Use the RSA-2048 signature to verify the instance identity document

This topic explains how to verify the instance identity document using the RSA-2048 signature and the Amazon RSA-2048 public certificate.

To verify the instance identity document using the RSA-2048 signature and the Amazon RSA-2048 public certificate

- Connect to the instance.

- Retrieve the RSA-2048 signature from the instance metadata and add it to a file named rsa2048 along with the required header and footer. Use one of the following commands depending on the IMDS version used by the instance.

- Find the RSA-2048 public certificate for your Region in Amazon public certificates and add the contents to a new file named certificate.

- Use the OpenSSL smime command to verify the signature. Include the -verify option to indicate that the signature needs to be verified, and the -noverify option to indicate that the certificate does not need to be verified (the signer certificate is not checked against a certificate authority; it is trusted directly because you copied it from Amazon public certificates).

  $ openssl smime -verify -in rsa2048 -inform PEM -certfile certificate -noverify | tee document

  If the signature is valid, the Verification successful message appears. If the signature cannot be verified, contact Amazon Web Services Support.
Prerequisites

This procedure requires the System.Security Microsoft .NET Core class. To add the class to your PowerShell session, run the following command.

PS C:\> Add-Type -AssemblyName System.Security

Note
The command adds the class to the current PowerShell session only. If you start a new session, you must run the command again.

To verify the instance identity document using the RSA-2048 signature and the Amazon RSA-2048 public certificate

- Connect to the instance.

- Retrieve the RSA-2048 signature from the instance metadata, convert it to a byte array, and add it to a variable named $Signature. Use one of the following commands depending on the IMDS version used by the instance.

- Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use one of the following commands depending on the IMDS version used by the instance.

- Find the RSA-2048 public certificate for your Region in Amazon public certificates and add the contents to a new file named certificate.pem.

- Extract the certificate from the certificate file and store it in a variable named $Store.

  PS C:\> $Store = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new([Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)))

- Verify the signature.

  PS C:\> $SignatureDocument = [Security.Cryptography.Pkcs.SignedCms]::new()
  PS C:\> $SignatureDocument.Decode($Signature)
  PS C:\> $SignatureDocument.CheckSignature($Store, $true)

  If the signature is valid, the command returns no output. If the signature cannot be verified, the command returns Exception calling "CheckSignature" with "2" argument(s): "Cannot find the original signer". If your signature cannot be verified, contact Amazon Web Services Support.

- Validate the content of the instance identity document.

  PS C:\> [Linq.Enumerable]::SequenceEqual($SignatureDocument.ContentInfo.Content, $Document)

  If the content of the instance identity document is valid, the command returns True. If the instance identity document cannot be validated, contact Amazon Web Services Support.
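The following script is an added example, not part of the AWS documentation, that rehearses both procedures above offline: the OpenSSL smime verification from the first procedure, and the byte-for-byte content comparison that the PowerShell SequenceEqual step performs. It assumes only that the openssl command is installed. A throwaway self-signed certificate stands in for the Amazon RSA-2048 public certificate, a constructed JSON document stands in for the identity document served by the instance metadata service, and the PKCS7 PEM markers are assumed to be the header and footer the rsa2048 file requires. The -nointern option in the verification function is an addition over the documented command, explained in the comments.

```shell
#!/bin/sh
# Added example, not part of the AWS documentation: an offline rehearsal of the
# verification steps described above. A throwaway self-signed certificate
# stands in for the Amazon RSA-2048 public certificate, and a constructed JSON
# document stands in for the identity document served by the instance
# metadata service. Assumes only that the openssl command is installed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Throwaway 2048-bit RSA key and self-signed certificate (constructed), in the
# role of the Amazon certificate you would copy into the "certificate" file.
openssl req -x509 -newkey rsa:2048 -nodes -keyout signer.key -out certificate \
    -subj "/CN=example-signer" -days 1 >/dev/null 2>&1
# A second, unrelated certificate, used below to show that a signature is
# accepted only for the certificate it was actually produced with.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other-certificate \
    -subj "/CN=unrelated-signer" -days 1 >/dev/null 2>&1

# Constructed identity document with the same shape as the real one.
cat > document.orig <<'EOF'
{
  "accountId" : "123456789012",
  "instanceId" : "i-0123456789abcdef0",
  "region" : "us-east-1"
}
EOF

# The metadata service returns the PKCS#7 structure as bare base64 with no PEM
# armor and with no signer certificate embedded (hence -nocerts here and
# -certfile at verification time). -nodetach embeds the document so that
# verification can recover it; -binary keeps it byte-for-byte intact.
openssl smime -sign -in document.orig -signer certificate -inkey signer.key \
    -outform PEM -nodetach -binary -nocerts | sed '/^-----/d' > rsa2048.bare

# Step 2 of the procedure: surround the bare signature with the header and
# footer (assumed here to be the standard PKCS7 PEM markers).
wrap_signature() {
    # $1: bare base64 signature  $2: output file
    {
        echo "-----BEGIN PKCS7-----"
        cat "$1"
        echo "-----END PKCS7-----"
    } > "$2"
}

# Step 4 of the procedure: verify the signature against the pinned certificate
# and write the embedded document to $3. Exit status 0 means the signature is
# valid. -noverify skips building a chain for the signer, which is acceptable
# only because -certfile pins the exact certificate; -nointern (added here,
# not in the documented command) ensures that a certificate carried inside the
# signature itself is never used as the signer instead of the pinned one.
verify_identity_document() {
    # $1: PEM-wrapped signature  $2: pinned certificate  $3: recovered document
    openssl smime -verify -in "$1" -inform PEM -certfile "$2" -noverify -nointern \
        -out "$3" 2>/dev/null
}

# Equivalent of the PowerShell SequenceEqual step: the document recovered from
# the signature must match the plaintext document byte for byte.
documents_match() {
    cmp -s "$1" "$2"
}

wrap_signature rsa2048.bare rsa2048

if verify_identity_document rsa2048 certificate document.recovered; then
    echo "signature valid; recovered document:"
    cat document.recovered
else
    echo "signature INVALID" >&2
fi

if documents_match document.orig document.recovered; then
    echo "recovered document matches the plaintext document"
fi

# Failure mode: the same signature checked against an unrelated certificate is
# rejected, because the signer named inside the signature is not found there.
if verify_identity_document rsa2048 other-certificate /dev/null; then
    echo "unexpected: accepted with the wrong certificate" >&2
else
    echo "wrong certificate correctly rejected"
fi
```

On a real instance, replace the constructed pieces with the rsa2048 file built from the metadata response and the certificate copied from Amazon public certificates; the two functions stay the same. The wrong-certificate case at the end shows why pinning matters: because -noverify disables chain validation, the only thing that makes the check meaningful is that -certfile (and -nointern) restrict the acceptable signer to the certificate you obtained from the documentation.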