From 5b9a4251a7bce56895ca80b867ee7537e7382320 Mon Sep 17 00:00:00 2001 From: Tomasz Pietruszkiewicz Date: Thu, 14 Jan 2021 17:03:31 +0100 Subject: Fix signature validation in SDC (PNF package onboarding) Change-Id: Ief8bf62e48a23a091e9084333c2523d8490fdcd2 Issue-ID: SDC-3386 Signed-off-by: Tomasz Pietruszkiewicz --- .../security/SecurityManagerTest.java | 179 +++++++++++++-------- 1 file changed, 111 insertions(+), 68 deletions(-) (limited to 'openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp') diff --git a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java index 7c5cb662c7..0ed871d47c 100644 --- a/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java +++ b/openecomp-be/backend/openecomp-sdc-vendor-software-product-manager/src/test/java/org/openecomp/sdc/vendorsoftwareproduct/security/SecurityManagerTest.java @@ -7,9 +7,9 @@ * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -21,9 +21,10 @@ package org.openecomp.sdc.vendorsoftwareproduct.security; import org.apache.commons.io.FileUtils; -import org.junit.After; -import org.junit.Before; -import org.junit.Test; +import org.junit.jupiter.api.AfterEach; +import org.junit.jupiter.api.Assertions; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; import java.io.File; import java.io.IOException; @@ -36,32 +37,42 @@ import static junit.framework.TestCase.assertTrue; public class SecurityManagerTest { private File certDir; + private String cerDirPath = "/tmp/cert/"; private SecurityManager securityManager; - @Before + private File PrepareCertFiles(String origFilePath, String newFilePath) throws IOException, URISyntaxException { + File origFile = new File(getClass().getResource(origFilePath).toURI()); + File newFile = new File(newFilePath); + newFile.createNewFile(); + FileUtils.copyFile(origFile, newFile); + return newFile; + } + + private byte[] readAllBytes(String path) throws URISyntaxException, IOException { + return Files.readAllBytes(Paths.get(getClass().getResource(path).toURI())); + } + + @BeforeEach public void setUp() throws IOException { - certDir = new File("/tmp/cert"); - if(certDir.exists()){ + certDir = new File(cerDirPath); + if (certDir.exists()) { tearDown(); } certDir.mkdirs(); securityManager = new SecurityManager(certDir.getPath()); } - @After + @AfterEach public void tearDown() throws IOException { - if(certDir.exists()) { + if (certDir.exists()) { FileUtils.deleteDirectory(certDir); } securityManager.cleanTrustedCertificates(); } @Test - public void testGetCertificates() throws IOException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root-certificate.pem"); - File newFile = new File("/tmp/cert/root-certificate.pem"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); + public void testGetCertificates() throws IOException, SecurityManagerException, URISyntaxException { + File newFile = PrepareCertFiles("/cert/root-certificate.pem", cerDirPath + "/root-certificate.pem"); assertEquals(1, securityManager.getTrustedCertificates().size()); newFile.delete(); assertEquals(0, securityManager.getTrustedCertificates().size()); @@ -73,26 +84,22 @@ public class SecurityManagerTest { assertEquals(0, securityManager.getTrustedCertificates().size()); } - @Test(expected = SecurityManagerException.class) + @Test public void testGetCertificatesException() throws IOException, SecurityManagerException { - File newFile = new File("/tmp/cert/root-certificate.pem"); - newFile.createNewFile(); - assertEquals(1, securityManager.getTrustedCertificates().size()); - newFile.delete(); - assertEquals(0, securityManager.getTrustedCertificates().size()); + Assertions.assertThrows(SecurityManagerException.class, () -> { + File newFile = new File(cerDirPath + "root-certificate.pem"); + newFile.createNewFile(); + assertEquals(1, securityManager.getTrustedCertificates().size()); + newFile.delete(); + assertEquals(0, securityManager.getTrustedCertificates().size()); + }); } @Test - public void testGetCertificatesUpdated() throws IOException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root-certificate.pem"); - File newFile = new File("/tmp/cert/root-certificate.pem"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); + public void testGetCertificatesUpdated() throws IOException, SecurityManagerException, URISyntaxException { + File newFile = PrepareCertFiles("/cert/root-certificate.pem", cerDirPath + "root-certificate.pem"); assertTrue(securityManager.getTrustedCertificates().size() == 1); - File otherOrigFile = new File("src/test/resources/cert/package-certificate.pem"); - File otherNewFile = new File("/tmp/cert/package-certificate.pem"); - newFile.createNewFile(); - FileUtils.copyFile(otherOrigFile, otherNewFile); + File otherNewFile = PrepareCertFiles("/cert/package-certificate.pem", cerDirPath + "package-certificate.pem"); assertEquals(2, securityManager.getTrustedCertificates().size()); otherNewFile.delete(); assertEquals(1, securityManager.getTrustedCertificates().size()); @@ -102,58 +109,94 @@ public class SecurityManagerTest { @Test public void verifySignedDataTestCertIncludedIntoSignature() throws IOException, URISyntaxException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root.cert"); - File newFile = new File("/tmp/cert/root.cert"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); - byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/2-file-signed-package/dummyPnfv4.cms").toURI())); - byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/2-file-signed-package/dummyPnfv4.csar").toURI())); + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + byte[] signature = readAllBytes("/cert/2-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/2-file-signed-package/dummyPnfv4.csar"); assertTrue(securityManager.verifySignedData(signature, null, archive)); } - @Test(expected = SecurityManagerException.class) + @Test public void verifySignedDataTestCertNotIncludedIntoSignatureButExpected() throws IOException, URISyntaxException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root.cert"); - File newFile = new File("/tmp/cert/root.cert"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); - byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.cms").toURI())); - byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/2-file-signed-package/dummyPnfv4.csar").toURI())); - securityManager.verifySignedData(signature, null, archive); + Assertions.assertThrows(SecurityManagerException.class, () -> { + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + byte[] signature = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.csar"); + securityManager.verifySignedData(signature, null, archive); + }); + } @Test public void verifySignedDataTestCertNotIncludedIntoSignature() throws IOException, URISyntaxException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root.cert"); - File newFile = new File("/tmp/cert/root.cert"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); - byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.cms").toURI())); - byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.csar").toURI())); - byte[] cert = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.cert").toURI())); + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + byte[] signature = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.csar"); + byte[] cert = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cert"); assertTrue(securityManager.verifySignedData(signature, cert, archive)); } - @Test(expected = SecurityManagerException.class) + @Test + public void verifySignedDataTestCertIntermediateNotIncludedIntoSignature() throws IOException, URISyntaxException, SecurityManagerException { + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + PrepareCertFiles("/cert/signing-ca2.crt", cerDirPath + "signing-ca2.crt"); + byte[] signature = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.csar"); + byte[] cert = readAllBytes("/cert/3-file-signed-package/dummyPnfv4-no-intermediate.cert"); + assertTrue(securityManager.verifySignedData(signature, cert, archive)); + } + + @Test + public void verifySignedDataTestCertWrongIntermediate() throws IOException, URISyntaxException, SecurityManagerException { + Assertions.assertThrows(SecurityManagerException.class, () -> { + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + PrepareCertFiles("/cert/signing-ca1.crt", cerDirPath + "signing-ca1.crt"); + byte[] signature = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.csar"); + byte[] cert = readAllBytes("/cert/3-file-signed-package/dummyPnfv4-no-intermediate.cert"); + securityManager.verifySignedData(signature, cert, archive); + }); + + } + + @Test + public void verifySignedDataTestCertIncludedIntoSignatureWithWrongIntermediateInDirectory() throws IOException, URISyntaxException, SecurityManagerException { + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + PrepareCertFiles("/cert/signing-ca1.crt", cerDirPath + "signing-ca1.crt"); + byte[] signature = readAllBytes("/cert/2-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/2-file-signed-package/dummyPnfv4.csar"); + assertTrue(securityManager.verifySignedData(signature, null, archive)); + } + + @Test + public void verifySignedDataTestCertWrongIntermediateInDirectory() throws IOException, URISyntaxException, SecurityManagerException { + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + PrepareCertFiles("/cert/signing-ca1.crt", cerDirPath + "signing-ca1.crt"); + byte[] signature = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.csar"); + byte[] cert = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cert"); + assertTrue(securityManager.verifySignedData(signature, cert, archive)); + } + + @Test public void verifySignedDataTestWrongCertificate() throws IOException, URISyntaxException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root-certificate.pem"); - File newFile = new File("/tmp/cert/root-certificate.cert"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); - byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.cms").toURI())); - byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.csar").toURI())); - byte[] cert = Files.readAllBytes(Paths.get(getClass().getResource("/cert/3-file-signed-package/dummyPnfv4.cert").toURI())); - securityManager.verifySignedData(signature, cert, archive); + Assertions.assertThrows(SecurityManagerException.class, () -> { + PrepareCertFiles("/cert/root-certificate.pem", cerDirPath + "root-certificate.cert"); + byte[] signature = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.csar"); + byte[] cert = readAllBytes("/cert/3-file-signed-package/dummyPnfv4.cert"); + securityManager.verifySignedData(signature, cert, archive); + }); + } - @Test(expected = SecurityManagerException.class) + @Test public void verifySignedDataTestChangedArchive() throws IOException, URISyntaxException, SecurityManagerException { - File origFile = new File("src/test/resources/cert/root.cert"); - File newFile = new File("/tmp/cert/root.cert"); - newFile.createNewFile(); - FileUtils.copyFile(origFile, newFile); - byte[] signature = Files.readAllBytes(Paths.get(getClass().getResource("/cert/tampered-signed-package/dummyPnfv4.cms").toURI())); - byte[] archive = Files.readAllBytes(Paths.get(getClass().getResource("/cert/tampered-signed-package/dummyPnfv4.csar").toURI())); - securityManager.verifySignedData(signature, null, archive); + Assertions.assertThrows(SecurityManagerException.class, () -> { + PrepareCertFiles("/cert/root.cert", cerDirPath + "root.cert"); + byte[] signature = readAllBytes("/cert/tampered-signed-package/dummyPnfv4.cms"); + byte[] archive = readAllBytes("/cert/tampered-signed-package/dummyPnfv4.csar"); + securityManager.verifySignedData(signature, null, archive); + }); + } } -- cgit 1.2.3-korg