Sign XML files with XMLSec Tool using PKCS#11 library

According to a five-year forecast for IDC Global DataSphere, 2024-2028, it is predicted that the amount of data created, distributed, captured, and consumed will reach 175 ZettaBytes (ZB) by 2025. To understand it better, 1 ZB is equivalent to a trillion Gigabytes (GB). Most of this data is unstructured and needs something that provides it meaning. This is where XML files come into play.

eXtensible Markup Language or XML, is a markup language that establishes rules and organizes any data. It also tells how to store and transport the data over the Internet. XML uses markup symbols or tags, which modern browsers and data processing applications use to process that information.

XML Signing

XML files are used in large numbers, making them an integral part of our web-based applications and technology. But should you trust any XML file? How can you develop confidence in the authenticity of that XML file? You need a digital proof or signature to authenticate and verify its source.

XML signing helps you attach your digital credentials, which will help the receiver fully trust the file’s content. Now, to ease up this process, Encryption Consulting provides you with PKCS#11 Wrapper, which is a software library that provides a Java interface to interact with PKCS#11-compliant devices such as Hardware Security Modules (HSMs), smart cards, or any key vaults.

Along with PKCS#11 Wrapper, we will use the XMLSec tool, a command line tool for signing, verifying, encrypting, and decrypting XML documents.

Configuration of PKCS#11 Wrapper on Ubuntu

Prerequisites

Before we look into the process of XML Signing using XMLSec Tool and our PKCS11 Wrapper in Linux (Ubuntu) machine, ensure the following are ready:

Ubuntu Version: Ubuntu version 22.04 or later (tested environment is Ubuntu 24.02) 
Dependencies: Install liblog4cxx12 and curl.

To install the dependencies, run the following commands

sudo apt-get install curl
sudo apt-get install liblog4cxx12

Installing EC’s PKCS#11 Wrapper

Step 1: Go to EC CodeSign Secure’s v3.01’s Signing Tools section and download the PKCS#11 Wrapper for Ubuntu. 

Step 2: After that, generate a P12 Authentication certificate from the System Setup > User > Generate Authentication Certificate dropdown.

Step 3: Go to your Ubuntu client system and edit the configuration files (ec_PKCS#11client.ini and PKCS#11properties.cfg) downloaded in the PKCS#11 Wrapper.

Installing XMLSec Tool

Step 1: Install the latest version of XMLSec Tool (xmlsectool-3.0.0-bin.zip) using this link. 

Step 2: You can extract the zip file into a directory of your choice.

Download and install Java on your Ubuntu machine.

Step 1: Download Amazon Corretto 17 Java (You can check other supported Java versions with XMLSec Tool here.)

wget -O – https://apt.corretto.aws/corretto.key | sudo gpg –dearmor -o /usr/share/keyrings/corretto-keyring.gpg && \ echo “deb [signed-by=/usr/share/keyrings/corretto-keyring.gpg] https://apt.corretto.aws stable main” | sudo tee /etc/apt/sources.list.d/corretto.list

Step 2: Install Java Package

sudo apt-get update; sudo apt-get install -y java-17-amazon-corretto-jdk

Step 3: Check whether Java has been installed properly or not

java -version

Add Java to Environment Variable

Step 1: Set Amazon Corretto 17 Java as the active version

update-alternatives –config java

Step 2: Add “JAVA_HOME” variable in the ~/.bashrc file

echo “export JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto” >> ~/.bashrc

Step 3: Check the ~/.bashrc file

tail -3 ~/.bashrc

Step 4: Reload the Environment variables

source ~/.bashrc

Step 5: Check JAVA_HOME variable value

echo $JAVA_HOME

Signing

Step 1: Change the working directory of the terminal to that folder which contains your “ec_pkcs11client.ini” file.

Step 2: Run the signing command from this directory.

<Path of xmlsectool.sh file> –sign –pkcs11Config <Path of pkcs11properties.cfg> –keyAlias <Key alias of the signing certificate> –keyPassword NONE –inFile <Path of XML file> –outFile <Path of the signed XML file>

A sample command is provided below:

../xmlsectool-3.0.0-bin/xmlsectool-3.0.0/xmlsectool.sh –sign –pkcs11Config pkcs11properties.cfg –keyAlias DemoCertificate –keyPassword NONE –inFile ../xmlSample.xml –outFile ../out-xmlSample.xml

Verification

Run the verification command

<Path of xmlsectool.sh file> –verifySignature –pkcs11Config <Path of pkcs11properties.cfg> –keyAlias <Key alias of the signing certificate> –keyPassword NONE –inFile <Path of the signed XML file>

A sample command is provided below:

../xmlsectool-3.0.0-bin/xmlsectool-3.0.0/xmlsectool.sh –verifySignature –pkcs11Config pkcs11properties.cfg –keyAlias gpg2 –keyPassword NONE –inFile ../out-sample.xml