From 0562debfc5cdd31e61c016aea40272c6c02ad3cb Mon Sep 17 00:00:00 2001 From: Bogumil Zebek Date: Wed, 14 Aug 2019 10:52:37 +0200 Subject: CMS signature validation Change-Id: Ie5d1c835d0e6a760f1b7de651a3833cb87b727e0 Issue-ID: VNFSDK-396 Signed-off-by: Zebek Bogumil --- .../cvc/csar/cc/sol004/VTPValidateCSARR130206.java | 234 +++++++++++++++++++++ .../cvc/csar/cc/sol004/VTPValidateCSARR787965.java | 26 ++- .../cvc/csar/cc/sol004/VTPValidateCSARR787966.java | 177 ---------------- 3 files changed, 246 insertions(+), 191 deletions(-) create mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java delete mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java (limited to 'csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004') diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java new file mode 100644 index 0000000..2d85e35 --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -0,0 +1,234 @@ +/* + * Copyright 2019 Nokia + *

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.cc.sol004; + + +import org.onap.cli.fw.error.OnapCommandException; +import org.onap.cli.fw.schema.OnapCommandSchema; +import org.onap.cvc.csar.CSARArchive; +import org.onap.cvc.csar.FileArchive; +import org.onap.cvc.csar.cc.VTPValidateCSARBase; +import org.onap.cvc.csar.parser.ManifestFileModel; +import org.onap.cvc.csar.parser.ManifestFileSplitter; +import org.onap.cvc.csar.parser.SourcesParser; +import org.onap.cvc.csar.security.CmsSignatureValidator; +import org.onap.cvc.csar.security.CmsSignatureValidatorException; +import org.onap.cvc.csar.security.ShaHashCodeGenerator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.Charset; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.NoSuchAlgorithmException; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +@OnapCommandSchema(schema = "vtp-validate-csar-r130206.yaml") +public class VTPValidateCSARR130206 extends VTPValidateCSARBase { + + private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class); + private static final String SHA_256 = "SHA-256"; + private static final String SHA_512 = "SHA-512"; + + private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); + private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator(); + + + public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError { + CSARErrorUnableToFindCertificate(String paramName) { + super("0x4001"); + this.message = String.format("Unable to find cert file defined by %s!", paramName); + } + } + + public static class CSARErrorUnableToFindCmsSection extends CSARArchive.CSARError { + CSARErrorUnableToFindCmsSection() { + super("0x4002"); + this.message = "Unable to find CMS section in manifest!"; + } + } + + public static class CSARErrorUnableToFindCsarContent extends CSARArchive.CSARError { + CSARErrorUnableToFindCsarContent() { + super("0x4003"); + this.message = "Unable to find csar content!"; + } + } + + public static class CSARErrorWrongHashCode extends CSARArchive.CSARError { + CSARErrorWrongHashCode(String path) { + super("0x4004"); + this.message = String.format("Source '%s' has wrong hash!", path); + } + } + + public static class CSARErrorUnableToFindAlgorithm extends CSARArchive.CSARError { + CSARErrorUnableToFindAlgorithm(String path) { + super("0x4005"); + this.message = String.format("Source '%s' has hash, but unable to find algorithm tag!", path); + } + } + + public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError { + CSARErrorUnableToFindSource(String path) { + super("0x4006"); + this.message = String.format("Unable to calculate digest - file missing: %s", path); + } + } + + public static class CSARErrorInvalidSignature extends CSARArchive.CSARError { + CSARErrorInvalidSignature() { + super("0x4007"); + this.message = "File has invalid CMS signature!"; + } + } + + @Override + protected void validateCSAR(CSARArchive csar) throws OnapCommandException { + + try { + FileArchive.Workspace workspace = csar.getWorkspace(); + final Optional pathToCsarFolder = workspace.getPathToCsarFolder(); + if (pathToCsarFolder.isPresent()) { + validate(csar, pathToCsarFolder.get()); + } else { + this.errors.add(new CSARErrorUnableToFindCsarContent()); + } + } catch (Exception e) { + LOG.error("Internal VTPValidateCSARR130206 command error", e); + throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs."); + } + + } + + private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException { + final CSARArchive.Manifest manifest = csar.getManifest(); + + validateSecurityStructure(csar, csarRootDirectory); + validateSources(csarRootDirectory, manifest); + + final File manifestMfFile = csar.getManifestMfFile(); + if (manifestMfFile != null) { + validateFileSignature(manifestMfFile); + } + } + + private void validateFileSignature(File manifestMfFile) { + final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile); + if (!isValid) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) { + final CSARArchive.Manifest manifest = csar.getManifest(); + final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); + final String entryCertificateParamName = csar.getEntryCertificateParamName(); + final Optional entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); + if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) { + this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName)); + } + + if (manifest.getCms() == null || manifest.getCms().isEmpty()) { + this.errors.add(new CSARErrorUnableToFindCmsSection()); + } + } + + private Optional resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) { + final String certificatePath = toscaMeta.getEntryCertificate(); + if (certificatePath == null) { + return Optional.empty(); + } else { + return Optional.of(csarRootDirectory.resolve(certificatePath).toFile()); + } + } + + private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException { + final List sources = manifest.getSources(); + for (SourcesParser.Source source : sources) { + if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) { + validateSource(csarRootDirectory, source); + } + } + } + + private void validateSource(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + final Path sourcePath = csarRootDirectory.resolve(source.getValue()); + if (!sourcePath.toFile().exists()) { + this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); + } else { + if (!source.getAlgorithm().isEmpty()) { + validateSourceHashCode(csarRootDirectory, source); + } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { + this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); + } + } + } + + private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + String hashCode = generateHashCode(csarRootDirectory, source); + if (!hashCode.equals(source.getHash())) { + this.errors.add(new CSARErrorWrongHashCode(source.getValue())); + } + } + + private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); + final String algorithm = source.getAlgorithm(); + + if (algorithm.equalsIgnoreCase(SHA_256)) { + return this.shaHashCodeGenerator.generateSha256(sourceData); + } else if (algorithm.equalsIgnoreCase(SHA_512)) { + return this.shaHashCodeGenerator.generateSha512(sourceData); + } + + throw new UnsupportedOperationException(String.format("Algorithm '%s' is not supported!", algorithm)); + } + + @Override + protected String getVnfReqsNo() { + return "R130206"; + } + + +} + +class ManifestFileSignatureValidator { + private static final Logger LOG = LoggerFactory.getLogger(ManifestFileSignatureValidator.class); + private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter(); + private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator(); + + boolean isValid(File manifestFile) { + try { + ManifestFileModel mf = manifestFileSplitter.split(manifestFile); + return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS()), Optional.empty(), toBytes(mf.getData())); + } catch (CmsSignatureValidatorException e) { + LOG.error("Unable to verify signed data!", e); + return false; + } + } + + private byte[] toBytes(List data) { + final String updatedData = data.stream().map(it -> it + "\r\n").collect(Collectors.joining()); + return updatedData.getBytes(Charset.defaultCharset()); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java index a3ab865..034d35e 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java @@ -37,6 +37,7 @@ import java.util.Optional; public class VTPValidateCSARR787965 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class); + private final CmsSignatureValidator securityManager = new CmsSignatureValidator(); static class CSARErrorInvalidSignature extends CSARArchive.CSARError { CSARErrorInvalidSignature() { @@ -52,16 +53,6 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } } - static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError { - SignatureWithCertificationOnlyWarning() { - super("0x3003"); - this.message = "Warning. Zip package probably is valid. " + - "It contains only signature with certification cms and csar package. " + - "Unable to verify csar signature."; - } - } - - static class BrokenZipPackageError extends CSARArchive.CSARError { BrokenZipPackageError() { super("0x3004"); @@ -95,7 +86,7 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get()); } else if (pathToCmsFile.isPresent()) { - this.errors.add(new SignatureWithCertificationOnlyWarning()); + verifyOneFileCertification(pathToCsarFile.get(), pathToCmsFile.get()); } else { this.errors.add(new BrokenZipPackageError()); } @@ -103,13 +94,20 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws IOException, CmsSignatureValidatorException { - final CmsSignatureValidator securityManager = new CmsSignatureValidator(); - byte[] csarContent = Files.readAllBytes(pathToCsarFile); byte[] signature = Files.readAllBytes(pathToCmsFile); byte[] publicCertification = Files.readAllBytes(pathToCertFile); - if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { + if (!securityManager.verifySignedData(signature, Optional.of(publicCertification) ,csarContent)) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void verifyOneFileCertification(Path pathToCsarFile, Path pathToSignatureAndCmsFile) throws IOException, CmsSignatureValidatorException { + byte[] csarContent = Files.readAllBytes(pathToCsarFile); + byte[] signature = Files.readAllBytes(pathToSignatureAndCmsFile); + + if(!securityManager.verifySignedData(signature, Optional.empty(), csarContent)){ this.errors.add(new CSARErrorInvalidSignature()); } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java deleted file mode 100644 index 7a14709..0000000 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java +++ /dev/null @@ -1,177 +0,0 @@ -/* - * Copyright 2019 Nokia - *

- * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - *

- * http://www.apache.org/licenses/LICENSE-2.0 - *

- * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package org.onap.cvc.csar.cc.sol004; - - -import org.onap.cli.fw.error.OnapCommandException; -import org.onap.cli.fw.schema.OnapCommandSchema; -import org.onap.cvc.csar.CSARArchive; -import org.onap.cvc.csar.FileArchive; -import org.onap.cvc.csar.cc.VTPValidateCSARBase; -import org.onap.cvc.csar.parser.SourcesParser; -import org.onap.cvc.csar.security.ShaHashCodeGenerator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.File; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.security.NoSuchAlgorithmException; -import java.util.List; -import java.util.Optional; - -@OnapCommandSchema(schema = "vtp-validate-csar-r787966.yaml") -public class VTPValidateCSARR787966 extends VTPValidateCSARBase { - - private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787966.class); - private static final String SHA_256 = "SHA-256"; - private static final String SHA_512 = "SHA-512"; - - private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); - - - public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError { - CSARErrorUnableToFindCertificate() { - super("0x4001"); - this.message = "Unable to find cert file defined by Entry-Certificate!"; - } - } - - public static class CSARErrorUnableToFindCmsSection extends CSARArchive.CSARError { - CSARErrorUnableToFindCmsSection() { - super("0x4002"); - this.message = "Unable to find CMS section in manifest!"; - } - } - - public static class CSARErrorUnableToFindCsarContent extends CSARArchive.CSARError { - CSARErrorUnableToFindCsarContent() { - super("0x4003"); - this.message = "Unable to find csar content!"; - } - } - - public static class CSARErrorWrongHashCode extends CSARArchive.CSARError { - CSARErrorWrongHashCode(String path) { - super("0x4004"); - this.message = String.format("Source '%s' has wrong hash!", path); - } - } - - public static class CSARErrorUnableToFindAlgorithm extends CSARArchive.CSARError { - CSARErrorUnableToFindAlgorithm(String path) { - super("0x4005"); - this.message = String.format("Source '%s' has hash, but unable to find algorithm tag!", path); - } - } - - public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError { - CSARErrorUnableToFindSource(String path) { - super("0x4006"); - this.message = String.format("Source '%s' does not exist!", path); - } - } - - @Override - protected void validateCSAR(CSARArchive csar) throws OnapCommandException { - - try { - FileArchive.Workspace workspace = csar.getWorkspace(); - final Optional pathToCsarFolder = workspace.getPathToCsarFolder(); - if(pathToCsarFolder.isPresent()) { - validate(csar, pathToCsarFolder.get()); - } else { - this.errors.add(new CSARErrorUnableToFindCsarContent()); - } - } catch (Exception e) { - LOG.error("Internal VTPValidateCSARR787966 command error", e); - throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs."); - } - - } - - private void validate(CSARArchive csar, Path csarRootDirectory ) throws IOException, NoSuchAlgorithmException { - - final CSARArchive.Manifest manifest = csar.getManifest(); - final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); - validateSecurityStructure(toscaMeta, csarRootDirectory, manifest); - validateSources(csarRootDirectory, manifest); - } - - private void validateSecurityStructure(CSARArchive.TOSCAMeta toscaMeta , Path csarRootDirectory, CSARArchive.Manifest manifest) { - final Optional entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); - if (!entryCertificate.isPresent() || !entryCertificate.get().exists() && !manifest.getCms().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindCertificate()); - } else if (entryCertificate.get().exists() && manifest.getCms().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindCmsSection()); - } - } - - private Optional resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) { - final String certificatePath = toscaMeta.getEntryCertificate(); - if(certificatePath == null){ - return Optional.empty(); - } else { - return Optional.of(csarRootDirectory.resolve(certificatePath).toFile()); - } - } - - private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException { - final List sources = manifest.getSources(); - for (SourcesParser.Source source: sources){ - final Path sourcePath = csarRootDirectory.resolve(source.getValue()); - if(!Files.exists(sourcePath)){ - this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); - } else { - if (!source.getAlgorithm().isEmpty()) { - validateSourceHashCode(csarRootDirectory, source); - } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); - } - } - } - } - - private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { - String hashCode = generateHashCode(csarRootDirectory, source); - if (!hashCode.equals(source.getHash())) { - this.errors.add(new CSARErrorWrongHashCode(source.getValue())); - } - } - - private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { - final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); - final String algorithm = source.getAlgorithm(); - - if(algorithm.equalsIgnoreCase(SHA_256)) { - return this.shaHashCodeGenerator.generateSha256(sourceData); - } else if(algorithm.equalsIgnoreCase(SHA_512)){ - return this.shaHashCodeGenerator.generateSha512(sourceData); - } - - throw new UnsupportedOperationException(String.format("Algorithm '%s' is not supported!", algorithm)); - } - - @Override - protected String getVnfReqsNo() { - return "R787966"; - } - - -} -- cgit 1.2.3-korg