Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Verifying XML Signatures

1 Introduction

1.1 Document Purpose

The purpose of this document is to outline how to manually validate the digital signatures of resources provided by Kemp. Resources such as firmware, patches and add-ons have associated XML files which contain the MD5 and SHA-256 checksums of the resource and are digitally signed by Kemp.

XML checksum files are currently not provided for LoadMaster templates.

You can automatically validate digital signatures easily using the LoadMaster Web User Interface (WUI). Simply enable the Display Verify Update Option check box in System Configuration > Miscellaneous Options > WUI Settings. This provides an option to upload the XML verification file when updating the LoadMaster software or installing an add-on file on the System Configuration > System Administration > Update Software page.

1.2 Intended Audience

This document is intended to guide any LoadMaster administrator or corporate security officer through the options to validate the integrity and authenticity of downloaded Kemp resources.

2 Kemp Digital Signatures

All LoadMaster releases and associated add-on packages are digitally signed using XML-format signature files (also known as 'detached signatures') that conform to the best practices defined by the World Wide Web Consortium (W3C) for XML Signature Syntax and Processing. The XML signature filenames include the filename of the downloaded installation package as a prefix with the extension .checksum.xml.

The digital signing process employs an SSL certificate that has an expiration date. When the certificate reaches its expiration date, signature validation using this certificate will fail. Therefore, vendors need to update this certificate occasionally so that verification of digital signatures continues to work.

On May 27th 2022, the SSL certificate used to sign LoadMaster release artifacts for LoadMaster Operating System (LMOS) version 7.2.56.x and prior releases expires.

All LoadMaster releases that occur after the above date (for example, LMOS 7.2.57.0) will be digitally signed using a newly obtained certificate.

What Does This Mean To You?

After 27th May 2022, verifying digital signatures for LMOS images and add-on packages will work only if the image or add-on package was signed with the new certificate. So, for example, you will be able to verify the XML signature in these scenarios:

  • Updating LMOS 7.2.55.0 to LMOS 7.2.57.0 (or a later version).

  • Installing an add-on package released with LMOS 7.2.57.0 (or a later version).

Verifying XML signatures will not work if you attempt to update the system with any LMOS update image or add-on package signed with the earlier, expired certificate. So, for example, XML signature verification will fail in these scenarios:

  • Updating any LMOS release using an LMOS 7.2.56.0 image.

  • Updating any LMOS release with the 7.2.55.0 Network Telemetry add-on package.

In these cases, you will need to skip XML signature verification when installing the LMOS image or add-on package. This can be done by navigating to System Configuration > Miscellaneous Options > WUI Settings and setting the Update Verification Options field to Optional. This allows you to skip XML verification when you install the image. Once the update is complete, XML verification for future upgrades can once again be set to Required (if desired).

If you have FIPS mode enabled, you will not be able to change the Update Verification Options field, which is set to Required in FIPS mode. If you need to update a FIPS system to an LMOS version signed with an expired certificate after 27th May 2022, please contact Support for assistance.

3 XML Signature Validation

There are a number of different approaches to validation of detached XML signature files.  The XML signature file is viewable in a text editor and looks something like the following:

Validating the XML Signature_2.png

3.1 SHA-256 Checksum Comparison

The basic process to validate the integrity of a Kemp resource is to do a checksum comparison:

1. Perform a local SHA-256 checksum on the downloaded Kemp resource.

- On Windows: certUtil -hashfile <PathToResource> SHA256

- On Unix: sha256sum <PathToResource>

2. Compare the locally generated SHA-256 checksum with the checksum contained in the XML signature file. To do this, open the XML signature file in a text editor and compare the SHA-256 checksum under <checksum><sha256> with the locally generated one.  If these values do not match, then the original resource has been altered and should not be trusted.

3. If the checksums match, validate the digital signature of the XML signature file.

3.2 Verifying the XML Digital Signature

A number of tools exist to validate detached XML signatures as provided by Kemp. Kemp recommends using the XMLSec Library (https://www.aleksey.com/xmlsec/) to verify the authenticity of XML signature files. This site provides sources and downloadable binaries for Windows platforms. This tool is available on many Linux environments as the xmlsec1 command.

3.2.1 XML 7.2.50 and Below

Verify the authenticity of the digital signature for XML files version 7.2.50 and below using the following xmlsec1 command.

xmlsec1 --verify <XMLSignatureFile>

xmlsec1.png

If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.

3.2.2 XML 7.2.57 and 7.2.48.8 LTS and Above

As of LoadMaster firmware versions 7.2.57 and 7.2.48.8 LTS there is a new certificate used to verify the authenticity of the XML digital signature. To verify the authenticity of the XML digital signature, you must first download the Kemp certificate bundle.

This downloads a zip archive with three certificates:

1. root.kemp.crt - Root Kemp CA certificate

2. ca.kemp.crt - Intermediate Kemp CA certificate

3. codesign.kemp.crt - Kemp code signing certificate

Unzip the archive into a desired location.

kemp-cert.png

Verify the authenticity of the digital signature for XML files version 7.2.57 / 7.2.48.8 LTS and above using the following xmlsec1 command.

xmlsec1 --verify --enabled-key-data x509 --trusted-pem root.kemp.crt --trusted-pem ca.kemp.crt <XMLSignatureFile>

The expected output of successful verification is as follows:

OK

SignedInfo References (ok/all): 1/1

Manifests References (ok/all): 0/0

If there are any errors in the output of the above command, the XML signature file has been altered and should not be trusted.

Last Updated Date

This document was last updated on 18 May 2022.


Comments