http://itsme.home.xs4all.nl/projects/xda/smartphone-certificates.html
1. where are certificates stored
1.1 on the smartphone
Device Certificates are stored under the {HKLM|HKCU}\Comm\Security\SystemCertificates key in subkeys named {store name}\Certificates\{SHA-1 hex thumbprint}, in a value named Blob
at device initialization, certificates are imported into the registry from \windows\sysroots.p7b or from *.provxml files.
some certificates are stored initially in the registry: HKLM\Security\WTLS\Certificates
valid store names are:
Privileged Execution Trust Authorities
Unprivileged Execution Trust Authorities
the privileged and unprivileged stores hold code-signing certificates
SPC
holds the certificates used for signed .CAB files
Root
ca
used for website certificates
disallowed
trust
1.2 on your pc
under these registry keys:
HKCU\Software\Microsoft\SystemCertificates
HKCU\Software\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
HKLM\SOFTWARE\Microsoft\SystemCertificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates
in subkeys {store name}\Certificates\{sha-1 hex thumbprint}, in a value named Blob
under these directories:
c:\windows\system32\systemprofile\Application Data\Microsoft\SystemCertificates
c:\Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates
C:\Documents and Settings\<username>\Microsoft\eVC in .cer files
C:\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA
1.3 in files
in a .p7b file : application/x-pkcs7-certificates
in a .spc file : application/x-pkcs7-certificates
in a .p7c file : application/pkcs7-mime : certificate_wab_auto_file
in a .p7m file : application/pkcs7-mime : PKCS #7 MIME Message
in a .p10 file : certificate request
in a .p7r file : certificate response
in a .p7s file : certificate signature
in a .sst file : application/vnd.ms-pki.certstore
in a .crl file : certificate revocation list
in a .stl file : certificate trust list
in a .pvk file : private key (layout described in 2.3)
in a .pfx file : encrypted .cer, .spc or .pvk
in a .cer file : application/x-x509-ca-cert : Security Certificate
in a .crt file : application/x-x509-ca-cert : Security Certificate
in a .der file : application/x-x509-ca-cert : Security Certificate
in a .xml file
in a .pem file
2. how are certificates encoded
2.1 in xml transport
as the base64 encoding of the DER (asn.1) encoded certificate.
to convert a .cer file to base64:
openssl base64 -in certificate.cer
to calculate the sha1 hash of a .cer file:
openssl sha1 certificate.cer
<wap-provisioningdoc>
<characteristic type="CertificateStore">
<characteristic type="Privileged Execution Trust Authorities">
<characteristic type="...sha1_hex...">
<parm name="EncodedCertificate" value="...base64..."/>
<parm name="Role" value="0"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
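As an added example (not from the original page), the Python below builds the AddCert document shown above from DER certificate bytes and checks a received document for consistency between the sha1 node name and its base64 payload. The certificate bytes are a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
from xml.etree import ElementTree as ET

# Constructed stand-in for the bytes of certificate.cer (not a real certificate); a real
# file is read with open("certificate.cer", "rb").read().
SAMPLE_DER = bytes.fromhex("3082016a30820113a003020102020101300d06092a864886f70d01010b0500")

PRIV_STORE = "Privileged Execution Trust Authorities"


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes, upper-case hex: same value as `openssl sha1 certificate.cer`,
    used both as the characteristic type here and as the registry key name on the device."""
    return hashlib.sha1(der).hexdigest().upper()


def build_addcert(der: bytes, store: str = PRIV_STORE, role: int = 0) -> str:
    """Emit the AddCert provisioning document for one certificate."""
    doc = ET.Element("wap-provisioningdoc")
    stores = ET.SubElement(doc, "characteristic", type="CertificateStore")
    target = ET.SubElement(stores, "characteristic", type=store)
    node = ET.SubElement(target, "characteristic", type=thumbprint(der))
    ET.SubElement(node, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    ET.SubElement(node, "parm", name="Role", value=str(role))
    return ET.tostring(doc, encoding="unicode")


def parse_addcert(xml_text: str) -> list:
    """Read a document back. thumbprint_ok is False when the node name is not the SHA-1 of
    the decoded payload, i.e. the certificate would be filed under the wrong key name."""
    root = ET.fromstring(xml_text)
    entries = []
    for store in root.findall("./characteristic[@type='CertificateStore']/characteristic"):
        for node in store.findall("characteristic"):
            parms = {p.get("name"): p.get("value") for p in node.findall("parm")}
            der = base64.b64decode(parms.get("EncodedCertificate", ""), validate=True)
            entries.append({
                "store": store.get("type"),
                "thumbprint": node.get("type"),
                "role": int(parms.get("Role", "0")),
                "der": der,
                "thumbprint_ok": node.get("type", "").upper() == thumbprint(der),
            })
    return entries
```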
2.2 in .cer file
.cer files contain the DER (asn.1) encoded x509 certificate; to inspect one:
openssl x509 -in certificate.cer -inform DER -text
2.3 in .pvk file
a 6 dword header, the last field == filesize - 6*sizeof(DWORD)
followed by a PUBLICKEYSTRUC { bType=7(PRIVATEKEYBLOB), bVersion=2, reserved=0, aiKeyAlg=0x2400(CALG_RSA_SIGN) }
followed by a RSAPUBKEY struct { magic='RSA2', bitlen=1024, pubexp=0x10001 }, followed by the public modulus
followed by the private key data: p, q, (d%(p-1)), (d%(q-1)), 1/q ( mod p ), d
the modulus and 'd' ( the private exponent ) are size bitlen/8, the other privkey values are size bitlen/16
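As an added example (not from the original page), the Python below packs and parses the unencrypted .pvk layout just described and checks that the header length field and the RSA components are consistent with each other. Assumptions: integers are little-endian as in CryptoAPI key blobs, and the 6-DWORD header is read with the field names OpenSSL's pvkfmt.c uses (magic, version, keyspec, encrypt type, salt length, key length); the page itself only states that the last DWORD equals filesize - 24. The sample key is a constructed 16-bit toy so the block runs offline.

```python
import struct
from math import gcd

PVK_MAGIC = 0xB0B5F11E          # file magic; header field names follow OpenSSL's pvkfmt.c (assumption)
PRIVATEKEYBLOB, CALG_RSA_SIGN, RSA2 = 7, 0x2400, b"RSA2"
HDR = struct.Struct("<6I")      # magic, version, keyspec, encrypttype, saltlen, keylen


def build_pvk(p: int, q: int, e: int, bitlen: int) -> bytes:
    """Serialise an unencrypted RSA private key in the .pvk layout (little-endian, as in CryptoAPI)."""
    n, lam = p * q, (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    d, half, full = pow(e, -1, lam), bitlen // 16, bitlen // 8
    body = struct.pack("<BBHI", PRIVATEKEYBLOB, 2, 0, CALG_RSA_SIGN)   # PUBLICKEYSTRUC
    body += RSA2 + struct.pack("<II", bitlen, e)                         # RSAPUBKEY
    parts = ((n, full), (p, half), (q, half), (d % (p - 1), half),
             (d % (q - 1), half), (pow(q, -1, p), half), (d, full))
    body += b"".join(v.to_bytes(size, "little") for v, size in parts)
    return HDR.pack(PVK_MAGIC, 0, 2, 0, 0, len(body)) + body    # keyspec 2 = AT_SIGNATURE


def parse_pvk(data: bytes) -> dict:
    """Parse and sanity-check a .pvk; raises ValueError when the layout or the RSA arithmetic
    is inconsistent (truncated file, wrong algorithm, components that do not match n)."""
    hdr = HDR.unpack_from(data, 0)
    if hdr[0] != PVK_MAGIC or hdr[5] != len(data) - HDR.size:
        raise ValueError("bad header: keylen %d, expected %d" % (hdr[5], len(data) - HDR.size))
    btype, ver, _res, alg = struct.unpack_from("<BBHI", data, HDR.size)
    magic, bitlen, e = struct.unpack_from("<4sII", data, HDR.size + 8)
    if (btype, ver, alg, magic) != (PRIVATEKEYBLOB, 2, CALG_RSA_SIGN, RSA2):
        raise ValueError("not an RSA2 PRIVATEKEYBLOB")
    half, full, off, vals = bitlen // 16, bitlen // 8, HDR.size + 20, []
    for size in (full, half, half, half, half, half, full):
        vals.append(int.from_bytes(data[off:off + size], "little"))
        off += size
    n, p, q, dp, dq, iq, d = vals
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if p * q != n or (e * d) % lam != 1 or (iq * q) % p != 1 or dp != d % (p - 1) or dq != d % (q - 1):
        raise ValueError("private key components do not match the modulus")
    return {"bitlen": bitlen, "e": e, "n": n, "p": p, "q": q, "d": d, "consumed": off}


# constructed toy key with a 16-bit modulus so the example runs offline; real .pvk files use bitlen=1024
SAMPLE_PVK = build_pvk(61, 53, 0x10001, 16)
```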
2.4 in .pfx file
openssl pkcs12 -info -in certificate.pfx
2.5 viewing asn.1 data
openssl asn1parse -inform DER -i -dump -in certificate.ext
2.6 viewing .spc or .p7b data
openssl pkcs7 -print_certs -inform DER -in certificate.spc
2.7 layout of registry blobs
the registry blobs consist of several records of this format:
+0 DWORD propid
+4 DWORD unknown
+8 DWORD dwSize
+12 BYTE data[dwSize]
propid is usually one of the following:
00000003 CERT_SHA1_HASH_PROP_ID sha1 of certificate ( == the registry keyname )
00000004 CERT_MD5_HASH_PROP_ID md5 of certificate
00000014 CERT_KEY_IDENTIFIER_PROP_ID sha1 of SubjectPublicKeyInfo : SEQ[SEQ[rsa], key]
00000018 CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID md5 of pubkey of signer
00000019 CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID md5 of pubkey of this certificate
00000020 CERT_CERT_PROP_ID the certificate
00008000 CERT_FIRST_USER_PROP_ID the SPC role
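As an added example (not from the original page), the Python below walks the records of a registry Blob value in the format above and recomputes the hash properties from the embedded certificate, so an inconsistent blob (key name or hash properties not matching the stored certificate) is detected. The sample blob is constructed inline around a stand-in certificate; the second DWORD of each record is undocumented above and is simply set to 1 here.

```python
import hashlib
import struct

# propid values from the table above (hex, as in wincrypt.h)
PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID",
    0x04: "CERT_MD5_HASH_PROP_ID",
    0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x18: "CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x20: "CERT_CERT_PROP_ID",
    0x8000: "CERT_FIRST_USER_PROP_ID",
}
RECORD_HDR = struct.Struct("<III")   # propid, unknown, dwSize (little-endian DWORDs)


def pack_record(propid: int, data: bytes, unknown: int = 1) -> bytes:
    """Serialise one record; the 'unknown' DWORD is not documented above and is set to 1 here."""
    return RECORD_HDR.pack(propid, unknown, len(data)) + data


def parse_blob(blob: bytes) -> dict:
    """Walk the records and return {propid: data}. Raises ValueError on a truncated record,
    which is how a hand-edited or corrupt Blob value shows up."""
    props, off = {}, 0
    while off < len(blob):
        if off + RECORD_HDR.size > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        propid, _unknown, size = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if off + size > len(blob):
            raise ValueError("record 0x%x runs %d bytes past the end" % (propid, off + size - len(blob)))
        props[propid] = blob[off:off + size]
        off += size
    return props


def check_blob(props: dict) -> dict:
    """Recompute the hash properties from CERT_CERT_PROP_ID. A mismatch means the blob is
    inconsistent: the registry key name (sha1) no longer identifies the stored certificate."""
    cert = props.get(0x20, b"")
    return {
        "key_name": hashlib.sha1(cert).hexdigest().upper(),
        "sha1_ok": props.get(0x03) == hashlib.sha1(cert).digest(),
        "md5_ok": props.get(0x04) == hashlib.md5(cert).digest(),
        "names": [PROP_NAMES.get(p, "0x%08x" % p) for p in props],
    }


# constructed sample blob: a stand-in certificate, its two hashes and a Role of 0
SAMPLE_CERT = b"\x30\x82\x01\x00" + bytes(range(32))
SAMPLE_BLOB = (pack_record(0x03, hashlib.sha1(SAMPLE_CERT).digest())
               + pack_record(0x04, hashlib.md5(SAMPLE_CERT).digest())
               + pack_record(0x20, SAMPLE_CERT)
               + pack_record(0x8000, struct.pack("<I", 0)))
```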
3. how are certificates imported
certificates can be entered into a phone in several ways:
using rapiconfig.exe /p AddCert.xml
using spdps.exe or sp2002dps.exe
using prapi.exe -c certificatefile.cer
4. how to create certificates
(old information)
use makecert: ( store certificate in the registry )
makecert -n "CN=key-common-name-minimum-32-chars" -ss my
or ( store the certificate in a file )
makecert -n "CN=key-common-name-minimum-32-chars" -sv "privkey.pvk" "pubkeycert.cer"
automatically (with an inconveniently long name)
spdps /create
5. how to list certificates on your system
run certmgr.exe
using the mmc certificate snapin, see this article
in startmenu->settings->controlpanel->internet options, select the 'content' tab, click the 'certificates' button
use rapiconfig /p querystore.xml
6. how to sign code with a certificate
(old information)
using signcode.exe interactively, by running signcode without commandline options.
using signcode.exe with commandline options: ( certificate in a file )
signcode -v privkey.pvk -spc pubkeycert.cer itsutils.dll
using signcode.exe with commandline options: ( certificate in registry )
signcode -cn key-common-name -s my itsutils.dll
note that the common-name is specified without 'CN=' in signcode, and with 'CN=' in makecert
using cabsigner.exe
7. how to verify a signature
links
below is the most recent information (feb 2008) on codesigning
codesigning using makecert ( a tool from microsoft )
where is makecert.exe?
on my laptop there are several copies of makecert.exe, in the following places:
2003-03-24 23:03 39936 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/makecert.exe
2005-09-23 06:56 39936 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/makecert.exe
2005-09-23 08:17 32528 c:/Program Files/Microsoft Visual Studio 8/SmartDevices/SDK/SDKTools/makecert.exe
2006-11-02 00:17 39424 c:/WinDDK/6000/bin/SelfSign/makecert.exe
and pvk2pfx can be found here:
2005-03-24 18:31 14336 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/pvk2pfx.exe
2006-11-01 23:43 18944 c:/WinDDK/6000/bin/SelfSign/pvk2pfx.exe
signtool can be found here:
2005-04-14 17:12 69120 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/signtool.exe
2005-09-23 06:56 75776 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/signtool.exe
2006-11-01 23:43 102912 c:/WinDDK/6000/bin/catalog/signtool.exe
2006-11-01 23:43 102912 c:/WinDDK/6000/bin/SelfSign/signtool.exe
create a selfsigned certificate authority certificate
makecert -b 01/02/2004 -n "CN=my CA" -r -sv CA-my.pvk CA-my.cer
-r means 'self-signed'
I chose a date in the past, since most wince devices start at a fixed date.
create a certificate signed with the above CA certificate
makecert -b 01/02/2004 -n "CN=my code signing key 2008 02 26" -iv CA-my.pvk -ic CA-my.cer -sv codesign-my.pvk codesign-my.cer
the -iv and -ic options give the CA's private key (.pvk) and certificate (.cer)
the -n specifies the subject
on some devices the subject must be at least 32 characters.
convert it to a .pfx file
pvk2pfx.exe -pvk codesign-my.pvk -spc codesign-my.cer -pfx codesign-my.pfx
upload it to your device
prapi -c codesign-my.cer
prapi is part of the itsutils collection
signing a binary
signtool sign -f codesign-my.pfx itsutils.dll
using openssl
alternatively it is also possible to create a CA and certificate using openssl.