From 657849e70f70f700cc8470af48351f3ae6b47b6f Mon Sep 17 00:00:00 2001
From: Aleksandra Maciaga
Date: Wed, 13 May 2020 14:16:06 +0200
Subject: Fix VNF/PNF package integrity issue with CMS signature not containing certificate
Signed-off-by: Aleksandra Maciaga
Issue-ID: VNFSDK-582
Change-Id: Id3dc6c8e1ead183449fcf903d9b9b886e4796e84
---
.../cvc/csar/cc/sol004/VTPValidateCSARR130206.java | 45 ++++++++++++++--------
1 file changed, 28 insertions(+), 17 deletions(-)
(limited to 'csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java')
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
index fefe65b..74706c7 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java
@@ -148,25 +148,32 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 validateNonManoCohesionWithSources(nonMano, sources);
 final File manifestMfFile = csar.getManifestMfFile();
+ final String absolutePathToEntryCertificate = getAbsolutePathToEntryCertificate(csar, csarRootDirectory);
 if (manifestMfFile != null) {
- validateFileSignature(manifestMfFile);
+ validateFileSignature(manifestMfFile, absolutePathToEntryCertificate);
 }
 }
+ private String getAbsolutePathToEntryCertificate(CSARArchive csar, Path csarRootDirectory) {
+ final String entryCertificateFileName = csar.getToscaMeta().getEntryCertificate();
+ return String.format("%s/%s", csarRootDirectory.toAbsolutePath(), entryCertificateFileName);
+ }
+
+
 private void validateNonManoCohesionWithSources(final Map>> nonMano, final List sources) {
 final Collection>> values = nonMano.values();
 final List nonManoSourcePaths = values.stream()
- .map(Map::values)
- .flatMap(Collection::stream)
- .flatMap(List::stream)
- .filter(it -> !it.isEmpty())
- .collect(Collectors.toList());
+ .map(Map::values)
+ .flatMap(Collection::stream)
+ .flatMap(List::stream)
+ .filter(it -> !it.isEmpty())
+ .collect(Collectors.toList());
 final List sourcePaths = sources.stream()
- .map(SourcesParser.Source::getValue)
- .collect(Collectors.toList());
+ .map(SourcesParser.Source::getValue)
+ .collect(Collectors.toList());
 if (!sourcePaths.containsAll(nonManoSourcePaths)) {
 this.errors.add(new CSARErrorContentMismatch());
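Review bot: In `getAbsolutePathToEntryCertificate` the certificate file name read from the TOSCA metadata is joined to the root with `String.format("%s/%s", ...)` and never checked, so a name containing `../` resolves outside the unpacked package, and a null name (if `getEntryCertificate()` returns null when the entry is absent, which is not visible here) becomes the literal path ending in `/null`. The name comes from the package being validated and should be treated as untrusted input. Build the path the way `validateSource` already does, `csarRootDirectory.resolve(entryCertificateFileName).normalize()`, and report an error unless the result `startsWith(csarRootDirectory.toAbsolutePath().normalize())`. The call is also made before the `manifestMfFile != null` check, so it runs, and can fail on missing metadata, even when there is no manifest to verify; the calling method starts above the hunk.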
@@ -174,8 +181,8 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 }
- private void validateFileSignature(File manifestMfFile) {
- final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile);
+ private void validateFileSignature(File manifestMfFile, String absolutePathToEntryCertificate) {
+ final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile, absolutePathToEntryCertificate);
 if (!isValid) {
 this.errors.add(new CSARErrorInvalidSignature());
 }
@@ -205,7 +212,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 }
 private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
 final List sources = manifest.getSources();
 for (SourcesParser.Source source : sources) {
 if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) {
@@ -215,7 +222,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 }
 private void validateSource(Path csarRootDirectory, SourcesParser.Source source)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
 final Path sourcePath = csarRootDirectory.resolve(source.getValue());
 if (!sourcePath.toFile().exists()) {
 this.errors.add(new CSARErrorUnableToFindSource(source.getValue()));
@@ -229,7 +236,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 }
 private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
 String hashCode = generateHashCode(csarRootDirectory, source);
 if (!hashCode.equals(source.getHash())) {
 this.errors.add(new CSARErrorWrongHashCode(source.getValue()));
@@ -237,7 +244,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 }
 private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source)
- throws NoSuchAlgorithmException, IOException {
+ throws NoSuchAlgorithmException, IOException {
 final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue()));
 final String algorithm = source.getAlgorithm();
@@ -262,15 +269,19 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase {
 private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter();
 private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator();
- boolean isValid(File manifestFile) {
+ boolean isValid(File manifestFile, String absolutePathToEntryCertificate) {
 try {
+ byte[] entryCertificate = Files.readAllBytes(new File(absolutePathToEntryCertificate).toPath());
 ManifestFileModel mf = manifestFileSplitter.split(manifestFile);
 return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS(), mf.getNewLine()),
- Optional.empty(),
- toBytes(mf.getData(), mf.getNewLine()));
+ Optional.of(entryCertificate),
+ toBytes(mf.getData(), mf.getNewLine()));
 } catch (CmsSignatureValidatorException e) {
 LOG.error("Unable to verify signed data!", e);
 return false;
+ } catch (IOException e) {
+ LOG.error("Unable to read ETSI entry certificate file!", e);
+ return false;
 }
 }
-- cgit 1.2.3-korg
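Review bot: `isValid` now reads the entry certificate file unconditionally, so a package whose CMS block embeds its own certificate and declares no entry certificate falls into the new `IOException` branch and is reported as having an invalid signature; the previous `Optional.empty()` path is no longer reachable. Supply the external certificate only when the file is actually present and keep `Optional.empty()` as the fallback, as sketched below. Separately, the certificate is taken from the same archive as the signature it verifies. Unless `verifySignedData` (not visible in this diff) checks it against a configured trust anchor, a modified package re-signed with its own certificate would still pass, so a comment stating where that trust is established is worth adding.

```java
boolean isValid(File manifestFile, String absolutePathToEntryCertificate) {
    try {
        // Use the external certificate only when the package ships one; otherwise
        // let the validator fall back to the certificate embedded in the CMS block.
        final File certificateFile = new File(absolutePathToEntryCertificate);
        final Optional<byte[]> entryCertificate = certificateFile.isFile()
                ? Optional.of(Files.readAllBytes(certificateFile.toPath()))
                : Optional.empty();
        ManifestFileModel mf = manifestFileSplitter.split(manifestFile);
        return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS(), mf.getNewLine()),
                entryCertificate,
                toBytes(mf.getData(), mf.getNewLine()));
    // … unchanged: catch blocks for CmsSignatureValidatorException and IOException …
```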