author | Bogumil Zebek <bogumil.zebek@nokia.com> | 2019-05-31 13:58:12 +0200 |
committer | Zebek Bogumil <bogumil.zebek@nokia.com> | 2019-05-31 13:58:12 +0200 |
commit | 379eb896b050fbb1f88ca7e736665c573f8c9f74 (patch) | |
tree | 5bdd21ed80f11f8c6807cd6fc0fe40b713d9f81e /csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java | |
parent | 2b293e3d6c9c2ff693ccebf8ee757980cf6e2499 (diff) |
Handle signature in cms
Change-Id: Ied997305efe347859cbd069f2887f792adc775c0
Issue-ID: VNFSDK-414
Signed-off-by: Zebek Bogumil <bogumil.zebek@nokia.com>
Diffstat (limited to 'csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java')
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java | 90 |
1 files changed, 90 insertions, 0 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
new file mode 100644
index 0000000..316c802
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
@@ -0,0 +1,90 @@
+/*
+ * Copyright 2019
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.security;
+
+import org.bouncycastle.asn1.cms.ContentInfo;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.CMSSignerDigestMismatchException;
+import org.bouncycastle.cms.CMSTypedData;
+import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.operator.OperatorCreationException;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collection;
+
+public class CmsSignatureValidator {
+
+ public boolean verifySignedData(
+ final byte[] signature,
+ final byte[] certificate,
+ final byte[] csarFileContent) throws CmsSignatureValidatorException {
+
+ try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(signature)) {
+ SignerInformation firstSigner = getSignerInformation(csarFileContent, signatureStream);
+ X509Certificate cert = loadCertificate(certificate);
+
+ return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
+ } catch (CMSSignerDigestMismatchException e){
+ //message-digest attribute value does not match calculated value
+ return false;
+ }
+ catch (OperatorCreationException | IOException | CMSException e) {
+ throw new CmsSignatureValidatorException("Unexpected error occurred during signature validation!", e);
+ }
+ }
+
+ private SignerInformation getSignerInformation(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException {
+ ContentInfo signature = produceSignature(signatureStream);
+ CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR);
+ CMSSignedData signedData = new CMSSignedData(signedContent, signature);
+
+ Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
+ return signers.iterator().next();
+ }
+
+ private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException {
+ Object parsedObject = new PEMParser(new InputStreamReader(signatureStream)).readObject();
+ if (!(parsedObject instanceof ContentInfo)) {
+ throw new CmsSignatureValidatorException("Signature is not recognized!");
+ }
+ return ContentInfo.getInstance(parsedObject);
+ }
+
+
+ private X509Certificate loadCertificate(byte[] certFile) throws CmsSignatureValidatorException {
+ try (InputStream in = new ByteArrayInputStream(certFile)) {
+ CertificateFactory factory = CertificateFactory.getInstance("X.509");
+ return (X509Certificate) factory.generateCertificate(in);
+ } catch (CertificateException | IOException e) {
+ throw new CmsSignatureValidatorException("Error during loading Certificate from bytes!", e);
+ }
+ }
+
+
+}
+ |
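Review bot: `getSignerInformation` returns `signers.iterator().next()` without checking that the CMS structure carries any SignerInfo, so a syntactically valid but signer-less signature file escapes as an unchecked `NoSuchElementException` instead of the declared `CmsSignatureValidatorException`, and a signature with several signers is only ever checked against its first one. Before the `return`, guard the collection: `if (signers.isEmpty()) { throw new CmsSignatureValidatorException("Signature does not contain any signer information!"); }`, and either verify every signer or document in a comment on `verifySignedData` that only the first SignerInfo is checked. Separately, `verifySignedData` proves only that `signature` was produced by the key in the caller-supplied `certificate` bytes; nothing here checks that certificate's validity period, key usage or chain to a trusted anchor, so if the certificate is read from the same package as the signature (not visible in this hunk), a caller could present a self-issued certificate and a matching signature — worth a Javadoc note such as `/** Verifies the detached CMS signature against the given certificate; trust in the certificate itself must be established by the caller. */`. The `PEMParser` in `produceSignature` is also never closed and its `InputStreamReader` uses the platform charset; `new InputStreamReader(signatureStream, StandardCharsets.US_ASCII)` inside a try-with-resources would make the parse deterministic.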