======
README:
======

===========
Zip Content:
===========
1. pp-adv-asr1k-1712.1a-49-69.0.0.pack: 
Cisco provided protocol pack for which signature is to be verified.

2. protocolTaxonomy.json:
Cisco provided protocol pack taxonomy

3. NBAR_PROTOCOL_PACK_KEY_REL-CCO_RELEASE.pem: 
Cisco-signed X.509 end-entity certificate containing the public key used to 
verify the signature. This certificate chains to the Cisco root CA and SubCA posted at
http://www.cisco.com/security/pki/certs

4. pp-adv-all-17.12-49-69.0.0.pack.signature: 
Signature generated for the protocol pack.

5. cisco_x509_verify_release.py : 
Signature verification program. After downloading the image, 
its digital signature, and the X.509 certificate, use this program to 
verify the 3-tier X.509 certificate chain and the signature. The program
first validates the chain by authenticating the end-entity certificate
against the Cisco-sourced SubCA and root CA certificates (which the script
either reads locally or downloads from Cisco). It then uses the authenticated
end-entity certificate to verify the signature.

6. cisco_x509_verify_release.py.signature :
Signature generated for the verification script. 

7. README: This file.

============
Requirements:
============
1. Python 2.7.4 or later
2. OpenSSL

=========================================
How to run signature verification program:
=========================================
Extract the public key from the public cert:
-------------------------------------------
openssl x509 -pubkey -noout -in NBAR_PROTOCOL_PACK_KEY_REL-CCO_RELEASE.pem > pub-EE-cert.pubkey

Verify the verification script using the public key and signature files:
-----------------------------------------------------------------------
openssl dgst -sha512 -verify pub-EE-cert.pubkey -signature cisco_x509_verify_release.py.signature cisco_x509_verify_release.py

expected output:
---------------
Verified OK

Verify the protocol pack:
------------------------
python cisco_x509_verify_release.py -e NBAR_PROTOCOL_PACK_KEY_REL-CCO_RELEASE.pem -i pp-adv-asr1k-1712.1a-49-69.0.0.pack -s pp-adv-all-17.12-49-69.0.0.pack.signature -v dgst -sha512

expected output:
---------------
Retrieving CA certificate from http://www.cisco.com/security/pki/certs/crcam2.cer ...
Successfully retrieved and verified crcam2.cer.
Retrieving SubCA certificate from http://www.cisco.com/security/pki/certs/innerspace.cer ...
Successfully retrieved and verified innerspace.cer.
Successfully verified root, subca and end-entity certificate chain.
Successfully fetched a public key from NBAR_PROTOCOL_PACK_KEY_REL-CCO_RELEASE.pem.
Successfully verified the signature of pp-adv-asr1k-1712.1a-49-69.0.0.pack using NBAR_PROTOCOL_PACK_KEY_REL-CCO_RELEASE.pem
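
The two checks the script is described as performing (chain validation, then
signature verification) can also be done with OpenSSL alone. The following is an
added example, not Cisco's code; the function names are hypothetical, the demo
chain is constructed, and the root CA and SubCA are assumed to be local PEM files.

```shell
#!/bin/sh
# verify_signed_file ROOT_PEM SUBCA_PEM EE_PEM FILE SIGNATURE
# Returns 0 only if EE_PEM chains to ROOT_PEM through SUBCA_PEM and SIGNATURE
# is a valid SHA-512 signature over FILE made with the EE key.
# Exit codes: 1 = setup error, 2 = chain failure, 3 = signature failure.
verify_signed_file() {
    root=$1; subca=$2; ee=$3; file=$4; sig=$5
    # Step 1: only ROOT is a trust anchor; SUBCA is an untrusted intermediate
    # that is used for path building and is itself checked against ROOT.
    openssl verify -CAfile "$root" -untrusted "$subca" "$ee" >/dev/null 2>&1 || return 2
    # Step 2: take the public key out of the EE cert only after it is authenticated.
    pub=$(mktemp) || return 1
    openssl x509 -pubkey -noout -in "$ee" > "$pub" 2>/dev/null || { rm -f "$pub"; return 1; }
    # Step 3: the same check as "openssl dgst -sha512 -verify" in the steps above.
    rc=0
    openssl dgst -sha512 -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1 || rc=3
    rm -f "$pub"
    return "$rc"
}

# make_demo_chain DIR
# Constructed throwaway root -> SubCA -> EE chain plus a signed sample file,
# so verify_signed_file can be exercised offline. Not Cisco's certificates.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo SubCA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null &&
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext" &&
    openssl x509 -req -in "$d/sub.csr" -days 2 -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo EE" \
        -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/ee.csr" -days 2 -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -out "$d/ee.pem" 2>/dev/null &&
    printf 'constructed sample payload\n' > "$d/sample.pack" &&
    openssl dgst -sha512 -sign "$d/ee.key" -out "$d/sample.pack.signature" "$d/sample.pack"
}
```

Because the public key is extracted only after the chain check passes, a swapped
end-entity certificate fails with exit code 2 before any signature is evaluated.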


