Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Verifying XML Signatures

1 Introduction

1.1 Document Purpose

The purpose of this document is to outline how to manually validate the digital signatures of resources provided by Kemp. Resources such as firmware, patches and add-ons have associated XML files which contain the MD5 and SHA-256 checksums of the resource and are digitally signed by Kemp.

XML checksum files are currently not provided for LoadMaster templates.

As of firmware version 7.2.49, you can automatically validate digital signatures easily using the LoadMaster Web User Interface (WUI). Simply enable the Display Verify Update Option check box in System Configuration > Miscellaneous Options > WUI Settings. This provides an option to upload the XML verification file when updating the LoadMaster software or installing an add-on file on the System Configuration > System Administration > Update Software page.

1.2 Intended Audience

This document is intended to guide any LoadMaster administrator or corporate security officer through the options to validate the integrity and authenticity of downloaded Kemp resources.

2 Kemp Digital Signatures

Kemp provides digital signatures as XML signature files (known as detached signatures) as defined by the World Wide Web Consortium (W3C) recommendation for XML Signature Syntax and Processing. Kemp XML signatures prior to version 7.2.51 use a Kemp certificate issued by a public CA (Certification Authority) . XML signatures version 7.2.51 and above and 7.2.48.3 LTS and above use a Kemp certificate issued by our internal Kemp Certificate Authority.

The Kemp XML signature filenames include the original resource filename as a prefix with the extension .checksum.xml and are provided as separate file downloads when downloading the original Kemp resource.

3 XML Signature Validation

There are a number of different approaches to validation of detached XML signature files.  The XML signature file is viewable in a text editor and looks something like the following:

Validating the XML Signature_2.png

3.1 SHA-256 Checksum Comparison

The basic process to validate the integrity of a Kemp resource is to do a checksum comparison:

1. Perform a local SHA-256 checksum on the downloaded Kemp resource.

- On Windows: certUtil -hashfile <PathToResource> SHA256

- On Unix: sha256sum <PathToResource>

2. Compare the locally generated SHA-256 checksum with the checksum contained in the XML signature file. To do this, open the XML signature file in a text editor and compare the SHA-256 checksum under <checksum><sha256> with the locally generated one.  If these values do not match, then the original resource has been altered and should not be trusted.

3. If the checksums match, validate the digital signature of the XML signature file.

3.2 Verifying the XML Digital Signature

A number of tools exist to validate detached XML signatures as provided by Kemp. Kemp recommends using the XMLSec Library (https://www.aleksey.com/xmlsec/) to verify the authenticity of XML signature files. This site provides sources and downloadable binaries for Windows platforms. This tool is available on many Linux environments as the xmlsec1 command.

3.2.1 XML 7.2.50 and below

Verify the authenticity of the digital signature for XML files version 7.2.50 and below using the following xmlsec1 command.

xmlsec1 --verify <XMLSignatureFile>

xmlsec1.png

If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.

3.2.2 XML 7.2.51 and above & 7.2.48.3 LTS and above

Since version 7.2.51 and 7.2.48.3 LTS, we have changed the method of digitally signing the XML files. These XML files are signed using a Kemp certificate issued by our internal Kemp Certificate Authority. Therefore, to verify the authenticity of the XML digital signature, you must first download the Kemp certificate bundle using the link here

This downloads a zip archive with three certificates:

1. root.kemp.crt - Root Kemp CA certificate

2. ca.kemp.crt - Intermediate Kemp CA certificate

3. codesign.kemp.crt - Kemp code signing certificate

Unzip the archive into a desired location.

kemp-cert.png

Verify the authenticity of the digital signature for XML files version 7.2.51 / 7.2.48.3 LTS and above using the following xmlsec1 command.

xmlsec1 --verify --trusted-pem <KempRootCert> --trusted-pem <KempCACert> --trusted-pem <KempCodesignCert> <XMLSignatureFile>

xmlsec1_2.png

If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.

Last Updated Date

This document was last updated on 19 March 2021.


Comments