diff options
Diffstat (limited to 'csarvalidation/src/main/java/org/onap/cvc/csar/cc')
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java (renamed from csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java) | 117 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java | 26 |
2 files changed, 99 insertions, 44 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java index 7a14709..2d85e35 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -23,33 +23,40 @@ import org.onap.cli.fw.schema.OnapCommandSchema; import org.onap.cvc.csar.CSARArchive; import org.onap.cvc.csar.FileArchive; import org.onap.cvc.csar.cc.VTPValidateCSARBase; +import org.onap.cvc.csar.parser.ManifestFileModel; +import org.onap.cvc.csar.parser.ManifestFileSplitter; import org.onap.cvc.csar.parser.SourcesParser; +import org.onap.cvc.csar.security.CmsSignatureValidator; +import org.onap.cvc.csar.security.CmsSignatureValidatorException; import org.onap.cvc.csar.security.ShaHashCodeGenerator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.File; import java.io.IOException; +import java.nio.charset.Charset; import java.nio.file.Files; import java.nio.file.Path; import java.security.NoSuchAlgorithmException; import java.util.List; import java.util.Optional; +import java.util.stream.Collectors; -@OnapCommandSchema(schema = "vtp-validate-csar-r787966.yaml") -public class VTPValidateCSARR787966 extends VTPValidateCSARBase { +@OnapCommandSchema(schema = "vtp-validate-csar-r130206.yaml") +public class VTPValidateCSARR130206 extends VTPValidateCSARBase { - private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787966.class); + private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class); private static final String SHA_256 = "SHA-256"; private static final String SHA_512 = "SHA-512"; private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); + private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator(); public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError { - CSARErrorUnableToFindCertificate() { + CSARErrorUnableToFindCertificate(String paramName) { super("0x4001"); - this.message = "Unable to find cert file defined by Entry-Certificate!"; + this.message = String.format("Unable to find cert file defined by %s!", paramName); } } @@ -84,7 +91,14 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError { CSARErrorUnableToFindSource(String path) { super("0x4006"); - this.message = String.format("Source '%s' does not exist!", path); + this.message = String.format("Unable to calculate digest - file missing: %s", path); + } + } + + public static class CSARErrorInvalidSignature extends CSARArchive.CSARError { + CSARErrorInvalidSignature() { + super("0x4007"); + this.message = "File has invalid CMS signature!"; } } @@ -94,38 +108,54 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { try { FileArchive.Workspace workspace = csar.getWorkspace(); final Optional<Path> pathToCsarFolder = workspace.getPathToCsarFolder(); - if(pathToCsarFolder.isPresent()) { + if (pathToCsarFolder.isPresent()) { validate(csar, pathToCsarFolder.get()); } else { this.errors.add(new CSARErrorUnableToFindCsarContent()); } } catch (Exception e) { - LOG.error("Internal VTPValidateCSARR787966 command error", e); + LOG.error("Internal VTPValidateCSARR130206 command error", e); throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs."); } } - private void validate(CSARArchive csar, Path csarRootDirectory ) throws IOException, NoSuchAlgorithmException { - + private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException { final CSARArchive.Manifest manifest = csar.getManifest(); - final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); - validateSecurityStructure(toscaMeta, csarRootDirectory, manifest); + + validateSecurityStructure(csar, csarRootDirectory); validateSources(csarRootDirectory, manifest); + + final File manifestMfFile = csar.getManifestMfFile(); + if (manifestMfFile != null) { + validateFileSignature(manifestMfFile); + } } - private void validateSecurityStructure(CSARArchive.TOSCAMeta toscaMeta , Path csarRootDirectory, CSARArchive.Manifest manifest) { + private void validateFileSignature(File manifestMfFile) { + final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile); + if (!isValid) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) { + final CSARArchive.Manifest manifest = csar.getManifest(); + final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); + final String entryCertificateParamName = csar.getEntryCertificateParamName(); final Optional<File> entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); - if (!entryCertificate.isPresent() || !entryCertificate.get().exists() && !manifest.getCms().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindCertificate()); - } else if (entryCertificate.get().exists() && manifest.getCms().isEmpty()) { + if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) { + this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName)); + } + + if (manifest.getCms() == null || manifest.getCms().isEmpty()) { this.errors.add(new CSARErrorUnableToFindCmsSection()); } } private Optional<File> resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) { final String certificatePath = toscaMeta.getEntryCertificate(); - if(certificatePath == null){ + if (certificatePath == null) { return Optional.empty(); } else { return Optional.of(csarRootDirectory.resolve(certificatePath).toFile()); @@ -134,16 +164,22 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException { final List<SourcesParser.Source> sources = manifest.getSources(); - for (SourcesParser.Source source: sources){ - final Path sourcePath = csarRootDirectory.resolve(source.getValue()); - if(!Files.exists(sourcePath)){ - this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); - } else { - if (!source.getAlgorithm().isEmpty()) { - validateSourceHashCode(csarRootDirectory, source); - } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); - } + for (SourcesParser.Source source : sources) { + if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) { + validateSource(csarRootDirectory, source); + } + } + } + + private void validateSource(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + final Path sourcePath = csarRootDirectory.resolve(source.getValue()); + if (!sourcePath.toFile().exists()) { + this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); + } else { + if (!source.getAlgorithm().isEmpty()) { + validateSourceHashCode(csarRootDirectory, source); + } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { + this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); } } } @@ -159,9 +195,9 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); final String algorithm = source.getAlgorithm(); - if(algorithm.equalsIgnoreCase(SHA_256)) { + if (algorithm.equalsIgnoreCase(SHA_256)) { return this.shaHashCodeGenerator.generateSha256(sourceData); - } else if(algorithm.equalsIgnoreCase(SHA_512)){ + } else if (algorithm.equalsIgnoreCase(SHA_512)) { return this.shaHashCodeGenerator.generateSha512(sourceData); } @@ -170,8 +206,29 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { @Override protected String getVnfReqsNo() { - return "R787966"; + return "R130206"; } } + +class ManifestFileSignatureValidator { + private static final Logger LOG = LoggerFactory.getLogger(ManifestFileSignatureValidator.class); + private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter(); + private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator(); + + boolean isValid(File manifestFile) { + try { + ManifestFileModel mf = manifestFileSplitter.split(manifestFile); + return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS()), Optional.empty(), toBytes(mf.getData())); + } catch (CmsSignatureValidatorException e) { + LOG.error("Unable to verify signed data!", e); + return false; + } + } + + private byte[] toBytes(List<String> data) { + final String updatedData = data.stream().map(it -> it + "\r\n").collect(Collectors.joining()); + return updatedData.getBytes(Charset.defaultCharset()); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java index a3ab865..034d35e 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java @@ -37,6 +37,7 @@ import java.util.Optional; public class VTPValidateCSARR787965 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class); + private final CmsSignatureValidator securityManager = new CmsSignatureValidator(); static class CSARErrorInvalidSignature extends CSARArchive.CSARError { CSARErrorInvalidSignature() { @@ -52,16 +53,6 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } } - static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError { - SignatureWithCertificationOnlyWarning() { - super("0x3003"); - this.message = "Warning. Zip package probably is valid. " + - "It contains only signature with certification cms and csar package. " + - "Unable to verify csar signature."; - } - } - - static class BrokenZipPackageError extends CSARArchive.CSARError { BrokenZipPackageError() { super("0x3004"); @@ -95,7 +86,7 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get()); } else if (pathToCmsFile.isPresent()) { - this.errors.add(new SignatureWithCertificationOnlyWarning()); + verifyOneFileCertification(pathToCsarFile.get(), pathToCmsFile.get()); } else { this.errors.add(new BrokenZipPackageError()); } @@ -103,13 +94,20 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws IOException, CmsSignatureValidatorException { - final CmsSignatureValidator securityManager = new CmsSignatureValidator(); - byte[] csarContent = Files.readAllBytes(pathToCsarFile); byte[] signature = Files.readAllBytes(pathToCmsFile); byte[] publicCertification = Files.readAllBytes(pathToCertFile); - if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { + if (!securityManager.verifySignedData(signature, Optional.of(publicCertification) ,csarContent)) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void verifyOneFileCertification(Path pathToCsarFile, Path pathToSignatureAndCmsFile) throws IOException, CmsSignatureValidatorException { + byte[] csarContent = Files.readAllBytes(pathToCsarFile); + byte[] signature = Files.readAllBytes(pathToSignatureAndCmsFile); + + if(!securityManager.verifySignedData(signature, Optional.empty(), csarContent)){ this.errors.add(new CSARErrorInvalidSignature()); } } |