
SOL004 - VNF/PNF package integrity issue with CMS signature not containing certificate


      According to SOL004 (https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.07.01_60/gs_NFV-SOL004v020701p.pdf, chapter 5.1), when integrity security for a TOSCA CSAR is used (Option 1), an issue can be observed in VNFSDK with a CMS signature that does not contain the certificate.

      When the manifest file is signed using a CMS signature that does not contain the certificate:

      openssl cms -sign -signer package-robot-sdc-valid.cert -inkey package-private-robot-sdc-valid.key -outform PEM -binary -nocerts -in ../repo/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API_with_hash/pnf_main_descriptor.mf >> ../repo/demo/tosca/vnfsdk/test_SDC_and_VNFSDK_API_with_hash/pnf_main_descriptor.mf

      we see an issue with "vnfreqName": "r130206".

      [
          {
              "scenario": "onap-dublin",
              "testCaseName": "csar-validate",
              "testSuiteName": "validation",
              "executionId": "5e947272-c2a1-42d6-8dc4-cb5a91eedba7-1588762728209",
              "parameters": {
                  "csar": "/tmp/data/vtp-tmp-files/test_cms.csar",
                  "pnf": "true"
              },
              "results": {
                  "vnf": {
                      "name": "myPnf",
                      "vendor": "Acme",
                      "version": "1.0",
                      "type": "TOSCA",
                      "mode": "WITH_TOSCA_META_DIR"
                  },
                  "date": "Wed May 06 10:58:48 UTC 2020",
                  "criteria": "FAILED",
                  "results": [
                      {
                          "passed": true,
                          "vnfreqName": "SOL004",
                          "description": "V2.4.1 (2018-02)",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r10087",
                          "description": "The VNF package MUST contain all standard artifacts as specified in ETSI GS NFV-SOL004 including\nManifest file, VNFD (or Main TOSCA/YAML based Service Template) and other optional artifacts.\nCSAR Manifest file as per SOL004 - for example ROOT\\ MainServiceTemplate.mf\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r87234",
                          "description": "The VNF/PNF package provided by a VNF/PNF vendor MAY be either with TOSCA-Metadata directory (CSAR Option 1)\nor without TOSCA-Metadata directory (CSAR Option 2) as specified in ETSI GS NFV-SOL004. On-boarding entity\n(ONAP SDC) must support both options.\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r35854",
                          "description": "The VNF/PNF Descriptor (VNFD/PNFD) provided by VNF/PNF vendor MUST comply with TOSCA/YAML based Service template\nfor VNF/PNF descriptor specified in ETSI NFV-SOL001.\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r15837",
                          "description": "Major TOSCA Types specified in ETSI NFV-SOL001 standard draft.\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r17852",
                          "description": "The VNFD/PNFD MAY include TOSCA/YAML definitions that are not part of NFV Profile. If provided,\nthese definitions MUST comply with TOSCA Simple Profile in YAML v.1.2.\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r293901",
                          "description": "For a VNF/PNF package CSAR MUST contains a TOSCA-Metadata directory with the TOSCA.meta metadata file.\nThe TOSCA.meta metadata file MUST includes block_0 with the Entry-Definitions keyword pointing to a TOSCA definitions\nYAML file.\nAdditional keyname extension must be included as following:\n-ETSI-Entry-Manifest\n-ETSI-Entry-Change-Log\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r146092",
                          "description": "The VNF/PNF package Manifest file MUST contain: non-mano artifact set with following ONAP public tag\n-onap_ansible_playbooks\n-onap_others\n-onap_pm_dictionary\n-onap_pnf_sw_information\n-onap_scripts\n-onap_ves_events\n-onap_yang_modules\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r57019",
                          "description": "The PNF TOSCA CSAR package Manifest file MUST start with the PNF package metadata\nin the form of a name-value pairs. Each pair shall appear on a different line.\nThe name is specified as following:\n-pnfd_provider\n-pnfd_name\n-pnfd_release_date_time\n-pnfd_archive_version\n",
                          "errors": []
                      },
                      {
                          "passed": true,
                          "vnfreqName": "r787965",
                          "description": "If the VNF or PNF CSAR Package utilizes Option 2 for package security, then the complete CSAR file MUST be digitally signed with the VNF or PNF provider private key. The VNF or PNF provider delivers one zip file consisting of the CSAR file, a signature file and a certificate file that includes the VNF or PNF provider public key. The certificate may also be included in the signature container, if the signature format allows that. The VNF or PNF provider creates a zip file consisting of the CSAR file with .csar extension, signature and certificate files. The signature and certificate files must be siblings of the CSAR file with extensions .cms and .cert respectively.\n",
                          "errors": []
                      },
                      {
                          "passed": false,
                          "vnfreqName": "r130206",
                          "description": "The VNF/PNF package shall contain a Digest (a.k.a. hash) for each of the components of the VNF package. The table of hashes is included in the manifest file, which is signed with the VNF provider private key. In addition, the VNF provider shall include a signing certificate that includes the VNF provider public key, following a pre-defined naming convention and located either at the root of the archive or in a predefined location (e.g. directory).\n",
                          "errors": [
                              {
                                  "vnfreqNo": "R130206",
                                  "code": "0x4007",
                                  "message": "File has invalid CMS signature!",
                                  "lineNumber": -1
                              }
                          ]
                      }
                  ],
                  "contact": "ONAP VTP Team onap-discuss@lists.onap.org",
                  "platform": "VNFSDK - VNF Test Platform (VTP) 1.0"
              },
              "status": "COMPLETED",
              "startTime": "2020-05-06T10:58:48.149",
              "endTime": "2020-05-06T10:58:48.553"
          }
      ]

      When a CMS signature containing the certificate is used, everything is fine.

      According to SOL004:

      The certificate may also be included in the signature container, if the signature format allows that. For example, the CMS format allows to include the certificate in the same container as the signature.

      so a CMS signature without the certificate should be valid, as the certificate is included in the package.

            bogumil_zebek
            kkuzmick
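Added example (not part of this issue report or of the VNFSDK code base): a shell script that repeats the reporter's signing step on a constructed manifest, so the CMS blob carries no certificate (-nocerts), and then verifies the detached signature the way a SOL004 Option 1 validator should: the signed bytes are everything in the .mf before the "-----BEGIN CMS-----" line, the PEM block is the signature, and the signer certificate is taken from the package's sibling .cert file rather than from inside the CMS. The vendor key and certificate are generated on the fly as a self-signed stand-in, and the file names (vendor.key, vendor.cert), the manifest contents and the hash value are assumptions. The same certificate is used as the trust anchor here only to keep the example self-contained; a real validator anchors on a configured CA.

```shell
#!/bin/sh
# Added example, not VNFSDK project code. Requires the openssl CLI.

# Build a constructed SOL004-style manifest, a throwaway self-signed vendor
# certificate (assumption: stands in for the real signer), and append a
# detached PEM CMS signature that omits the certificate, as the reporter did.
# Prints the working directory.
make_signed_manifest() {
    dir=$(mktemp -d)
    cat > "$dir/pnf_main_descriptor.mf" <<'EOF'
metadata:
pnfd_provider: Acme
pnfd_name: myPnf
pnfd_release_date_time: 2020-05-06T10:00:00+00:00
pnfd_archive_version: 1.0

Source: Definitions/pnf_main_descriptor.yaml
Algorithm: SHA-256
Hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Acme PNF signer" \
        -keyout "$dir/vendor.key" -out "$dir/vendor.cert" >/dev/null 2>&1
    # -nocerts: the SignedData carries no certificate; the package .cert must
    # supply it. Default cms -sign output is detached, so the manifest bytes
    # are not embedded either.
    openssl cms -sign -binary -nocerts -outform PEM \
        -signer "$dir/vendor.cert" -inkey "$dir/vendor.key" \
        -in "$dir/pnf_main_descriptor.mf" \
        >> "$dir/pnf_main_descriptor.mf"
    echo "$dir"
}

# verify_manifest MANIFEST [CERT]
# Split the manifest into signed content and PEM signature, then verify the
# detached CMS signature. With CERT given, the certificate comes from the
# package file and is also used as trust anchor (assumption for the example).
# With CERT empty, no certificate is available anywhere, which is the
# situation the validator runs into when it only looks inside the CMS blob.
# Returns 0 on a valid signature, non-zero otherwise.
verify_manifest() {
    mf=$1
    cert=$2
    tmp=$(mktemp -d)
    # Signed bytes: every line before the PEM header, newlines preserved.
    awk '/^-----BEGIN CMS-----$/ { exit } { print }' "$mf" > "$tmp/content"
    # Signature: the PEM block appended to the manifest.
    sed -n '/^-----BEGIN CMS-----$/,/^-----END CMS-----$/p' "$mf" > "$tmp/sig.pem"
    rc=0
    if [ -n "$cert" ]; then
        openssl cms -verify -binary -inform PEM \
            -in "$tmp/sig.pem" -content "$tmp/content" \
            -certfile "$cert" -CAfile "$cert" \
            -out /dev/null >/dev/null 2>&1 || rc=$?
    else
        openssl cms -verify -binary -inform PEM -noverify \
            -in "$tmp/sig.pem" -content "$tmp/content" \
            -out /dev/null >/dev/null 2>&1 || rc=$?
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demonstration.
demo_dir=$(make_signed_manifest)
if verify_manifest "$demo_dir/pnf_main_descriptor.mf" "$demo_dir/vendor.cert"; then
    echo "valid: certificate-less CMS verified with the sibling .cert file"
fi
if ! verify_manifest "$demo_dir/pnf_main_descriptor.mf" ""; then
    echo "invalid: without the package certificate the CMS cannot be verified"
fi
```

The second check is the behaviour behind error 0x4007 in the report: a verifier that only searches the CMS structure for the signer certificate finds none and rejects the manifest, even though the signature itself is fine once the .cert shipped in the package is supplied.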