CMS signature validation

Change-Id: Ie5d1c835d0e6a760f1b7de651a3833cb87b727e0 Issue-ID: VNFSDK-396 Signed-off-by: Zebek Bogumil <bogumil.zebek@nokia.com>
author: Bogumil Zebek <bogumil.zebek@nokia.com> 2019-08-14 10:52:37 +0200
committer: Zebek Bogumil <bogumil.zebek@nokia.com> 2019-08-22 12:10:38 +0200
commit: 0562debfc5cdd31e61c016aea40272c6c02ad3cb (patch)
tree: 79e011e5247c1179d784723bb57c6bede0b3fb14 /csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004
parent: 870a89675528664aa5c0aca57f50c584b76a8b8f (diff)
2 files changed, 99 insertions, 44 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
index 7a14709..2d85e35 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
@@ -23,33 +23,40 @@ import org.onap.cli.fw.schema.OnapCommandSchema;
 import org.onap.cvc.csar.CSARArchive;
 import org.onap.cvc.csar.FileArchive;
 import org.onap.cvc.csar.cc.VTPValidateCSARBase;
+import org.onap.cvc.csar.parser.ManifestFileModel;
+import org.onap.cvc.csar.parser.ManifestFileSplitter;
 import org.onap.cvc.csar.parser.SourcesParser;
+import org.onap.cvc.csar.security.CmsSignatureValidator;
+import org.onap.cvc.csar.security.CmsSignatureValidatorException;
 import org.onap.cvc.csar.security.ShaHashCodeGenerator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.IOException;
+import java.nio.charset.Charset;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.security.NoSuchAlgorithmException;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
-@OnapCommandSchema(schema = "vtp-validate-csar-r787966.yaml")
-public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
+@OnapCommandSchema(schema = "vtp-validate-csar-r130206.yaml")
+public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 
-    private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787966.class);
+    private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class);
     private static final String SHA_256 = "SHA-256";
     private static final String SHA_512 = "SHA-512";
 
     private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator();
+    private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator();
 
 
     public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError {
-        CSARErrorUnableToFindCertificate() {
+        CSARErrorUnableToFindCertificate(String paramName) {
             super("0x4001");
-            this.message = "Unable to find cert file defined by Entry-Certificate!";
+            this.message = String.format("Unable to find cert file defined by %s!", paramName);
         }
     }
 
@@ -84,7 +91,14 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
     public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError {
         CSARErrorUnableToFindSource(String path) {
             super("0x4006");
-            this.message = String.format("Source '%s' does not exist!", path);
+            this.message = String.format("Unable to calculate digest - file missing: %s", path);
+        }
+    }
+
+    public static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
+        CSARErrorInvalidSignature() {
+            super("0x4007");
+            this.message = "File has invalid CMS signature!";
         }
     }
 
@@ -94,38 +108,54 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
         try {
             FileArchive.Workspace workspace = csar.getWorkspace();
             final Optional<Path> pathToCsarFolder = workspace.getPathToCsarFolder();
-            if(pathToCsarFolder.isPresent()) {
+            if (pathToCsarFolder.isPresent()) {
                 validate(csar, pathToCsarFolder.get());
             } else {
                 this.errors.add(new CSARErrorUnableToFindCsarContent());
             }
         } catch (Exception e) {
-            LOG.error("Internal VTPValidateCSARR787966 command error", e);
+            LOG.error("Internal VTPValidateCSARR130206 command error", e);
             throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs.");
         }
 
     }
 
-    private void validate(CSARArchive csar, Path csarRootDirectory ) throws IOException, NoSuchAlgorithmException {
-
+    private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException {
         final CSARArchive.Manifest manifest = csar.getManifest();
-        final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta();
-        validateSecurityStructure(toscaMeta, csarRootDirectory, manifest);
+
+        validateSecurityStructure(csar, csarRootDirectory);
         validateSources(csarRootDirectory, manifest);
+
+        final File manifestMfFile = csar.getManifestMfFile();
+        if (manifestMfFile != null) {
+            validateFileSignature(manifestMfFile);
+        }
     }
 
-    private void validateSecurityStructure(CSARArchive.TOSCAMeta toscaMeta , Path csarRootDirectory, CSARArchive.Manifest manifest) {
+    private void validateFileSignature(File manifestMfFile) {
+        final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile);
+        if (!isValid) {
+            this.errors.add(new CSARErrorInvalidSignature());
+        }
+    }
+
+    private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) {
+        final CSARArchive.Manifest manifest = csar.getManifest();
+        final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta();
+        final String entryCertificateParamName = csar.getEntryCertificateParamName();
         final Optional<File> entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory);
-        if (!entryCertificate.isPresent() || !entryCertificate.get().exists() && !manifest.getCms().isEmpty()) {
-            this.errors.add(new CSARErrorUnableToFindCertificate());
-        } else if (entryCertificate.get().exists() && manifest.getCms().isEmpty()) {
+        if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) {
+            this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName));
+        }
+
+        if (manifest.getCms() == null || manifest.getCms().isEmpty()) {
             this.errors.add(new CSARErrorUnableToFindCmsSection());
         }
     }
 
     private Optional<File> resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) {
         final String certificatePath = toscaMeta.getEntryCertificate();
-        if(certificatePath == null){
+        if (certificatePath == null) {
             return Optional.empty();
         } else {
             return Optional.of(csarRootDirectory.resolve(certificatePath).toFile());
@@ -134,16 +164,22 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
 
     private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException {
         final List<SourcesParser.Source> sources = manifest.getSources();
-        for (SourcesParser.Source source: sources){
-            final Path sourcePath = csarRootDirectory.resolve(source.getValue());
-            if(!Files.exists(sourcePath)){
-                this.errors.add(new CSARErrorUnableToFindSource(source.getValue()));
-            } else {
-                if (!source.getAlgorithm().isEmpty()) {
-                    validateSourceHashCode(csarRootDirectory, source);
-                } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) {
-                    this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue()));
-                }
+        for (SourcesParser.Source source : sources) {
+            if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) {
+                validateSource(csarRootDirectory, source);
+            }
+        }
+    }
+
+    private void validateSource(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException {
+        final Path sourcePath = csarRootDirectory.resolve(source.getValue());
+        if (!sourcePath.toFile().exists()) {
+            this.errors.add(new CSARErrorUnableToFindSource(source.getValue()));
+        } else {
+            if (!source.getAlgorithm().isEmpty()) {
+                validateSourceHashCode(csarRootDirectory, source);
+            } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) {
+                this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue()));
             }
         }
     }
@@ -159,9 +195,9 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
         final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue()));
         final String algorithm = source.getAlgorithm();
 
-        if(algorithm.equalsIgnoreCase(SHA_256)) {
+        if (algorithm.equalsIgnoreCase(SHA_256)) {
             return this.shaHashCodeGenerator.generateSha256(sourceData);
-        } else if(algorithm.equalsIgnoreCase(SHA_512)){
+        } else if (algorithm.equalsIgnoreCase(SHA_512)) {
             return this.shaHashCodeGenerator.generateSha512(sourceData);
         }
 
@@ -170,8 +206,29 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
 
     @Override
     protected String getVnfReqsNo() {
-        return "R787966";
+        return "R130206";
     }
 
 
 }
+
+class ManifestFileSignatureValidator {
+    private static final Logger LOG = LoggerFactory.getLogger(ManifestFileSignatureValidator.class);
+    private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter();
+    private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator();
+
+    boolean isValid(File manifestFile) {
+        try {
+            ManifestFileModel mf = manifestFileSplitter.split(manifestFile);
+            return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS()), Optional.empty(), toBytes(mf.getData()));
+        } catch (CmsSignatureValidatorException e) {
+            LOG.error("Unable to verify signed data!", e);
+            return false;
+        }
+    }
+
+    private byte[] toBytes(List<String> data) {
+        final String updatedData = data.stream().map(it -> it + "\r\n").collect(Collectors.joining());
+        return updatedData.getBytes(Charset.defaultCharset());
+    }
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
index a3ab865..034d35e 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
@@ -37,6 +37,7 @@ import java.util.Optional;
 public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
 
     private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class);
+    private final CmsSignatureValidator securityManager = new CmsSignatureValidator();
 
     static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
         CSARErrorInvalidSignature() {
@@ -52,16 +53,6 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
         }
     }
 
-    static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError {
-        SignatureWithCertificationOnlyWarning() {
-            super("0x3003");
-            this.message = "Warning. Zip package probably is valid. " +
-                    "It contains only signature with certification cms and csar package. " +
-                    "Unable to verify csar signature.";
-        }
-    }
-
-
     static class BrokenZipPackageError extends CSARArchive.CSARError {
         BrokenZipPackageError() {
             super("0x3004");
@@ -95,7 +86,7 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
             if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) {
                 verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get());
             } else if (pathToCmsFile.isPresent()) {
-                this.errors.add(new SignatureWithCertificationOnlyWarning());
+                verifyOneFileCertification(pathToCsarFile.get(), pathToCmsFile.get());
             } else {
                 this.errors.add(new BrokenZipPackageError());
             }
@@ -103,13 +94,20 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
     }
 
     private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws IOException, CmsSignatureValidatorException {
-        final CmsSignatureValidator securityManager = new CmsSignatureValidator();
-
         byte[] csarContent = Files.readAllBytes(pathToCsarFile);
         byte[] signature = Files.readAllBytes(pathToCmsFile);
         byte[] publicCertification = Files.readAllBytes(pathToCertFile);
 
-        if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) {
+        if (!securityManager.verifySignedData(signature, Optional.of(publicCertification) ,csarContent)) {
+            this.errors.add(new CSARErrorInvalidSignature());
+        }
+    }
+
+    private void verifyOneFileCertification(Path pathToCsarFile, Path pathToSignatureAndCmsFile) throws IOException, CmsSignatureValidatorException {
+        byte[] csarContent = Files.readAllBytes(pathToCsarFile);
+        byte[] signature = Files.readAllBytes(pathToSignatureAndCmsFile);
+
+        if(!securityManager.verifySignedData(signature, Optional.empty(), csarContent)){
             this.errors.add(new CSARErrorInvalidSignature());
         }
     }
author	Bogumil Zebek <bogumil.zebek@nokia.com>	2019-08-14 10:52:37 +0200
committer	Zebek Bogumil <bogumil.zebek@nokia.com>	2019-08-22 12:10:38 +0200
commit	0562debfc5cdd31e61c016aea40272c6c02ad3cb (patch)
tree	79e011e5247c1179d784723bb57c6bede0b3fb14 /csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004
parent	870a89675528664aa5c0aca57f50c584b76a8b8f (diff)