Verifying XML Signatures

1 Introduction

1.1 Document Purpose

The purpose of this document is to outline how to validate the digital signatures of resources provided by KEMP. Resources such as firmware, templates, patches and add-ons have associated XML files that contain the digital signature for the resource.

1.2 Intended Audience

This document is intended to guide any LoadMaster administrator or corporate security officer through the options to validate the integrity and authenticity of downloaded KEMP resources.

2 KEMP Digital Signatures

KEMP provides digital signatures as XML signature files (known as detached signatures) as defined by the World Wide Web Consortium (W3C) recommendation for XML Signature Syntax and Processing. KEMP XML signatures use a KEMP certificate issued by a public CA (Certification Authority) to enable validation of authenticity against a known external authority (the public CA).

The KEMP XML signature filenames include the original resource filename as a prefix with the extension .checksum.xml and are provided as separate file downloads when downloading the original KEMP resource.

3 Validating the XML Signature

There are a number of different approaches to validation of detached XML signature files.  The XML checksum file is viewable in a text editor and looks something like the following:

Validating the XML Signature.png

The basic process to validate the XML is as follows:

1. Perform a local checksum on a downloaded KEMP resource (SHA-256).

2. Open the XML signature file and compare the locally generated checksum with the values contained in the XML signature file. To do this, open the XML signature file in a text editor and compare the values contained in the XML signature file under <checksum><sha256>.  If these values do not match, then the original resource has been altered and should not be trusted.

3. If the checksums match, validate the XML using an XML signature validation tool.

4 XML Signature Validation Tools

A number of tools exist to validate detached XML signatures as provided by KEMP. KEMP make no specific recommendation of which tool to use as the validation and integrity of the tool must be validated by the customer.

4.1 XMLSec Library

The XMLSec Library (https://www.aleksey.com/xmlsec/) is a collection of tools that may be used to generate and validate XML signatures. This site provides sources and downloadable binaries for Windows platforms. This tool is available on many Linux environments as the xmlsec1 command.

XMLSec Library.png

4.2 XML Validation using PowerShell

KEMP have created a PowerShell module that can be used to validate detached XML signatures. No warranty or support is provided with this module, which should be validated by your internal security staff before use. The code for the module is included below.

Add-Type -AssemblyName System.Security

# Add SHA-256 per http://stackoverflow.com/questions/30759119/verifying-xml-signature-in-powershell-with-pem-certificate

Add-Type @'

        public class RSAPKCS1SHA256SignatureDescription : System.Security.Cryptography.SignatureDescription

            {

                public RSAPKCS1SHA256SignatureDescription()

                {

                    base.KeyAlgorithm = "System.Security.Cryptography.RSACryptoServiceProvider";

                    base.DigestAlgorithm = "System.Security.Cryptography.SHA256Managed";

                    base.FormatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureFormatter";

                    base.DeformatterAlgorithm = "System.Security.Cryptography.RSAPKCS1SignatureDeformatter";

                }

                public override System.Security.Cryptography.AsymmetricSignatureDeformatter CreateDeformatter(System.Security.Cryptography.AsymmetricAlgorithm key)

                {

                    System.Security.Cryptography.AsymmetricSignatureDeformatter asymmetricSignatureDeformatter = (System.Security.Cryptography.AsymmetricSignatureDeformatter)

                        System.Security.Cryptography.CryptoConfig.CreateFromName(base.DeformatterAlgorithm);

                    asymmetricSignatureDeformatter.SetKey(key);

                    asymmetricSignatureDeformatter.SetHashAlgorithm("SHA256");

                    return asymmetricSignatureDeformatter;

                }

            }

'@

$RSAPKCS1SHA256SignatureDescription = New-Object RSAPKCS1SHA256SignatureDescription

[System.Security.Cryptography.CryptoConfig]::AddAlgorithm($RSAPKCS1SHA256SignatureDescription.GetType(), "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256")

Function Get-FileName($initialDirectory){

    [System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") | Out-Null

    $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog

    $OpenFileDialog.initialDirectory = $initialDirectory

    $OpenFileDialog.filter = "XML (*.xml)| *.xml"

    $OpenFileDialog.ShowDialog() | Out-Null

    $OpenFileDialog.filename

}

function ChkCert($cert)

{

$tmp = [System.IO.Path]::GetTempFileName()

$cert | Out-File $tmp

$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tmp)

Remove-Item $tmp -Force

return $Certificate

}

$file = Get-FileName "C:\"

$xml = New-Object Xml.XmlDocument

$xml.PreserveWhitespace = $true

$xml.Load($file)

$signed = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml

$signed.LoadXml($xml.DocumentElement.Signature)

$x509 = $xml.file.Signature.KeyInfo.X509Data.X509Certificate

$cert = ChkCert($x509)

$thumbprint = $cert.Thumbprint

$issuer = $cert.Issuer

$subject = $cert.Subject

$serial = $cert.SerialNumber

if ($signed.CheckSignature() -eq $true){

    [System.Windows.Forms.MessageBox]::Show("XML Signature validation succeeded`n`nCertificate Subject Name: $subject`n`nCertificate Issuer: $issuer`n`nCertificate Serial Number: $serial`n`nCertificate Thumbprint: $thumbprint")

}

else{

    [System.Windows.Forms.MessageBox]::Show("XML Signature validation failed`n`nCertificate Subject Name: $subject`n`nCertificate Issuer: $issuer`n`nCertificate Serial Number: $serial`n`nCertificate Thumbprint: $thumbprint")

}

 

Document History

 

Date

Change

Reason for Change

Version

Resp.

Nov 2016

Initial draft

First draft of document

1.0

POC

Jan 2017

Minor change

Updated Copyright Notices

2.0

POC

July 2017 Minor change Enhancements made 3.0 LB

 

 

 

Was this article helpful?

0 out of 0 found this helpful

Comments