Hi,
It often happened in my developments to have to protect my sources, and be sure that the configuration XML file I used, was not modified by some people.
For that, the idea if to sign my configuration XML file, and later the program which has to read the file to first check XML signature.
Of course, you first need a « Code Signing » certificate
Param ([string]$CommandLine)
[void][reflection.assembly]::Load('System.Security, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a')
function Sign-XML
{
Param ( [xml]$xml, [system.Security.Cryptography.RSA]$rsaKey )
[System.Security.Cryptography.xml.SignedXml]$signedXml = $NULL
$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $xml
$signedXml.SigningKey = $rsaKey
$Reference = New-Object System.Security.Cryptography.Xml.Reference
$Reference.Uri = ""
$env = New-Object System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform
$Reference.AddTransform($env);
$signedXml.AddReference($Reference)
$signedXml.ComputeSignature()
[System.Xml.XmlElement]$xmlSignatur = $signedXml.GetXml()
#Add signature to end of xml file
$xml.DocumentElement.AppendChild($xml.ImportNode($xmlSignatur, $true))
if ($xml.FirstChild -is [system.xml.XmlDeclaration])
{
$xml.RemoveChild($xml.FirstChild);
}
$xml
}
function Verify-XmlSignature
{
Param (
[xml]$checkxml,
[system.Security.Cryptography.RSA]$Key
)
[System.Security.Cryptography.Xml.SignedXml]$signedXml = New-Object System.Security.Cryptography.Xml.SignedXml -ArgumentList $checkxml
$XmlNodeList = $checkxml.GetElementsByTagName("Signature")
$signedXml.LoadXml([System.Xml.XmlElement] ($XmlNodeList[0]))
$check = $signedXml.CheckSignature($key)
return $check
}
$SignerSubject = 'E=jeanyves.moschetto@yoursystems.eu, CN=Jean-Yves Moschetto, OU=Carib Infra, O=YourSystems, L=LILLE, S=NORD, C=FR'
$SigningCert = Get-ChildItem -Path cert:\CurrentUser\My -CodeSigningCert | Where-Object { $_.Subject -eq "$SignerSubject" }
$Source = [System.IO.FileInfo]$CommandLine
$Destination = "$($Source.DirectoryName)\$($Source.BaseName).signed$($Source.Extension)"
#DO ENCRYPT FILE HERE
[xml]$XMLsource = Get-content -Path $Source.FullName
Sign-XML -xml $XMLsource -rsaKey $SigningCert.PrivateKey
$XMLsource.Save($Destination)
#DO TEST DECRYPT FILE HERE - Function to be taken in program for which to protect xml
[xml]$XMLdestination = Get-content -Path $Destination
$Result = Verify-XmlSignature -checkxml $XMLdestination -Key $SigningCert.PublicKey.Key
Result
This is beyond the result of a signed XML file. We can clearly see the added section « Signature »
aX1H1LG0cw06PPcLwxKLvxCdNFw=
TXqx+h7TCs04o1vTUWkN/S43JQiEtbdv+Rx5/V6J+bRUABcapYlyiFnoiP3h071PKvTVDuECJ9Ospkmq2ezXHaV/VGj/5HFmsqWsd8WklG+15iD6daab6QZdoL0683WJN/am4OX0CU3097mcUSlljQZaeIj7LSM2quGhylU0RYzFWWIMkX4sY1jVvd+x4f3w6ivztbHClr70pyEOKLdrAiOosmxLQSI9HC/Do8GMnj4al7FUOx2VvyBj/Nu6YcWu0HWxQne8+OXjdyM74VoTVVnZDB1oYil4/2AE6RifoKYxQ7QAIrxMYzXHdc8TC7/xde0VAoDMnbp22jkHobyZGg==