From 0562debfc5cdd31e61c016aea40272c6c02ad3cb Mon Sep 17 00:00:00 2001 From: Bogumil Zebek Date: Wed, 14 Aug 2019 10:52:37 +0200 Subject: CMS signature validation Change-Id: Ie5d1c835d0e6a760f1b7de651a3833cb87b727e0 Issue-ID: VNFSDK-396 Signed-off-by: Zebek Bogumil --- .../main/java/org/onap/cvc/csar/CSARArchive.java | 6 +- .../java/org/onap/cvc/csar/PnfCSARArchive.java | 5 + .../cvc/csar/cc/sol004/VTPValidateCSARR130206.java | 234 +++++++++++++++++++++ .../cvc/csar/cc/sol004/VTPValidateCSARR787965.java | 26 ++- .../cvc/csar/cc/sol004/VTPValidateCSARR787966.java | 177 ---------------- .../onap/cvc/csar/parser/ManifestFileModel.java | 39 ++++ .../onap/cvc/csar/parser/ManifestFileSplitter.java | 62 ++++++ .../cvc/csar/security/CmsSignatureValidator.java | 45 ++-- 8 files changed, 389 insertions(+), 205 deletions(-) create mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java delete mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java create mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java create mode 100644 csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java (limited to 'csarvalidation/src/main/java/org/onap/cvc') diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java index 180dadd..beb556d 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/CSARArchive.java @@ -1093,7 +1093,7 @@ public class CSARArchive implements AutoCloseable { this.toscaMeta.getEntryLicense(), lineNo)); } - } else if(key.equalsIgnoreCase(TOSCA_METADATA_TOSCA_META_ENTRY_CERTIFICATE)) { + } else if(key.equalsIgnoreCase(getEntryCertificateParamName())) { this.toscaMeta.setEntryCertificate(value); this.certificatesFile= this.tempDir.resolve(this.toscaMeta.getEntryCertificate()).toFile(); if (!this.certificatesFile.exists()) { @@ -1247,6 +1247,10 @@ public class CSARArchive implements AutoCloseable { } } + public String getEntryCertificateParamName() { + return TOSCA_METADATA_TOSCA_META_ENTRY_CERTIFICATE; + } + String getEntryManifestParamName(){ return TOSCA_METADATA_TOSCA_META_ENTRY_MANIFEST; } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java b/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java index a6e2745..f3ce960 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/PnfCSARArchive.java @@ -66,4 +66,9 @@ public class PnfCSARArchive extends CSARArchive { String getEntryChangeLogParamName() { return "ETSI-Entry-Change-Log"; } + + @Override + public String getEntryCertificateParamName() { + return "ETSI-Entry-Certificate"; + } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java new file mode 100644 index 0000000..2d85e35 --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -0,0 +1,234 @@ +/* + * Copyright 2019 Nokia + *

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.cc.sol004; + + +import org.onap.cli.fw.error.OnapCommandException; +import org.onap.cli.fw.schema.OnapCommandSchema; +import org.onap.cvc.csar.CSARArchive; +import org.onap.cvc.csar.FileArchive; +import org.onap.cvc.csar.cc.VTPValidateCSARBase; +import org.onap.cvc.csar.parser.ManifestFileModel; +import org.onap.cvc.csar.parser.ManifestFileSplitter; +import org.onap.cvc.csar.parser.SourcesParser; +import org.onap.cvc.csar.security.CmsSignatureValidator; +import org.onap.cvc.csar.security.CmsSignatureValidatorException; +import org.onap.cvc.csar.security.ShaHashCodeGenerator; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.Charset; +import java.nio.file.Files; +import java.nio.file.Path; +import java.security.NoSuchAlgorithmException; +import java.util.List; +import java.util.Optional; +import java.util.stream.Collectors; + +@OnapCommandSchema(schema = "vtp-validate-csar-r130206.yaml") +public class VTPValidateCSARR130206 extends VTPValidateCSARBase { + + private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR130206.class); + private static final String SHA_256 = "SHA-256"; + private static final String SHA_512 = "SHA-512"; + + private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); + private final ManifestFileSignatureValidator manifestFileSignatureValidator = new ManifestFileSignatureValidator(); + + + public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError { + CSARErrorUnableToFindCertificate(String paramName) { + super("0x4001"); + this.message = String.format("Unable to find cert file defined by %s!", paramName); + } + } + + public static class CSARErrorUnableToFindCmsSection extends CSARArchive.CSARError { + CSARErrorUnableToFindCmsSection() { + super("0x4002"); + this.message = "Unable to find CMS section in manifest!"; + } + } + + public static class CSARErrorUnableToFindCsarContent extends CSARArchive.CSARError { + CSARErrorUnableToFindCsarContent() { + super("0x4003"); + this.message = "Unable to find csar content!"; + } + } + + public static class CSARErrorWrongHashCode extends CSARArchive.CSARError { + CSARErrorWrongHashCode(String path) { + super("0x4004"); + this.message = String.format("Source '%s' has wrong hash!", path); + } + } + + public static class CSARErrorUnableToFindAlgorithm extends CSARArchive.CSARError { + CSARErrorUnableToFindAlgorithm(String path) { + super("0x4005"); + this.message = String.format("Source '%s' has hash, but unable to find algorithm tag!", path); + } + } + + public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError { + CSARErrorUnableToFindSource(String path) { + super("0x4006"); + this.message = String.format("Unable to calculate digest - file missing: %s", path); + } + } + + public static class CSARErrorInvalidSignature extends CSARArchive.CSARError { + CSARErrorInvalidSignature() { + super("0x4007"); + this.message = "File has invalid CMS signature!"; + } + } + + @Override + protected void validateCSAR(CSARArchive csar) throws OnapCommandException { + + try { + FileArchive.Workspace workspace = csar.getWorkspace(); + final Optional pathToCsarFolder = workspace.getPathToCsarFolder(); + if (pathToCsarFolder.isPresent()) { + validate(csar, pathToCsarFolder.get()); + } else { + this.errors.add(new CSARErrorUnableToFindCsarContent()); + } + } catch (Exception e) { + LOG.error("Internal VTPValidateCSARR130206 command error", e); + throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs."); + } + + } + + private void validate(CSARArchive csar, Path csarRootDirectory) throws IOException, NoSuchAlgorithmException { + final CSARArchive.Manifest manifest = csar.getManifest(); + + validateSecurityStructure(csar, csarRootDirectory); + validateSources(csarRootDirectory, manifest); + + final File manifestMfFile = csar.getManifestMfFile(); + if (manifestMfFile != null) { + validateFileSignature(manifestMfFile); + } + } + + private void validateFileSignature(File manifestMfFile) { + final boolean isValid = this.manifestFileSignatureValidator.isValid(manifestMfFile); + if (!isValid) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void validateSecurityStructure(CSARArchive csar, Path csarRootDirectory) { + final CSARArchive.Manifest manifest = csar.getManifest(); + final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); + final String entryCertificateParamName = csar.getEntryCertificateParamName(); + final Optional entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); + if (!entryCertificate.isPresent() || !entryCertificate.get().exists()) { + this.errors.add(new CSARErrorUnableToFindCertificate(entryCertificateParamName)); + } + + if (manifest.getCms() == null || manifest.getCms().isEmpty()) { + this.errors.add(new CSARErrorUnableToFindCmsSection()); + } + } + + private Optional resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) { + final String certificatePath = toscaMeta.getEntryCertificate(); + if (certificatePath == null) { + return Optional.empty(); + } else { + return Optional.of(csarRootDirectory.resolve(certificatePath).toFile()); + } + } + + private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException { + final List sources = manifest.getSources(); + for (SourcesParser.Source source : sources) { + if (!source.getAlgorithm().isEmpty() || !source.getHash().isEmpty()) { + validateSource(csarRootDirectory, source); + } + } + } + + private void validateSource(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + final Path sourcePath = csarRootDirectory.resolve(source.getValue()); + if (!sourcePath.toFile().exists()) { + this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); + } else { + if (!source.getAlgorithm().isEmpty()) { + validateSourceHashCode(csarRootDirectory, source); + } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { + this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); + } + } + } + + private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + String hashCode = generateHashCode(csarRootDirectory, source); + if (!hashCode.equals(source.getHash())) { + this.errors.add(new CSARErrorWrongHashCode(source.getValue())); + } + } + + private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { + final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); + final String algorithm = source.getAlgorithm(); + + if (algorithm.equalsIgnoreCase(SHA_256)) { + return this.shaHashCodeGenerator.generateSha256(sourceData); + } else if (algorithm.equalsIgnoreCase(SHA_512)) { + return this.shaHashCodeGenerator.generateSha512(sourceData); + } + + throw new UnsupportedOperationException(String.format("Algorithm '%s' is not supported!", algorithm)); + } + + @Override + protected String getVnfReqsNo() { + return "R130206"; + } + + +} + +class ManifestFileSignatureValidator { + private static final Logger LOG = LoggerFactory.getLogger(ManifestFileSignatureValidator.class); + private final ManifestFileSplitter manifestFileSplitter = new ManifestFileSplitter(); + private final CmsSignatureValidator cmsSignatureValidator = new CmsSignatureValidator(); + + boolean isValid(File manifestFile) { + try { + ManifestFileModel mf = manifestFileSplitter.split(manifestFile); + return cmsSignatureValidator.verifySignedData(toBytes(mf.getCMS()), Optional.empty(), toBytes(mf.getData())); + } catch (CmsSignatureValidatorException e) { + LOG.error("Unable to verify signed data!", e); + return false; + } + } + + private byte[] toBytes(List data) { + final String updatedData = data.stream().map(it -> it + "\r\n").collect(Collectors.joining()); + return updatedData.getBytes(Charset.defaultCharset()); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java index a3ab865..034d35e 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787965.java @@ -37,6 +37,7 @@ import java.util.Optional; public class VTPValidateCSARR787965 extends VTPValidateCSARBase { private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787965.class); + private final CmsSignatureValidator securityManager = new CmsSignatureValidator(); static class CSARErrorInvalidSignature extends CSARArchive.CSARError { CSARErrorInvalidSignature() { @@ -52,16 +53,6 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } } - static class SignatureWithCertificationOnlyWarning extends CSARArchive.CSARError { - SignatureWithCertificationOnlyWarning() { - super("0x3003"); - this.message = "Warning. Zip package probably is valid. " + - "It contains only signature with certification cms and csar package. " + - "Unable to verify csar signature."; - } - } - - static class BrokenZipPackageError extends CSARArchive.CSARError { BrokenZipPackageError() { super("0x3004"); @@ -95,7 +86,7 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { if (pathToCertFile.isPresent() && pathToCmsFile.isPresent()) { verifyTwoFileCertification(pathToCsarFile.get(), pathToCertFile.get(), pathToCmsFile.get()); } else if (pathToCmsFile.isPresent()) { - this.errors.add(new SignatureWithCertificationOnlyWarning()); + verifyOneFileCertification(pathToCsarFile.get(), pathToCmsFile.get()); } else { this.errors.add(new BrokenZipPackageError()); } @@ -103,13 +94,20 @@ public class VTPValidateCSARR787965 extends VTPValidateCSARBase { } private void verifyTwoFileCertification(Path pathToCsarFile, Path pathToCertFile, Path pathToCmsFile) throws IOException, CmsSignatureValidatorException { - final CmsSignatureValidator securityManager = new CmsSignatureValidator(); - byte[] csarContent = Files.readAllBytes(pathToCsarFile); byte[] signature = Files.readAllBytes(pathToCmsFile); byte[] publicCertification = Files.readAllBytes(pathToCertFile); - if (!securityManager.verifySignedData(signature, publicCertification,csarContent)) { + if (!securityManager.verifySignedData(signature, Optional.of(publicCertification) ,csarContent)) { + this.errors.add(new CSARErrorInvalidSignature()); + } + } + + private void verifyOneFileCertification(Path pathToCsarFile, Path pathToSignatureAndCmsFile) throws IOException, CmsSignatureValidatorException { + byte[] csarContent = Files.readAllBytes(pathToCsarFile); + byte[] signature = Files.readAllBytes(pathToSignatureAndCmsFile); + + if(!securityManager.verifySignedData(signature, Optional.empty(), csarContent)){ this.errors.add(new CSARErrorInvalidSignature()); } } diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java deleted file mode 100644 index 7a14709..0000000 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR787966.java +++ /dev/null @@ -1,177 +0,0 @@ -/* - * Copyright 2019 Nokia - *

- * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - *

- * http://www.apache.org/licenses/LICENSE-2.0 - *

- * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - */ - -package org.onap.cvc.csar.cc.sol004; - - -import org.onap.cli.fw.error.OnapCommandException; -import org.onap.cli.fw.schema.OnapCommandSchema; -import org.onap.cvc.csar.CSARArchive; -import org.onap.cvc.csar.FileArchive; -import org.onap.cvc.csar.cc.VTPValidateCSARBase; -import org.onap.cvc.csar.parser.SourcesParser; -import org.onap.cvc.csar.security.ShaHashCodeGenerator; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; - -import java.io.File; -import java.io.IOException; -import java.nio.file.Files; -import java.nio.file.Path; -import java.security.NoSuchAlgorithmException; -import java.util.List; -import java.util.Optional; - -@OnapCommandSchema(schema = "vtp-validate-csar-r787966.yaml") -public class VTPValidateCSARR787966 extends VTPValidateCSARBase { - - private static final Logger LOG = LoggerFactory.getLogger(VTPValidateCSARR787966.class); - private static final String SHA_256 = "SHA-256"; - private static final String SHA_512 = "SHA-512"; - - private final ShaHashCodeGenerator shaHashCodeGenerator = new ShaHashCodeGenerator(); - - - public static class CSARErrorUnableToFindCertificate extends CSARArchive.CSARError { - CSARErrorUnableToFindCertificate() { - super("0x4001"); - this.message = "Unable to find cert file defined by Entry-Certificate!"; - } - } - - public static class CSARErrorUnableToFindCmsSection extends CSARArchive.CSARError { - CSARErrorUnableToFindCmsSection() { - super("0x4002"); - this.message = "Unable to find CMS section in manifest!"; - } - } - - public static class CSARErrorUnableToFindCsarContent extends CSARArchive.CSARError { - CSARErrorUnableToFindCsarContent() { - super("0x4003"); - this.message = "Unable to find csar content!"; - } - } - - public static class CSARErrorWrongHashCode extends CSARArchive.CSARError { - CSARErrorWrongHashCode(String path) { - super("0x4004"); - this.message = String.format("Source '%s' has wrong hash!", path); - } - } - - public static class CSARErrorUnableToFindAlgorithm extends CSARArchive.CSARError { - CSARErrorUnableToFindAlgorithm(String path) { - super("0x4005"); - this.message = String.format("Source '%s' has hash, but unable to find algorithm tag!", path); - } - } - - public static class CSARErrorUnableToFindSource extends CSARArchive.CSARError { - CSARErrorUnableToFindSource(String path) { - super("0x4006"); - this.message = String.format("Source '%s' does not exist!", path); - } - } - - @Override - protected void validateCSAR(CSARArchive csar) throws OnapCommandException { - - try { - FileArchive.Workspace workspace = csar.getWorkspace(); - final Optional pathToCsarFolder = workspace.getPathToCsarFolder(); - if(pathToCsarFolder.isPresent()) { - validate(csar, pathToCsarFolder.get()); - } else { - this.errors.add(new CSARErrorUnableToFindCsarContent()); - } - } catch (Exception e) { - LOG.error("Internal VTPValidateCSARR787966 command error", e); - throw new OnapCommandException("0x3000", "Internal VTPValidateCSARR787966 command error. See logs."); - } - - } - - private void validate(CSARArchive csar, Path csarRootDirectory ) throws IOException, NoSuchAlgorithmException { - - final CSARArchive.Manifest manifest = csar.getManifest(); - final CSARArchive.TOSCAMeta toscaMeta = csar.getToscaMeta(); - validateSecurityStructure(toscaMeta, csarRootDirectory, manifest); - validateSources(csarRootDirectory, manifest); - } - - private void validateSecurityStructure(CSARArchive.TOSCAMeta toscaMeta , Path csarRootDirectory, CSARArchive.Manifest manifest) { - final Optional entryCertificate = resolveCertificateFilePath(toscaMeta, csarRootDirectory); - if (!entryCertificate.isPresent() || !entryCertificate.get().exists() && !manifest.getCms().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindCertificate()); - } else if (entryCertificate.get().exists() && manifest.getCms().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindCmsSection()); - } - } - - private Optional resolveCertificateFilePath(CSARArchive.TOSCAMeta toscaMeta, Path csarRootDirectory) { - final String certificatePath = toscaMeta.getEntryCertificate(); - if(certificatePath == null){ - return Optional.empty(); - } else { - return Optional.of(csarRootDirectory.resolve(certificatePath).toFile()); - } - } - - private void validateSources(Path csarRootDirectory, CSARArchive.Manifest manifest) throws NoSuchAlgorithmException, IOException { - final List sources = manifest.getSources(); - for (SourcesParser.Source source: sources){ - final Path sourcePath = csarRootDirectory.resolve(source.getValue()); - if(!Files.exists(sourcePath)){ - this.errors.add(new CSARErrorUnableToFindSource(source.getValue())); - } else { - if (!source.getAlgorithm().isEmpty()) { - validateSourceHashCode(csarRootDirectory, source); - } else if (source.getAlgorithm().isEmpty() && !source.getHash().isEmpty()) { - this.errors.add(new CSARErrorUnableToFindAlgorithm(source.getValue())); - } - } - } - } - - private void validateSourceHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { - String hashCode = generateHashCode(csarRootDirectory, source); - if (!hashCode.equals(source.getHash())) { - this.errors.add(new CSARErrorWrongHashCode(source.getValue())); - } - } - - private String generateHashCode(Path csarRootDirectory, SourcesParser.Source source) throws NoSuchAlgorithmException, IOException { - final byte[] sourceData = Files.readAllBytes(csarRootDirectory.resolve(source.getValue())); - final String algorithm = source.getAlgorithm(); - - if(algorithm.equalsIgnoreCase(SHA_256)) { - return this.shaHashCodeGenerator.generateSha256(sourceData); - } else if(algorithm.equalsIgnoreCase(SHA_512)){ - return this.shaHashCodeGenerator.generateSha512(sourceData); - } - - throw new UnsupportedOperationException(String.format("Algorithm '%s' is not supported!", algorithm)); - } - - @Override - protected String getVnfReqsNo() { - return "R787966"; - } - - -} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java new file mode 100644 index 0000000..f6b42fd --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileModel.java @@ -0,0 +1,39 @@ +/* + * Copyright 2019 Nokia + *

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.parser; + +import java.util.Collections; +import java.util.List; + +public class ManifestFileModel { + private final List data; + private final List cms; + + public ManifestFileModel(List data, List cms) { + this.data = data; + this.cms = cms; + } + + public List getData() { + return Collections.unmodifiableList(data); + } + + public List getCMS() { + return Collections.unmodifiableList(cms); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java new file mode 100644 index 0000000..03a628c --- /dev/null +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/parser/ManifestFileSplitter.java @@ -0,0 +1,62 @@ +/* + * Copyright 2019 Nokia + *

+ * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + *

+ * http://www.apache.org/licenses/LICENSE-2.0 + *

+ * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + */ + +package org.onap.cvc.csar.parser; + + +import java.io.File; +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Paths; +import java.util.ArrayList; +import java.util.List; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +public class ManifestFileSplitter { + + public ManifestFileModel split(File manifestFile) { + String fileName = manifestFile.getAbsolutePath(); + List data = new ArrayList<>(); + List cms = new ArrayList<>(); + + try (Stream stream = Files.lines(Paths.get(fileName))) { + List lines = stream.collect(Collectors.toList()); + return createManifestFileModel(data, cms, lines); + + } catch (IOException e) { + throw new IllegalArgumentException(String.format("Unable to process manifest file! Wrong file path: '%s'", fileName)); + } + } + + private ManifestFileModel createManifestFileModel(List data, List cms, List lines) { + boolean isCmsSection = false; + + for (String line : lines) { + if (line.contains("BEGIN CMS")) { + isCmsSection = true; + } + + if (isCmsSection) { + cms.add(line); + } else { + data.add(line); + } + } + return new ManifestFileModel(data, cms); + } +} diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java index a168541..b8b3714 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/security/CmsSignatureValidator.java @@ -18,6 +18,7 @@ package org.onap.cvc.csar.security; import org.bouncycastle.asn1.cms.ContentInfo; +import org.bouncycastle.cert.X509CertificateHolder; import org.bouncycastle.cms.CMSException; import org.bouncycastle.cms.CMSProcessableByteArray; import org.bouncycastle.cms.CMSSignedData; @@ -27,6 +28,7 @@ import org.bouncycastle.cms.SignerInformation; import org.bouncycastle.cms.jcajce.JcaSimpleSignerInfoVerifierBuilder; import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.operator.OperatorCreationException; +import org.bouncycastle.util.Store; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -34,23 +36,35 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.InputStream; import java.io.InputStreamReader; +import java.nio.charset.Charset; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; import java.util.Collection; +import java.util.Optional; public class CmsSignatureValidator { private static final Logger LOG = LoggerFactory.getLogger(CmsSignatureValidator.class); public boolean verifySignedData( - final byte[] signature, - final byte[] certificate, - final byte[] csarFileContent) throws CmsSignatureValidatorException { - - try (ByteArrayInputStream signatureStream = new ByteArrayInputStream(signature)) { - SignerInformation firstSigner = getSignerInformation(csarFileContent, signatureStream); - X509Certificate cert = loadCertificate(certificate); + final byte[] cmsSignature, + final Optional certificate, + final byte[] fileContent) throws CmsSignatureValidatorException { + + try (ByteArrayInputStream cmsSignatureStream = new ByteArrayInputStream(cmsSignature)) { + CMSSignedData signedData = getCMSSignedData(fileContent, cmsSignatureStream); + Collection signers = signedData.getSignerInfos().getSigners(); + SignerInformation firstSigner = signers.iterator().next(); + + Store certificates = signedData.getCertificates(); + X509Certificate cert; + if (!certificate.isPresent()) { + X509CertificateHolder firstSignerFirstCertificate = getX509CertificateHolder(firstSigner, certificates); + cert = loadCertificate(firstSignerFirstCertificate.getEncoded()); + } else { + cert = loadCertificate(certificate.get()); + } return firstSigner.verify(new JcaSimpleSignerInfoVerifierBuilder().build(cert)); } catch (CMSSignerDigestMismatchException e){ @@ -63,17 +77,22 @@ public class CmsSignatureValidator { } } - private SignerInformation getSignerInformation(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException { + private X509CertificateHolder getX509CertificateHolder(SignerInformation firstSigner, Store certificates) throws CmsSignatureValidatorException { + Collection firstSignerCertificates = certificates.getMatches(firstSigner.getSID()); + if(!firstSignerCertificates.iterator().hasNext()){ + throw new CmsSignatureValidatorException("No certificate found in cms signature that should contain one!"); + } + return firstSignerCertificates.iterator().next(); + } + + private CMSSignedData getCMSSignedData(byte[] innerPackageFileCSAR, ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException, CMSException { ContentInfo signature = produceSignature(signatureStream); CMSTypedData signedContent = new CMSProcessableByteArray(innerPackageFileCSAR); - CMSSignedData signedData = new CMSSignedData(signedContent, signature); - - Collection signers = signedData.getSignerInfos().getSigners(); - return signers.iterator().next(); + return new CMSSignedData(signedContent, signature); } private ContentInfo produceSignature(ByteArrayInputStream signatureStream) throws IOException, CmsSignatureValidatorException { - Object parsedObject = new PEMParser(new InputStreamReader(signatureStream)).readObject(); + Object parsedObject = new PEMParser(new InputStreamReader(signatureStream, Charset.defaultCharset())).readObject(); if (!(parsedObject instanceof ContentInfo)) { throw new CmsSignatureValidatorException("Signature is not recognized!"); } -- cgit 1.2.3-korg