Explicitly allow xmlsec1 to load key data from KeyValue #2244
Conversation
evgenyz
force-pushed
the
fix-xmlsec-1.3
branch
2 times, most recently
from
d5cb3d6 to
2bd2b35
Compare
|
@dodys Hey! Can you please confirm that it fixes the problem for you? |
|
Rawhide fails because of this: #2246 |
| if(res < 0) { | ||
| oscap_seterr(OSCAP_EFAMILY_XML, "failed to enable key data: rsa"); | ||
| goto cleanup; | ||
| } |
There was a problem hiding this comment.
Is there a way how to test this change? Can we have a test for this?
There was a problem hiding this comment.
Well, we have the test. It works for current 1.2.x. When 1.3.x will hit Rawhide it still should work (I've tested it with Ubuntu 25.10 and custom build of libxml1 for Rawhide).
There was a problem hiding this comment.
Where is the test located? Can it be added to the upstream test suite?
There was a problem hiding this comment.
That's the test: https://github.com/OpenSCAP/openscap/tree/main/tests/DS/signed. It fails with xmlsec1 v1.3.x. See the referred issue.
There was a problem hiding this comment.
With this change it no longer fails.
There was a problem hiding this comment.
But we don't have xmlsec1 1.3 in our CI yet.
There was a problem hiding this comment.
ah great! thanks, this is really helpful
The default behaviour of xmlsec1 has changed int 1.3.x versions. It is now the response of the application to explicitly allow loading keys from KeyValue elements of the document.
The default behaviour of xmlsec1 has changed int 1.3.x versions. It is now the response of the application to explicitly allow loading keys from KeyValue elements of the document.
Fixes: #2241.