8 files changed, 92 insertions, 54 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java index fefe65b..74706c7 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -148,25 +148,32 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { validateNonManoCohesionWithSources(nonMano, sources); final File manifestMfFile = csar.getManifestMfFile(); + final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory); if (manifestMfFile != null) { - validateFileSignature(manifestMfFile); + validateFileSignature(manifestMfFile, absolutePathToEntryCertificate); } } + private String getAbsolutePathToEntryCertificate(CSARArchive csar, Path csarRootDirectory) { + final String entryCertificateFileName = csar.getToscaMeta().getEntryCertificate(); + return String.format("%s/%s", csarRootDirectory.toAbsolutePath(), entryCertificateFileName); + } + + private void validateNonManoCohesionWithSources(final Map<String, Map<String, List<String>>> nonMano, final List<SourcesParser.Source> sources) { final Collection<Map<String, List<String>>> values = nonMano.values(); final List<String> nonManoSourcePaths = values.stream() - .map(Map::values) - .flatMap(Collection::stream) - .flatMap(List::stream) - .filter(it -> !it.isEmpty()) - .collect(Collectors.toList()); + .map(Map::values) + .flatMap(Collection::stream) + .flatMap(List::stream) + .filter(it -> !it.isEmpty()) + .collect(Collectors.toList()); final List<String> sourcePaths = sources.stream() - .map(SourcesParser.Source::getValue) - .collect(Collectors.toList()); + .map(SourcesParser.Source::getValue) + .collect(Collectors.toList()); if (!sourcePaths.containsAll(nonManoSourcePaths)) { this.errors.add(new CSARErrorContentMismatch()); 
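Review bot: `getAbsolutePathToEntryCertificate` joins the entry-certificate name, which comes from the package's own TOSCA metadata, onto the root with `String.format("%s/%s", ...)`, so a value containing `..` segments is later opened outside the extracted CSAR directory. Resolving and confining the path would close that: `final Path certPath = csarRootDirectory.resolve(entryCertificateFileName).normalize();` followed by `if (!certPath.startsWith(csarRootDirectory.normalize())) { /* report an error instead of reading */ }`. If `getEntryCertificate()` can return null when the entry is absent (not visible here), the format call yields a path ending in `/null`, which deserves an explicit check. The lookup also runs before the `manifestMfFile != null` test, so it could move inside that branch. The calling method starts outside the hunk.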
@@ -174,8 +181,8 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } - private void validateFileSignature(File manifestMfFile) { - final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile); + private void validateFileSignature(File manifestMfFile, String absolutePathToEntryCertificate) { + final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile, absolutePathToEntryCertificate); if (!isValid) { this.errors.add(new CSARErrorInvalidSignature()); } @@ -205,7 +212,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { final List<SourcesParser.Source> sources = manifest.getSources(); for (SourcesParser.Source source : sources) { if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) { @@ -215,7 +222,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private void validateSource(Path csarRootDirectory, SourcesParser.Source source) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { final Path sourcePath = csarRootDirectory.resolve(source.getValue()); if (!sourcePath.toFile().exists()) { this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); @@ -229,7 +236,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { String hashCode = generateHashCode(csarRootDirectory, source); if (!hashCode.equals(source.getHash())) { this.errors.add(new CSARErrorWrongHashCode(source.getValue())); 
@@ -237,7 +244,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source) - throws NoSuchAlgorithmException, IOException { + throws NoSuchAlgorithmException, IOException { final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); final String algorithm = source.getAlgorithm(); @@ -262,15 +269,19 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter(); private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator(); - boolean isValid(File manifestFile) { + boolean isValid(File manifestFile, String absolutePathToEntryCertificate) { try { + byte[] entryCertificate = Files.readAllBytes(new File(absolutePathToEntryCertificate).toPath()); ManifestFileModel mf = manifestFileSplitter.split(manifestFile); return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS(), mf.getNewLine()), - Optional.empty(), - toBytes(mf.getData(), mf.getNewLine())); + Optional.of(entryCertificate), + toBytes(mf.getData(), mf.getNewLine())); } catch (CmsSignatureValidatorException e) { LOG.error("Unable to verify signed data!", e); return false; + } catch (IOException e) { + LOG.error("Unable to read ETSI entry certificate file!", e); + return false; } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082.java index 1061480..60bdd47 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082.java 
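Review bot: `isValid` reads the entry certificate before the manifest is split, so a missing or unreadable file returns `false` through the new `IOException` branch even when the CMS block carries its own signer certificate, which the `CmsSignatureValidator` change in this commit prefers. Building the optional only when the file exists keeps that case working: `Optional<byte[]> entryCertificate = certPath.toFile().isFile() ? Optional.of(Files.readAllBytes(certPath)) : Optional.empty();`. `Files.readAllBytes` also loads a package-supplied file of any size into memory, so a size check before the read would bound it. The enclosing nested class starts outside the hunk.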
@@ -23,13 +23,15 @@ import java.io.IOException; import java.io.InputStream; import java.nio.file.Files; import java.util.ArrayList; -import java.util.Arrays; import java.util.LinkedHashSet; import java.util.List; import java.util.Map; import java.util.Objects; import java.util.Optional; import java.util.Set; +import java.util.stream.Collectors; +import java.util.stream.Stream; + import lombok.AccessLevel; import lombok.AllArgsConstructor; import lombok.EqualsAndHashCode; @@ -115,13 +117,12 @@ public class VTPValidateCSARR972082 extends VTPValidateCSARBase { private static class ValidateNonManoSection { + private static final String ATTRIBUTE_NAME = "onap_pnf_sw_information"; + private final CSARArchive csar; private final String fileName; private final Map<String, Map<String, List<String>>> nonMano; private final List<CSARError> errors = new ArrayList<>(); - private final List<String> attributeNames = Arrays.asList( - "onap_pnf_sw_information" - ); private ValidateNonManoSection(final CSARArchive csar, final String fileName, final Map<String, Map<String, List<String>>> nonMano) { 
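Review bot: The added `import java.util.stream.Stream;` does not appear to be used; the new code in this file's hunks calls `.stream()` and `Collectors.toList()` but never names the `Stream` type. Unless a use exists outside the visible hunks, drop the import so static analysis stays clean.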
@@ -141,28 +142,20 @@ public class VTPValidateCSARR972082 extends VTPValidateCSARBase { } private List<CSARError> validate() { - if (nonMano.keySet().stream().filter(Objects::nonNull).count() > 0) { - nonMano.keySet().stream().filter(Objects::nonNull).forEach(this::validateAttribute); + List<String> attributesNotNull = nonMano.keySet().stream() + .filter(Objects::nonNull) + .collect(Collectors.toList()); + if (!attributesNotNull.isEmpty()) { + attributesNotNull.forEach(this::validateAttribute); } else { - errors.add(new PnfCSARErrorEntryMissing( - attributeNames.toString(), - fileName, - UNKNOWN_LINE_NUMBER) - ); + errors.add(new PnfCSARErrorEntryMissing(ATTRIBUTE_NAME, fileName, UNKNOWN_LINE_NUMBER)); } return errors; } private void validateAttribute(final String nonManoAttributes) { - - if (!attributeNames.contains(nonManoAttributes)) { - errors.add(new PnfCSARErrorEntryMissing( - nonManoAttributes, - fileName, - UNKNOWN_LINE_NUMBER) - ); - } else { + if (ATTRIBUTE_NAME.equals(nonManoAttributes)) { validateSourceElementsUnderAttribute(nonManoAttributes); } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java index b8b3714..47d4bef 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java 
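Review bot: `validateAttribute` now silently skips every key other than `onap_pnf_sw_information`, so a non-MANO section whose keys are all unrecognised (a misspelt set name, for instance) yields no error and no source validation, while an empty key set still reports `PnfCSARErrorEntryMissing`. Those two outcomes look inconsistent for an entry the renamed test describes as optional. Either remove the `else` branch in `validate()` or state the intent next to the check, e.g. `// other non-MANO artifact sets are outside this rule and are ignored on purpose`. The enclosing class starts outside the hunk.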
@@ -57,13 +57,14 @@ public class CmsSignatureValidator { Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); SignerInformation firstSigner = signers.iterator().next(); - Store certificates = signedData.getCertificates(); + Store<X509CertificateHolder> certificates = signedData.getCertificates(); + Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); X509Certificate cert; - if (!certificate.isPresent()) { - X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSigner, certificates); + if (!firstSignerCertificates.isEmpty()) { + X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSignerCertificates); cert = loadCertificate(firstSignerFirstCertificate.getEncoded()); } else { - cert = loadCertificate(certificate.get()); + cert = loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist"))); } return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); @@ -77,8 +78,7 @@ public class CmsSignatureValidator { } } - private X509CertificateHolder getX509CertificateHolder(SignerInformation firstSigner, Store certificates) throws CmsSignatureValidatorException { - Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); + private X509CertificateHolder getX509CertificateHolder(Collection<X509CertificateHolder> firstSignerCertificates) throws CmsSignatureValidatorException { if(!firstSignerCertificates.iterator().hasNext()){ throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!"); } 
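Review bot: The certificate passed to `firstSigner.verify(...)` comes from the CMS block when it carries one and from the entry certificate otherwise; both are supplied by the package under validation, and nothing in this hunk checks the chosen certificate against a trust anchor. Unless chain validation happens elsewhere, a `true` result only shows that the manifest matches the key shipped alongside it, which is worth stating in the method's Javadoc. The entry certificate is also ignored rather than compared when the CMS has its own; if the two must agree, add `if (certificate.isPresent() && !loadCertificate(certificate.get()).equals(cert)) throw new CmsSignatureValidatorException("<message>");` after `cert` is loaded. The method starts outside the hunk.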
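Review bot: The `hasNext()` guard in `getX509CertificateHolder` is now unreachable from the caller shown in this commit, which only invokes it inside `if (!firstSignerCertificates.isEmpty())`. Either inline `firstSignerCertificates.iterator().next()` at the call site and delete the helper, or keep the helper and document that the guard is defensive, e.g. `// defensive: callers are expected to pass a non-empty collection`. The method body continues outside the hunk.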
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java index 036e169..feabe7f 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java @@ -63,6 +63,25 @@ public class VTPValidateCSARR130206IntegrationTest { } @Test + @Ignore("It is impossible to write test which will always pass, because certificate used to sign the file has time validity." + + "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + + "Use instructions for option 1. Test was created for manual verification." + ) + public void manual_shouldValidateCsarWithCertificateInEtsiAndMissingInCMS() throws Exception { + + // given + configureTestCase(testCase, "pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List<CSARArchive.CSARError> errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(0); + } + + + @Test public void shouldReportThatOnlySignatureIsInvalid() throws Exception { // given @@ -122,5 +141,23 @@ public class VTPValidateCSARR130206IntegrationTest { } + @Test + public void shouldReportThanInVnfPackageETSIFileIsMissingAndNoCertificateInCMS() throws Exception { + + // given + configureTestCase(testCase, "pnf/r130206/csar-with-no-certificate.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + + // when + testCase.execute(); + + // then + List<CSARArchive.CSARError> errors = testCase.getErrors(); + assertThat(convertToMessagesList(errors)).contains( + "Unable to find cert file defined by ETSI-Entry-Certificate!", + "Unable to find CMS section in manifest!" + + ); + } + } 
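Review bot: The only test that exercises the new fallback to the entry certificate, `manual_shouldValidateCsarWithCertificateInEtsiAndMissingInCMS`, is `@Ignore`d, so the branch that decides which certificate is used for verification has no automated coverage. Generating a short-lived key pair and signing the manifest during test setup would sidestep the certificate-expiry problem the annotation describes. The `@Ignore` text also joins `"...time validity." + "To verify..."` without a space and repeats "please". In the second hunk, `shouldReportThanInVnfPackageETSIFileIsMissingAndNoCertificateInCMS` is named for a VNF package but is configured with a `pnf/` archive and `IS_PNF`.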
diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082IntegrationTest.java index 48b2d6e..66937d4 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR972082IntegrationTest.java @@ -61,28 +61,25 @@ public class VTPValidateCSARR972082IntegrationTest { } @Test - public void shouldReportThatEntryHasInvalidPathWhenYamlFileIsNotPresent() throws Exception { + public void shouldReturnNoErrorWhenOptionalNonManoArtifactSetEntryIsNotPresent() throws Exception { // given - configureTestCase(testCase, PNF_R_972082 + "missingYamlFileReferedInSourceSessionOfManifest.csar", - VTP_VALIDATE_CSAR_R_972082_YAML, - IS_PNF); + configureTestCase(testCase, PNF_R_972082 + "missingOnapPnfSwInformationArtifactSetEntry.csar", + VTP_VALIDATE_CSAR_R_972082_YAML, IS_PNF); // when testCase.execute(); // then final List<CSARError> errors = testCase.getErrors(); - assertThat(errors.size()).isEqualTo(1); - assertThat(convertToMessagesList(errors)).contains( - "Invalid. Entry [Source under onap_pnf_sw_information has invalid 'Files/pnf-sw-information/pnf-sw-information.yaml' path]" - ); + assertThat(errors.size()).isEqualTo(0); } @Test - public void shouldReportThatMandatoryNonManoArtifactSetEntryHasNotAllFields_() throws Exception { + public void shouldReportThatEntryHasInvalidPathWhenYamlFileIsNotPresent() throws Exception { // given - configureTestCase(testCase, PNF_R_972082 + "missingFieldsInNonManoArtifactManifest.csar", - VTP_VALIDATE_CSAR_R_972082_YAML, IS_PNF); + configureTestCase(testCase, PNF_R_972082 + "missingYamlFileReferedInSourceSessionOfManifest.csar", + VTP_VALIDATE_CSAR_R_972082_YAML, + IS_PNF); // when testCase.execute(); 
@@ -91,7 +88,7 @@ public class VTPValidateCSARR972082IntegrationTest { final List<CSARError> errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(1); assertThat(convertToMessagesList(errors)).contains( - "Missing. Entry [[onap_pnf_sw_information]]" + "Invalid. Entry [Source under onap_pnf_sw_information has invalid 'Files/pnf-sw-information/pnf-sw-information.yaml' path]" ); } diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar Binary files differnew file mode 100644 index 0000000..d359994 --- /dev/null +++ b/csarvalidation/src/test/resources/pnf/r130206/csar-with-etsi-cert-without-cert-in-cms.csar diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar Binary files differnew file mode 100644 index 0000000..624f8fe --- /dev/null +++ b/csarvalidation/src/test/resources/pnf/r130206/csar-with-no-certificate.csar diff --git a/csarvalidation/src/test/resources/pnf/r972082/missingOnapPnfSwInformationArtifactSetEntry.csar b/csarvalidation/src/test/resources/pnf/r972082/missingOnapPnfSwInformationArtifactSetEntry.csar Binary files differnew file mode 100644 index 0000000..518aaa8 --- /dev/null +++ b/csarvalidation/src/test/resources/pnf/r972082/missingOnapPnfSwInformationArtifactSetEntry.csar |