Updated on 2025-12-08 GMT+08:00

How Do I Verify the Integrity of the Database Basic Information Collector Package?

You can follow the instructions below to verify the integrity of the database basic information collector package against its CMS digital signature before installing it.

Windows

  1. Log in to the Windows server where the collector is to be installed as the Administrator user.
  2. Download and install OpenSSL 3.2.6 or later.
  3. Download the root CA certificate Huawei Software Integrity Protection Root CA.der from the Huawei Cloud Support website to the local PC.
  4. On the Collectors tab of the MgC Agent console, click Download on the Database basic info collector card, and click Download Installation Package and Download CMS and CRL. Download the collector installation program, CMS file, and CRL file to an empty directory (for example, C:\cmsVerify). Note that the file names must be the same as those shown in the following figure.

  5. Create the C:\cmsVerify\verify.ps1 file and paste the following content into the file.

    $workDir = $args[0]  
    $opensslBinPath = $args[1]  
    
    function cmsVerify {  
    	Write-Host "workDir: $workDir"  
    	Write-Host "opensslBinPath: $opensslBinPath"  
    	$packageName="agent_collector_database_all_basic_info-2.0.0.zip"  
    	$packageFilePath = Join-Path $workDir $packageName  
    	$cmsFilePath = "$packageFilePath.cms"  
    	$crlFilePath = "$packageFilePath.cms.crl"  
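    	# the root CA certificate from step 3 must be in $workDir under this exact file name
    	$rootCaFilePath = Join-Path $workDir "Huawei Software Integrity Protection Root CA.der"
    	$tmpDir = "tmp_$(Get-Date -Format 'yyyyMMddHHmmss')"
    	$fullTmpDir = Join-Path $workDir $tmpDir
    	$opensslExePath = Join-Path $opensslBinPath "openssl.exe"
    	# fail closed: if openssl.exe cannot be started, $LASTEXITCODE keeps whatever an
    	# earlier command in this session left in it, and a stale 0 would read as success
    	$global:LASTEXITCODE = 1
    	if (-not (Test-Path -LiteralPath $opensslExePath -PathType Leaf)) {
    		Write-Host "openssl.exe not found: $opensslExePath"
    		return 1
    	}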
    	New-Item -ItemType Directory -Path $fullTmpDir -Force | Out-Null  
    	Write-Host "tmpPath: $fullTmpDir"  
    
    	# get sign time  
    	$asnOutput = & "$opensslExePath" asn1parse -inform DER -in $cmsFilePath  
    	$signingTimeLineNum = $asnOutput | Out-String -Stream | Select-String -Pattern ":signingTime" | Select-Object -Skip 1 -First 1 | ForEach-Object { $_.LineNumber }  
    	$timeLineNum = $signingTimeLineNum + 2  
    	$originalTimeStr = ((($asnOutput | Select-Object -Index ($timeLineNum - 1))  -replace '\s+', '') -split ':UTCTIME:' ) | Select-Object -Skip 1 -First 1  
    	$timeStr = $originalTimeStr.Trim()  
    	$year = "20" + $timeStr.Substring(0, 2)  
    	$month = $timeStr.Substring(2, 2)  
    	$day = $timeStr.Substring(4, 2)  
    	$hour = $timeStr.Substring(6, 2)  
    	$minute = $timeStr.Substring(8, 2)  
    	$second = $timeStr.Substring(10, 2)  
    	$dateTime = New-Object DateTime ($year, $month, $day, $hour, $minute, $second)  
    	$signTimestap = [int][double]::Parse((Get-Date $dateTime -UFormat "%s"))  
    	Write-Host "signTimestap: $signTimestap"  
    
    	# split the CRL file and obtain all revocation lists  
    	Write-Host "start handle crl file"  
    	$asn1ParseResult = & "$opensslExePath" asn1parse -in $crlFilePath -inform DER  
    	$handledLen = 0  
    	$crlPemPath = Join-Path $fullTmpDir "crl.pem"  
    	New-Item -Path $crlPemPath -ItemType File -Force | Out-Null  
    	for ($i = 1; $i -le 1000; $i++) {  
    		$fileHead = $asn1ParseResult | Select-String -Pattern "^\s*${handledLen}:d=.*"  
    		if (-not $fileHead) {  
    			Write-Host "crl file is end"  
    			break  
    		}  
    		Write-Host "find file head info: $fileHead"  
    		$headLen = [regex]::Match($fileHead, 'hl=(\d+)').Groups[1].Value  
    		$contLen = [regex]::Match($fileHead, '(?<!h)l=\s*(\d+)').Groups[1].Value  
    		$headLen = [int]$headLen  
    		$contLen = [int]$contLen  
    		$totalLen = $headLen + $contLen  
    		# extract CRL fragment  
    		$tmpCrlPath = Join-Path $fullTmpDir "tmp.crl"  
    		$buffer = [System.IO.File]::ReadAllBytes($crlFilePath)  
    		$segment = $buffer[$handledLen..($handledLen + $totalLen - 1)]  
    		[System.IO.File]::WriteAllBytes($tmpCrlPath, $segment)  
    		# attempt to convert to PEM format  
    		& "$opensslExePath" crl -inform DER -in $tmpCrlPath -outform PEM -out "$fullTmpDir\tmp.pem" 2>$null  
    		if ($LASTEXITCODE -eq 0) {  
    			Get-Content "$fullTmpDir\tmp.pem" | Add-Content $crlPemPath  
    			Write-Host "convert to crl pem success!"  
    		} else {  
    			Write-Host "not crl format"  
    		}  
    		$handledLen += $totalLen  
    	}  
    	Write-Host "handle crl file finish"  
    
    	# convert root CA format to CER  
    	$rootCaCerPath = Join-Path $fullTmpDir "rootCa.cer"  
    	& "$opensslExePath" x509 -inform der -in $rootCaFilePath -out $rootCaCerPath  
    
    	# verify the integrity of the software package and obtain the certificate chain  
    	Write-Host "start verify cms"  
    	$cmsVerifiedData = Join-Path $fullTmpDir "cmsVerifiedData"  
    	$cmsCertChain = Join-Path $fullTmpDir "cmsCertChain.pem"  
    	& "$opensslExePath" cms -verify -attime $signTimestap -inform DER -in $cmsFilePath -content $packageFilePath -CAfile $rootCaCerPath -out $cmsVerifiedData -binary -purpose any -certsout $cmsCertChain  
    	if ($LASTEXITCODE -eq 0) {  
    		Write-Host "verify cms success!!!"  
    	} else {  
    		Write-Host "verify cms failed!!!"  
    		return 1  
    	}  
    
    	# verify the validity of the certificate chain  
    	Write-Host "start verify cert chain"  
    	& "$opensslExePath" verify -attime $signTimestap -crl_check -CAfile $rootCaCerPath -untrusted $cmsCertChain -CRLfile $crlPemPath $cmsCertChain  
    	if ($LASTEXITCODE -eq 0) {  
    		Write-Host "verify cert chain success!!!"  
    	} else {  
    		Write-Host "verify cert chain failed!!!"  
    		return 1  
    	}  
        return 0  
    }  
    
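    # take the verdict from the function's return value (its last output),
    # not from whatever $LASTEXITCODE happens to hold
    $result = cmsVerify | Select-Object -Last 1
    if ($result -eq 0) {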
        Write-Host "verify success!!!" -ForegroundColor Green  
    } else {  
        Write-Host "verify failed!!!" -ForegroundColor Red  
    }

  6. Open a PowerShell terminal and run the following command to verify the CMS signature. Replace the file directory and OpenSSL installation path with the actual ones.

    C:\cmsVerify\verify.ps1 "C:\cmsVerify" "C:\OpenSSL-Win64\bin"

  7. If "verify success!!!" is displayed in the last line, the signature passes the verification. Otherwise, the verification fails.
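
The CRL loop in verify.ps1 treats the downloaded .cms.crl file as several DER objects stored back to back and takes each object's header length (hl) and content length (l) from the text output of openssl asn1parse. The following added example, which is not part of the script above, reads the same two lengths directly from the bytes and rejects a truncated file instead of slicing past its end; the function name Split-DerObjects and the sample bytes are constructed for illustration.

```powershell
# Added example, not part of verify.ps1. Split-DerObjects is a hypothetical helper name.
function Split-DerObjects {
    param([byte[]]$Bytes)
    $objects = @()
    $offset = 0
    while ($offset -lt $Bytes.Length) {
        if ($Bytes.Length - $offset -lt 2) { throw "truncated header at offset $offset" }
        if (($Bytes[$offset] -band 0x1F) -eq 0x1F) { throw "multi-byte tag at offset $offset is not supported" }
        $first = [int]$Bytes[$offset + 1]
        $headLen = 2
        if ($first -lt 0x80) {
            $contLen = [long]$first              # short form: this byte is the content length
        } else {
            $n = $first -band 0x7F               # long form: the next $n bytes hold the length
            if ($n -eq 0 -or $n -gt 4) { throw "unsupported length encoding at offset $offset" }
            if ($Bytes.Length - $offset -lt 2 + $n) { throw "truncated header at offset $offset" }
            $contLen = [long]0
            for ($i = 0; $i -lt $n; $i++) { $contLen = $contLen * 256 + $Bytes[$offset + 2 + $i] }
            $headLen = 2 + $n
        }
        $total = $headLen + $contLen             # same sum as $totalLen in verify.ps1
        if ($total -gt $Bytes.Length - $offset) { throw "object at offset $offset runs past the end of the file" }
        $segment = New-Object byte[] ([int]$total)
        [Array]::Copy($Bytes, $offset, $segment, 0, [int]$total)
        $objects += ,$segment                    # append the byte array as one element
        $offset += [int]$total
    }
    return ,$objects
}

# Constructed input: a 5-byte short-form object followed by a 131-byte long-form object.
$sample = [byte[]]((0x30, 0x03, 0x02, 0x01, 0x05) + (0x30, 0x81, 0x80) + (,0 * 128))
$parts = Split-DerObjects $sample
"{0} objects, lengths: {1}" -f $parts.Count, (($parts | ForEach-Object { $_.Length }) -join ', ')

# The same input with its last byte removed must be rejected, not split.
$cut = [byte[]]$sample[0..($sample.Length - 2)]
try {
    Split-DerObjects $cut | Out-Null
    "truncated input accepted"
} catch {
    "truncated input rejected: $($_.Exception.Message)"
}
```

Each returned segment can be written to a file and passed to openssl crl -inform DER, as the script does with tmp.crl.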