- Bug
- Resolution: Done
- Medium
- Dublin Release, El Alto Release, Frankfurt Release, Guilin Release
- None
The certificate chain delivered within the signature file is not taken into account during signature validation. Only the signing (usually leaf/end-entity) certificate is considered, which is not in line with ETSI SOL004 v2.5.1, clause 5.2:
The X.509 certificate may contain one single signing certificate or a complete certificate chain. The root certificate that may be present in this X.509 certificate file shall not be used for validation purposes. Only trusted root certificate pre-installed in NFVO shall be used for validation (see clause 5.1).
X.509 certificate mentioned above is explained in following line:
In option 2 (see clause 5.1), the VNF package authenticity and integrity is ensured by signing the CSAR file with the VNF provider private key (option 2 in clause 5.1). The digital signature is stored in a separate file. The VNF provider shall also include an X.509 certificate in a separate file with extension .cert or, if the signature format allows it, in the signature file itself. The VNF provider creates a zip file consisting of the CSAR file, signature and certificate files. The signature and certificate files shall be siblings of the CSAR file with extensions .sm and .cert respectively.
The text above clearly states that the delivered certificate may also contain all intermediate certificates, or even the root certificate, and that the whole chain, except the root certificate, should be used during signature validation: intermediates from the file build the path, but the path must end at a root pre-installed in the NFVO trust store.
NOTE: the same behaviour was observed when the certificate chain is delivered in a separate .cert file, so both supported options must be fixed.
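The validation rule described above, as an added illustration (this is not SDC code, and the PKI it uses is generated in memory for the demonstration): the signing certificate is verified using the intermediates found in the delivered file as path-building material only, while the trust anchor must come from the pre-installed trust store. The four cases in main cover the reported behaviour (leaf considered alone), the correct chain, a file that also carries the root, and a file whose only root is one the NFVO never installed. All function and subject names are my own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// entity is a certificate plus its private key. Everything is constructed
// in memory for this example; nothing here is an ONAP key or certificate.
type entity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn, signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, isCA bool, parent *entity) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &entity{cert: cert, key: key}, err
}

// buildDemoPKI returns a trusted root, an intermediate, the vendor signing (leaf)
// certificate, and an unrelated self-signed root with its own signer.
func buildDemoPKI() (root, inter, leaf, rogueRoot, rogueLeaf *entity, err error) {
	if root, err = issue("Trusted Root CA", 1, true, nil); err != nil {
		return
	}
	if inter, err = issue("Vendor Intermediate CA", 2, true, root); err != nil {
		return
	}
	if leaf, err = issue("Vendor Package Signer", 3, false, inter); err != nil {
		return
	}
	if rogueRoot, err = issue("Untrusted Root CA", 4, true, nil); err != nil {
		return
	}
	rogueLeaf, err = issue("Untrusted Signer", 5, false, rogueRoot)
	return
}

// pickLeaf returns the signing certificate of a delivered bundle (the one that
// issued no other certificate in it) and the remaining entries as path candidates.
func pickLeaf(bundle []*x509.Certificate) (*x509.Certificate, []*x509.Certificate) {
	for i, c := range bundle {
		issuesOther := false
		for j, o := range bundle {
			if i != j && bytes.Equal(o.RawIssuer, c.RawSubject) {
				issuesOther = true
				break
			}
		}
		if !issuesOther {
			rest := append([]*x509.Certificate{}, bundle[:i]...)
			return c, append(rest, bundle[i+1:]...)
		}
	}
	return nil, nil
}

// verifyBundle applies the SOL004 rule: certificates from the delivered file are
// only path-building material; the path must end at a pre-installed trusted root.
func verifyBundle(bundle, trustStore []*x509.Certificate) error {
	leaf, rest := pickLeaf(bundle)
	if leaf == nil {
		return errors.New("no signing certificate in bundle")
	}
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	intermediates := x509.NewCertPool()
	for _, c := range rest {
		intermediates.AddCert(c) // a self-signed root placed here is never a trust anchor
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	root, inter, leaf, rogueRoot, rogueLeaf, err := buildDemoPKI()
	if err != nil {
		panic(err)
	}
	trust := []*x509.Certificate{root.cert}
	cases := map[string][]*x509.Certificate{
		"leaf only (reported behaviour)":    {leaf.cert},
		"leaf + intermediate":               {leaf.cert, inter.cert},
		"root + intermediate + leaf in file": {root.cert, inter.cert, leaf.cert},
		"rogue leaf + rogue root in file":   {rogueLeaf.cert, rogueRoot.cert},
	}
	for name, b := range cases {
		fmt.Printf("%-36s -> %v\n", name, verifyBundle(b, trust))
	}
}
```

Only the second and third cases verify: the first fails because the intermediate from the file was ignored, and the fourth fails because the root inside the file is not in the NFVO trust store, which is exactly the distinction clause 5.2 draws.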
- relates to: SDC-1980 Supporting onboarding packaging security (Closed)