From bd711684187e95a1dd3cd53622714aae22bb417c Mon Sep 17 00:00:00 2001
From: Bogumil Zebek
Date: Thu, 9 May 2019 13:28:17 +0200
Subject: Security verification
Change-Id: I759e3698a25dd4f84dc345c3fd4c0d201b75d233
Issue-ID: VNFSDK-395
Signed-off-by: Zebek Bogumil
---
 .../cvc/csar/cc/sol004/VTPValidateCSARR787965.java | 75 +++++++++++++++++-----
 1 file changed, 58 insertions(+), 17 deletions(-)
(limited to 'csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004')
diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
index 621ede0..97efd11 100644
--- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
+++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java
@@ -36,34 +36,46 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
 private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class);
- public static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
+ static class CSARErrorInvalidSignature extends CSARArchive.CSARError {
 CSARErrorInvalidSignature() {
 super("0x3001");
 this.message = "Invalid CSAR signature!";
 }
 }
- @Override
- protected void validateCSAR(CSARArchive csar) throws OnapCommandException {
+ static class CsarFileNotAvailableError extends CSARArchive.CSARError {
+ CsarFileNotAvailableError() {
+ super("0x3002");
+ this.message = "Missing. Csar file is not available!";
+ }
+ }
- try {
- final CmsSignatureValidator securityManager = new CmsSignatureValidator();
+ static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError {
+ SignatureWithCertificationOnlyWarning() {
+ super("0x3003");
+ this.message = "Warning. Zip package probably is valid. " +
+ "It contains only signature with certification cms and csar package. " +
+ "Unable to verify csar signature.";
+ }
+ }
- FileArchive.Workspace workspace = csar.getWorkspace();
- final Optional pathToCsarFile = workspace.getPathToCsarFile();
- final Optional pathToCertFile = workspace.getPathToCertFile();
- final Optional pathToCmsFile = workspace.getPathToCmsFile();
- if (workspace.isZip() && pathToCsarFile.isPresent() && pathToCertFile.isPresent() && pathToCmsFile.isPresent()) {
- byte[] csarContent = Files.readAllBytes(pathToCsarFile.get());
- byte[] signature = Files.readAllBytes(pathToCmsFile.get());
- byte[] publicCertification = Files.readAllBytes(pathToCertFile.get());
+ static class BrokenZipPackageError extends CSARArchive.CSARError {
+ BrokenZipPackageError() {
+ super("0x3004");
+ this.message = "Missing. 
Unable to find certification files.";
+ }
+ }
- if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) {
- this.errors.add(new CSARErrorInvalidSignature());
- }
- }
+ @Override
+ protected void validateCSAR(CSARArchive csar) throws OnapCommandException {
+
+ try {
+ FileArchive.Workspace workspace = csar.getWorkspace();
+ if (workspace.isZip()) {
+ verifyZipStructure(workspace);
+ }
 } catch (Exception e) {
 LOG.error("Internal VTPValidateCSARR787965 command error", e);
 throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787965 command error. See logs.");
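Review bot: `SignatureWithCertificationOnlyWarning` tells the user the zip package "probably is valid" even though, as the same message admits, the csar signature was not verified; for a signature requirement the text should not suggest a positive outcome. The class also extends `CSARArchive.CSARError` and is added to `this.errors` in the second hunk, so whether consumers count 0x3003 as a failure or as a warning depends on code outside this diff. I would reword it along the lines of `this.message = "Warning. Csar signature was not verified: the zip contains a cms file but no separate certificate file.";` and add a one-line comment on the class stating how 0x3003 is meant to be treated by callers.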
@@ -71,6 +83,35 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase {
 }
+ private void verifyZipStructure(FileArchive.Workspace workspace) throws Exception {
+ final Optional pathToCsarFile = workspace.getPathToCsarFile();
+ final Optional pathToCertFile = workspace.getPathToCertFile();
+ final Optional pathToCmsFile = workspace.getPathToCmsFile();
+ if(!pathToCsarFile.isPresent()) {
+ this.errors.add(new CsarFileNotAvailableError());
+ } else {
+ if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) {
+ verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get());
+ } else if (pathToCmsFile.isPresent()) {
+ this.errors.add(new SignatureWithCertificationOnlyWarning());
+ } else {
+ this.errors.add(new BrokenZipPackageError());
+ }
+ }
+ }
+
+ private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws Exception {
+ final CmsSignatureValidator securityManager = new CmsSignatureValidator();
+
+ byte[] csarContent = Files.readAllBytes(pathToCsarFile);
+ byte[] signature = Files.readAllBytes(pathToCmsFile);
+ byte[] publicCertification = Files.readAllBytes(pathToCertFile);
+
+ if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) {
+ this.errors.add(new CSARErrorInvalidSignature());
+ }
+ }
+
 @Override
 protected String getVnfReqsNo() {
 return "R787965";
-- cgit 1.2.3-korg
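Review bot: In `verifyTwoFileCertification` the certificate handed to `verifySignedData` is read from the same zip as the signature and the csar, so a passing check shows only that the three files are consistent with each other. Whether `CmsSignatureValidator` also validates that certificate against a trusted root is not visible in this hunk; if it does not, a repackaged archive carrying its own certificate would still pass. I would state the assumption on the method, e.g. `// NOTE: pathToCertFile comes from the package under test; provider origin is only established if CmsSignatureValidator chains it to a trust anchor`, and confirm that behaviour in the validator. The method also loads the whole csar with `Files.readAllBytes`, which deserves a size bound when packages are untrusted.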