summaryrefslogtreecommitdiffstats
path: root/csarvalidation/src/main
diff options
context:
space:
mode:
authorBogumil Zebek <bogumil.zebek@nokia.com>2020-05-15 05:55:27 +0000
committerGerrit Code Review <gerrit@onap.org>2020-05-15 05:55:27 +0000
commitbcaab76906b642de056e4aea97548f0f5bd90e44 (patch)
treed5aaa5d346f61407abd1ea34298b4116280726c5 /csarvalidation/src/main
parentdf3db652192248138f5d4c66cd64e8f51c410f89 (diff)
parent657849e70f70f700cc8470af48351f3ae6b47b6f (diff)
Merge "Fix VNF/PNF package integrity issue with CMS signature not containing certificate"
Diffstat (limited to 'csarvalidation/src/main')
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java45
-rw-r--r--csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java12
2 files changed, 34 insertions, 23 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
index fefe65b..74706c7 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
@@ -148,25 +148,32 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
validateNonManoCohesionWithSources(nonMano, sources);
final File manifestMfFile = csar.getManifestMfFile();
+ final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory);
if (manifestMfFile != null) {
- validateFileSignature(manifestMfFile);
+ validateFileSignature(manifestMfFile, absolutePathToEntryCertificate);
}
}
+ private String getAbsolutePathToEntryCertificate(CSARArchive csar, Path csarRootDirectory) {
+ final String entryCertificateFileName = csar.getToscaMeta().getEntryCertificate();
+ return String.format("%s/%s", csarRootDirectory.toAbsolutePath(), entryCertificateFileName);
+ }
+
+
private void validateNonManoCohesionWithSources(final Map<String, Map<String, List<String>>> nonMano,
final List<SourcesParser.Source> sources) {
final Collection<Map<String, List<String>>> values = nonMano.values();
final List<String> nonManoSourcePaths = values.stream()
- .map(Map::values)
- .flatMap(Collection::stream)
- .flatMap(List::stream)
- .filter(it -> !it.isEmpty())
- .collect(Collectors.toList());
+ .map(Map::values)
+ .flatMap(Collection::stream)
+ .flatMap(List::stream)
+ .filter(it -> !it.isEmpty())
+ .collect(Collectors.toList());
final List<String> sourcePaths = sources.stream()
- .map(SourcesParser.Source::getValue)
- .collect(Collectors.toList());
+ .map(SourcesParser.Source::getValue)
+ .collect(Collectors.toList());
if (!sourcePaths.containsAll(nonManoSourcePaths)) {
this.errors.add(new CSARErrorContentMismatch());
@@ -174,8 +181,8 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
}
- private void validateFileSignature(File manifestMfFile) {
- final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile);
+ private void validateFileSignature(File manifestMfFile, String absolutePathToEntryCertificate) {
+ final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile, absolutePathToEntryCertificate);
if (!isValid) {
this.errors.add(new CSARErrorInvalidSignature());
}
@@ -205,7 +212,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
}
private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
final List<SourcesParser.Source> sources = manifest.getSources();
for (SourcesParser.Source source : sources) {
if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) {
@@ -215,7 +222,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
}
private void validateSource(Path csarRootDirectory, SourcesParser.Source source)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
final Path sourcePath = csarRootDirectory.resolve(source.getValue());
if (!sourcePath.toFile().exists()) {
this.errors.add(new CSARErrorUnableToFindSource(source.getValue()));
@@ -229,7 +236,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
}
private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
String hashCode = generateHashCode(csarRootDirectory, source);
if (!hashCode.equals(source.getHash())) {
this.errors.add(new CSARErrorWrongHashCode(source.getValue()));
@@ -237,7 +244,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
}
private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue()));
final String algorithm = source.getAlgorithm();
@@ -262,15 +269,19 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter();
private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator();
- boolean isValid(File manifestFile) {
+ boolean isValid(File manifestFile, String absolutePathToEntryCertificate) {
try {
+ byte[] entryCertificate = Files.readAllBytes(new File(absolutePathToEntryCertificate).toPath());
ManifestFileModel mf = manifestFileSplitter.split(manifestFile);
return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS(), mf.getNewLine()),
- Optional.empty(),
- toBytes(mf.getData(), mf.getNewLine()));
+ Optional.of(entryCertificate),
+ toBytes(mf.getData(), mf.getNewLine()));
} catch (CmsSignatureValidatorException e) {
LOG.error("Unable to verify signed data!", e);
return false;
+ } catch (IOException e) {
+ LOG.error("Unable to read ETSI entry certificate file!", e);
+ return false;
}
}
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
index b8b3714..47d4bef 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java
@@ -57,13 +57,14 @@ public class CmsSignatureValidator {
Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners();
SignerInformation firstSigner = signers.iterator().next();
- Store certificates = signedData.getCertificates();
+ Store<X509CertificateHolder> certificates = signedData.getCertificates();
+ Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID());
X509Certificate cert;
- if (!certificate.isPresent()) {
- X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSigner, certificates);
+ if (!firstSignerCertificates.isEmpty()) {
+ X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSignerCertificates);
cert = loadCertificate(firstSignerFirstCertificate.getEncoded());
} else {
- cert = loadCertificate(certificate.get());
+ cert = loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist")));
}
return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert));
@@ -77,8 +78,7 @@ public class CmsSignatureValidator {
}
}
- private X509CertificateHolder getX509CertificateHolder(SignerInformation firstSigner, Store certificates) throws CmsSignatureValidatorException {
- Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID());
+ private X509CertificateHolder getX509CertificateHolder(Collection<X509CertificateHolder> firstSignerCertificates) throws CmsSignatureValidatorException {
if(!firstSignerCertificates.iterator().hasNext()){
throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!");
}