VNFSDK-596

Package security SOL004 Option 1 - add warnings to OCLIP json response


    • Type: Story
    • Resolution: Done
    • Priority: Medium

      ETSI GS NFV-SOL 004 V2.7.1 (2019-12) https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/004/02.07.01_60/gs_NFV-SOL004v020701p.pdf
      ONAP PNF and VNF requirements: https://docs.onap.org/en/frankfurt/submodules/vnfrqts/requirements.git/docs/Chapter5/Tosca/ONAP%20VNF%20or%20PNF%20CSAR%20Package.html#vnf-or-pnf-package-authenticity-and-integrity

      CoS:
      If the manifest contains any sign of Package security SOL004 Option 1 usage:

      • CMS signature
      • Hash
      • Algorithm
      • ETSI-Entry-Certificate tag in TOSCA-Metadata/TOSCA.meta file
      • <TOSCA definitions main YAML name>.cert file in the root folder when the TOSCA-Metadata/TOSCA.meta file doesn't exist in the CSAR package

      then:

      • All items (Source: entries) mentioned in the manifest should have a valid Hash and Algorithm.
      • The CMS signature in the manifest should be valid.

      Report any rule violation as an error for Requirement R-130206 (currently implemented).

      Otherwise, when there is no:

      • CMS signature,
      • Hash,
      • Algorithm,
      • ETSI-Entry-Certificate tag in TOSCA-Metadata/TOSCA.meta file
      • <TOSCA definitions main YAML name>.cert file in the root folder when the TOSCA-Metadata/TOSCA.meta file doesn't exist in the CSAR package

      then the rule should report a warning stating that the rule was not applied to the CSAR package.
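
The decision described by the conditions above, as an added Python example (not VNFSDK code, which this page does not show). Assumptions: one `.mf` manifest per archive, `Source:`/`Algorithm:`/`Hash:` lines in the manifest, SHA-256 and SHA-512 only, and the CMS block is checked for presence only, not cryptographically verified; all function names are hypothetical.

```python
import hashlib, io, re, zipfile

META = "TOSCA-Metadata/TOSCA.meta"
ALGOS = {"SHA-256": hashlib.sha256, "SHA-512": hashlib.sha512}

def option1_markers(names, manifest, meta):
    """Return which of the ticket's Option 1 markers the package carries."""
    pats = (("CMS signature", r"^-----BEGIN CMS-----"), ("Hash", r"^\s*Hash:"),
            ("Algorithm", r"^\s*Algorithm:"))
    found = [m for m, p in pats if re.search(p, manifest, re.M)]
    roots = [n for n in names if "/" not in n]
    if meta is not None and re.search(r"^ETSI-Entry-Certificate:", meta, re.M):
        found.append("ETSI-Entry-Certificate")
    elif meta is None and any(n[:-5] + ".cert" in roots for n in roots if n.endswith(".yaml")):
        found.append("root .cert")
    return found

def check_r130206(csar_bytes):
    """No marker: warning only. Any marker: every Source needs a valid hash."""
    res = {"passed": True, "errors": [], "warnings": []}
    with zipfile.ZipFile(io.BytesIO(csar_bytes)) as z:
        names = z.namelist()
        mf = next(n for n in names if n.endswith(".mf"))  # assumption: one manifest
        manifest = z.read(mf).decode()
        meta = z.read(META).decode() if META in names else None
        markers = option1_markers(names, manifest, meta)
        if not markers:  # package integrity was NOT checked in this branch
            res["warnings"].append(f"{mf}: rule not applied, no Option 1 data")
            return res
        if "CMS signature" not in markers:
            res["errors"].append(f"{mf}: CMS signature missing")
        for block in re.split(r"^Source:[ \t]*", manifest, flags=re.M)[1:]:
            src = block.split("\n", 1)[0].strip()
            algo = re.search(r"^\s*Algorithm:\s*(\S+)", block, re.M)
            digest = re.search(r"^\s*Hash:\s*(\S+)", block, re.M)
            h = ALGOS.get(algo.group(1).upper()) if algo else None
            if not (h and digest and src in names):
                res["errors"].append(f"{src}: missing or unsupported Hash/Algorithm")
            elif h(z.read(src)).hexdigest() != digest.group(1).lower():
                res["errors"].append(f"{src}: hash mismatch")
    res["passed"] = not res["errors"]  # CMS validity itself is not verified here
    return res

def build_csar(files):
    """Constructed sample input: zip an in-memory {path: text} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in files.items():
            z.writestr(path, text)
    return buf.getvalue()
```

A package that keeps its hashes but has lost the CMS block still carries markers, so it fails with an error instead of falling into the warning-only branch.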

      Currently, all warnings from rules are transformed to passed when the user executes the whole set of PNF rules, but there is no information about any warnings.
      Consider a new field in the oclip JSON response (warnings):

          {
            "passed": true,
            "vnfreqName": "r130206",
            "description": "The VNF/PNF package shall contain a Digest (a.k.a. hash) for each of the components of the VNF package. The table of hashes is included in the manifest file, which is signed with the VNF provider private key. In addition, the VNF provider shall include a signing certificate that includes the VNF provider public key, following a pre-defined naming convention and located either at the root of the archive or in a predefined location (e.g. directory).\n",
            "errors": [],
            "warnings": [
              {
                "vnfreqNo": "130206",
                "code": "xyz",
                "message": "Warning. Consider adding package integrity and  authenticity assurance according to ETSI NFV-SOL 004 Security Option 1 ",
                "file": "MainServiceTemplate.mf",
                "lineNumber": -1
              }
            ]
          }
      

      oclip --product onap-dublin csar-validate --pnf --csar r130206/csar-option1-valid.csar

            adamwudzinski
            kkuzmick