diff options
author | Bogumil Zebek <bogumil.zebek@nokia.com> | 2019-05-09 13:28:17 +0200 |
---|---|---|
committer | Zebek Bogumil <bogumil.zebek@nokia.com> | 2019-06-11 11:58:13 +0200 |
commit | bd711684187e95a1dd3cd53622714aae22bb417c (patch) | |
tree | 43aaca63aceb64c7e3d62a212b41f8571b4b26bd /csarvalidation/src/main/java | |
parent | 900dd46df0976d545ec66a4822fc1fc846f262b4 (diff) |
Security verification
Change-Id: I759e3698a25dd4f84dc345c3fd4c0d201b75d233
Issue-ID: VNFSDK-395
Signed-off-by: Zebek Bogumil <bogumil.zebek@nokia.com>
Diffstat (limited to 'csarvalidation/src/main/java')
3 files changed, 58 insertions, 79 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java deleted file mode 100644 index 801d8cf..0000000 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2019 Nokia - * <p> - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * <p> - * http://www.apache.org/licenses/LICENSE-2.0 - * <p> - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package org.onap.cvc.csar; - -import java.util.ArrayList; -import java.util.List; - -public class ZipFileContentValidator { - - public static class CSARErrorCertMissing extends CSARArchive.CSARError { - CSARErrorCertMissing() { - super("0x1008"); - this.message = "Missing. Cert file is not available!"; - } - } - - public static class CSARErrorCMSMissing extends CSARArchive.CSARError { - CSARErrorCMSMissing() { - super("0x1009"); - this.message = "Missing. CMS file is not available!"; - } - } - - public List<CSARArchive.CSARError> validate(FileArchive.Workspace workspace){ - final ArrayList<CSARArchive.CSARError> retValue = new ArrayList<>(); - - if(!workspace.getPathToCertFile().isPresent()){ - retValue.add(new CSARErrorCertMissing()); - } - - if(!workspace.getPathToCmsFile().isPresent()){ - retValue.add(new CSARErrorCMSMissing()); - } - - return retValue; - } -} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java index eafdbde..6e67df9 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java @@ -22,9 +22,7 @@ import org.onap.cli.fw.error.OnapCommandExecutionFailed; import org.onap.cli.fw.input.OnapCommandParameter; import org.onap.cvc.csar.CSARArchive; import org.onap.cvc.csar.CSARArchive.CSARError; -import org.onap.cvc.csar.FileArchive; import org.onap.cvc.csar.PnfCSARArchive; -import org.onap.cvc.csar.ZipFileContentValidator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,8 +32,6 @@ import java.util.List; public abstract class VTPValidateCSARBase extends OnapCommand { protected static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARBase.class); - private final ZipFileContentValidator zipFileContentValidator = new ZipFileContentValidator(); - protected abstract void validateCSAR(CSARArchive csar) throws Exception; protected abstract String getVnfReqsNo(); @@ -52,12 +48,6 @@ public abstract class VTPValidateCSARBase extends OnapCommand { try (CSARArchive csar = isPnf ? new PnfCSARArchive(): new CSARArchive()){ csar.init(path); - - FileArchive.Workspace workspace = csar.getWorkspace(); - if(workspace.isZip()) { - errors.addAll(zipFileContentValidator.validate(workspace)); - } - csar.parse(); errors.addAll(csar.getErrors()); diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java index 621ede0..97efd11 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java @@ -36,34 +36,46 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class); - public static class CSARErrorInvalidSignature extends CSARArchive.CSARError { + static class CSARErrorInvalidSignature extends CSARArchive.CSARError { CSARErrorInvalidSignature() { super("0x3001"); this.message = "Invalid CSAR signature!"; } } - @Override - protected void validateCSAR(CSARArchive csar) throws OnapCommandException { + static class CsarFileNotAvailableError extends CSARArchive.CSARError { + CsarFileNotAvailableError() { + super("0x3002"); + this.message = "Missing. Csar file is not available!"; + } + } - try { - final CmsSignatureValidator securityManager = new CmsSignatureValidator(); + static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError { + SignatureWithCertificationOnlyWarning() { + super("0x3003"); + this.message = "Warning. Zip package probably is valid. " + + "It contains only signature with certification cms and csar package. " + + "Unable to verify csar signature."; + } + } - FileArchive.Workspace workspace = csar.getWorkspace(); - final Optional<Path> pathToCsarFile = workspace.getPathToCsarFile(); - final Optional<Path> pathToCertFile = workspace.getPathToCertFile(); - final Optional<Path> pathToCmsFile = workspace.getPathToCmsFile(); - if (workspace.isZip() && pathToCsarFile.isPresent() && pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { - byte[] csarContent = Files.readAllBytes(pathToCsarFile.get()); - byte[] signature = Files.readAllBytes(pathToCmsFile.get()); - byte[] publicCertification = Files.readAllBytes(pathToCertFile.get()); + static class BrokenZipPackageError extends CSARArchive.CSARError { + BrokenZipPackageError() { + super("0x3004"); + this.message = "Missing. Unable to find certification files."; + } + } - if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { - this.errors.add(new CSARErrorInvalidSignature()); - } - } + @Override + protected void validateCSAR(CSARArchive csar) throws OnapCommandException { + + try { + FileArchive.Workspace workspace = csar.getWorkspace(); + if (workspace.isZip()) { + verifyZipStructure(workspace); + } } catch (Exception e) { LOG.error("Internal VTPValidateCSARR787965 command error", e); throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787965 command error. See logs."); @@ -71,6 +83,35 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } + private void verifyZipStructure(FileArchive.Workspace workspace) throws Exception { + final Optional<Path> pathToCsarFile = workspace.getPathToCsarFile(); + final Optional<Path> pathToCertFile = workspace.getPathToCertFile(); + final Optional<Path> pathToCmsFile = workspace.getPathToCmsFile(); + if(!pathToCsarFile.isPresent()) { + this.errors.add(new CsarFileNotAvailableError()); + } else { + if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { + verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get()); + } else if (pathToCmsFile.isPresent()) { + this.errors.add(new SignatureWithCertificationOnlyWarning()); + } else { + this.errors.add(new BrokenZipPackageError()); + } + } + } + + private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws Exception { + final CmsSignatureValidator securityManager = new CmsSignatureValidator(); + + byte[] csarContent = Files.readAllBytes(pathToCsarFile); + byte[] signature = Files.readAllBytes(pathToCmsFile); + byte[] publicCertification = Files.readAllBytes(pathToCertFile); + + if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + @Override protected String getVnfReqsNo() { return "R787965"; |