet.of("cms"); public static final Set<String> ALLOWED_CERTIFICATE_EXTENSIONS = ImmutableSet.of("cert", "crt"); - private Logger logger = LoggerFactory.getLogger(SecurityManager.class); private Set<X509Certificate> trustedCertificates = new HashSet<>(); private Set<X509Certificate> trustedCertificatesFromPackage = new HashSet<>(); @@ -87,7 +89,6 @@ public class SecurityManager { certificateDirectory = this.getcertDirectory(System.getenv("SDC_CERT_DIR")); } - // Package level constructor use in tests to avoid power mock SecurityManager(String sdcCertDir) { certificateDirectory = this.getcertDirectory(sdcCertDir); @@ -123,8 +124,7 @@ public class SecurityManager { processCertificateDir(); } if (!trustedCertificatesFromPackage.isEmpty()) { - return Stream.concat(trustedCertificatesFromPackage.stream(), trustedCertificates.stream()) - .collect(Collectors.toUnmodifiableSet()); + return Stream.concat(trustedCertificatesFromPackage.stream(), trustedCertificates.stream()).collect(Collectors.toUnmodifiableSet()); } return ImmutableSet.copyOf(trustedCertificates); } @@ -145,10 +145,10 @@ public class SecurityManager { * @return true if signature verified * @throws SecurityManagerException */ - public boolean verifySignedData(final byte[] messageSyntaxSignature, final byte[] packageCert, - final byte[] innerPackageFile) throws SecurityManagerException { - try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(messageSyntaxSignature); - final PEMParser pemParser = new PEMParser(new InputStreamReader(signatureStream))) { + public boolean verifySignedData(final byte[] messageSyntaxSignature, final byte[] packageCert, final byte[] innerPackageFile) + throws SecurityManagerException { + try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(messageSyntaxSignature); final PEMParser pemParser = new PEMParser( + new InputStreamReader(signatureStream))) { final Object parsedObject = pemParser.readObject(); if (!(parsedObject instanceof ContentInfo)) { throw new SecurityManagerException("Signature is not recognized"); @@ -156,26 +156,23 @@ public class SecurityManager { final ContentInfo signature = ContentInfo.getInstance(parsedObject); final CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFile); final CMSSignedData signedData = new CMSSignedData(signedContent, signature); - final Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); final SignerInformation firstSigner = signers.iterator().next(); final X509Certificate cert; Collection<X509CertificateHolder> certs; if (packageCert == null) { certs = signedData.getCertificates().getMatches(null); - cert = readSignCert(certs, firstSigner).orElseThrow(() -> new SecurityManagerException( - "No certificate found in cms signature that should contain one!")); + cert = readSignCert(certs, firstSigner) + .orElseThrow(() -> new SecurityManagerException("No certificate found in cms signature that should contain one!")); } else { certs = parseCertsFromPem(packageCert); - cert = readSignCert(certs, firstSigner).orElseThrow(() -> new SecurityManagerException( - "No matching certificate found in certificate file that should contain one!")); + cert = readSignCert(certs, firstSigner) + .orElseThrow(() -> new SecurityManagerException("No matching certificate found in certificate file that should contain one!")); } trustedCertificatesFromPackage = readTrustedCerts(certs, firstSigner); - if (verifyCertificate(cert, getTrustedCertificates()) == null) { return false; } - return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); } catch (OperatorCreationException | IOException | CMSException e) { logger.error(e.getMessage(), e); @@ -186,18 +183,12 @@ public class SecurityManager { } private Optional<X509Certificate> readSignCert(final Collection<X509CertificateHolder> certs, final SignerInformation firstSigner) { - return certs.stream() - .filter(crt -> firstSigner.getSID().match(crt)) - .findAny() - .map(this::loadCertificate); + return certs.stream().filter(crt -> firstSigner.getSID().match(crt)).findAny().map(this::loadCertificate); } private Set<X509Certificate> readTrustedCerts(final Collection<X509CertificateHolder> certs, final SignerInformation firstSigner) { - return certs.stream() - .filter(crt -> !firstSigner.getSID().match(crt)) - .map(this::loadCertificate) - .filter(Predicate.not(this::isSelfSigned)) - .collect(Collectors.toSet()); + return certs.stream().filter(crt -> !firstSigner.getSID().match(crt)).map(this::loadCertificate).filter(Predicate.not(this::isSelfSigned)) + .collect(Collectors.toSet()); } private Set<X509CertificateHolder> parseCertsFromPem(final byte[] packageCert) throws IOException { @@ -219,7 +210,6 @@ public class SecurityManager { logger.error("Issue with certificate directory, check if exists!"); return; } - File[] files = certificateDirectory.listFiles(); if (files == null) { logger.error("Certificate directory is empty!"); @@ -238,10 +228,10 @@ public class SecurityManager { return new File(certDirLocation); } - private X509Certificate loadCertificate(File certFile) throws SecurityManagerException { + private X509Certificate loadCertificate(File certFile) throws SecurityManagerException { try (FileInputStream fi = new FileInputStream(certFile)) { return loadCertificateFactory(fi); - } catch(IOException e) { + } catch (IOException e) { throw new SecurityManagerException("Error during loading Certificate from file!", e); } } @@ -263,21 +253,17 @@ public class SecurityManager { } } - private PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, - Set<X509Certificate> additionalCerts) - throws GeneralSecurityException, SecurityManagerException { + private PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<X509Certificate> additionalCerts) + throws GeneralSecurityException, SecurityManagerException { if (null == cert) { throw new SecurityManagerException("The certificate is empty!"); } - if (isExpired(cert)) { throw new SecurityManagerException("The certificate expired on: " + cert.getNotAfter()); } - if (isSelfSigned(cert)) { throw new SecurityManagerException("The certificate is self-signed."); } - Set<X509Certificate> trustedRootCerts = new HashSet<>(); Set<X509Certificate> intermediateCerts = new HashSet<>(); for (X509Certificate additionalCert : additionalCerts) { @@ -287,25 +273,19 @@ public class SecurityManager { intermediateCerts.add(additionalCert); } } - return verifyCertificate(cert, trustedRootCerts, intermediateCerts); } - private PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, - Set<X509Certificate> allTrustedRootCerts, - Set<X509Certificate> allIntermediateCerts) - throws GeneralSecurityException { - + private PKIXCertPathBuilderResult verifyCertificate(X509Certificate cert, Set<X509Certificate> allTrustedRootCerts, + Set<X509Certificate> allIntermediateCerts) throws GeneralSecurityException { // Create the selector that specifies the starting certificate X509CertSelector selector = new X509CertSelector(); selector.setCertificate(cert); - // Create the trust anchors (set of root CA certificates) Set<TrustAnchor> trustAnchors = new HashSet<>(); for (X509Certificate trustedRootCert : allTrustedRootCerts) { trustAnchors.add(new TrustAnchor(trustedRootCert, null)); } - // Configure the PKIX certificate builder algorithm parameters PKIXBuilderParameters pkixParams; try { @@ -313,25 +293,20 @@ public class SecurityManager { } catch (InvalidAlgorithmParameterException ex) { throw new InvalidAlgorithmParameterException("No root CA has been found for this certificate", ex); } - // Not supporting CRL checks for now pkixParams.setRevocationEnabled(false); - Set<X509Certificate> certSet = new HashSet<>(); certSet.add(cert); pkixParams.addCertStore(createCertStore(certSet)); pkixParams.addCertStore(createCertStore(allIntermediateCerts)); pkixParams.addCertStore(createCertStore(allTrustedRootCerts)); - - CertPathBuilder builder = CertPathBuilder - .getInstance(CertPathBuilder.getDefaultType(), BouncyCastleProvider.PROVIDER_NAME); + CertPathBuilder builder = CertPathBuilder.getInstance(CertPathBuilder.getDefaultType(), BouncyCastleProvider.PROVIDER_NAME); return (PKIXCertPathBuilderResult) builder.build(pkixParams); } - private CertStore createCertStore(Set<X509Certificate> certificateSet) throws InvalidAlgorithmParameterException, - NoSuchAlgorithmException, NoSuchProviderException { - return CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificateSet), - BouncyCastleProvider.PROVIDER_NAME); + private CertStore createCertStore(Set<X509Certificate> certificateSet) + throws InvalidAlgorithmParameterException, NoSuchAlgorithmException, NoSuchProviderException { + return CertStore.getInstance("Collection", new CollectionCertStoreParameters(certificateSet), BouncyCastleProvider.PROVIDER_NAME); } private boolean isExpired(X509Certificate cert) { |