SDC: Sign a package

Introduction

This article shows how to create a root certificate and a derived certificate to sign a package and onboard it to SDC.

Create root certificate CA (Certificate Authority) and its private key

Run the following command that will create the root certificate and it's private key. This certificate will represent the SDC Certificate Authority - CA.
The command will prompt for certificate information and only the field Common Name - CN is important, the rest can be empty. Fill that with any non blank information and do not repeat it in the child certificate that will be created further.

Create the package certificate issued by CA

Create the package private key package-private.key and an associated Certificate Signing Request (CSR) package.csr, used to create a certificate based on that key.

Now, create the package certificate issued by root certificate. Similar to the root certificate creation process, the command will prompt for certificate information and only the field Common Name - CN is important, the rest can be empty. Fill the CN with any non blank information and do not repeat the root CA certificate CN, otherwise the package signature validation will think the certificate is self signed.

Using the certificate authority/root certificate (-CA rootCA.cert), root certificate private key (-CAkey rootCA-private.key) and the package CSR (-in package.csr), run the following command to generate the package certificate package.cert:

Sign package with the package certificate and its private key

Choose one method among the two options:
 
Option 1: the following command will include the signing certificate, package.cert, inside the resulting package.cms:

In this option you don't need to add the certificate as a separate file in the signed zip package:

• package.zip

  • package.csar

  • package.cms

Option 2: the following command will not include the signing certificate, package.cert, inside the resulting package.cms. The only difference from Option 1 is the addition of -nocerts option:

In this option you need to add the certificate package.cert as a separate file in the signed zip package.

• package.zip

  • package.csar

  • package.cms

  • package.cert

Validate the CMS signature

To validate the CMS generated package.cms, use the following command with the CA rootCA.cert, package certificate package.cert and package.csar:

Copy root certificate to the SDC certificate folder

SDC currently keeps the certificates in the data/onap/cert folder. Copy the created rootCA.cert to that folder:

This can be done during runtime as SDC will read from that folder every time it validates a package.

<!> Be aware that currently SDC only checks for the number of certificates in /data/onap/cert folder to change the certificates in memory. If the number still the same, it will not update the list of certificates, so a simple replace will change nothing during runtime.

Upload your signed package

Test the certificates by onboarding the signed package to create a SDC VSP (Virtual Software Package).

Utility functions

Print certificate information

Print cryptographic message syntax information

Extract public key from certificate

Verify that a certificate was issued by a Certificate Authority (root certificate)

References

• https://www.openssl.org/docs/man1.0.2/man1/cms.html

• http://openssl.cs.utah.edu/docs/apps/cms.html

• https://stackoverflow.com/questions/49390332/openssl-cms-verify-doesnt-work-with-external-certificate

• https://raymii.org/s/tutorials/Sign_and_verify_text_files_to_public_keys_via_the_OpenSSL_Command_Line.html

• https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309

• https://www.freecodecamp.org/news/openssl-command-cheatsheet-b441be1e8c4a/

• https://en.wikipedia.org/wiki/Cryptographic_Message_Syntax

• https://en.wikipedia.org/wiki/Root_certificate