Fixing R130206 certificate searching mechanism

Issue-ID: VNFSDK-595 Signed-off-by: Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com> Change-Id: I8dacd924b16812378356b05291229f2097dfcbe1
author: Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com> 2020-09-17 14:46:47 +0200
committer: Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com> 2020-09-24 14:07:06 +0200
commit: 6767596c5b15b75a3f1ae43e169aa88e0de56c3a (patch)
tree: 2b64ad7df6a076fb8315208ef3f32e355ace4536 /csarvalidation/src/main/java/org/onap/cvc/csar/security
parent: e88eed4a3e6d7b9bf299d95fe2534d9f3bdbafb4 (diff)
6 files changed, 235 insertions, 63 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CertificateLoadingException.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CertificateLoadingException.java
new file mode 100644
index 0000000..2be5be2
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CertificateLoadingException.java
@@ -0,0 +1,25 @@
+/*
+ * Copyright 2020 Nokia
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.security;
+
+public class CertificateLoadingException extends RuntimeException {
+
+    public CertificateLoadingException(String s, Throwable t) {
+        super(s, t);
+    }
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureData.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureData.java
new file mode 100644
index 0000000..456f365
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureData.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright 2020 Nokia
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.security;
+
+import org.bouncycastle.cms.SignerInformation;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Optional;
+
+public class CmsSignatureData {
+
+    private X509Certificate certificate;
+    private final SignerInformation signerInformation;
+
+    public CmsSignatureData(X509Certificate certificate, SignerInformation signerInformation) {
+        this.certificate = certificate;
+        this.signerInformation = signerInformation;
+    }
+
+    public CmsSignatureData(SignerInformation signerInformation) {
+        this.signerInformation = signerInformation;
+    }
+
+    public Optional<X509Certificate> getCertificate() {
+        return Optional.ofNullable(certificate);
+    }
+
+    public SignerInformation getSignerInformation() {
+        return signerInformation;
+    }
+
+    public void loadCertificate(Path pathToCertificate) throws CertificateLoadingException {
+        try {
+            loadCertificate(Files.readAllBytes(pathToCertificate));
+        } catch (IOException e) {
+            final String errorMessage = String.format(
+                "Error during loading Certificate from given path: %s !"
+                ,pathToCertificate
+            );
+            throw new CertificateLoadingException(errorMessage, e);
+        }
+    }
+
+    public void loadCertificate(final byte[] certificate) throws CertificateLoadingException {
+        try (InputStream in = new ByteArrayInputStream(certificate)) {
+            CertificateFactory factory = CertificateFactory.getInstance("X.509");
+            this.certificate =  (X509Certificate) factory.generateCertificate(in);
+        } catch (IOException | CertificateException e) {
+            throw new CertificateLoadingException("Error during loading Certificate from bytes!", e);
+        }
+    }
+
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureDataFactory.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureDataFactory.java
new file mode 100644
index 0000000..2744bc6
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureDataFactory.java
@@ -0,0 +1,91 @@
+/*
+ * Copyright 2020 Nokia
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.security;
+
+import org.bouncycastle.asn1.cms.ContentInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cms.CMSException;
+import org.bouncycastle.cms.CMSProcessableByteArray;
+import org.bouncycastle.cms.CMSSignedData;
+import org.bouncycastle.cms.CMSTypedData;
+import org.bouncycastle.cms.SignerInformation;
+import org.bouncycastle.openssl.PEMParser;
+import org.bouncycastle.util.Store;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.Charset;
+import java.util.Collection;
+import java.util.Optional;
+
+public class CmsSignatureDataFactory {
+
+    public CmsSignatureData createForFirstSigner(final byte[] cmsSignature, final byte[] fileContent)
+    throws CmsSignatureLoadingException{
+
+        try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) {
+            CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream);
+            Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
+            Store<X509CertificateHolder> certificates = signedData.getCertificates();
+            SignerInformation firstSigner = getFirstSigner(signers);
+            CmsSignatureData signatureData = new CmsSignatureData(firstSigner);
+            getFirstSignerCertificate(certificates, firstSigner).ifPresent(
+                signatureData::loadCertificate
+            );
+            return signatureData;
+        } catch (CertificateLoadingException | IOException | CMSException e) {
+            throw new CmsSignatureLoadingException("Unexpected error occurred during signature validation!", e);
+        }
+    }
+
+    private SignerInformation getFirstSigner(Collection<SignerInformation> signers) {
+        return signers.iterator().next();
+    }
+
+    private Optional<byte[]> getFirstSignerCertificate(
+        Store<X509CertificateHolder> certificates,
+        SignerInformation firstSigner)
+        throws IOException {
+        Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID());
+        Optional<byte[]> cert;
+        if (!firstSignerCertificates.isEmpty()) {
+            X509CertificateHolder firstSignerFirstCertificate = firstSignerCertificates.iterator().next();
+            cert = Optional.of(firstSignerFirstCertificate.getEncoded());
+        } else {
+            cert = Optional.empty();
+        }
+        return cert;
+    }
+
+
+    private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureLoadingException, CMSException {
+        ContentInfo signature = produceSignature(signatureStream);
+        CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR);
+        return new CMSSignedData(signedContent, signature);
+    }
+
+    private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureLoadingException {
+        Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject();
+        if (!(parsedObject instanceof ContentInfo)) {
+            throw new CmsSignatureLoadingException("Signature is not recognized!");
+        }
+        return ContentInfo.getInstance(parsedObject);
+    }
+
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureLoadingException.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureLoadingException.java
new file mode 100644
index 0000000..0e203b2
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureLoadingException.java
@@ -0,0 +1,29 @@
+/*
+ * Copyright 2020 Nokia
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.security;
+
+public class CmsSignatureLoadingException extends Exception {
+
+    public CmsSignatureLoadingException(String s) {
+        super(s);
+    }
+
+    public CmsSignatureLoadingException(String s, Throwable t) {
+        super(s, t);
+    }
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
index 47d4bef..5d7b879 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
@@ -17,30 +17,14 @@
 
 package org.onap.cvc.csar.security;
 
-import org.bouncycastle.asn1.cms.ContentInfo;
-import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.cms.CMSException;
-import org.bouncycastle.cms.CMSProcessableByteArray;
-import org.bouncycastle.cms.CMSSignedData;
 import org.bouncycastle.cms.CMSSignerDigestMismatchException;
-import org.bouncycastle.cms.CMSTypedData;
-import org.bouncycastle.cms.SignerInformation;
 import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
-import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.operator.OperatorCreationException;
-import org.bouncycastle.util.Store;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.nio.charset.Charset;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
-import java.util.Collection;
 import java.util.Optional;
 
 public class CmsSignatureValidator {
@@ -52,63 +36,30 @@ public class CmsSignatureValidator {
             final Optional<byte[]> certificate,
             final byte[] fileContent) throws CmsSignatureValidatorException {
 
-        try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) {
-            CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream);
-            Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
-            SignerInformation firstSigner = signers.iterator().next();
-
-            Store<X509CertificateHolder> certificates = signedData.getCertificates();
-            Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID());
-            X509Certificate cert;
-            if (!firstSignerCertificates.isEmpty()) {
-                X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSignerCertificates);
-                cert = loadCertificate(firstSignerFirstCertificate.getEncoded());
-            } else {
-                cert = loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist")));
+        try {
+            CmsSignatureData signatureData = new CmsSignatureDataFactory().createForFirstSigner(cmsSignature, fileContent);
+            if( signatureData.getCertificate().isEmpty() ) {
+                signatureData.loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist")));
             }
+            return verifySignedData(signatureData);
+        } catch ( CmsSignatureLoadingException e) {
+            throw new CmsSignatureValidatorException("Unexpected error occurred during signature validation!", e);
+        }
+    }
 
-            return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
+    public boolean verifySignedData(final CmsSignatureData signatureData) throws CmsSignatureValidatorException {
+        try {
+            X509Certificate certificate = signatureData.getCertificate().orElseThrow(() -> new CMSException("No certificate found in signature data!"));
+            return signatureData.getSignerInformation().verify(new JcaSimpleSignerInfoVerifierBuilder().build(certificate));
         } catch (CMSSignerDigestMismatchException e){
             //message-digest attribute value does not match calculated value
             LOG.warn("CMS signer digest mismatch.", e);
             return false;
         }
-        catch (OperatorCreationException | IOException | CMSException e) {
+        catch (OperatorCreationException | CMSException e) {
             throw new CmsSignatureValidatorException("Unexpected error occurred during signature validation!", e);
         }
     }
 
-    private X509CertificateHolder getX509CertificateHolder(Collection<X509CertificateHolder> firstSignerCertificates) throws CmsSignatureValidatorException {
-        if(!firstSignerCertificates.iterator().hasNext()){
-            throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!");
-        }
-        return firstSignerCertificates.iterator().next();
-    }
-
-    private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException {
-        ContentInfo signature = produceSignature(signatureStream);
-        CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR);
-        return new CMSSignedData(signedContent, signature);
-    }
-
-    private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException {
-        Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject();
-        if (!(parsedObject instanceof ContentInfo)) {
-            throw new CmsSignatureValidatorException("Signature is not recognized!");
-        }
-        return ContentInfo.getInstance(parsedObject);
-    }
-
-
-    private X509Certificate loadCertificate(byte[] certFile) throws CmsSignatureValidatorException {
-        try (InputStream in = new ByteArrayInputStream(certFile)) {
-            CertificateFactory factory = CertificateFactory.getInstance("X.509");
-            return (X509Certificate) factory.generateCertificate(in);
-        } catch (CertificateException | IOException e) {
-            throw new CmsSignatureValidatorException("Error during loading Certificate from bytes!", e);
-        }
-    }
-
-
 }
 
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java
index 75cd8de..1f708fd 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java
@@ -25,4 +25,5 @@ public class CmsSignatureValidatorException extends Exception {
     public CmsSignatureValidatorException(String s, Throwable t) {
         super(s, t);
     }
+
 }
author	Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com>	2020-09-17 14:46:47 +0200
committer	Bartosz Gardziejewski <bartosz.gardziejewski@nokia.com>	2020-09-24 14:07:06 +0200
commit	6767596c5b15b75a3f1ae43e169aa88e0de56c3a (patch)
tree	2b64ad7df6a076fb8315208ef3f32e355ace4536 /csarvalidation/src/main/java/org/onap/cvc/csar/security
parent	e88eed4a3e6d7b9bf299d95fe2534d9f3bdbafb4 (diff)