Use the RSA-2048 signature to verify the instance identity document
This topic explains how to verify the instance identity document using the RSA-2048 signature and the AWS RSA-2048 public certificate.
Prerequisites
This procedure requires the System.Security Microsoft .NET Core class. To add the class to your PowerShell session, run the following command.
PS C:\> Add-Type -AssemblyName System.Security
Note
The command adds the class to the current PowerShell session only. If you start a new session, you must run the command again.
To verify the instance identity document using the RSA-2048 signature and the AWS RSA-2048 public certificate
- Connect to the instance.
- Retrieve the RSA-2048 signature from the instance metadata, convert it to a byte array, and add it to a variable named $Signature. Use one of the following commands depending on the IMDS version used by the instance.
- Retrieve the plaintext instance identity document from the instance metadata, convert it to a byte array, and add it to a variable named $Document. Use one of the following commands depending on the IMDS version used by the instance.
- Find the RSA-2048 public certificate for your Region in AWS public certificates and add the contents to a new file named certificate.pem.
- Extract the certificate from the certificate file and store it in a variable named $Store.
PS C:\> $Store = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new([Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path certificate.pem)))
- Verify the signature.
PS C:\> $SignatureDocument = [Security.Cryptography.Pkcs.SignedCms]::new()
PS C:\> $SignatureDocument.Decode($Signature)
PS C:\> $SignatureDocument.CheckSignature($Store, $true)
If the signature is valid, the command returns no output. If the signature cannot be verified, the command returns the following error. If your signature cannot be verified, contact AWS Support.
Exception calling "CheckSignature" with "2" argument(s): "Cannot find the original signer."
- Validate the content of the instance identity document.
PS C:\> [Linq.Enumerable]::SequenceEqual($SignatureDocument.ContentInfo.Content, $Document)
If the content of the instance identity document is valid, the command returns True. If the instance identity document cannot be validated, contact AWS Support.
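The steps above, combined into a single function as an added example (this is not code from the AWS page). It uses IMDSv2 only (session token first, then the two metadata reads), so it assumes the instance allows IMDSv2, and it assumes the Region's RSA-2048 public certificate has already been saved as certificate.pem in the current directory; the function name Test-Ec2IdentityDocument is hypothetical. Two points the function makes explicit: because CheckSignature is called with verifySignatureOnly set to $true, no certificate chain is built, so the only trust anchor is the certificate you placed in certificate.pem; and the final SequenceEqual check is not optional, since CheckSignature only proves that the bytes embedded inside the PKCS#7 message were signed, not that they equal the plaintext document you fetched separately.

```powershell
# Added example, not the AWS page's own code. Assumes IMDSv2 is enabled and
# that certificate.pem (the Region's AWS RSA-2048 public certificate) is in
# the current directory. Test-Ec2IdentityDocument is a hypothetical name.
Add-Type -AssemblyName System.Security

function Test-Ec2IdentityDocument {
    param(
        [string]$CertificatePath = 'certificate.pem',
        [string]$ImdsBase = 'http://169.254.169.254/latest'
    )

    # IMDSv2: obtain a short-lived session token; every metadata read carries it.
    $token = Invoke-RestMethod -Method PUT -Uri "$ImdsBase/api/token" `
        -Headers @{ 'X-aws-ec2-metadata-token-ttl-seconds' = '300' }
    $hdr = @{ 'X-aws-ec2-metadata-token' = $token }

    # The rsa2048 endpoint returns a base64-encoded PKCS#7 (CMS SignedData)
    # message; the document endpoint returns the plaintext JSON document.
    $sigB64  = (Invoke-WebRequest -UseBasicParsing -Headers $hdr -Uri "$ImdsBase/dynamic/instance-identity/rsa2048").Content
    $docText = (Invoke-WebRequest -UseBasicParsing -Headers $hdr -Uri "$ImdsBase/dynamic/instance-identity/document").Content
    [byte[]]$signature = [Convert]::FromBase64String($sigB64)
    [byte[]]$document  = [Text.Encoding]::UTF8.GetBytes($docText)

    # Trust anchor: the AWS public certificate obtained out of band. Nothing
    # embedded in the metadata response is trusted on its own.
    $certPath = (Resolve-Path $CertificatePath).Path
    $cert  = [Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
    $store = [Security.Cryptography.X509Certificates.X509Certificate2Collection]::new($cert)

    $cms = [Security.Cryptography.Pkcs.SignedCms]::new()
    $cms.Decode($signature)

    # Check 1: the signature over the embedded content. verifySignatureOnly
    # = $true skips chain building, so $store alone vouches for the signer.
    try {
        $cms.CheckSignature($store, $true)
    }
    catch {
        return [pscustomobject]@{
            SignatureValid = $false
            ContentMatches = $false
            Reason         = $_.Exception.Message
            Document       = $null
        }
    }

    # Check 2: bind the signed bytes to the document actually fetched. Without
    # this, a valid signature over different content would still pass check 1.
    $matches = [Linq.Enumerable]::SequenceEqual([byte[]]$cms.ContentInfo.Content, $document)

    [pscustomobject]@{
        SignatureValid = $true
        ContentMatches = $matches
        Reason         = if ($matches) { 'OK' } else { 'Signed content differs from fetched document' }
        # Only hand back parsed fields (instanceId, region, accountId, ...) once both checks pass.
        Document       = if ($matches) { $docText | ConvertFrom-Json } else { $null }
    }
}

Test-Ec2IdentityDocument
```

Run it on the instance as-is; a result with SignatureValid and ContentMatches both True means the document fields in the Document property can be relied on. Anything consuming the identity document (for example a bootstrap script that trusts the region or account ID) should take the fields from the verified object rather than from a second, unverified read of the metadata endpoint.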