From bd711684187e95a1dd3cd53622714aae22bb417c Mon Sep 17 00:00:00 2001 From: Bogumil Zebek Date: Thu, 9 May 2019 13:28:17 +0200 Subject: Security verification Change-Id: I759e3698a25dd4f84dc345c3fd4c0d201b75d233 Issue-ID: VNFSDK-395 Signed-off-by: Zebek Bogumil --- .../org/onap/cvc/csar/ZipFileContentValidator.java | 52 -------- .../org/onap/cvc/csar/cc/VTPValidateCSARBase.java | 10 -- .../cvc/csar/cc/sol004/VTPValidateCSARR787965.java | 75 +++++++++--- .../onap/cvc/csar/ZipFileContentValidatorTest.java | 134 --------------------- .../VTPValidateCSARR787965IntegrationTest.java | 37 +++++- .../src/test/resources/pnf/r787965/broken.zip | Bin 0 -> 1867 bytes .../pnf/r787965/signature-and-certificate.zip | Bin 0 -> 4499 bytes 7 files changed, 94 insertions(+), 214 deletions(-) delete mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java delete mode 100644 csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java create mode 100644 csarvalidation/src/test/resources/pnf/r787965/broken.zip create mode 100644 csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java deleted file mode 100644 index 801d8cf..0000000 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/ZipFileContentValidator.java +++ /dev/null @@ -1,52 +0,0 @@ -/* - * Copyright 2019 Nokia - *

- * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - *

- * http://www.apache.org/licenses/LICENSE-2.0 - *

- * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package org.onap.cvc.csar; - -import java.util.ArrayList; -import java.util.List; - -public class ZipFileContentValidator { - - public static class CSARErrorCertMissing extends CSARArchive.CSARError { - CSARErrorCertMissing() { - super("0x1008"); - this.message = "Missing. Cert file is not available!"; - } - } - - public static class CSARErrorCMSMissing extends CSARArchive.CSARError { - CSARErrorCMSMissing() { - super("0x1009"); - this.message = "Missing. CMS file is not available!"; - } - } - - public List validate(FileArchive.Workspace workspace){ - final ArrayList retValue = new ArrayList<>(); - - if(!workspace.getPathToCertFile().isPresent()){ - retValue.add(new CSARErrorCertMissing()); - } - - if(!workspace.getPathToCmsFile().isPresent()){ - retValue.add(new CSARErrorCMSMissing()); - } - - return retValue; - } -} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java index eafdbde..6e67df9 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/VTPValidateCSARBase.java @@ -22,9 +22,7 @@ import org.onap.cli.fw.error.OnapCommandExecutionFailed; import org.onap.cli.fw.input.OnapCommandParameter; import org.onap.cvc.csar.CSARArchive; import org.onap.cvc.csar.CSARArchive.CSARError; -import org.onap.cvc.csar.FileArchive; import org.onap.cvc.csar.PnfCSARArchive; -import org.onap.cvc.csar.ZipFileContentValidator; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,8 +32,6 @@ import java.util.List; public abstract class VTPValidateCSARBase extends OnapCommand { protected static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARBase.class); - private final ZipFileContentValidator zipFileContentValidator = new ZipFileContentValidator(); - protected abstract void validateCSAR(CSARArchive csar) throws Exception; protected abstract String getVnfReqsNo(); @@ -52,12 +48,6 @@ public abstract class VTPValidateCSARBase extends OnapCommand { try (CSARArchive csar = isPnf ? new PnfCSARArchive(): new CSARArchive()){ csar.init(path); - - FileArchive.Workspace workspace = csar.getWorkspace(); - if(workspace.isZip()) { - errors.addAll(zipFileContentValidator.validate(workspace)); - } - csar.parse(); errors.addAll(csar.getErrors()); diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java index 621ede0..97efd11 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java @@ -36,34 +36,46 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class); - public static class CSARErrorInvalidSignature extends CSARArchive.CSARError { + static class CSARErrorInvalidSignature extends CSARArchive.CSARError { CSARErrorInvalidSignature() { super("0x3001"); this.message = "Invalid CSAR signature!"; } } - @Override - protected void validateCSAR(CSARArchive csar) throws OnapCommandException { + static class CsarFileNotAvailableError extends CSARArchive.CSARError { + CsarFileNotAvailableError() { + super("0x3002"); + this.message = "Missing. Csar file is not available!"; + } + } - try { - final CmsSignatureValidator securityManager = new CmsSignatureValidator(); + static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError { + SignatureWithCertificationOnlyWarning() { + super("0x3003"); + this.message = "Warning. Zip package probably is valid. " + + "It contains only signature with certification cms and csar package. " + + "Unable to verify csar signature."; + } + } - FileArchive.Workspace workspace = csar.getWorkspace(); - final Optional pathToCsarFile = workspace.getPathToCsarFile(); - final Optional pathToCertFile = workspace.getPathToCertFile(); - final Optional pathToCmsFile = workspace.getPathToCmsFile(); - if (workspace.isZip() && pathToCsarFile.isPresent() && pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { - byte[] csarContent = Files.readAllBytes(pathToCsarFile.get()); - byte[] signature = Files.readAllBytes(pathToCmsFile.get()); - byte[] publicCertification = Files.readAllBytes(pathToCertFile.get()); + static class BrokenZipPackageError extends CSARArchive.CSARError { + BrokenZipPackageError() { + super("0x3004"); + this.message = "Missing. Unable to find certification files."; + } + } - if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { - this.errors.add(new CSARErrorInvalidSignature()); - } - } + @Override + protected void validateCSAR(CSARArchive csar) throws OnapCommandException { + + try { + FileArchive.Workspace workspace = csar.getWorkspace(); + if (workspace.isZip()) { + verifyZipStructure(workspace); + } } catch (Exception e) { LOG.error("Internal VTPValidateCSARR787965 command error", e); throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787965 command error. See logs."); @@ -71,6 +83,35 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } + private void verifyZipStructure(FileArchive.Workspace workspace) throws Exception { + final Optional pathToCsarFile = workspace.getPathToCsarFile(); + final Optional pathToCertFile = workspace.getPathToCertFile(); + final Optional pathToCmsFile = workspace.getPathToCmsFile(); + if(!pathToCsarFile.isPresent()) { + this.errors.add(new CsarFileNotAvailableError()); + } else { + if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { + verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get()); + } else if (pathToCmsFile.isPresent()) { + this.errors.add(new SignatureWithCertificationOnlyWarning()); + } else { + this.errors.add(new BrokenZipPackageError()); + } + } + } + + private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws Exception { + final CmsSignatureValidator securityManager = new CmsSignatureValidator(); + + byte[] csarContent = Files.readAllBytes(pathToCsarFile); + byte[] signature = Files.readAllBytes(pathToCmsFile); + byte[] publicCertification = Files.readAllBytes(pathToCertFile); + + if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + @Override protected String getVnfReqsNo() { return "R787965"; diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java deleted file mode 100644 index 7da91f8..0000000 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/ZipFileContentValidatorTest.java +++ /dev/null @@ -1,134 +0,0 @@ -/* - * Copyright 2019 Nokia - *

- * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - *

- * http://www.apache.org/licenses/LICENSE-2.0 - *

- * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package org.onap.cvc.csar; - -import org.junit.Before; -import org.junit.Test; -import org.junit.runner.RunWith; -import org.mockito.Mock; -import org.mockito.junit.MockitoJUnitRunner; - -import java.nio.file.Path; -import java.util.List; -import java.util.stream.Collectors; - -import static org.assertj.core.api.Assertions.assertThat; - -@RunWith(MockitoJUnitRunner.class) -public class ZipFileContentValidatorTest { - - @Mock - Path rootFolder; - @Mock - Path pathToCsarWorkspace; - @Mock - Path certFile; - @Mock - Path csarFile; - @Mock - Path cmsFile; - - private ZipFileContentValidator zipFileContentValidator; - - - @Before - public void setUp(){ - zipFileContentValidator = new ZipFileContentValidator(); - } - - @Test - public void shouldReportThatCertFileAndCmsFileIsNotAvailable() { - // given - FileArchive.Workspace workspace = FileArchive.Workspace.forZip( - rootFolder, - pathToCsarWorkspace, - null, - null, - null - ); - - // when - List errors = zipFileContentValidator.validate(workspace); - - // then - assertThat(errors.size()).isEqualTo(2); - assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains( - "Missing. Cert file is not available!", "Missing. CMS file is not available!" - ); - } - - @Test - public void shouldReportThatCertFileIsNotAvailable() { - // given - FileArchive.Workspace workspace = FileArchive.Workspace.forZip( - rootFolder, - pathToCsarWorkspace, - null, - cmsFile, - csarFile - ); - - // when - List errors = zipFileContentValidator.validate(workspace); - - // then - assertThat(errors.size()).isEqualTo(1); - assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains( - "Missing. Cert file is not available!" - ); - } - - @Test - public void shouldReportThatCmsFileIsNotAvailable() { - // given - FileArchive.Workspace workspace = FileArchive.Workspace.forZip( - rootFolder, - pathToCsarWorkspace, - certFile, - null, - csarFile - ); - - // when - List errors = zipFileContentValidator.validate(workspace); - - // then - assertThat(errors.size()).isEqualTo(1); - assertThat(errors.stream().map(CSARArchive.CSARError::getMessage).collect(Collectors.toList())).contains( - "Missing. CMS file is not available!" - ); - } - - @Test - public void shouldNotReportAnyErrorWhenAllFilesAreAvailable() { - // given - FileArchive.Workspace workspace = FileArchive.Workspace.forZip( - rootFolder, - pathToCsarWorkspace, - certFile, - cmsFile, - csarFile - ); - - // when - List errors = zipFileContentValidator.validate(workspace); - - // then - assertThat(errors.size()).isEqualTo(0); - } -} \ No newline at end of file diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java index c19fe99..ffbf87e 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965IntegrationTest.java @@ -59,6 +59,42 @@ public class VTPValidateCSARR787965IntegrationTest { ); } + @Test + public void shouldReportThatZipContainsSignatureWithCertificationFileAndPackageIsProbableValid() throws Exception { + + // given + configureTestCase(testCase, "pnf/r787965/signature-and-certificate.zip"); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Warning. Zip package probably is valid. " + + "It contains only signature with certification cms and csar package. " + + "Unable to verify csar signature." + ); + } + + @Test + public void shouldReportThatZipPackageIsBroken() throws Exception { + + // given + configureTestCase(testCase, "pnf/r787965/broken.zip"); + + // when + testCase.execute(); + + // then + List errors = testCase.getErrors(); + assertThat(errors.size()).isEqualTo(1); + assertThat(convertToMessagesList(errors)).contains( + "Missing. Unable to find certification files." + ); + } + @Test public void shouldDoNotReportAnyErrorWhenPackageHasValidSignature() throws Exception { @@ -73,5 +109,4 @@ public class VTPValidateCSARR787965IntegrationTest { assertThat(errors.size()).isEqualTo(0); } - } \ No newline at end of file diff --git a/csarvalidation/src/test/resources/pnf/r787965/broken.zip b/csarvalidation/src/test/resources/pnf/r787965/broken.zip new file mode 100644 index 0000000..5447a8f Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r787965/broken.zip differ diff --git a/csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip b/csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip new file mode 100644 index 0000000..47470f4 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r787965/signature-and-certificate.zip differ -- cgit 1.2.3-korg