Verifying XML Signatures
Contents
1 Introduction
1.1 Document Purpose
The purpose of this document is to outline how to manually validate the digital signatures of resources provided by Kemp. Resources such as firmware, patches and add-ons have associated XML files which contain the MD5 and SHA-256 checksums of the resource and are digitally signed by Kemp.
As of firmware version 7.2.49, you can automatically validate digital signatures easily on the product User Interface (UI). Simply enable the Display Verify Update Option check box in System Configuration > Miscellaneous Options > WUI Settings. This provides an option to upload the XML verification file when updating the software or installing an add-on file on the System Configuration > System Administration > Update Software page.
1.2 Intended Audience
This document is intended to guide any administrator or corporate security officer through the options to validate the integrity and authenticity of downloaded Kemp resources.
1.3 Scope
XML checksum files are currently not provided for application templates.
2 Kemp Digital Signatures
Kemp provides digital signatures as XML signature files (known as detached signatures) as defined by the World Wide Web Consortium (W3C) recommendation for XML Signature Syntax and Processing. Kemp XML signatures prior to version 7.2.51 use a Kemp certificate issued by a public CA (Certification Authority) . XML signatures version 7.2.51 and above and 7.2.48.3 LTS and above use a Kemp certificate issued by our internal Kemp Certificate Authority.
The Kemp XML signature filenames include the original resource filename as a prefix with the extension .checksum.xml and are provided as separate file downloads when downloading the original Kemp resource.
3 XML Signature Validation
There are a number of different approaches to validation of detached XML signature files. The XML signature file is viewable in a text editor and looks something like the following:
3.1 SHA-256 Checksum Comparison
The basic process to validate the integrity of a Kemp resource is to do a checksum comparison:
1. Perform a local SHA-256 checksum on the downloaded Kemp resource.
- On Windows: certUtil -hashfile <PathToResource> SHA256
- On Unix: sha256sum <PathToResource>
2. Compare the locally generated SHA-256 checksum with the checksum contained in the XML signature file. To do this, open the XML signature file in a text editor and compare the SHA-256 checksum under <checksum><sha256> with the locally generated one. If these values do not match, then the original resource has been altered and should not be trusted.
3. If the checksums match, validate the digital signature of the XML signature file.
3.2 Verifying the XML Digital Signature
A number of tools exist to validate detached XML signatures as provided by Kemp. Kemp recommends using the XMLSec Library (https://www.aleksey.com/xmlsec/) to verify the authenticity of XML signature files. This site provides sources and downloadable binaries for Windows platforms. This tool is available on many Linux environments as the xmlsec1 command.
3.2.1 XML 7.2.50 and below
Verify the authenticity of the digital signature for XML files version 7.2.50 and below using the following xmlsec1 command.
xmlsec1 --verify <XMLSignatureFile>
If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.
3.2.2 XML 7.2.51 and above & 7.2.48.3 LTS and above
Since version 7.2.51 and 7.2.48.3 LTS, we have changed the method of digitally signing the XML files. These XML files are signed using a Kemp certificate issued by our internal Kemp Certificate Authority. Therefore, to verify the authenticity of the XML digital signature, you must first download the Kemp certificate bundle using the link here
This downloads a zip archive with three certificates:
1. root.kemp.crt - Root Kemp CA certificate
2. ca.kemp.crt - Intermediate Kemp CA certificate
3. codesign.kemp.crt - Kemp code signing certificate
Unzip the archive into a desired location.
Verify the authenticity of the digital signature for XML files version 7.2.51 / 7.2.48.3 LTS and above using the following xmlsec1 command.
xmlsec1 --verify --trusted-pem <KempRootCert> --trusted-pem <KempCACert> --trusted-pem <KempCodesignCert> <XMLSignatureFile>
If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.
Last Updated Date
This document was last updated on 8th June 2021.