Bug 1966612

Summary: [RFE] SCAP source data stream digital signature validation
Product: Red Hat Enterprise Linux 8 Reporter: Jan Černý <jcerny>
Component: openscapAssignee: Jan Černý <jcerny>
Status: CLOSED ERRATA QA Contact: Matus Marhefka <mmarhefk>
Severity: medium Docs Contact: Jan Fiala <jafiala>
Priority: medium    
Version: 8.4CC: ekolesni, jafiala, mhaicman, mollyredlipps
Target Milestone: betaKeywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openscap-1.3.5-2.el8 Doc Type: Enhancement
Doc Text:
.Validation of digitally signed SCAP source data streams To conform with the Security Content Automation Protocol (SCAP) 1.3 specifications, OpenSCAP now validates digital signatures of digitally signed SCAP source data streams. As a result, OpenSCAP validates the digital signature when evaluating a digitally signed SCAP source data stream. The signature validation is performed automatically while loading the file. Data streams with invalid signatures are rejected, and OpenSCAP does not evaluate their content. OpenSCAP uses the https://www.aleksey.com/xmlsec/[XML Security Library] with the OpenSSL cryptography library to validate the digital signature. You can skip the signature validation by adding the `--skip-signature-validation` option to the `oscap xccdf eval` command. IMPORTANT: OpenSCAP does not address the trustworthiness of certificates or public keys that are part of the `KeyInfo` signature element and that are used to verify the signature. You should verify such keys by yourselves to prevent evaluation of data streams that have been modified and signed by bad actors.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:04:06 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Černý 2021-06-01 14:00:32 UTC 
Description of problem:
As of SCAP 1.3 specification, Section 4.2 Source Data Streams, page 30:

Content consumers SHOULD validate XML digital signatures if they exist in the content. Validating a signature includes confirming that the signature value is valid, all of the reference hashes in the signature and manifest are correct, and the public key used to verify the signature is from a trusted source. A data stream with a signature that does not validate SHOULD NOT be evaluated by a content consumer.

The implementation should follow TMSAD specification.

It is also required by SCAP 1.3 validation program test requirements, requirement SCAP.R.900.

Version-Release number of selected component (if applicable):
openscap-1.3.4-5

How reproducible:
always

Steps to Reproduce:
1. get a digitally signed SCAP 1.3 source data stream
2. pass it to oscap xccdf eval

Actual results:
signature isn't verified

Expected results:
signature is verified, source data streams with an invalid singature are rejected

Additional info:
Fixed upstream by https://github.com/OpenSCAP/openscap/pull/1684 and https://github.com/OpenSCAP/openscap/pull/1719. The fixes are part of OpenSCAP 1.3.5 upstream release.

This BZ has been spun off from the https://bugzilla.redhat.com/show_bug.cgi?id=1815157. That BZ has a broader scope - it requests to implement the full TMASD specification including signing of result data streams. This one is only about signature verification, which is a part that is mandatory for the certification. However, the  https://bugzilla.redhat.com/show_bug.cgi?id=1815157 has a nice doc text which will be moved here.
Comment 27 errata-xmlrpc 2021-11-09 18:04:06 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openscap bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:4192
Comment 29 Jan Černý 2022-10-19 06:58:26 UTC 
Hi, can you explain how this software is related?