diff options
author | Bogumil Zebek <bogumil.zebek@nokia.com> | 2020-05-15 05:55:27 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2020-05-15 05:55:27 +0000 |
commit | bcaab76906b642de056e4aea97548f0f5bd90e44 (patch) | |
tree | d5aaa5d346f61407abd1ea34298b4116280726c5 /csarvalidation/src/main/java | |
parent | df3db652192248138f5d4c66cd64e8f51c410f89 (diff) | |
parent | 657849e70f70f700cc8470af48351f3ae6b47b6f (diff) |
Merge "Fix VNF/PNF package integrity issue with CMS signature not containing certificate"
Diffstat (limited to 'csarvalidation/src/main/java')
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java | 45 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java | 12 |
2 files changed, 34 insertions, 23 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java index fefe65b..74706c7 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -148,25 +148,32 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { validateNonManoCohesionWithSources(nonMano, sources); final File manifestMfFile = csar.getManifestMfFile(); + final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory); if (manifestMfFile != null) { - validateFileSignature(manifestMfFile); + validateFileSignature(manifestMfFile, absolutePathToEntryCertificate); } } + private String getAbsolutePathToEntryCertificate(CSARArchive csar, Path csarRootDirectory) { + final String entryCertificateFileName = csar.getToscaMeta().getEntryCertificate(); + return String.format("%s/%s", csarRootDirectory.toAbsolutePath(), entryCertificateFileName); + } + + private void validateNonManoCohesionWithSources(final Map<String, Map<String, List<String>>> nonMano, final List<SourcesParser.Source> sources) { final Collection<Map<String, List<String>>> values = nonMano.values(); final List<String> nonManoSourcePaths = values.stream() - .map(Map::values) - .flatMap(Collection::stream) - .flatMap(List::stream) - .filter(it -> !it.isEmpty()) - .collect(Collectors.toList()); + .map(Map::values) + .flatMap(Collection::stream) + .flatMap(List::stream) + .filter(it -> !it.isEmpty()) + .collect(Collectors.toList()); final List<String> sourcePaths = sources.stream() - .map(SourcesParser.Source::getValue) - .collect(Collectors.toList()); + .map(SourcesParser.Source::getValue) + .collect(Collectors.toList()); if (!sourcePaths.containsAll(nonManoSourcePaths)) { this.errors.add(new CSARErrorContentMismatch()); @@ -174,8 +181,8 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } - private void validateFileSignature(File manifestMfFile) { - final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile); + private void validateFileSignature(File manifestMfFile, String absolutePathToEntryCertificate) { + final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile, absolutePathToEntryCertificate); if (!isValid) { this.errors.add(new CSARErrorInvalidSignature()); } @@ -205,7 +212,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { final List<SourcesParser.Source> sources = manifest.getSources(); for (SourcesParser.Source source : sources) { if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) { @@ -215,7 +222,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private void validateSource(Path csarRootDirectory, SourcesParser.Source source) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { final Path sourcePath = csarRootDirectory.resolve(source.getValue()); if (!sourcePath.toFile().exists()) { this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); @@ -229,7 +236,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { String hashCode = generateHashCode(csarRootDirectory, source); if (!hashCode.equals(source.getHash())) { this.errors.add(new CSARErrorWrongHashCode(source.getValue())); @@ -237,7 +244,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); final String algorithm = source.getAlgorithm(); @@ -262,15 +269,19 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter(); private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator(); - boolean isValid(File manifestFile) { + boolean isValid(File manifestFile, String absolutePathToEntryCertificate) { try { + byte[] entryCertificate = Files.readAllBytes(new File(absolutePathToEntryCertificate).toPath()); ManifestFileModel mf = manifestFileSplitter.split(manifestFile); return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS(), mf.getNewLine()), - Optional.empty(), - toBytes(mf.getData(), mf.getNewLine())); + Optional.of(entryCertificate), + toBytes(mf.getData(), mf.getNewLine())); } catch (CmsSignatureValidatorException e) { LOG.error("Unable to verify signed data!", e); return false; + } catch (IOException e) { + LOG.error("Unable to read ETSI entry certificate file!", e); + return false; } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java index b8b3714..47d4bef 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java @@ -57,13 +57,14 @@ public class CmsSignatureValidator { Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); SignerInformation firstSigner = signers.iterator().next(); - Store certificates = signedData.getCertificates(); + Store<X509CertificateHolder> certificates = signedData.getCertificates(); + Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); X509Certificate cert; - if (!certificate.isPresent()) { - X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSigner, certificates); + if (!firstSignerCertificates.isEmpty()) { + X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSignerCertificates); cert = loadCertificate(firstSignerFirstCertificate.getEncoded()); } else { - cert = loadCertificate(certificate.get()); + cert = loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist"))); } return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); @@ -77,8 +78,7 @@ public class CmsSignatureValidator { } } - private X509CertificateHolder getX509CertificateHolder(SignerInformation firstSigner, Store certificates) throws CmsSignatureValidatorException { - Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); + private X509CertificateHolder getX509CertificateHolder(Collection<X509CertificateHolder> firstSignerCertificates) throws CmsSignatureValidatorException { if(!firstSignerCertificates.iterator().hasNext()){ throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!"); } |