Bug 1966612
Summary: | [RFE] SCAP source data stream digital signature validation | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Jan Černý <jcerny> |
Component: | openscap | Assignee: | Jan Černý <jcerny> |
Status: | CLOSED ERRATA | QA Contact: | Matus Marhefka <mmarhefk> |
Severity: | medium | Docs Contact: | Jan Fiala <jafiala> |
Priority: | medium | ||
Version: | 8.4 | CC: | ekolesni, jafiala, mhaicman, mollyredlipps |
Target Milestone: | beta | Keywords: | FutureFeature, Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | openscap-1.3.5-2.el8 | Doc Type: | Enhancement |
Doc Text: |
.Validation of digitally signed SCAP source data streams
To conform with the Security Content Automation Protocol (SCAP) 1.3 specifications, OpenSCAP now validates digital signatures of digitally signed SCAP source data streams. As a result, OpenSCAP validates the digital signature when evaluating a digitally signed SCAP source data stream. The signature validation is performed automatically while loading the file. Data streams with invalid signatures are rejected, and OpenSCAP does not evaluate their content. OpenSCAP uses the https://www.aleksey.com/xmlsec/[XML Security Library] with the OpenSSL cryptography library to validate the digital signature.
You can skip the signature validation by adding the
`--skip-signature-validation` option to the `oscap xccdf eval` command.
IMPORTANT: OpenSCAP does not address the trustworthiness of certificates or public keys that are part of the `KeyInfo` signature element and that are used to verify the signature. You should verify such keys by yourselves to prevent evaluation of data streams that have been modified and signed by bad actors.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-11-09 18:04:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan Černý
2021-06-01 14:00:32 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (openscap bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2021:4192 Hi, can you explain how this software is related? |