summaryrefslogtreecommitdiffstats
path: root/csarvalidation/src/main/java
diff options
context:
space:
mode:
authorWeitao Gao <victor.gao@huawei.com>2019-09-04 08:24:35 +0000
committerGerrit Code Review <gerrit@onap.org>2019-09-04 08:24:35 +0000
commitfc685ddff28f6be4fd29ffbca85f66f56979dafb (patch)
tree075104f9276913d3baf91b7cafe9ab4faf6607ed /csarvalidation/src/main/java
parent26514e7bb8b174ba5bbbcf903b697160eb397e03 (diff)
parent0562debfc5cdd31e61c016aea40272c6c02ad3cb (diff)
Merge "CMS signature validation"
Diffstat (limited to 'csarvalidation/src/main/java')
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java6
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java5
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java (renamed from csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java)117
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java26
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java39
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java62
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java45
7 files changed, 242 insertions, 58 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java
index 180dadd..beb556d 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java
@@ -1093,7 +1093,7 @@ public class CSARArchive implements AutoCloseable {
this.toscaMeta.getEntryLicense(),
lineNo));
}
- } else if(key.equalsIgnoreCase(TOSCA_METADATA_TOSCA_META_ENTRY_CERTIFICATE)) {
+ } else if(key.equalsIgnoreCase(getEntryCertificateParamName())) {
this.toscaMeta.setEntryCertificate(value);
this.certificatesFile= this.tempDir.resolve(this.toscaMeta.getEntryCertificate()).toFile();
if (!this.certificatesFile.exists()) {
@@ -1247,6 +1247,10 @@ public class CSARArchive implements AutoCloseable {
}
}
+ public String getEntryCertificateParamName() {
+ return TOSCA_METADATA_TOSCA_META_ENTRY_CERTIFICATE;
+ }
+
String getEntryManifestParamName(){
return TOSCA_METADATA_TOSCA_META_ENTRY_MANIFEST;
}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java
index a6e2745..f3ce960 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java
@@ -66,4 +66,9 @@ public class PnfCSARArchive extends CSARArchive {
String getEntryChangeLogParamName() {
return "ETSI-Entry-Change-Log";
}
+
+ @Override
+ public String getEntryCertificateParamName() {
+ return "ETSI-Entry-Certificate";
+ }
}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
index 7a14709..2d85e35 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
@@ -23,33 +23,40 @@ import org.onap.cli.fw.schema.OnapCommandSchema;
import org.onap.cvc.csar.CSARArchive;
import org.onap.cvc.csar.FileArchive;
import org.onap.cvc.csar.cc.VTPValidateCSARBase;
+import org.onap.cvc.csar.parser.ManifestFileModel;
+import org.onap.cvc.csar.parser.ManifestFileSplitter;
import org.onap.cvc.csar.parser.SourcesParser;
+import org.onap.cvc.csar.security.CmsSignatureValidator;
+import org.onap.cvc.csar.security.CmsSignatureValidatorException;
import org.onap.cvc.csar.security.ShaHashCodeGenerator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.IOException;
+import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Optional;
+import java.util.stream.Collectors;
-@OnapCommandSchema(schema = "vtp-validate-csar-r787966.yaml")
-public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
+@OnapCommandSchema(schema = "vtp-validate-csar-r130206.yaml")
+public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
- private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787966.class);
+ private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class);
private static final String SHA_256 = "SHA-256";
private static final String SHA_512 = "SHA-512";
private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator();
+ private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator();
public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError {
- CSARErrorUnableToFindCertificate() {
+ CSARErrorUnableToFindCertificate(String paramName) {
super("0x4001");
- this.message = "Unable to find cert file defined by Entry-Certificate!";
+ this.message = String.format("Unable to find cert file defined by %s!", paramName);
}
}
@@ -84,7 +91,14 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError {
CSARErrorUnableToFindSource(String path) {
super("0x4006");
- this.message = String.format("Source '%s' does not exist!", path);
+ this.message = String.format("Unable to calculate digest - file missing: %s", path);
+ }
+ }
+
+ public static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
+ CSARErrorInvalidSignature() {
+ super("0x4007");
+ this.message = "File has invalid CMS signature!";
}
}
@@ -94,38 +108,54 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
try {
FileArchive.Workspace workspace = csar.getWorkspace();
final Optional<Path> pathToCsarFolder = workspace.getPathToCsarFolder();
- if(pathToCsarFolder.isPresent()) {
+ if (pathToCsarFolder.isPresent()) {
validate(csar, pathToCsarFolder.get());
} else {
this.errors.add(new CSARErrorUnableToFindCsarContent());
}
} catch (Exception e) {
- LOG.error("Internal VTPValidateCSARR787966 command error", e);
+ LOG.error("Internal VTPValidateCSARR130206 command error", e);
throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs.");
}
}
- private void validate(CSARArchive csar, Path csarRootDirectory ) throws IOException, NoSuchAlgorithmException {
-
+ private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException {
final CSARArchive.Manifest manifest = csar.getManifest();
- final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta();
- validateSecurityStructure(toscaMeta, csarRootDirectory, manifest);
+
+ validateSecurityStructure(csar, csarRootDirectory);
validateSources(csarRootDirectory, manifest);
+
+ final File manifestMfFile = csar.getManifestMfFile();
+ if (manifestMfFile != null) {
+ validateFileSignature(manifestMfFile);
+ }
}
- private void validateSecurityStructure(CSARArchive.TOSCAMeta toscaMeta , Path csarRootDirectory, CSARArchive.Manifest manifest) {
+ private void validateFileSignature(File manifestMfFile) {
+ final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile);
+ if (!isValid) {
+ this.errors.add(new CSARErrorInvalidSignature());
+ }
+ }
+
+ private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) {
+ final CSARArchive.Manifest manifest = csar.getManifest();
+ final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta();
+ final String entryCertificateParamName = csar.getEntryCertificateParamName();
final Optional<File> entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory);
- if (!entryCertificate.isPresent() || !entryCertificate.get().exists() && !manifest.getCms().isEmpty()) {
- this.errors.add(new CSARErrorUnableToFindCertificate());
- } else if (entryCertificate.get().exists() && manifest.getCms().isEmpty()) {
+ if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) {
+ this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName));
+ }
+
+ if (manifest.getCms() == null || manifest.getCms().isEmpty()) {
this.errors.add(new CSARErrorUnableToFindCmsSection());
}
}
private Optional<File> resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) {
final String certificatePath = toscaMeta.getEntryCertificate();
- if(certificatePath == null){
+ if (certificatePath == null) {
return Optional.empty();
} else {
return Optional.of(csarRootDirectory.resolve(certificatePath).toFile());
@@ -134,16 +164,22 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException {
final List<SourcesParser.Source> sources = manifest.getSources();
- for (SourcesParser.Source source: sources){
- final Path sourcePath = csarRootDirectory.resolve(source.getValue());
- if(!Files.exists(sourcePath)){
- this.errors.add(new CSARErrorUnableToFindSource(source.getValue()));
- } else {
- if (!source.getAlgorithm().isEmpty()) {
- validateSourceHashCode(csarRootDirectory, source);
- } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) {
- this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue()));
- }
+ for (SourcesParser.Source source : sources) {
+ if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) {
+ validateSource(csarRootDirectory, source);
+ }
+ }
+ }
+
+ private void validateSource(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException {
+ final Path sourcePath = csarRootDirectory.resolve(source.getValue());
+ if (!sourcePath.toFile().exists()) {
+ this.errors.add(new CSARErrorUnableToFindSource(source.getValue()));
+ } else {
+ if (!source.getAlgorithm().isEmpty()) {
+ validateSourceHashCode(csarRootDirectory, source);
+ } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) {
+ this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue()));
}
}
}
@@ -159,9 +195,9 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue()));
final String algorithm = source.getAlgorithm();
- if(algorithm.equalsIgnoreCase(SHA_256)) {
+ if (algorithm.equalsIgnoreCase(SHA_256)) {
return this.shaHashCodeGenerator.generateSha256(sourceData);
- } else if(algorithm.equalsIgnoreCase(SHA_512)){
+ } else if (algorithm.equalsIgnoreCase(SHA_512)) {
return this.shaHashCodeGenerator.generateSha512(sourceData);
}
@@ -170,8 +206,29 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase {
@Override
protected String getVnfReqsNo() {
- return "R787966";
+ return "R130206";
}
}
+
+class ManifestFileSignatureValidator {
+ private static final Logger LOG = LoggerFactory.getLogger(ManifestFileSignatureValidator.class);
+ private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter();
+ private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator();
+
+ boolean isValid(File manifestFile) {
+ try {
+ ManifestFileModel mf = manifestFileSplitter.split(manifestFile);
+ return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS()), Optional.empty(), toBytes(mf.getData()));
+ } catch (CmsSignatureValidatorException e) {
+ LOG.error("Unable to verify signed data!", e);
+ return false;
+ }
+ }
+
+ private byte[] toBytes(List<String> data) {
+ final String updatedData = data.stream().map(it -> it + "\r\n").collect(Collectors.joining());
+ return updatedData.getBytes(Charset.defaultCharset());
+ }
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
index a3ab865..034d35e 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
@@ -37,6 +37,7 @@ import java.util.Optional;
public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class);
+ private final CmsSignatureValidator securityManager = new CmsSignatureValidator();
static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
CSARErrorInvalidSignature() {
@@ -52,16 +53,6 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
}
}
- static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError {
- SignatureWithCertificationOnlyWarning() {
- super("0x3003");
- this.message = "Warning. Zip package probably is valid. " +
- "It contains only signature with certification cms and csar package. " +
- "Unable to verify csar signature.";
- }
- }
-
-
static class BrokenZipPackageError extends CSARArchive.CSARError {
BrokenZipPackageError() {
super("0x3004");
@@ -95,7 +86,7 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) {
verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get());
} else if (pathToCmsFile.isPresent()) {
- this.errors.add(new SignatureWithCertificationOnlyWarning());
+ verifyOneFileCertification(pathToCsarFile.get(), pathToCmsFile.get());
} else {
this.errors.add(new BrokenZipPackageError());
}
@@ -103,13 +94,20 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
}
private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws IOException, CmsSignatureValidatorException {
- final CmsSignatureValidator securityManager = new CmsSignatureValidator();
-
byte[] csarContent = Files.readAllBytes(pathToCsarFile);
byte[] signature = Files.readAllBytes(pathToCmsFile);
byte[] publicCertification = Files.readAllBytes(pathToCertFile);
- if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) {
+ if (!securityManager.verifySignedData(signature, Optional.of(publicCertification) ,csarContent)) {
+ this.errors.add(new CSARErrorInvalidSignature());
+ }
+ }
+
+ private void verifyOneFileCertification(Path pathToCsarFile, Path pathToSignatureAndCmsFile) throws IOException, CmsSignatureValidatorException {
+ byte[] csarContent = Files.readAllBytes(pathToCsarFile);
+ byte[] signature = Files.readAllBytes(pathToSignatureAndCmsFile);
+
+ if(!securityManager.verifySignedData(signature, Optional.empty(), csarContent)){
this.errors.add(new CSARErrorInvalidSignature());
}
}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java
new file mode 100644
index 0000000..f6b42fd
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright 2019 Nokia
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.parser;
+
+import java.util.Collections;
+import java.util.List;
+
+public class ManifestFileModel {
+ private final List<String> data;
+ private final List<String> cms;
+
+ public ManifestFileModel(List<String> data, List<String> cms) {
+ this.data = data;
+ this.cms = cms;
+ }
+
+ public List<String> getData() {
+ return Collections.unmodifiableList(data);
+ }
+
+ public List<String> getCMS() {
+ return Collections.unmodifiableList(cms);
+ }
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java
new file mode 100644
index 0000000..03a628c
--- /dev/null
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java
@@ -0,0 +1,62 @@
+/*
+ * Copyright 2019 Nokia
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.onap.cvc.csar.parser;
+
+
+import java.io.File;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+public class ManifestFileSplitter {
+
+ public ManifestFileModel split(File manifestFile) {
+ String fileName = manifestFile.getAbsolutePath();
+ List<String> data = new ArrayList<>();
+ List<String> cms = new ArrayList<>();
+
+ try (Stream<String> stream = Files.lines(Paths.get(fileName))) {
+ List<String> lines = stream.collect(Collectors.toList());
+ return createManifestFileModel(data, cms, lines);
+
+ } catch (IOException e) {
+ throw new IllegalArgumentException(String.format("Unable to process manifest file! Wrong file path: '%s'", fileName));
+ }
+ }
+
+ private ManifestFileModel createManifestFileModel(List<String> data, List<String> cms, List<String> lines) {
+ boolean isCmsSection = false;
+
+ for (String line : lines) {
+ if (line.contains("BEGIN CMS")) {
+ isCmsSection = true;
+ }
+
+ if (isCmsSection) {
+ cms.add(line);
+ } else {
+ data.add(line);
+ }
+ }
+ return new ManifestFileModel(data, cms);
+ }
+}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
index a168541..b8b3714 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
@@ -18,6 +18,7 @@
package org.onap.cvc.csar.security;
import org.bouncycastle.asn1.cms.ContentInfo;
+import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cms.CMSException;
import org.bouncycastle.cms.CMSProcessableByteArray;
import org.bouncycastle.cms.CMSSignedData;
@@ -27,6 +28,7 @@ import org.bouncycastle.cms.SignerInformation;
import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.util.Store;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -34,23 +36,35 @@ import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
+import java.nio.charset.Charset;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
+import java.util.Optional;
public class CmsSignatureValidator {
private static final Logger LOG = LoggerFactory.getLogger(CmsSignatureValidator.class);
public boolean verifySignedData(
- final byte[] signature,
- final byte[] certificate,
- final byte[] csarFileContent) throws CmsSignatureValidatorException {
-
- try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(signature)) {
- SignerInformation firstSigner = getSignerInformation(csarFileContent, signatureStream);
- X509Certificate cert = loadCertificate(certificate);
+ final byte[] cmsSignature,
+ final Optional<byte[]> certificate,
+ final byte[] fileContent) throws CmsSignatureValidatorException {
+
+ try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) {
+ CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream);
+ Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
+ SignerInformation firstSigner = signers.iterator().next();
+
+ Store certificates = signedData.getCertificates();
+ X509Certificate cert;
+ if (!certificate.isPresent()) {
+ X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSigner, certificates);
+ cert = loadCertificate(firstSignerFirstCertificate.getEncoded());
+ } else {
+ cert = loadCertificate(certificate.get());
+ }
return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
} catch (CMSSignerDigestMismatchException e){
@@ -63,17 +77,22 @@ public class CmsSignatureValidator {
}
}
- private SignerInformation getSignerInformation(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException {
+ private X509CertificateHolder getX509CertificateHolder(SignerInformation firstSigner, Store certificates) throws CmsSignatureValidatorException {
+ Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID());
+ if(!firstSignerCertificates.iterator().hasNext()){
+ throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!");
+ }
+ return firstSignerCertificates.iterator().next();
+ }
+
+ private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException {
ContentInfo signature = produceSignature(signatureStream);
CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR);
- CMSSignedData signedData = new CMSSignedData(signedContent, signature);
-
- Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
- return signers.iterator().next();
+ return new CMSSignedData(signedContent, signature);
}
private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException {
- Object parsedObject = new PEMParser(new InputStreamReader(signatureStream)).readObject();
+ Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject();
if (!(parsedObject instanceof ContentInfo)) {
throw new CmsSignatureValidatorException("Signature is not recognized!");
}