- Sub-task
- Resolution: Unresolved
- Medium
The VNF Package Manifest file provided by a VNF vendor shall include a Signature CMS container as specified in ETSI GS NFV-SOL004. The Signature container is a structure in a standard format (e.g. CMS) that contains the signature and the additional data needed to process it (e.g. certificates, algorithms, etc.). The manifest file is the key to deciding on the integrity and validity of a VNF package in terms of its contained artifacts.
As specified in https://jira.onap.org/browse/VNFSDK-208, the manifest file contains a digest (a.k.a. hash) for each of the components of the VNF package. The table of hashes is included in the manifest file, which is signed with the VNF provider's private key. In addition, the VNF provider shall include a signing X.509 certificate that includes the VNF provider's public key.
The VNF package consumer (SDC) verifies the signature with the VNF provider's public key. A trusted root certificate pre-installed in ONAP shall be used for validation.
The signature and all data necessary to interpret it (the algorithm used to generate the hash and the encryption method) shall be included in a structure in a standard format following digital signature best practices, and encoded in a textual representation according to IETF RFC 7468 in CMS format.
Example of valid manifest file entries including manifest signature in CMS format:
Source: MRF.yaml
Algorithm: SHA-256
Hash: 09e5a788acb180162c51679ae4c998039fa6644505db2415e35107d1ee213943
Source: scripts/install.sh
Algorithm: SHA-256
Hash: d0e7828293355a07c2dccaaa765c80b507e60e6167067c950dc2e6b0da0dbd8b
Source: https://www.vendor_org.com/MRF/v4.1/scripts/scale/scale.sh
Algorithm: SHA-256
Hash: 36f945953929812aca2701b114b068c71bd8c95ceb3609711428c26325649165
-----BEGIN CMS-----
MIGDBgsqhkiG9w0BCRABCaB0MHICAQAwDQYLKoZIhvcNAQkQAwgwXgYJKoZIhvcN
AQcBoFEET3icc87PK0nNK9ENqSxItVIoSa0o0S/ISczMs1ZIzkgsKk4tsQ0N1nUM
dvb05OXi5XLPLEtViMwvLVLwSE0sKlFIVHAqSk3MBkkBAJv0Fx0=
-----END CMS-----
Open source from the Java development forum (Oracle) may be reused:
- Implementation of JAR manifest file including SHA-256 and X.509 signature creation and validation
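The consumer-side digest check described above, as an added Python example (not ONAP or VNFSDK code): it reads the digest table that precedes the CMS block, recomputes SHA-256 for each local Source, and flags entries that are remote, that escape the package directory, or that exist in the package but are absent from the table. The manifest name MRF.mf, the function names and the status strings are assumptions; the CMS block is only located here, not validated, so the signature must first verify against the trusted root certificate before any of these results are relied on.

```python
import hashlib
import re
import tempfile
from pathlib import Path

CMS_RE = re.compile(r"-----BEGIN CMS-----\n(.+?)\n-----END CMS-----", re.S)
ENTRY_RE = re.compile(r"^Source: *(\S+) *\nAlgorithm: *(\S+) *\nHash: *(\S+) *$", re.M)

def verify_package(root, manifest_name):
    """Return {Source or relative path: status} for a package unpacked under root."""
    root, results = Path(root).resolve(), {}
    text = (root / manifest_name).read_text()
    cms = CMS_RE.search(text)
    if cms is None:
        raise ValueError("manifest has no CMS signature block: reject the package")
    for src, algo, digest in ENTRY_RE.findall(text[:cms.start()]):
        path = (root / src).resolve()
        if "://" in src:
            results[src] = "remote"          # must be fetched and hashed before use
        elif algo != "SHA-256":
            results[src] = "bad-algorithm"   # only the algorithm shown on the page
        elif root not in path.parents:
            results[src] = "unsafe-path"     # Source escapes the package directory
        elif not path.is_file():
            results[src] = "missing"
        else:
            actual = hashlib.sha256(path.read_bytes()).hexdigest()
            results[src] = "ok" if actual == digest.lower() else "mismatch"
    for f in root.rglob("*"):                # artifacts the signed table does not cover
        rel = f.relative_to(root).as_posix()
        if f.is_file() and rel != manifest_name and rel not in results:
            results[rel] = "unlisted"
    return results

def demo():
    """Constructed sample package: one intact file, one altered, one never listed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "scripts").mkdir()
        (root / "MRF.yaml").write_bytes(b"constructed descriptor\n")
        (root / "scripts/install.sh").write_bytes(b"echo install\n")
        rows = [f"Source: {n}\nAlgorithm: SHA-256\nHash: "
                f"{hashlib.sha256((root / n).read_bytes()).hexdigest()}\n"
                for n in ("MRF.yaml", "scripts/install.sh")]
        rows.append("Source: ../outside.sh\nAlgorithm: SHA-256\nHash: " + "0" * 64 + "\n")
        cms = "-----BEGIN CMS-----\nQ09OU1RSVUNURUQ=\n-----END CMS-----\n"  # placeholder only
        (root / "MRF.mf").write_text("".join(rows) + cms)
        (root / "scripts/install.sh").write_bytes(b"echo tampered\n")  # changed after hashing
        (root / "scripts/extra.sh").write_bytes(b"echo unlisted\n")    # never in the table
        return verify_package(root, "MRF.mf")
```

Calling `demo()` returns the status of every entry in the constructed package; anything other than `ok` is grounds to reject the package.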