How to sign XML file with PowerShell

  Hi,

It often happened in my developments to have to protect my sources, and be sure that the configuration XML file I used, was not modified by some people.

For that, the idea if to sign my configuration XML file, and later the program which has to read the file to first check XML signature.

Of course, you first need a “Code Signing” certificate

Param ([string]$CommandLine)
[void][reflection.assembly]::Load('System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
function Sign-XML
{
 Param ( [xml]$xml, [system.Security.Cryptography.RSA]$rsaKey )
 
 [System.Security.Cryptography.xml.SignedXml]$signedXml = $NULL
 $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml
 $signedXml.SigningKey = $rsaKey
 
 $Reference = New-Object System.Security.Cryptography.Xml.Reference
 $Reference.Uri = ""
 
 $env = New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform
 
 $Reference.AddTransform($env);
 $signedXml.AddReference($Reference)
 $signedXml.ComputeSignature()
 
 [System.Xml.XmlElement]$xmlSignatur = $signedXml.GetXml()
 #Add signature to end of xml file
 $xml.DocumentElement.AppendChild($xml.ImportNode($xmlSignatur, $true))
 
 if ($xml.FirstChild -is [system.xml.XmlDeclaration])
 {
  $xml.RemoveChild($xml.FirstChild);
 }
 $xml
}
function Verify-XmlSignature
{
 Param (
  [xml]$checkxml,
  [system.Security.Cryptography.RSA]$Key
 )
 
 [System.Security.Cryptography.Xml.SignedXml]$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $checkxml
 $XmlNodeList = $checkxml.GetElementsByTagName("Signature")
 $signedXml.LoadXml([System.Xml.XmlElement] ($XmlNodeList[0]))
 $check = $signedXml.CheckSignature($key)
 return $check
}
$SignerSubject = 'E=jeanyves.moschetto@yoursystems.eu, CN=Jean-Yves Moschetto, OU=Carib Infra, O=YourSystems, L=LILLE, S=NORD, C=FR'
$SigningCert = Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.Subject -eq "$SignerSubject" }

$Source = [System.IO.FileInfo]$CommandLine
$Destination = "$($Source.DirectoryName)\$($Source.BaseName).signed$($Source.Extension)"
#DO ENCRYPT FILE HERE
[xml]$XMLsource = Get-content -Path $Source.FullName
Sign-XML -xml $XMLsource -rsaKey $SigningCert.PrivateKey
$XMLsource.Save($Destination)

#DO TEST DECRYPT FILE HERE - Function to be taken in program for which to protect xml
[xml]$XMLdestination = Get-content -Path $Destination 
$Result = Verify-XmlSignature -checkxml $XMLdestination -Key $SigningCert.PublicKey.Key

Result

This is beyond the result of a signed XML file. We can clearly see the added section “Signature”


    
        
            
            
            
                
                    
                
                
                aX1H1LG0cw06PPcLwxKLvxCdNFw=
            
        
        TXqx+h7TCs04o1vTUWkN/S43JQiEtbdv+Rx5/V6J+bRUABcapYlyiFnoiP3h071PKvTVDuECJ9Ospkmq2ezXHaV/VGj/5HFmsqWsd8WklG+15iD6daab6QZdoL0683WJN/am4OX0CU3097mcUSlljQZaeIj7LSM2quGhylU0RYzFWWIMkX4sY1jVvd+x4f3w6ivztbHClr70pyEOKLdrAiOosmxLQSI9HC/Do8GMnj4al7FUOx2VvyBj/Nu6YcWu0HWxQne8+OXjdyM74VoTVVnZDB1oYil4/2AE6RifoKYxQ7QAIrxMYzXHdc8TC7/xde0VAoDMnbp22jkHobyZGg==
    

Leave a Comment

Your email address will not be published.