The oscap tool currently supports the --fetch-remote-resources option to download remote XCCDF / OVAL content from 3rd-party locations, depending on the URL in the check.
Since some XML content might be signed (to ensure data integrity), when fetching remote XCCDF / OVAL content there should be a --verify option to verify the signature of the signed XML content (IOW, verify that the signed content is truly the authentic one).
Therefore this request for enhancement is filed in order for the new --verify option to be added to the oscap command (at the appropriate places where --fetch-remote-resources is allowed and where signed XML content can be expected to be provided).
The idea is that the --verify option would automatically detect the key the content has been signed with. It would try to download the public key for that key and perform the signature verification.
Optionally the --key option could be specified too (if necessary), which would hold the location of the public key that should be used for signed XML content verification.
In the ideal case the --fetch-remote-resources option would be able to detect whether the XML content is signed or not. In the case it's not signed, it would proceed as currently. In the case the content is signed and the --verify option was provided, it would try to download the corresponding public key for that content and verify the integrity of the content. If it wouldn't be able to locate the public key, it would issue an "Unable to locate public key for content verification. Use --key option to specify the location." message or something similar.
Thank you for the consideration.
Regards, Jan.
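The following is an added example, not code from the issue or from the OpenSCAP project, modelling the decision flow the request describes: detect whether fetched content carries an XML-DSig Signature, locate the public key either from --key or from the KeyName in KeyInfo, and fall back to the message proposed above when no key can be found. It only recomputes the detached Reference digest over the fetched bytes (the integrity step, which needs no canonicalization); the cryptographic check of SignatureValue over SignedInfo is left to an XML-DSig library and is not performed here, so the result is not yet proof of authenticity. The resource URI, content, key names, key paths and status strings are all constructed for the example.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
# Message proposed in the issue for the case where no public key can be located.
KEY_MISSING_MSG = ("Unable to locate public key for content verification. "
                   "Use --key option to specify the location.")

# Constructed sample standing in for a fetched OVAL document (not real SCAP content).
CONTENT_URI = "https://example.invalid/remote-oval.xml"
CONTENT = b'<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"/>\n'


def build_detached_signature(resource_uri: str, resource: bytes, key_name: str) -> bytes:
    """Return a detached XML-DSig document whose single Reference digests `resource`.
    SignatureValue is a placeholder: this example exercises only the Reference digest
    (integrity) step, not the signature check over SignedInfo."""
    digest = base64.b64encode(hashlib.sha256(resource).digest()).decode()
    return (
        f'<Signature xmlns="{DSIG_NS}">'
        "<SignedInfo>"
        '<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
        '<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>'
        f'<Reference URI="{resource_uri}">'
        f'<DigestMethod Algorithm="{SHA256_URI}"/>'
        f"<DigestValue>{digest}</DigestValue>"
        "</Reference></SignedInfo>"
        "<SignatureValue>PLACEHOLDER</SignatureValue>"
        f"<KeyInfo><KeyName>{key_name}</KeyName></KeyInfo>"
        "</Signature>"
    ).encode()


def find_signature(doc: Optional[bytes]) -> Optional[ET.Element]:
    """Detect an XML-DSig Signature element (root or nested) in a fetched document."""
    if not doc:
        return None
    root = ET.fromstring(doc)
    tag = f"{{{DSIG_NS}}}Signature"
    return root if root.tag == tag else root.find(f".//{tag}")


def signing_key_name(sig: ET.Element) -> Optional[str]:
    """KeyInfo/KeyName is the identifier --verify would use to look the key up."""
    el = sig.find(f"{{{DSIG_NS}}}KeyInfo/{{{DSIG_NS}}}KeyName")
    return el.text.strip() if el is not None and el.text else None


def references_intact(sig: ET.Element, resources: Dict[str, bytes]) -> bool:
    """Recompute every detached Reference digest over the fetched bytes."""
    refs = sig.findall(f"{{{DSIG_NS}}}SignedInfo/{{{DSIG_NS}}}Reference")
    if not refs:
        return False
    for ref in refs:
        uri = ref.get("URI")
        method = ref.find(f"{{{DSIG_NS}}}DigestMethod")
        value = ref.find(f"{{{DSIG_NS}}}DigestValue")
        # Only detached SHA-256 references to a fetched resource are handled here;
        # same-document references (URI="") would need canonicalization first.
        if uri not in resources or method is None or value is None:
            return False
        if method.get("Algorithm") != SHA256_URI:
            return False
        expected = base64.b64decode(value.text.strip())
        actual = hashlib.sha256(resources[uri]).digest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True


def check_fetched(resources: Dict[str, bytes], signature_doc: Optional[bytes],
                  verify: bool, key: Optional[str] = None,
                  key_store: Optional[Dict[str, str]] = None) -> str:
    """Model of the proposed flow; returns a constructed status string."""
    sig = find_signature(signature_doc)
    if sig is None:
        return "unsigned"            # proceed as the tool does today
    if not verify:
        return "signed-unverified"   # --verify not given: proceed as today
    # An explicit --key wins; otherwise look the KeyName up in a local key store
    # (standing in for the automatic public-key download described in the issue).
    located = key or (key_store or {}).get(signing_key_name(sig))
    if located is None:
        return KEY_MISSING_MSG
    if not references_intact(sig, resources):
        return "verification-failed"
    return "digests-intact"          # SignatureValue check with `located` still pending


if __name__ == "__main__":
    sig_doc = build_detached_signature(CONTENT_URI, CONTENT, "scap-publisher-key")
    keys = {"scap-publisher-key": "/etc/pki/scap/publisher.pem"}  # constructed path
    print(check_fetched({CONTENT_URI: CONTENT}, sig_doc, verify=True, key_store=keys))
```

Tampering with a single byte of the fetched resource changes the recomputed digest and the flow reports a failure before any key material is used; conversely, a signature document with no resolvable KeyName and no --key yields exactly the message the request proposes.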
This is a feature request that is essential for SCAP 1.3 support.
jan-cerny changed the title from "[RFE] Add --verify option to verify signature of signed XML files" to "Add --verify option to verify signature of signed XML files" on Nov 12, 2020.
jan-cerny changed the title from "Add --verify option to verify signature of signed XML files" to "[SCAP.R.900] Add option to verify signature of signed XML files" on Nov 18, 2020.