Document potential security issue with plain PEM passwords.

gocsaf · Aug 17, 2023 · 9d2489b · 9d2489b
1 parent 42709a8
commit 9d2489b
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 1 deletion.
diff --git a/docs/csaf_checker.md b/docs/csaf_checker.md
@@ -69,6 +69,8 @@ type 2: error
 
 The checker result is a success if no checks resulted in type 2, and a failure otherwise.
 
+Using the `client-passphrase` option may imply an [security issue](https://pkg.go.dev/crypto/[email protected]#DecryptPEMBlock).
+
 The option `timerange` allows to only check advisories from a given time interval.
 It is only allowed to specify one off them. 
 There are following variants:

diff --git a/docs/csaf_downloader.md b/docs/csaf_downloader.md
@@ -69,6 +69,8 @@ worker              = 2
 validatorpreset     = ["mandatory"]
 ```
 
+Using the `client-passphrase` option may imply an [security issue](https://pkg.go.dev/crypto/[email protected]#DecryptPEMBlock).
+
 The `timerange` parameter enables downloading advisories which last changes falls
 into a given intervall. There are three possible notations:
 

diff --git a/docs/examples/aggregator.toml b/docs/examples/aggregator.toml
@@ -40,7 +40,7 @@ insecure = true
   write_indices = true
   client_cert = "./../devca1/testclient1.crt"
   client_key = "./../devca1/testclient1-key.pem"
-#  client_passphrase =
+#  client_passphrase = # See checker doc for security remark.
 #  header =
 
 [[providers]]