
[Open-scap] Signed datastreams



Hi,
openscap in git master (tested with 27c7eb1b2fb30882f7b0b680cc12a2ab7750ed1f) can read and interpret signed datastreams. By itself it won't do any checking of the signatures though!

Safely evaluating signed content (with signature verification) involves the following steps:

1) Install xmlsec1 and at least one of its crypto engines. (Fedora 17: # yum install xmlsec1 xmlsec1-openssl)

2) Run xmlsec1 --verify on the content:

This simple example will only show 2 specific cases of verifying the signature; the steps may vary depending on which technique was used to sign the datastream.

Assuming the datastream was signed with a private key and we have the respective public key to verify it with:
  $ xmlsec1 --verify --pubkey-pem pub.key datastream.xml

Assuming the datastream was signed with a certificate and we have the respective public part of the certificate to verify it with:
  $ xmlsec1 --verify --pubkey-cert-pem pubcert.key datastream.xml

There are countless other options; for more details see $ xmlsec1 --help-verify

Successful output should look similar to this:

$ xmlsec1 verify --pubkey-pem key.pub datastream.xml
OK
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0

And the exit code must be 0 before proceeding.

3) If the previous steps resulted in successful verification, proceed by evaluating the datastream:

$ oscap xccdf eval datastream.xml


(If you want to experiment with various crypto engines of xmlsec, see $ xmlsec1-config --help.)

Supporting all the possible variants specified in xmldsig-core [1] directly in openscap would be very tricky. If you are already using signed datastreams, how are you signing and verifying the signatures? We are interested in alternative workflows and ideas to make the process easier.

[1] http://www.w3.org/TR/xmldsig-core/

-- 
Martin Preisler
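The following wrapper is an added example, not code from the post or from the openscap project. It scripts the verify-then-evaluate procedure described above so that oscap is never run on a datastream whose xmlsec1 check did not exit 0, covering the two key cases shown (a raw public key via --pubkey-pem, and the public part of a certificate via --pubkey-cert-pem). It assumes only the flags shown in the post; the XMLSEC1 and OSCAP variables, the key file names and the --profile value are placeholders of this example so the control flow can be exercised without the real tools installed.

```shell
#!/bin/sh
# Added example (not part of the original post): refuse to evaluate a
# datastream unless its XML signature verified. The tool names can be
# overridden through XMLSEC1/OSCAP (assumption of this example) so the
# logic can be tested with stand-ins; in real use leave them unset.

# verify_datastream MODE KEYFILE DATASTREAM
#   MODE "pem"  -> raw public key, as in: xmlsec1 --verify --pubkey-pem ...
#   MODE "cert" -> certificate's public part: xmlsec1 --verify --pubkey-cert-pem ...
# Returns xmlsec1's exit status; 0 means the signature verified.
verify_datastream() {
    mode=$1; keyfile=$2; ds=$3
    case "$mode" in
        pem)  keyopt=--pubkey-pem ;;
        cert) keyopt=--pubkey-cert-pem ;;
        *)    echo "verify_datastream: unknown mode '$mode'" >&2; return 2 ;;
    esac
    # Fail early on an unreadable file so a missing datastream is not
    # mistaken for (or hidden behind) a bad-signature result.
    [ -r "$ds" ] || { echo "verify_datastream: cannot read $ds" >&2; return 2; }
    "${XMLSEC1:-xmlsec1}" --verify "$keyopt" "$keyfile" "$ds"
}

# safe_eval MODE KEYFILE DATASTREAM [extra oscap options...]
#   Runs "oscap xccdf eval" on DATASTREAM only after verify_datastream
#   exited 0. The same path is handed to both tools so the file that was
#   verified is the file that gets evaluated.
safe_eval() {
    mode=$1; keyfile=$2; ds=$3; shift 3
    if ! verify_datastream "$mode" "$keyfile" "$ds"; then
        echo "safe_eval: signature verification failed for $ds, not evaluating" >&2
        return 1
    fi
    "${OSCAP:-oscap}" xccdf eval "$@" "$ds"
}

# Example invocation (key file and profile id are placeholders):
#   safe_eval pem pub.key datastream.xml --profile some_profile_id
```

Any non-zero status from xmlsec1 (bad signature, wrong key, unknown option) stops the script before oscap is started, which is the "exit code must be 0 before proceeding" rule from the post turned into something a cron job or CI step can call.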

