From 5e085985d5e333fbb000c37c8c508c0d46b7d7ee Mon Sep 17 00:00:00 2001 From: Bartosz Gardziejewski Date: Tue, 13 Oct 2020 14:10:28 +0200 Subject: Add error when CMS and TOSCA meta file are present, however TOSCA does not contains ETSI-Entry-Certificate Signed-off-by: Bartosz Gardziejewski Change-Id: I238ac7544f1eda9fa1bc0f2a89120dc3ae33437a Issue-ID: VNFSDK-660 --- .../cvc/csar/cc/sol004/VTPValidateCSARR130206.java | 35 +++++++++++++++------ .../VTPValidateCSARR130206IntegrationTest.java | 35 ++++++--------------- .../pnf/r130206/csar-cert-in-root-valid.csar | Bin 25868 -> 0 bytes .../resources/pnf/r130206/csar-cert-in-root.csar | Bin 6518 -> 0 bytes .../pnf/r130206/csar-with-tosca-no-cert-entry.csar | Bin 0 -> 5491 bytes 5 files changed, 36 insertions(+), 34 deletions(-) delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar delete mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar create mode 100644 csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-no-cert-entry.csar (limited to 'csarvalidation/src') diff --git a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java index 822ddde..05feb54 100644 --- a/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java +++ b/csarvalidation/src/main/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206.java @@ -166,7 +166,15 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { CSARErrorRootCertificateIsPresentDespiteTheEtsiEntryCertificate() { super("0x4013"); - this.message = "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate"; + this.message = "Certificate present in root catalog despite the TOSCA.meta file"; + } + } + + public static class CSARErrorUnableToFindCertificateEntryInTosca extends CSARArchive.CSARError { + + CSARErrorUnableToFindCertificateEntryInTosca() { + super("0x4014"); + this.message = "Unable to find ETSI-Entry-Certificate in Tosca file"; } } @@ -199,7 +207,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { if (containsCms(csar.getManifest())) { validateCmsSignature(csar, csarRootDirectory); } else if ( - containsCertificateInTosca(csar.getToscaMeta()) || + ( containsToscaMeta(csar) && containsCertificateInTosca(csar.getToscaMeta()) ) || containsCertificateInRootCatalog(csar) || containsHashOrAlgorithm(csar.getManifest())) { this.errors.add(new CSARErrorUnableToFindCms()); @@ -213,7 +221,7 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { CmsSignatureData signatureData = this.manifestFileSignatureValidator.createSignatureData(csar.getManifestMfFile()); if (signatureData.getCertificate().isPresent()) { validateCertificationUsingCmsCertificate(signatureData, csar, csarRootDirectory); - } else if (containsCertificateInTosca(csar.getToscaMeta())) { + } else if (containsToscaMeta(csar)) { validateCertificationUsingTosca(signatureData, csar, csarRootDirectory); } else if (containsCertificateInRootCatalog(csar)) { validateCertificationUsingCertificateFromRootDirectory(signatureData, csar, csarRootDirectory); @@ -231,6 +239,10 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { return cms != null && !cms.equals(EMPTY_STRING); } + private boolean containsToscaMeta(CSARArchive archive) { + return archive.getToscaMetaFile() != null; + } + private boolean containsCertificateInTosca(CSARArchive.TOSCAMeta toscaMeta) { String certificate = toscaMeta.getEntryCertificate(); return certificate != null && !certificate.equals(EMPTY_STRING); @@ -276,12 +288,17 @@ public class VTPValidateCSARR130206 extends VTPValidateCSARBase { } private boolean loadCertificateFromTosca(CmsSignatureData signatureData, CSARArchive csar) { - try { - final Path absolutePathToEntryCertificate = csar.getFileFromCsar(csar.getToscaMeta().getEntryCertificate()).toPath(); - signatureData.loadCertificate(absolutePathToEntryCertificate); - return true; - } catch (CertificateLoadingException e) { - this.errors.add(new CSARErrorUnableToFindEntryCertificate()); + if(csar.getToscaMeta().getEntryCertificate() != null) { + try { + final Path absolutePathToEntryCertificate = csar.getFileFromCsar(csar.getToscaMeta().getEntryCertificate()).toPath(); + signatureData.loadCertificate(absolutePathToEntryCertificate); + return true; + } catch (CertificateLoadingException e) { + this.errors.add(new CSARErrorUnableToFindEntryCertificate()); + return false; + } + } else { + this.errors.add(new CSARErrorUnableToFindCertificateEntryInTosca()); return false; } } diff --git a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java index cdaef79..443a61a 100644 --- a/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java +++ b/csarvalidation/src/test/java/org/onap/cvc/csar/cc/sol004/VTPValidateCSARR130206IntegrationTest.java @@ -20,8 +20,10 @@ package org.onap.cvc.csar.cc.sol004; import org.junit.Before; import org.junit.Ignore; import org.junit.Test; +import org.onap.cli.fw.error.OnapCommandException; import org.onap.cvc.csar.CSARArchive; +import java.net.URISyntaxException; import java.util.List; import static org.assertj.core.api.Assertions.assertThat; @@ -80,24 +82,6 @@ public class VTPValidateCSARR130206IntegrationTest { assertThat(errors.size()).isZero(); } - @Test - @Ignore("It is impossible to write test which will always pass, because certificate used to sign the file has time validity." + - "To verify signed package please please follow instructions from test/resources/README.txt file and comment @Ignore tag. " + - "Use instructions for option 1. Test was created for manual verification." - ) - public void manual_shouldValidateCsarWithCertificateInRootWithValidSignature() throws Exception { - - // given - configureTestCase(testCase, "pnf/r130206/csar-cert-in-root-valid.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); - - // when - testCase.execute(); - - // then - List errors = testCase.getErrors(); - assertThat(errors.size()).isZero(); - } - @Test public void shouldReportWarningForMissingCertInCmsToscaMetaAndRootCatalogAndMissingHashCodesInManifest() throws Exception{ @@ -150,10 +134,10 @@ public class VTPValidateCSARR130206IntegrationTest { } @Test - public void shouldReturnNoErrorWhenCertIsOnlyInRootDirectoryAndAlgorithmAndHashesAreCorrect() + public void shouldReturnErrorWhenCsarContainsToscaFileHoweverToscaDoesNotContainsCertEntryAndAlgorithmAndHashesAreCorrect() throws Exception{ // given - configureTestCase(testCase, "pnf/r130206/csar-cert-in-root.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); + configureTestCase(testCase, "pnf/r130206/csar-with-tosca-no-cert-entry.csar", "vtp-validate-csar-r130206.yaml", IS_PNF); // when testCase.execute(); @@ -162,7 +146,7 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(1); assertThat(convertToMessagesList(errors)).contains( - "File has invalid signature!" + "Unable to find ETSI-Entry-Certificate in Tosca file" ); } @@ -213,10 +197,11 @@ public class VTPValidateCSARR130206IntegrationTest { // then List errors = testCase.getErrors(); - assertThat(errors.size()).isEqualTo(2); + assertThat(errors.size()).isEqualTo(3); assertThat(convertToMessagesList(errors)).contains( "Source 'Artifacts/Deployment/Events/RadioNode_Pnf_v1.yaml' has wrong hash!", - "File has invalid signature!" + "Unable to find ETSI-Entry-Certificate in Tosca file", + "Certificate present in root catalog despite the TOSCA.meta file" ); } @@ -369,7 +354,7 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(2); assertThat(convertToMessagesList(errors)).contains( - "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate", + "Certificate present in root catalog despite the TOSCA.meta file", "File has invalid signature!" ); } @@ -387,7 +372,7 @@ public class VTPValidateCSARR130206IntegrationTest { List errors = testCase.getErrors(); assertThat(errors.size()).isEqualTo(3); assertThat(convertToMessagesList(errors)).contains( - "Certificate present in root catalog despite the certificate is included in ETSI-Entry-Certificate", + "Certificate present in root catalog despite the TOSCA.meta file", "Source 'Artifacts/Deployment/Yang_module/yang-module1.yang' has wrong hash!", "File has invalid signature!" ); diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar deleted file mode 100644 index 70885d8..0000000 Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root-valid.csar and /dev/null differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar deleted file mode 100644 index d5d8f94..0000000 Binary files a/csarvalidation/src/test/resources/pnf/r130206/csar-cert-in-root.csar and /dev/null differ diff --git a/csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-no-cert-entry.csar b/csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-no-cert-entry.csar new file mode 100644 index 0000000..d5c27e1 Binary files /dev/null and b/csarvalidation/src/test/resources/pnf/r130206/csar-with-tosca-no-cert-entry.csar differ -- cgit 1.2.3-korg