diff options
Diffstat (limited to 'csarvalidation/src/main/java/org/onap/cvc/csar/security')
6 files changed, 235 insertions, 63 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CertificateLoadingException.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CertificateLoadingException.java new file mode 100644 index 0000000..2be5be2 --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CertificateLoadingException.java @@ -0,0 +1,25 @@ +/* + * Copyright 2020 Nokia + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.security; + +public class CertificateLoadingException extends RuntimeException { + + public CertificateLoadingException(String s, Throwable t) { + super(s, t); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureData.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureData.java new file mode 100644 index 0000000..456f365 --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureData.java @@ -0,0 +1,75 @@ +/* + * Copyright 2020 Nokia + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.security; + +import org.bouncycastle.cms.SignerInformation; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.X509Certificate; +import java.util.Optional; + +public class CmsSignatureData { + + private X509Certificate certificate; + private final SignerInformation signerInformation; + + public CmsSignatureData(X509Certificate certificate, SignerInformation signerInformation) { + this.certificate = certificate; + this.signerInformation = signerInformation; + } + + public CmsSignatureData(SignerInformation signerInformation) { + this.signerInformation = signerInformation; + } + + public Optional<X509Certificate> getCertificate() { + return Optional.ofNullable(certificate); + } + + public SignerInformation getSignerInformation() { + return signerInformation; + } + + public void loadCertificate(Path pathToCertificate) throws CertificateLoadingException { + try { + loadCertificate(Files.readAllBytes(pathToCertificate)); + } catch (IOException e) { + final String errorMessage = String.format( + "Error during loading Certificate from given path: %s !" + ,pathToCertificate + ); + throw new CertificateLoadingException(errorMessage, e); + } + } + + public void loadCertificate(final byte[] certificate) throws CertificateLoadingException { + try (InputStream in = new ByteArrayInputStream(certificate)) { + CertificateFactory factory = CertificateFactory.getInstance("X.509"); + this.certificate = (X509Certificate) factory.generateCertificate(in); + } catch (IOException | CertificateException e) { + throw new CertificateLoadingException("Error during loading Certificate from bytes!", e); + } + } + +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureDataFactory.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureDataFactory.java new file mode 100644 index 0000000..2744bc6 --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureDataFactory.java @@ -0,0 +1,91 @@ +/* + * Copyright 2020 Nokia + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.security; + +import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.cert.X509CertificateHolder; +import org.bouncycastle.cms.CMSException; +import org.bouncycastle.cms.CMSProcessableByteArray; +import org.bouncycastle.cms.CMSSignedData; +import org.bouncycastle.cms.CMSTypedData; +import org.bouncycastle.cms.SignerInformation; +import org.bouncycastle.openssl.PEMParser; +import org.bouncycastle.util.Store; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStreamReader; +import java.nio.charset.Charset; +import java.util.Collection; +import java.util.Optional; + +public class CmsSignatureDataFactory { + + public CmsSignatureData createForFirstSigner(final byte[] cmsSignature, final byte[] fileContent) + throws CmsSignatureLoadingException{ + + try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) { + CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream); + Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); + Store<X509CertificateHolder> certificates = signedData.getCertificates(); + SignerInformation firstSigner = getFirstSigner(signers); + CmsSignatureData signatureData = new CmsSignatureData(firstSigner); + getFirstSignerCertificate(certificates, firstSigner).ifPresent( + signatureData::loadCertificate + ); + return signatureData; + } catch (CertificateLoadingException | IOException | CMSException e) { + throw new CmsSignatureLoadingException("Unexpected error occurred during signature validation!", e); + } + } + + private SignerInformation getFirstSigner(Collection<SignerInformation> signers) { + return signers.iterator().next(); + } + + private Optional<byte[]> getFirstSignerCertificate( + Store<X509CertificateHolder> certificates, + SignerInformation firstSigner) + throws IOException { + Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); + Optional<byte[]> cert; + if (!firstSignerCertificates.isEmpty()) { + X509CertificateHolder firstSignerFirstCertificate = firstSignerCertificates.iterator().next(); + cert = Optional.of(firstSignerFirstCertificate.getEncoded()); + } else { + cert = Optional.empty(); + } + return cert; + } + + + private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureLoadingException, CMSException { + ContentInfo signature = produceSignature(signatureStream); + CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR); + return new CMSSignedData(signedContent, signature); + } + + private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureLoadingException { + Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject(); + if (!(parsedObject instanceof ContentInfo)) { + throw new CmsSignatureLoadingException("Signature is not recognized!"); + } + return ContentInfo.getInstance(parsedObject); + } + +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureLoadingException.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureLoadingException.java new file mode 100644 index 0000000..0e203b2 --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureLoadingException.java @@ -0,0 +1,29 @@ +/* + * Copyright 2020 Nokia + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.security; + +public class CmsSignatureLoadingException extends Exception { + + public CmsSignatureLoadingException(String s) { + super(s); + } + + public CmsSignatureLoadingException(String s, Throwable t) { + super(s, t); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java index 47d4bef..5d7b879 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java @@ -17,30 +17,14 @@ package org.onap.cvc.csar.security; -import org.bouncycastle.asn1.cms.ContentInfo; -import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSException; -import org.bouncycastle.cms.CMSProcessableByteArray; -import org.bouncycastle.cms.CMSSignedData; import org.bouncycastle.cms.CMSSignerDigestMismatchException; -import org.bouncycastle.cms.CMSTypedData; -import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; -import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.operator.OperatorCreationException; -import org.bouncycastle.util.Store; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.ByteArrayInputStream; -import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.nio.charset.Charset; -import java.security.cert.CertificateException; -import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; -import java.util.Collection; import java.util.Optional; public class CmsSignatureValidator { @@ -52,63 +36,30 @@ public class CmsSignatureValidator { final Optional<byte[]> certificate, final byte[] fileContent) throws CmsSignatureValidatorException { - try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) { - CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream); - Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); - SignerInformation firstSigner = signers.iterator().next(); - - Store<X509CertificateHolder> certificates = signedData.getCertificates(); - Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); - X509Certificate cert; - if (!firstSignerCertificates.isEmpty()) { - X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSignerCertificates); - cert = loadCertificate(firstSignerFirstCertificate.getEncoded()); - } else { - cert = loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist"))); + try { + CmsSignatureData signatureData = new CmsSignatureDataFactory().createForFirstSigner(cmsSignature, fileContent); + if( signatureData.getCertificate().isEmpty() ) { + signatureData.loadCertificate(certificate.orElseThrow(() -> new CmsSignatureValidatorException("No certificate found in cms signature and ETSI-Entry-Certificate doesn't exist"))); } + return verifySignedData(signatureData); + } catch ( CmsSignatureLoadingException e) { + throw new CmsSignatureValidatorException("Unexpected error occurred during signature validation!", e); + } + } - return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); + public boolean verifySignedData(final CmsSignatureData signatureData) throws CmsSignatureValidatorException { + try { + X509Certificate certificate = signatureData.getCertificate().orElseThrow(() -> new CMSException("No certificate found in signature data!")); + return signatureData.getSignerInformation().verify(new JcaSimpleSignerInfoVerifierBuilder().build(certificate)); } catch (CMSSignerDigestMismatchException e){ //message-digest attribute value does not match calculated value LOG.warn("CMS signer digest mismatch.", e); return false; } - catch (OperatorCreationException | IOException | CMSException e) { + catch (OperatorCreationException | CMSException e) { throw new CmsSignatureValidatorException("Unexpected error occurred during signature validation!", e); } } - private X509CertificateHolder getX509CertificateHolder(Collection<X509CertificateHolder> firstSignerCertificates) throws CmsSignatureValidatorException { - if(!firstSignerCertificates.iterator().hasNext()){ - throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!"); - } - return firstSignerCertificates.iterator().next(); - } - - private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException { - ContentInfo signature = produceSignature(signatureStream); - CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR); - return new CMSSignedData(signedContent, signature); - } - - private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException { - Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject(); - if (!(parsedObject instanceof ContentInfo)) { - throw new CmsSignatureValidatorException("Signature is not recognized!"); - } - return ContentInfo.getInstance(parsedObject); - } - - - private X509Certificate loadCertificate(byte[] certFile) throws CmsSignatureValidatorException { - try (InputStream in = new ByteArrayInputStream(certFile)) { - CertificateFactory factory = CertificateFactory.getInstance("X.509"); - return (X509Certificate) factory.generateCertificate(in); - } catch (CertificateException | IOException e) { - throw new CmsSignatureValidatorException("Error during loading Certificate from bytes!", e); - } - } - - } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java index 75cd8de..1f708fd 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidatorException.java @@ -25,4 +25,5 @@ public class CmsSignatureValidatorException extends Exception { public CmsSignatureValidatorException(String s, Throwable t) { super(s, t); } + } |