Tuesday, June 26, 2012

smartphone-certificates

http://itsme.home.xs4all.nl/projects/xda/smartphone-certificates.html


1. where are certificates stored

1.1 on the smartphone

Device certificates are stored under the {HKLM|HKCU}\Comm\Security\SystemCertificates key, in subkeys named {store name}\Certificates\{SHA-1 hex thumbprint}, in a value named Blob.
At device initialization, certificates are imported into the registry from \windows\sysroots.p7b or from *.provxml files.

some certificates are stored initially in the registry: HKLM\Security\WTLS\Certificates

valid store names are:

Privileged Execution Trust Authorities
Unprivileged Execution Trust Authorities
    (both hold code-signing certificates)
SPC
    (holds the certificates used to verify signed .CAB files)
Root
ca
    (used for website certificates)
disallowed
trust
1.2 on your pc

under these registry keys:

HKCU\Software\Microsoft\SystemCertificates
HKCU\Software\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
HKLM\SOFTWARE\Microsoft\SystemCertificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates

in subkeys {store name}\Certificates\{SHA-1 hex thumbprint}, in a value named Blob

under these directories:

c:\windows\system32\systemprofile\Application Data\Microsoft\SystemCertificates
c:\Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates
C:\Documents and Settings\<username>\Microsoft\eVC (as .cer files)
C:\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA (the CSP key containers holding the private keys that belong to the certificates)
1.3 in files

in a .p7b file : application/x-pkcs7-certificates
in a .spc file : application/x-pkcs7-certificates
in a .p7c file : application/pkcs7-mime : certificate_wab_auto_file
in a .p7m file : application/pkcs7-mime : PKCS #7 MIME Message
in a .p10 file : certificate request
in a .p7r file : certificate response
in a .p7s file : certificate signature
in a .sst file : application/vnd.ms-pki.certstore
in a .crl file : certificate revocation list
in a .stl file : certificate trust list
in a .pvk file : Microsoft private key file (layout in 2.3)
in a .pfx file : password-protected PKCS#12 container bundling a certificate (optionally with its chain) and its private key; built from a .cer/.spc plus a .pvk with pvk2pfx
in a .cer file : application/x-x509-ca-cert : Security Certificate
in a .crt file : application/x-x509-ca-cert : Security Certificate
in a .der file : application/x-x509-ca-cert : Security Certificate
in a .xml file
in a .pem file
2. how are certificates encoded

2.1 in xml transport

as a base64 encoded ASN.1 (DER) encoded certificate.
to convert a .cer file to base64 (-A keeps the output on one line, as the XML attribute needs):
openssl base64 -A -in certificate.cer

to calculate the SHA-1 thumbprint of a .cer file (this is the sha1_hex used as the characteristic type below and as the registry key name):
openssl sha1 certificate.cer

both commands assume a DER .cer; if the file is PEM (it starts with -----BEGIN CERTIFICATE-----) convert it first, otherwise you hash the PEM text instead of the certificate:
openssl x509 -in certificate.pem -outform DER -out certificate.cer

<wap-provisioningdoc>
        <characteristic type="CertificateStore">
                <characteristic type="Privileged Execution Trust Authorities">
                        <characteristic type="...sha1_hex...">
                                <parm name="EncodedCertificate" value="...base64..."/>
                                <parm name="Role" value="0"/>
                        </characteristic>
                </characteristic>
        </characteristic>
</wap-provisioningdoc>
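The document above, built and read back in code. This is an added example, not code from the original page: it normalises a PEM or DER certificate to DER (the thumbprint must be computed over the DER bytes, or the key name will not match what the device computes), derives the SHA-1 thumbprint used as the characteristic type, base64-encodes the certificate into the EncodedCertificate parm, and checks on the way back in that the thumbprint agrees with the embedded certificate. The certificate bytes it runs on are a constructed placeholder, not a real certificate; the function and variable names are my own.

```python
# Added example (not from the original page): build and parse the
# AddCert-style wap-provisioningdoc shown above.  SAMPLE_DER is a
# constructed placeholder standing in for a real DER certificate.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER encoding, unwrapping PEM if necessary.

    The thumbprint (and the registry key name) is the SHA-1 of the DER
    bytes, so hashing a PEM file directly gives the wrong value.
    """
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if not data or data[0] != 0x30:       # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return data


def thumbprint(der: bytes) -> str:
    """SHA-1 hex thumbprint, lower case, as used for the registry key name."""
    return hashlib.sha1(der).hexdigest()


def provisioning_xml(der: bytes, store: str = "Privileged Execution Trust Authorities",
                     role: int = 0) -> str:
    """Build the <wap-provisioningdoc> that imports `der` into `store`.

    `role` is emitted as the Role parm (0 in the page's example).
    """
    doc = ET.Element("wap-provisioningdoc")
    cs = ET.SubElement(doc, "characteristic", type="CertificateStore")
    st = ET.SubElement(cs, "characteristic", type=store)
    cert = ET.SubElement(st, "characteristic", type=thumbprint(der))
    ET.SubElement(cert, "parm", name="EncodedCertificate",
                  value=base64.b64encode(der).decode("ascii"))
    ET.SubElement(cert, "parm", name="Role", value=str(role))
    return ET.tostring(doc, encoding="unicode")


def parse_provisioning_xml(xml_text: str) -> dict:
    """Inverse: recover store, thumbprint, role and DER bytes, checking the thumbprint."""
    doc = ET.fromstring(xml_text)
    st = doc.find("characteristic[@type='CertificateStore']/characteristic")
    cert = st.find("characteristic")
    parms = {p.get("name"): p.get("value") for p in cert.findall("parm")}
    der = base64.b64decode(parms["EncodedCertificate"])
    if thumbprint(der) != cert.get("type").lower():
        raise ValueError("thumbprint does not match EncodedCertificate")
    return {"store": st.get("type"), "thumbprint": cert.get("type"),
            "der": der, "role": int(parms["Role"])}


# Constructed placeholder standing in for a DER certificate (a minimal
# ASN.1 SEQUENCE); a real .cer file's bytes would be used instead.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(provisioning_xml(to_der(SAMPLE_PEM)))
```

Feed it the bytes of a real .cer and the output is the AddCert.xml that rapiconfig /p expects; the parse direction is useful for auditing provisioning files you did not write, since it refuses a document whose characteristic type does not match the certificate it carries.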
2.2 in .cer file

.cer files are the ASN.1 (DER) encoded X.509 certificate, to inspect:
openssl x509 -in certificate.cer -inform DER -text -noout
(if the file starts with -----BEGIN CERTIFICATE----- it is PEM; use -inform PEM instead)
2.3 in .pvk file

an unencrypted .pvk file starts with a header of 6 DWORDs (little-endian, like everything below); the last field is the length of the key data that follows, so it equals filesize - 6*sizeof(DWORD). (an encrypted .pvk puts a salt between header and key data, so this equality no longer holds there.)
followed by a PUBLICKEYSTRUC { bType=7 (PRIVATEKEYBLOB), bVersion=2, reserved=0, aiKeyAlg=0x2400 (CALG_RSA_SIGN) }
followed by an RSAPUBKEY struct { magic='RSA2', bitlen=1024, pubexp=0x10001 }, followed by the public modulus n
followed by the private key data: p, q, d mod (p-1), d mod (q-1), q^-1 mod p, d
the modulus and d (the private exponent) are bitlen/8 bytes each, the five CRT values are bitlen/16 bytes each.
an unencrypted .pvk is therefore the bare private key: anyone who can read the file can sign with it.
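The layout above as a writer and parser, added here as an example and not taken from the original page. The six header field names and the 0xB0B5F11E magic are the CryptoAPI PVK_FILE_HDR layout (the page only gives the header's size and its last field); the parser applies the page's filesize check, rejects encrypted files, and then runs the consistency checks one would want before trusting a recovered key (n = p*q, e*d = 1 mod phi, CRT values). The key material is two toy 32-bit primes, constructed for the example and not a usable key; function names are my own.

```python
# Added example (not from the original page): write and read back an
# unencrypted .pvk with the layout described above.  Header field names and
# the magic are the CryptoAPI PVK_FILE_HDR layout; the key uses toy primes.
import struct

PVK_MAGIC = 0xB0B5F11E
AT_SIGNATURE = 2                 # key spec matching CALG_RSA_SIGN
PRIVATEKEYBLOB = 7
CUR_BLOB_VERSION = 2
CALG_RSA_SIGN = 0x2400
RSA2_MAGIC = b"RSA2"             # 'RSA1' would mark a public-key blob


def _le(n: int, size: int) -> bytes:
    return n.to_bytes(size, "little")


def build_pvk(p: int, q: int, e: int, bitlen: int) -> bytes:
    """Serialise an RSA private key as an unencrypted .pvk (toy sizes allowed)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    full, half = bitlen // 8, bitlen // 16
    body = struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_SIGN)
    body += RSA2_MAGIC + struct.pack("<II", bitlen, e)
    body += _le(n, full)
    body += b"".join(_le(v, half) for v in
                     (p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)))
    body += _le(d, full)
    # 6-DWORD header: magic, reserved, key spec, encrypt type, salt len, key len
    header = struct.pack("<6I", PVK_MAGIC, 0, AT_SIGNATURE, 0, 0, len(body))
    return header + body


def parse_pvk(data: bytes) -> dict:
    """Parse an unencrypted .pvk and return its RSA parameters as ints."""
    magic, _res, keyspec, enc, saltlen, keylen = struct.unpack_from("<6I", data, 0)
    if magic != PVK_MAGIC:
        raise ValueError("bad PVK magic")
    if enc or saltlen:
        raise ValueError("encrypted .pvk not handled by this example")
    if keylen != len(data) - 24:       # the page's filesize - 6*sizeof(DWORD) check
        raise ValueError("key length field disagrees with file size")
    off = 24
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", data, off)
    off += 8
    if (btype, bver) != (PRIVATEKEYBLOB, CUR_BLOB_VERSION):
        raise ValueError("not a PRIVATEKEYBLOB")
    rmagic, bitlen, e = struct.unpack_from("<4sII", data, off)
    off += 12
    if rmagic != RSA2_MAGIC:
        raise ValueError("not an RSA2 private key blob")
    full, half = bitlen // 8, bitlen // 16

    def take(size: int) -> int:
        nonlocal off
        value = int.from_bytes(data[off:off + size], "little")
        off += size
        return value

    n = take(full)
    p, q, dp, dq, iqmp = [take(half) for _ in range(5)]
    d = take(full)
    if off != len(data):
        raise ValueError("trailing bytes after private key")
    return dict(keyspec=keyspec, alg=alg, bitlen=bitlen, e=e, n=n,
                p=p, q=q, dp=dp, dq=dq, iqmp=iqmp, d=d)


def check_rsa(k: dict) -> bool:
    """Consistency checks to run on a recovered key before believing it."""
    return (k["n"] == k["p"] * k["q"]
            and (k["e"] * k["d"]) % ((k["p"] - 1) * (k["q"] - 1)) == 1
            and k["dp"] == k["d"] % (k["p"] - 1)
            and k["dq"] == k["d"] % (k["q"] - 1)
            and (k["iqmp"] * k["q"]) % k["p"] == 1)


# Toy 64-bit modulus from two 32-bit primes (constructed, not a real key).
TOY_P, TOY_Q, TOY_E, TOY_BITS = 4294967291, 4294967279, 65537, 64

if __name__ == "__main__":
    blob = build_pvk(TOY_P, TOY_Q, TOY_E, TOY_BITS)
    print(len(blob), "bytes; consistent:", check_rsa(parse_pvk(blob)))
```

Pointing parse_pvk at .pvk files found on a build machine is a quick way to find signing keys that were never encrypted: any file it parses without raising is a private key readable by whoever can read the file.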
2.4 in .pfx file

openssl pkcs12 -info -in certificate.pfx
2.5 viewing asn.1 data

openssl asn1parse -inform DER -i -dump -in certificate.ext
2.6 viewing .spc or .p7b data

openssl pkcs7 -print_certs -inform DER -in certificate.spc
2.7 layout of registry blobs

the registry blobs consist of several records of this format:
+0      DWORD propid
+4      DWORD unknown
+8      DWORD dwSize
+12     BYTE data[dwSize]
propid is usually one of the following:
00000003 CERT_SHA1_HASH_PROP_ID                    SHA-1 of the certificate (== the registry key name)
00000004 CERT_MD5_HASH_PROP_ID                     MD5 of the certificate
00000014 CERT_KEY_IDENTIFIER_PROP_ID               SHA-1 of SubjectPublicKeyInfo : SEQ[SEQ[rsa], key] (or the SubjectKeyIdentifier extension, when the certificate carries one)
00000018 CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID   MD5 of the signer's public key
00000019 CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID  MD5 of this certificate's public key
00000020 CERT_CERT_PROP_ID                         the DER-encoded certificate itself
00008000 CERT_FIRST_USER_PROP_ID                   the SPC role
the hash properties are cached values, not integrity checks: when auditing a store, recompute the SHA-1 over the CERT_CERT_PROP_ID data and compare it with the key name rather than trusting the stored thumbprint.
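A parser for these records, added as an example and not from the original page: it walks the (propid, unknown, dwSize, data) records with bounds checking, then cross-checks the stored SHA-1 and MD5 properties against the certificate bytes and the registry key name, which is the check that catches a blob whose certificate was swapped. The second DWORD is kept opaque, as the page lists it. The certificate bytes are a constructed placeholder and the role value is made up for the example; function names are my own.

```python
# Added example (not from the original page): parse the property records of a
# SystemCertificates "Blob" value and verify the hashes against the certificate.
# SAMPLE_CERT is a constructed placeholder, not a real certificate.
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_MD5_HASH_PROP_ID = 0x04
CERT_KEY_IDENTIFIER_PROP_ID = 0x14
CERT_CERT_PROP_ID = 0x20
CERT_FIRST_USER_PROP_ID = 0x8000

PROP_NAMES = {
    CERT_SHA1_HASH_PROP_ID: "CERT_SHA1_HASH_PROP_ID",
    CERT_MD5_HASH_PROP_ID: "CERT_MD5_HASH_PROP_ID",
    CERT_KEY_IDENTIFIER_PROP_ID: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x18: "CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    CERT_CERT_PROP_ID: "CERT_CERT_PROP_ID",
    CERT_FIRST_USER_PROP_ID: "CERT_FIRST_USER_PROP_ID",
}
RECORD_HDR = struct.Struct("<III")       # propid, unknown, dwSize (little-endian)


def build_blob(records, unknown: int = 1) -> bytes:
    """Serialise (propid, data) pairs into the record format above."""
    return b"".join(RECORD_HDR.pack(pid, unknown, len(data)) + data
                    for pid, data in records)


def parse_blob(blob: bytes) -> dict:
    """Return {propid: data}; rejects truncated records and duplicate properties."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        pid, _unknown, size = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        if size > len(blob) - off:
            raise ValueError("record %#x claims %d bytes, only %d left"
                             % (pid, size, len(blob) - off))
        if pid in props:
            raise ValueError("duplicate property %#x" % pid)
        props[pid] = blob[off:off + size]
        off += size
    return props


def verify_blob(blob: bytes, key_name: str) -> dict:
    """Parse, then check SHA-1/MD5 properties and the key name against the cert."""
    props = parse_blob(blob)
    cert = props.get(CERT_CERT_PROP_ID)
    if cert is None:
        raise ValueError("blob has no CERT_CERT_PROP_ID record")
    sha1 = hashlib.sha1(cert).digest()
    if props.get(CERT_SHA1_HASH_PROP_ID, sha1) != sha1:
        raise ValueError("stored SHA-1 does not match certificate")
    if sha1.hex() != key_name.lower():
        raise ValueError("registry key name does not match certificate SHA-1")
    md5 = props.get(CERT_MD5_HASH_PROP_ID)
    if md5 is not None and md5 != hashlib.md5(cert).digest():
        raise ValueError("stored MD5 does not match certificate")
    return {PROP_NAMES.get(pid, "%#x" % pid): data for pid, data in props.items()}


# Constructed placeholder standing in for a DER certificate, and a blob built
# the way the registry would hold it (role value made up for the example).
SAMPLE_CERT = b"\x30\x03\x02\x01\x01"
SAMPLE_KEY = hashlib.sha1(SAMPLE_CERT).hexdigest()
SAMPLE_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(SAMPLE_CERT).digest()),
    (CERT_MD5_HASH_PROP_ID, hashlib.md5(SAMPLE_CERT).digest()),
    (CERT_FIRST_USER_PROP_ID, b"\x00\x00\x00\x00"),
    (CERT_CERT_PROP_ID, SAMPLE_CERT),
])

if __name__ == "__main__":
    for name, data in verify_blob(SAMPLE_BLOB, SAMPLE_KEY).items():
        print("%-44s %s" % (name, data.hex()))
```

To audit a real store, read each {thumbprint} subkey's Blob value, pass the value and the subkey name to verify_blob, and feed the returned CERT_CERT_PROP_ID bytes to the openssl x509 command from 2.2.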
3. how are certificates imported

certificates can be entered into a phone in several ways:
using rapiconfig.exe /p AddCert.xml
using spdps.exe or sp2002dps.exe
using prapi.exe -c certificatefile.cer
4. how to create certificates

(old information)
use makecert: ( store certificate in the registry )
makecert -n "CN=key-common-name-minimum-32-chars" -ss my
or ( store the certificate in a file )
makecert -n "CN=key-common-name-minimum-32-chars" -sv "privkey.pvk" "pubkeycert.cer"
automatically (with an inconveniently long name)
spdps /create
5. how to list certificates on your system

run certmgr.exe
using the mmc certificate snapin, see this article
in startmenu->settings->controlpanel->internet options, select the 'content' tab, click the 'certificates' button
use rapiconfig /p querystore.xml
6. how to sign code with a certificate

(old information)
using signcode.exe interactively, by running signcode without commandline options.
using signcode.exe with commandline options: ( certificate in a file )
signcode -v privkey.pvk -spc pubkeycert.cer itsutils.dll
using signcode.exe with commandline options: ( certificate in registry )
signcode -cn key-common-name -s my itsutils.dll
note that the common-name is specified without 'CN=' in signcode, and with 'CN=' in makecert
using cabsigner.exe
7. how to verify a signature

links

  • Signing and Checking Code with Authenticode
  • Digital Code Signing Step-by-Step Guide

below is the most recent information (feb 2008) on codesigning

codesigning using makecert (a tool from microsoft)

where is makecert.exe?

on my laptop there are several copies of makecert.exe, in the following places:
2003-03-24 23:03       39936 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/makecert.exe
2005-09-23 06:56       39936 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/makecert.exe
2005-09-23 08:17       32528 c:/Program Files/Microsoft Visual Studio 8/SmartDevices/SDK/SDKTools/makecert.exe
2006-11-02 00:17       39424 c:/WinDDK/6000/bin/SelfSign/makecert.exe
and pvk2pfx can be found here:
2005-03-24 18:31       14336 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/pvk2pfx.exe
2006-11-01 23:43       18944 c:/WinDDK/6000/bin/SelfSign/pvk2pfx.exe
signtool can be found here:
2005-04-14 17:12       69120 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/signtool.exe
2005-09-23 06:56       75776 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/signtool.exe
2006-11-01 23:43      102912 c:/WinDDK/6000/bin/catalog/signtool.exe
2006-11-01 23:43      102912 c:/WinDDK/6000/bin/SelfSign/signtool.exe

create a self-signed certificate authority certificate

makecert -b 01/02/2004 -n "CN=my CA" -r -sv CA-my.pvk CA-my.cer
-r means 'self-signed'
I chose a date in the past, since most wince devices start at a fixed date.

create a certificate signed with the above CA certificate

makecert -b 01/02/2004 -n "CN=my code signing key 2008 02 26" -iv CA-my.pvk -ic CA-my.cer -sv codesign-my.pvk codesign-my.cer
-iv and -ic specify the CA's private key (.pvk) and certificate (.cer)
-n specifies the subject
on some devices the subject must be at least 32 characters.

convert it to a .pfx file

pvk2pfx.exe  -pvk codesign-my.pvk -spc codesign-my.cer -pfx codesign-my.pfx

upload it to your device

prapi -c codesign-my.cer
prapi is part of the itsutils collection
only the .cer (the public certificate) goes to the device; the .pvk and .pfx hold the private key and stay on the signing machine.

signing a binary

signtool sign -f codesign-my.pfx itsutils.dll

using openssl

alternatively it is also possible to create a CA and certificate using openssl.
