diff options
Diffstat (limited to 'csarvalidation/src/main/java')
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java | 6 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java | 5 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java (renamed from csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java) | 117 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java | 26 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java | 39 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java | 62 | ||||
-rw-r--r-- | csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java | 45 |
7 files changed, 242 insertions, 58 deletions
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java index 180dadd..beb556d 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java @@ -1093,7 +1093,7 @@ public class CSARArchive implements AutoCloseable { this.toscaMeta.getEntryLicense(), lineNo)); } - } else if(key.equalsIgnoreCase(TOSCA_METADATA_TOSCA_META_ENTRY_CERTIFICATE)) { + } else if(key.equalsIgnoreCase(getEntryCertificateParamName())) { this.toscaMeta.setEntryCertificate(value); this.certificatesFile= this.tempDir.resolve(this.toscaMeta.getEntryCertificate()).toFile(); if (!this.certificatesFile.exists()) { @@ -1247,6 +1247,10 @@ public class CSARArchive implements AutoCloseable { } } + public String getEntryCertificateParamName() { + return TOSCA_METADATA_TOSCA_META_ENTRY_CERTIFICATE; + } + String getEntryManifestParamName(){ return TOSCA_METADATA_TOSCA_META_ENTRY_MANIFEST; } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java index a6e2745..f3ce960 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java @@ -66,4 +66,9 @@ public class PnfCSARArchive extends CSARArchive { String getEntryChangeLogParamName() { return "ETSI-Entry-Change-Log"; } + + @Override + public String getEntryCertificateParamName() { + return "ETSI-Entry-Certificate"; + } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java index 7a14709..2d85e35 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -23,33 +23,40 @@ import org.onap.cli.fw.schema.OnapCommandSchema; import org.onap.cvc.csar.CSARArchive; import org.onap.cvc.csar.FileArchive; import org.onap.cvc.csar.cc.VTPValidateCSARBase; +import org.onap.cvc.csar.parser.ManifestFileModel; +import org.onap.cvc.csar.parser.ManifestFileSplitter; import org.onap.cvc.csar.parser.SourcesParser; +import org.onap.cvc.csar.security.CmsSignatureValidator; +import org.onap.cvc.csar.security.CmsSignatureValidatorException; import org.onap.cvc.csar.security.ShaHashCodeGenerator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.io.File; import java.io.IOException; +import java.nio.charset.Charset; import java.nio.file.Files; import java.nio.file.Path; import java.security.NoSuchAlgorithmException; import java.util.List; import java.util.Optional; +import java.util.stream.Collectors; -@OnapCommandSchema(schema = "vtp-validate-csar-r787966.yaml") -public class VTPValidateCSARR787966 extends VTPValidateCSARBase { +@OnapCommandSchema(schema = "vtp-validate-csar-r130206.yaml") +public class VTPValidateCSARR130206 extends VTPValidateCSARBase { - private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787966.class); + private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class); private static final String SHA_256 = "SHA-256"; private static final String SHA_512 = "SHA-512"; private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); + private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator(); public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError { - CSARErrorUnableToFindCertificate() { + CSARErrorUnableToFindCertificate(String paramName) { super("0x4001"); - this.message = "Unable to find cert file defined by Entry-Certificate!"; + this.message = String.format("Unable to find cert file defined by %s!", paramName); } } @@ -84,7 +91,14 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError { CSARErrorUnableToFindSource(String path) { super("0x4006"); - this.message = String.format("Source '%s' does not exist!", path); + this.message = String.format("Unable to calculate digest - file missing: %s", path); + } + } + + public static class CSARErrorInvalidSignature extends CSARArchive.CSARError { + CSARErrorInvalidSignature() { + super("0x4007"); + this.message = "File has invalid CMS signature!"; } } @@ -94,38 +108,54 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { try { FileArchive.Workspace workspace = csar.getWorkspace(); final Optional<Path> pathToCsarFolder = workspace.getPathToCsarFolder(); - if(pathToCsarFolder.isPresent()) { + if (pathToCsarFolder.isPresent()) { validate(csar, pathToCsarFolder.get()); } else { this.errors.add(new CSARErrorUnableToFindCsarContent()); } } catch (Exception e) { - LOG.error("Internal VTPValidateCSARR787966 command error", e); + LOG.error("Internal VTPValidateCSARR130206 command error", e); throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs."); } } - private void validate(CSARArchive csar, Path csarRootDirectory ) throws IOException, NoSuchAlgorithmException { - + private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException { final CSARArchive.Manifest manifest = csar.getManifest(); - final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); - validateSecurityStructure(toscaMeta, csarRootDirectory, manifest); + + validateSecurityStructure(csar, csarRootDirectory); validateSources(csarRootDirectory, manifest); + + final File manifestMfFile = csar.getManifestMfFile(); + if (manifestMfFile != null) { + validateFileSignature(manifestMfFile); + } } - private void validateSecurityStructure(CSARArchive.TOSCAMeta toscaMeta , Path csarRootDirectory, CSARArchive.Manifest manifest) { + private void validateFileSignature(File manifestMfFile) { + final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile); + if (!isValid) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) { + final CSARArchive.Manifest manifest = csar.getManifest(); + final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); + final String entryCertificateParamName = csar.getEntryCertificateParamName(); final Optional<File> entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); - if (!entryCertificate.isPresent() || !entryCertificate.get().exists() && !manifest.getCms().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindCertificate()); - } else if (entryCertificate.get().exists() && manifest.getCms().isEmpty()) { + if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) { + this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName)); + } + + if (manifest.getCms() == null || manifest.getCms().isEmpty()) { this.errors.add(new CSARErrorUnableToFindCmsSection()); } } private Optional<File> resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) { final String certificatePath = toscaMeta.getEntryCertificate(); - if(certificatePath == null){ + if (certificatePath == null) { return Optional.empty(); } else { return Optional.of(csarRootDirectory.resolve(certificatePath).toFile()); @@ -134,16 +164,22 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException { final List<SourcesParser.Source> sources = manifest.getSources(); - for (SourcesParser.Source source: sources){ - final Path sourcePath = csarRootDirectory.resolve(source.getValue()); - if(!Files.exists(sourcePath)){ - this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); - } else { - if (!source.getAlgorithm().isEmpty()) { - validateSourceHashCode(csarRootDirectory, source); - } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); - } + for (SourcesParser.Source source : sources) { + if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) { + validateSource(csarRootDirectory, source); + } + } + } + + private void validateSource(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + final Path sourcePath = csarRootDirectory.resolve(source.getValue()); + if (!sourcePath.toFile().exists()) { + this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); + } else { + if (!source.getAlgorithm().isEmpty()) { + validateSourceHashCode(csarRootDirectory, source); + } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { + this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); } } } @@ -159,9 +195,9 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); final String algorithm = source.getAlgorithm(); - if(algorithm.equalsIgnoreCase(SHA_256)) { + if (algorithm.equalsIgnoreCase(SHA_256)) { return this.shaHashCodeGenerator.generateSha256(sourceData); - } else if(algorithm.equalsIgnoreCase(SHA_512)){ + } else if (algorithm.equalsIgnoreCase(SHA_512)) { return this.shaHashCodeGenerator.generateSha512(sourceData); } @@ -170,8 +206,29 @@ public class VTPValidateCSARR787966 extends VTPValidateCSARBase { @Override protected String getVnfReqsNo() { - return "R787966"; + return "R130206"; } } + +class ManifestFileSignatureValidator { + private static final Logger LOG = LoggerFactory.getLogger(ManifestFileSignatureValidator.class); + private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter(); + private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator(); + + boolean isValid(File manifestFile) { + try { + ManifestFileModel mf = manifestFileSplitter.split(manifestFile); + return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS()), Optional.empty(), toBytes(mf.getData())); + } catch (CmsSignatureValidatorException e) { + LOG.error("Unable to verify signed data!", e); + return false; + } + } + + private byte[] toBytes(List<String> data) { + final String updatedData = data.stream().map(it -> it + "\r\n").collect(Collectors.joining()); + return updatedData.getBytes(Charset.defaultCharset()); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java index a3ab865..034d35e 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java @@ -37,6 +37,7 @@ import java.util.Optional; public class VTPValidateCSARR787965 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class); + private final CmsSignatureValidator securityManager = new CmsSignatureValidator(); static class CSARErrorInvalidSignature extends CSARArchive.CSARError { CSARErrorInvalidSignature() { @@ -52,16 +53,6 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } } - static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError { - SignatureWithCertificationOnlyWarning() { - super("0x3003"); - this.message = "Warning. Zip package probably is valid. " + - "It contains only signature with certification cms and csar package. " + - "Unable to verify csar signature."; - } - } - - static class BrokenZipPackageError extends CSARArchive.CSARError { BrokenZipPackageError() { super("0x3004"); @@ -95,7 +86,7 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get()); } else if (pathToCmsFile.isPresent()) { - this.errors.add(new SignatureWithCertificationOnlyWarning()); + verifyOneFileCertification(pathToCsarFile.get(), pathToCmsFile.get()); } else { this.errors.add(new BrokenZipPackageError()); } @@ -103,13 +94,20 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws IOException, CmsSignatureValidatorException { - final CmsSignatureValidator securityManager = new CmsSignatureValidator(); - byte[] csarContent = Files.readAllBytes(pathToCsarFile); byte[] signature = Files.readAllBytes(pathToCmsFile); byte[] publicCertification = Files.readAllBytes(pathToCertFile); - if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { + if (!securityManager.verifySignedData(signature, Optional.of(publicCertification) ,csarContent)) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void verifyOneFileCertification(Path pathToCsarFile, Path pathToSignatureAndCmsFile) throws IOException, CmsSignatureValidatorException { + byte[] csarContent = Files.readAllBytes(pathToCsarFile); + byte[] signature = Files.readAllBytes(pathToSignatureAndCmsFile); + + if(!securityManager.verifySignedData(signature, Optional.empty(), csarContent)){ this.errors.add(new CSARErrorInvalidSignature()); } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java new file mode 100644 index 0000000..f6b42fd --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java @@ -0,0 +1,39 @@ +/* + * Copyright 2019 Nokia + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.parser; + +import java.util.Collections; +import java.util.List; + +public class ManifestFileModel { + private final List<String> data; + private final List<String> cms; + + public ManifestFileModel(List<String> data, List<String> cms) { + this.data = data; + this.cms = cms; + } + + public List<String> getData() { + return Collections.unmodifiableList(data); + } + + public List<String> getCMS() { + return Collections.unmodifiableList(cms); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java new file mode 100644 index 0000000..03a628c --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java @@ -0,0 +1,62 @@ +/* + * Copyright 2019 Nokia + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.parser; + + +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.List; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +public class ManifestFileSplitter { + + public ManifestFileModel split(File manifestFile) { + String fileName = manifestFile.getAbsolutePath(); + List<String> data = new ArrayList<>(); + List<String> cms = new ArrayList<>(); + + try (Stream<String> stream = Files.lines(Paths.get(fileName))) { + List<String> lines = stream.collect(Collectors.toList()); + return createManifestFileModel(data, cms, lines); + + } catch (IOException e) { + throw new IllegalArgumentException(String.format("Unable to process manifest file! Wrong file path: '%s'", fileName)); + } + } + + private ManifestFileModel createManifestFileModel(List<String> data, List<String> cms, List<String> lines) { + boolean isCmsSection = false; + + for (String line : lines) { + if (line.contains("BEGIN CMS")) { + isCmsSection = true; + } + + if (isCmsSection) { + cms.add(line); + } else { + data.add(line); + } + } + return new ManifestFileModel(data, cms); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java index a168541..b8b3714 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java @@ -18,6 +18,7 @@ package org.onap.cvc.csar.security; import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.CMSProcessableByteArray; import org.bouncycastle.cms.CMSSignedData; @@ -27,6 +28,7 @@ import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.util.Store; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,23 +36,35 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.nio.charset.Charset; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Collection; +import java.util.Optional; public class CmsSignatureValidator { private static final Logger LOG = LoggerFactory.getLogger(CmsSignatureValidator.class); public boolean verifySignedData( - final byte[] signature, - final byte[] certificate, - final byte[] csarFileContent) throws CmsSignatureValidatorException { - - try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(signature)) { - SignerInformation firstSigner = getSignerInformation(csarFileContent, signatureStream); - X509Certificate cert = loadCertificate(certificate); + final byte[] cmsSignature, + final Optional<byte[]> certificate, + final byte[] fileContent) throws CmsSignatureValidatorException { + + try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) { + CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream); + Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); + SignerInformation firstSigner = signers.iterator().next(); + + Store certificates = signedData.getCertificates(); + X509Certificate cert; + if (!certificate.isPresent()) { + X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSigner, certificates); + cert = loadCertificate(firstSignerFirstCertificate.getEncoded()); + } else { + cert = loadCertificate(certificate.get()); + } return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); } catch (CMSSignerDigestMismatchException e){ @@ -63,17 +77,22 @@ public class CmsSignatureValidator { } } - private SignerInformation getSignerInformation(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException { + private X509CertificateHolder getX509CertificateHolder(SignerInformation firstSigner, Store certificates) throws CmsSignatureValidatorException { + Collection<X509CertificateHolder> firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); + if(!firstSignerCertificates.iterator().hasNext()){ + throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!"); + } + return firstSignerCertificates.iterator().next(); + } + + private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException { ContentInfo signature = produceSignature(signatureStream); CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR); - CMSSignedData signedData = new CMSSignedData(signedContent, signature); - - Collection<SignerInformation> signers = signedData.getSignerInfos().getSigners(); - return signers.iterator().next(); + return new CMSSignedData(signedContent, signature); } private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException { - Object parsedObject = new PEMParser(new InputStreamReader(signatureStream)).readObject(); + Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject(); if (!(parsedObject instanceof ContentInfo)) { throw new CmsSignatureValidatorException("Signature is not recognized!"); } |