
Sign XML files with XMLSec Tool using PKCS#11 library

According to IDC's Global DataSphere forecast, the amount of data created, captured, copied, and consumed worldwide is expected to reach 175 zettabytes (ZB) by 2025; 1 ZB is a trillion gigabytes (GB). Most of this data is unstructured and needs a format that gives it structure and meaning, and this is where XML files come into play.

eXtensible Markup Language (XML) is a markup language that defines rules for structuring data and for storing and transporting it, including over the Internet. XML marks up content with tags, which browsers and data-processing applications parse to interpret the information.

XML Signing

XML files are used in huge numbers and are an integral part of web-based applications and technology. But should you trust any XML file you receive? How can you be confident that it really comes from the source it claims and has not been altered in transit? You need digital proof, a signature, that lets the receiver authenticate the file and verify its origin.

XML signing attaches that proof to the file so the receiver can trust its content. To make the process easier, Encryption Consulting provides the PKCS#11 Wrapper, a software library that exposes keys held in PKCS#11-compliant devices such as Hardware Security Modules (HSMs), smart cards, or key vaults through the standard PKCS#11 interface, so that PKCS#11-aware applications can sign with those keys without the private key ever leaving the device.

Alongside the PKCS#11 Wrapper we use XMLSec Tool (xmlsectool, from the Shibboleth project), a command-line tool for signing, verifying, encrypting, and decrypting XML documents. It is a Java application and loads a PKCS#11 module through the JDK's SunPKCS11 provider, which is why the steps below also install a JDK.

Configuration of PKCS#11 Wrapper on Ubuntu

Prerequisites

Before starting the XML signing process with XMLSec Tool and the PKCS#11 Wrapper on a Linux (Ubuntu) machine, make sure the following are in place:

  • Ubuntu version: 22.04 or later (the tested environment is Ubuntu 24.x)
  • Dependencies: rapidjson-dev, liblog4cxx-dev, libcurl4-openssl-dev, liblog4cxx12, and curl

Install the dependencies with a single command:

sudo apt-get update && sudo apt-get install -y curl rapidjson-dev liblog4cxx-dev libcurl4-openssl-dev liblog4cxx12

If apt cannot find liblog4cxx12 on your release, check which liblog4cxx runtime package your release ships (apt-cache search liblog4cxx) and install that one instead; the wrapper needs the log4cxx runtime library present at load time.

Installing EC’s PKCS#11 Wrapper 

Step 1: Go to the Signing Tools section of EC CodeSign Secure v3.01 and download the PKCS#11 Wrapper for Ubuntu.

Step 2: Generate a P12 authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown. This certificate is what identifies your client to CodeSign Secure, so treat it as a secret: keep it readable only by the user that will run the signing (chmod 600) and do not commit it to source control.

Step 3: On your Ubuntu client system, edit the configuration files shipped with the PKCS#11 Wrapper (ec_pkcs11client.ini and pkcs11properties.cfg) to match your environment.
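For orientation, the following shows the shape of a SunPKCS11 configuration file, which is the format xmlsectool's --pkcs11Config option reads. This is an added illustration, not the pkcs11properties.cfg shipped with the wrapper: the provider name and library path are placeholders, and the real values (as well as the wrapper's own settings in ec_pkcs11client.ini) must be taken from the files you downloaded.

```properties
# Added illustration of SunPKCS11 syntax; placeholder values, not the shipped file.
# Java registers the provider as "SunPKCS11-<name>".
name = ECWrapper
# Native PKCS#11 module of the wrapper (.so on Ubuntu, .dylib on macOS); assumed path.
library = /opt/ec/pkcs11wrapper/libecpkcs11.so
# Index into the slot list the module reports; adjust if it exposes several tokens.
slotListIndex = 0
```

If the library path is wrong or the file is not readable, xmlsectool fails while initialising the provider, before any signing is attempted, so a quick check that the path exists is the first thing to do when the signing command errors out.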

Installing XMLSec Tool

Step 1: Download the latest version of XMLSec Tool (xmlsectool-3.0.0-bin.zip) from the Shibboleth download site. Verify the archive against the checksum or signature published alongside it before using it: you are about to let this tool drive a signing key.

Step 2: Extract the zip file into a directory of your choice.

Download and install Java on your Ubuntu machine.

Step 1: Add the Amazon Corretto 17 repository (the XMLSec Tool documentation lists the other supported Java versions).

wget -O - https://apt.corretto.aws/corretto.key | sudo gpg --dearmor -o /usr/share/keyrings/corretto-keyring.gpg && \
echo "deb [signed-by=/usr/share/keyrings/corretto-keyring.gpg] https://apt.corretto.aws stable main" | sudo tee /etc/apt/sources.list.d/corretto.list

Step 2: Install the Java package

sudo apt-get update && sudo apt-get install -y java-17-amazon-corretto-jdk

Step 3: Check that Java has been installed properly

java -version

Add Java to Environment Variable 

Step 1: Set Amazon Corretto 17 as the active Java version

sudo update-alternatives --config java

Step 2: Add the JAVA_HOME variable to your ~/.bashrc file

echo 'export JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto' >> ~/.bashrc

Step 3: Check the end of the ~/.bashrc file

tail -3 ~/.bashrc

Step 4: Reload the environment variables

source ~/.bashrc

Step 5: Check the JAVA_HOME value

echo $JAVA_HOME

It should print /usr/lib/jvm/java-17-amazon-corretto, and $JAVA_HOME/bin/java -version should report Corretto 17; xmlsectool.sh uses JAVA_HOME to locate the JVM.

Signing 

Step 1: Change the working directory of the terminal to the folder that contains your ec_pkcs11client.ini and pkcs11properties.cfg files. Run the commands from this directory so that the wrapper can find its configuration.

Step 2: Run the signing command from this directory.

<Path of xmlsectool.sh file> --sign --pkcs11Config <Path of pkcs11properties.cfg> --keyAlias <Key alias of the signing certificate> --keyPassword NONE --inFile <Path of XML file> --outFile <Path of the signed XML file>

The literal NONE for --keyPassword is what the wrapper expects: authentication to CodeSign Secure is handled by the P12 certificate generated earlier, not by a token PIN. A sample command is provided below:

../xmlsectool-3.0.0-bin/xmlsectool-3.0.0/xmlsectool.sh --sign --pkcs11Config pkcs11properties.cfg --keyAlias DemoCertificate --keyPassword NONE --inFile ../xmlSample.xml --outFile ../out-xmlSample.xml

A zero exit status means the signed document was written to the --outFile path; any other exit status means no trustworthy output was produced, so scripts should check it rather than assume the file exists.

Verification

Run the verification command. The alias passed to --verifySignature selects the certificate the signature is checked against, so it must be the one that corresponds to the signing key.

<Path of xmlsectool.sh file> --verifySignature --pkcs11Config <Path of pkcs11properties.cfg> --keyAlias <Key alias of the signing certificate> --keyPassword NONE --inFile <Path of the signed XML file>

A sample command, verifying the file produced above, is provided below:

../xmlsectool-3.0.0-bin/xmlsectool-3.0.0/xmlsectool.sh --verifySignature --pkcs11Config pkcs11properties.cfg --keyAlias DemoCertificate --keyPassword NONE --inFile ../out-xmlSample.xml
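The signing and verification steps above (and the identical ones in the macOS section later on) are easy to script. The following is an added example, not code from the article, from xmlsectool or from CodeSign Secure: it builds the xmlsectool command lines as argument lists, runs sign and then verify, and finally lints the signed output for things --verifySignature does not enforce, such as a SHA-1 signature or digest algorithm or a missing enveloped-signature transform. The xmlsectool.sh path, the pkcs11properties.cfg name and the DemoCertificate alias are taken from the sample commands above and are assumptions about your layout; SAMPLE_SIGNED is a constructed skeleton with placeholder values, not a real signature.

```python
"""Sign an XML file with xmlsectool through its PKCS#11 provider, verify it, and
lint the output before distribution. Added example, not code from the article,
xmlsectool or CodeSign Secure. Assumed names come from the article's sample
commands: pkcs11properties.cfg, key alias DemoCertificate, xmlsectool.sh path."""
import os
import subprocess
import sys
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XMLSECTOOL = os.environ.get("XMLSECTOOL",
                            "../xmlsectool-3.0.0-bin/xmlsectool-3.0.0/xmlsectool.sh")
# Policy: SHA-1 based digest and signature algorithms are rejected.
WEAK_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#sha1",
                   "http://www.w3.org/2000/09/xmldsig#rsa-sha1"}


def xmlsectool_argv(mode, pkcs11_config, key_alias, in_file, out_file=None, tool=XMLSECTOOL):
    """argv list (no shell, so odd paths cannot be mis-split) for 'sign' or 'verify'.
    keyPassword NONE is what the article's wrapper expects: it authenticates with
    its P12 certificate rather than a token PIN."""
    if mode not in ("sign", "verify"):
        raise ValueError(mode)
    argv = [tool, "--sign" if mode == "sign" else "--verifySignature",
            "--pkcs11Config", pkcs11_config, "--keyAlias", key_alias,
            "--keyPassword", "NONE", "--inFile", in_file]
    if mode == "sign":
        if not out_file:
            raise ValueError("sign needs an --outFile")
        argv += ["--outFile", out_file]
    return argv


def lint_signature(xml_bytes):
    """Structural policy check of a signed document: returns a list of problems
    (empty means OK). Cryptographic verification stays with --verifySignature."""
    root = ET.fromstring(xml_bytes)
    sigs = root.findall(f"{DS}Signature")  # xmlsectool places it under the root
    if len(sigs) != 1:
        return [f"expected exactly one ds:Signature under the root, found {len(sigs)}"]
    info = sigs[0].find(f"{DS}SignedInfo")
    if info is None:
        return ["ds:SignedInfo missing"]
    problems = []
    for tag in ("CanonicalizationMethod", "SignatureMethod"):
        el = info.find(f"{DS}{tag}")
        alg = None if el is None else el.get("Algorithm")
        if alg is None:
            problems.append(f"{tag} missing")
        elif alg in WEAK_ALGORITHMS:
            problems.append(f"weak {tag}: {alg}")
    refs = info.findall(f"{DS}Reference")
    if not refs:
        problems.append("no ds:Reference in SignedInfo")
    for ref in refs:
        uri = ref.get("URI")
        transforms = [t.get("Algorithm") for t in ref.findall(f"{DS}Transforms/{DS}Transform")]
        if uri == "" and ENVELOPED not in transforms:
            problems.append("whole-document Reference lacks the enveloped-signature transform")
        dm = ref.find(f"{DS}DigestMethod")
        if dm is None or dm.get("Algorithm") in WEAK_ALGORITHMS:
            problems.append(f"weak or missing DigestMethod for Reference URI={uri!r}")
    return problems


def sign_and_verify(pkcs11_config, key_alias, in_file, out_file):
    """Sign, verify with xmlsectool, then lint the result; raises on any failure."""
    for path in (pkcs11_config, in_file):
        if not os.path.isfile(path):
            raise FileNotFoundError(path)
    subprocess.run(xmlsectool_argv("sign", pkcs11_config, key_alias, in_file, out_file), check=True)
    subprocess.run(xmlsectool_argv("verify", pkcs11_config, key_alias, out_file), check=True)
    with open(out_file, "rb") as fh:
        problems = lint_signature(fh.read())
    if problems:
        raise RuntimeError("signed document failed policy: " + "; ".join(problems))
    return True


# Constructed skeleton of a signed document (placeholder digest/signature values,
# not a real signature) so lint_signature can be exercised offline.
SAMPLE_SIGNED = b"""<Order xmlns="urn:example:orders">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI=""><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
<Item>widget</Item></Order>"""

if __name__ == "__main__":  # usage: python3 sign_xml.py in.xml out.xml
    sign_and_verify("pkcs11properties.cfg", "DemoCertificate", sys.argv[1], sys.argv[2])
```

Run it as python3 sign_xml.py ../xmlSample.xml ../out-xmlSample.xml from the directory that holds the wrapper's configuration files. The lint uses the standard-library ElementTree parser, which does not resolve external entities, so it can be run on documents received from outside; it is deliberately not a substitute for --verifySignature, which remains the only step that checks the signature cryptographically.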

Configuration of PKCS#11 Wrapper on macOS

Prerequisites 

Before starting the XML signing process with XMLSec Tool and the PKCS#11 Wrapper on a macOS machine, make sure the following are in place:

  • macOS version: 13 (Ventura) or later (the tested environment is macOS 15.1 Sequoia)
  • Dependencies: log4cxx and curl, installed with Homebrew

Install the dependencies with a single command:

brew install log4cxx curl

Installing EC’s PKCS#11 Wrapper

Step 1: Go to the Signing Tools section of EC CodeSign Secure v3.01 and download the PKCS#11 Wrapper for Mac.

Step 2: Generate a P12 authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown. As on Ubuntu, this certificate identifies your client to CodeSign Secure and should be protected like any other credential.

Step 3: On your macOS client system, edit the configuration files shipped with the PKCS#11 Wrapper (ec_pkcs11client.ini and pkcs11properties.cfg) to match your environment.

Installing XMLSec Tool

Step 1: Download the latest version of XMLSec Tool (xmlsectool-3.0.0-bin.zip) from the Shibboleth download site and verify the archive against the published checksum or signature before extracting it.

Step 2: Extract the zip file into a directory of your choice. The xmlsectool.sh shell script inside the extracted directory is what performs the XML signing.

Download and install Java on your macOS machine.

Step 1: Download Amazon Corretto 17 Java (the XMLSec Tool documentation lists the other supported Java versions). Use the .pkg installer for macOS.

Step 2: Install the Java package by running the downloaded .pkg installer.

Step 3: Check that Java has been installed properly

java -version

Add Java to Environment Variable 

Step 1: Get the complete installation path of Amazon Corretto 17

/usr/libexec/java_home --verbose

Step 2: Add the JAVA_HOME variable to your ~/.zshrc file

echo 'export JAVA_HOME="/Library/Java/JavaVirtualMachines/amazon-corretto-17.jdk/Contents/Home"' >> ~/.zshrc

Step 3: Reload the environment variables

source ~/.zshrc

Step 4: Check the JAVA_HOME value

echo $JAVA_HOME

It should print the Corretto 17 path from Step 1; xmlsectool.sh uses JAVA_HOME to locate the JVM.

Signing

Step 1: Change the working directory of the terminal to the folder that contains your ec_pkcs11client.ini and pkcs11properties.cfg files. Run the commands from this directory so that the wrapper can find its configuration.

Step 2: Run the signing command from this directory.

<Path of xmlsectool.sh file> --sign --pkcs11Config <Path of pkcs11properties.cfg> --keyAlias <Key alias of the signing certificate> --keyPassword NONE --inFile <Path of XML file> --outFile <Path of the signed XML file>

As on Ubuntu, --keyPassword NONE is the literal the wrapper expects, because authentication is handled by the P12 certificate rather than a PIN. A sample command is provided below:

../xmlsectool-3.0.0/xmlsectool.sh --sign --pkcs11Config pkcs11properties.cfg --keyAlias DemoCertificate --keyPassword NONE --inFile ../xmlSample.xml --outFile ../SignedSample.xml

Verification

Run the verification command. The alias passed to --verifySignature must correspond to the key that produced the signature.

<Path of xmlsectool.sh file> --verifySignature --pkcs11Config <Path of pkcs11properties.cfg> --keyAlias <Key alias of the signing certificate> --keyPassword NONE --inFile <Path of the signed XML file>

A sample command, verifying the file produced above, is provided below:

../xmlsectool-3.0.0/xmlsectool.sh --verifySignature --pkcs11Config pkcs11properties.cfg --keyAlias DemoCertificate --keyPassword NONE --inFile ../SignedSample.xml

Conclusion 

With unstructured data on the rise, signing XML documents is becoming a necessity. Combining the PKCS#11 Wrapper with XMLSec Tool gives a flexible and efficient way to sign XML documents while the private key stays inside the HSM or key vault behind CodeSign Secure.

Using Encryption Consulting's CodeSign Secure solution, you can build and strengthen customer trust. It provides features such as client-side hashing, role-based access, and application management to protect your signing keys, and it integrates with DevOps CI/CD pipelines for hands-free, automated code signing.


About the Author


Aryan Ajay Kumar is a cybersecurity consultant at Encryption Consulting. He safeguards data for clients by leveraging his knowledge of various technical domains, such as PKI, HSM, and Code Signing. His programming skills and knowledge of data science further enhance his ability to create complex cloud solutions. Aryan's impressive track record includes successful collaborations with top organizations on high-profile projects. Aryan's life also extends far beyond the world of cybersecurity. He enjoys playing football and is an avid reader. He is always seeking new ways to grow personally and professionally and loves various creative pursuits, like crafting or watching an inspiring movie. His passion for life and work enables him to contribute unique ideas and unwavering dedication.
