Tag Consumption Tools

When SWID tag producers include digital signatures in their SWID tags, the data in the tags can be validated to ensure it has not been modified.  This provides a level of verification of the data that is otherwise not available to most IT management organizations.

TagVault.org provides a tool that can be used to unpack and validate the digital signature, check the authoritative time stamp associated with the SWID tag and use this information to validate that nothing in the SWID tag has been modified.  This validation step ensures that information is authoritative and can be used for both security and compliance processes.

TagVault.org is working with SWID tag producers to provide options so that users who require further validation of an application (for example, validating that installed files have not been modified) can access it in a secure and reliable manner.  This set of capabilities is made possible by the fact that reference information for a software product provided in the SWID tag can be identified as coming from a known and trusted supplier.

The Tag Validation tool is available as a free download.

Source code for the tool is available to TagVault.org members.

The following is a sample of the output from the tag validation tool when used on a Symantec certified SWID tag:

-------------------------------------------
SWID tag details:
-------------------------------------------
Software Title : Symantec NetBackup OpsCenter Agent
Software Version : 7.6.1.0
Tag Creator : Symantec Corporation
Software Licensor: Symantec Corporation
Software Creator : Symantec Corporation
Status: PASSED
Signature status: PASSED
-------------------------------------------
Certificate:
-------------------------------------------
Certificate owned by: CN=Steve Klos, OU=TagVault.org - Sample Key, O=TagVault.org, L=Piscataway, ST=NJ, C=US
Certificate CA name: CN=Steve Klos, OU=TagVault.org - Sample Key, O=TagVault.org, L=Piscataway, ST=NJ, C=US
Certificate validity dates:
 From: Fri Jun 07 08:51:03 PDT 2013
 To: Thu Sep 05 08:51:03 PDT 2013
-------------------------------------------
Timestamp:
-------------------------------------------
Timestamp: Fri Jun 07 11:31:38 PDT 2013
Timestamp owned by: 4: C=US,O=GeoTrust Inc,CN=GeoTrust Timestamping Signer 1
Timestamp CA name: CN=Thawte Timestamping CA,OU=Thawte Certification,O=Thawte,L=Durbanville,ST=Western Cape,C=ZA
Timestamp certificate validity dates:
 From: Tue Dec 31 16:00:00 PST 1996
 To: Thu Dec 31 15:59:59 PST 2020
Timestamp status: PASSED
-------------------------------------------
Signed Elements:
-------------------------------------------
Element[0->e_0]: swid:entitlement_required_indicator
Element[1->e_1]: swid:product_title
Element[2->e_2]: swid:product_version
Element[3->e_3]: swid:software_creator
Element[4->e_4]: swid:software_licensor
Element[5->e_5]: swid:software_id
Element[6->e_6]: swid:tag_creator
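
A consumer of this report can cross-check the fields rather than rely on the PASSED lines alone. The following is an added example, not TagVault.org's code: it parses an excerpt of the sample output above, confirms the timestamp falls inside both certificate validity windows, and flags a signing certificate whose owner equals its CA name. The function names are hypothetical, and the fixed PDT/PST offsets are an assumption.

```python
from datetime import datetime, timedelta, timezone

TZ_OFFSETS = {"PDT": -7, "PST": -8}  # assumption: fixed US Pacific offsets
# Excerpt of the sample report shown above.
SAMPLE_REPORT = """\
Signature status: PASSED
Certificate owned by: CN=Steve Klos, OU=TagVault.org - Sample Key, O=TagVault.org, L=Piscataway, ST=NJ, C=US
Certificate CA name: CN=Steve Klos, OU=TagVault.org - Sample Key, O=TagVault.org, L=Piscataway, ST=NJ, C=US
Certificate validity dates:
 From: Fri Jun 07 08:51:03 PDT 2013
 To: Thu Sep 05 08:51:03 PDT 2013
Timestamp: Fri Jun 07 11:31:38 PDT 2013
Timestamp certificate validity dates:
 From: Tue Dec 31 16:00:00 PST 1996
 To: Thu Dec 31 15:59:59 PST 2020
Timestamp status: PASSED
"""

def parse_report(text):
    """Map 'key: value' lines to a dict; From/To are prefixed by their section."""
    fields, section = {}, ""
    for line in text.splitlines():
        key, _sep, value = (part.strip() for part in line.partition(":"))
        if key.endswith("validity dates"):
            section = key
        elif key in ("From", "To"):
            fields[f"{section} {key}"] = value
        elif value:
            fields[key] = value
    return fields

def parse_date(text):
    """Parse dates such as 'Fri Jun 07 08:51:03 PDT 2013' into aware datetimes."""
    _dow, mon, day, clock, tz, year = text.split()
    naive = datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))

def review(report):
    f, findings = parse_report(report), []
    signed_at = parse_date(f["Timestamp"])
    if f["Signature status"] != "PASSED" or f["Timestamp status"] != "PASSED":
        findings.append("tool reported a failed check")
    for section in ("Certificate", "Timestamp certificate"):
        start, end = (parse_date(f[f"{section} validity dates {k}"]) for k in ("From", "To"))
        if not start <= signed_at <= end:
            findings.append(f"timestamp outside {section.lower()} validity")
    if f["Certificate owned by"] == f["Certificate CA name"]:
        findings.append("signing certificate is self-issued (owner equals CA name)")
    return findings
```

On the sample excerpt, review() returns only the self-issued finding, since the sample key's owner and CA name are identical.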