SWID tag signing guidelines describe how to digitally sign software identification (SWID) tags so that the integrity and authenticity of each tag can be checked.
This matters because a tampered or spoofed tag can produce false positives or false negatives when the tag is used during vulnerability scanning.
Types of SWID Tag Signatures
There are two types of signatures that can be applied to SWID tags:
1. RSA signatures – these provide integrity protection and authentication for the tag contents. The signature is generated with an RSA private key and verified with the corresponding public key.
2. X.509 signatures – these authenticate the signer as well as protecting the integrity of the tag contents. The signature is generated with the private key belonging to an X.509 certificate and verified with the public key in that certificate.
To generate a signature, choose one of the two types and use the matching openssl commands below.
RSA Signatures
To generate an RSA signature, use the openssl tool. The following command signs a file called tag.xml with the private key in privatekey.pem and writes a detached signature to tag.xml.sig:
openssl dgst -sha256 -sign privatekey.pem tag.xml > tag.xml.sig
To verify the signature, use the openssl tool again. The following command checks the signature in tag.xml.sig against tag.xml using the public key in publickey.pem; it prints Verified OK (exit status 0) on success and Verification Failure when the tag or signature does not match:
openssl dgst -sha256 -verify publickey.pem -signature tag.xml.sig tag.xml
X.509 Signatures
To generate an X.509 signature, use the openssl smime tool. The following command signs tag.xml with the certificate in certificate.pem and writes a detached, DER-encoded PKCS#7 signature to tag.xml.sig. The matching private key must be present in certificate.pem as well; if it is kept in a separate file, add -inkey privatekey.pem:
openssl smime -sign -in tag.xml -outform DER -signer certificate.pem > tag.xml.sig
To verify the signature, use the openssl tool again. The following commands check the signature in tag.xml.sig against tag.xml and report the result. Note that -noverify only checks the signature itself and skips validation of the signer's certificate:
openssl smime -verify -inform DER -in tag.xml.sig -content tag.xml -noverify -out /dev/null > outfile 2>&1
# In verify mode -signer WRITES the signer's certificate to the named file instead of
# reading it, so it is not used here. Outside a test setup, replace -noverify with
# -CAfile trusted-ca.pem (placeholder name) so the signer's certificate chain is
# validated as well as the signature.
if grep -q "Verification successful" outfile; then
echo "Tag is valid"
else
echo "Tag is invalid"
fi
rm outfile
Applying a Signature to a SWID Tag
Once you have generated a signature, you need to apply it to the SWID tag. This can be done in one of two ways:
Embedding the signature in the SWID tag
This is the recommended method, since the signature can then be verified without fetching any additional files. To embed the signature, add a <Signature> element to the tag and place the contents of the signature file (tag.xml.sig in the example above) inside it. Because openssl writes the signature as binary DER, encode it as base64 before placing it in the element; raw binary is not valid XML character data.
The Signature element is placed directly after the opening <SoftwareIdentity> tag and before any <Meta> elements. It should carry the following attributes:
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature1"
<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature1">
... contents of signature file (tag.xml.sig) go here ...
</Signature>
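The embedding step, as an added example that is not code from the original page: a small Python module that inserts a signature into a SWID tag as a ds:Signature element with Id="Signature1", placed before any <Meta> element, and that splits a signed tag back into the bare tag and the signature bytes a verifier needs. It uses only the standard library; the sample tag is constructed and simplified, and the signature bytes in the demo stand in for the contents of tag.xml.sig.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Tuple

# XML-DSig namespace, declared with the ds prefix as in the tag examples above.
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS_NS)

# Constructed, simplified SWID tag (not a real product tag).
SAMPLE_TAG = """<?xml version="1.0" encoding="UTF-8"?>
<SoftwareIdentity name="ExampleApp" tagId="example.com-ExampleApp-1.0" version="1.0">
  <Entity name="Example Corp" regid="example.com" role="tagCreator"/>
  <Meta product="ExampleApp"/>
</SoftwareIdentity>
"""


def embed_signature(tag_xml: str, signature: bytes, sig_id: str = "Signature1") -> str:
    """Return tag_xml with a ds:Signature element inserted as the first child
    of <SoftwareIdentity>, i.e. before any <Meta> element.

    The signature bytes (the raw DER output of openssl) are base64-encoded,
    because binary data cannot be placed directly in XML character content.
    """
    root = ET.fromstring(tag_xml.encode("utf-8"))
    sig_el = ET.Element(f"{{{DS_NS}}}Signature", {"Id": sig_id})
    sig_el.text = base64.b64encode(signature).decode("ascii")
    sig_el.tail = root.text  # keep the tag's existing indentation
    root.insert(0, sig_el)
    return ET.tostring(root, encoding="unicode")


def extract_signature(signed_xml: str) -> Tuple[str, bytes, str]:
    """Split a signed tag into (tag without signature, signature bytes, Id).

    A verifier feeds the signature bytes and the tag back into the openssl
    verify step. Raises ValueError if no ds:Signature element is present.
    """
    root = ET.fromstring(signed_xml.encode("utf-8"))
    sig_el = root.find(f"{{{DS_NS}}}Signature")
    if sig_el is None:
        raise ValueError("tag carries no ds:Signature element")
    root.remove(sig_el)
    signature = base64.b64decode(sig_el.text or "", validate=True)
    return ET.tostring(root, encoding="unicode"), signature, sig_el.get("Id", "")


if __name__ == "__main__":
    fake_sig = bytes(range(256))  # constructed stand-in for tag.xml.sig
    signed = embed_signature(SAMPLE_TAG, fake_sig)
    print(signed)
    stripped, sig, sig_id = extract_signature(signed)
    print("round trip ok:", sig == fake_sig and sig_id == "Signature1")
    print("signature element removed:", "Signature" not in stripped)
```

ElementTree declares the ds prefix on the root element rather than on the Signature element itself, which is equivalent XML. One caveat matters for verification: the tag returned by extract_signature is re-serialized, so its bytes can differ from the original tag.xml (whitespace, attribute quoting), while openssl signs the exact byte stream. A verifier must therefore hash the same bytes the signer hashed, which is the reason XML-DSig defines canonicalization instead of signing whatever serialization happens to be at hand.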
Adding a reference to the signature file
This method can be used if you do not want to embed the signature in the tag, or if the signature file is too large to embed. To reference the signature file, add a <Signature> element to the tag and set its URI attribute to the location of the signature file.
The Signature element is placed directly after the opening <SoftwareIdentity> tag and before any <Meta> elements. It should carry the following attributes:
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
Id="Signature1"
URI="#SignatureFile1"
<Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature1" URI="#SignatureFile1"/>
In addition, add a <ds:Reference> element whose URI attribute points to the location of the signature file. This element is placed inside the <ds:SignedInfo> element and should carry the following attributes:
Id="Reference1"
URI="#SignatureFile1"
<ds:Reference Id="Reference1" URI="#SignatureFile1">
... reference contents go here ...
</ds:Reference>