how are smartphone certificates encoded

1. where are certificates stored

1.1 on the smartphone

Device Certificates are stored under the {HKLM|HKCU}\Comm\Security\SystemCertificates key in subkeys named {store name}\Certificates\{SHA-1 hex thumbprint}, in a value named Blob

at device initialization, certificates are imported into the registry from \windows\sysroots.p7b or from *.provxml files.

some certificates are stored initially in the registry: HKLM\Security\WTLS\Certificates

valid store names are:

Privileged Execution Trust Authorities
Unprivileged Execution Trust Authorities: priv + unpriv are used for codesigning certificates
SPC: used for signed .CAB certificates
Root
ca: used for website certificates
disallowed
trust

1.2 on your pc

under these registry keys:

HKCU\Software\Microsoft\SystemCertificates
HKCU\Software\Policies\Microsoft\SystemCertificates
HKLM\SOFTWARE\Microsoft\EnterpriseCertificates
HKLM\SOFTWARE\Microsoft\SystemCertificates
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates

in subkeys {store name}\Certificates\{sha-1 hex thumbprint}, in a value named

Blob

under these directories:

c:\windows\system32\systemprofile\Application Data\Microsoft\SystemCertificates
c:\Documents and Settings\<username>\Application Data\Microsoft\SystemCertificates
C:\Documents and Settings\<username>\Microsoft\eVC in .cer files
C:\Documents and Settings\<username>\Application Data\Microsoft\Crypto\RSA



1.3 in files

in a .p7b file : application/x-pkcs7-certificates
in a .spc file : application/x-pkcs7-certificates
in a .p7c file : application/pkcs7-mime : certificate_wab_auto_file
in a .p7m file : application/pkcs7-mime : PKCS #7 MIME Message
in a .p10 file : certificate request
in a .p7r file : certificate response
in a .p7s file : certificate signature
in a .sst file : application/vnd.ms-pki.certstore
in a .crl file : certificate revocation list
in a .stl file : certificate trust list
in a .pvk file
in a .pfx file - encrypted .cer, .spc or .pvk file.
in a .cer file : application/x-x509-ca-cert : Security Certificate
in a .crt file : application/x-x509-ca-cert : Security Certificate
in a .der file : application/x-x509-ca-cert : Security Certificate
in a .xml file
in a .pem file



2. how are certificates encoded

2.1 in xml transport

as a base64 encoded asn.1 encoded certificate.

to convert a .cer file to base64:

openssl base64 -in certificate.cer

to calculate the sha1 hash of a .cer file:

openssl sha1 certificate.cer
<wap-provisioningdoc>
	<characteristic type="CertificateStore">
		<characteristic type="Privileged Execution Trust Authorities">
			<characteristic type="...sha1_hex...">
				<parm name="EncodedCertificate" value="...base64..."/>
				<parm name="Role" value="0"/>
			</characteristic>
		</characteristic>
	</characteristic>
</wap-provisioningdoc>


2.2 in .cer file

.cer files are the asn.1 x509 encoded certificate, to inspect:

openssl x509 -in certificate.cer -inform DER -text

2.3 in .pvk file

a 6 dword header, the last field == filesize - 6*sizeof(DWORD)
followed by a PUBLICKEYSTRUC { bType=7(PRIVATEKEYBLOB), bVersion=2, reserved=0, aiKeyAlg=0x2400(CALG_RSA_SIGN) }
followed by a RSAPUBKEY struct { magic='RSA2', bitlen=1024, pubexp=0x10001 }, followed by the public modulus
followed by the private key data: p, q, (d%(p-1)), (d%(q-1)), 1/q ( mod p ), d
the modulus and 'd' ( the private exponent ) are size bitlen/8, 
the other privkey values are size bitlen/16

2.4 in .pfx file

openssl pkcs12  -info -in certificate.pfx


2.5 viewing asn.1 data

openssl asn1parse -inform DER -i -dump -in certificate.ext

2.6 viewing .spc or .p7b data

openssl pkcs7  -print_certs -inform DER -in certificate.spc

2.7 layout of registry blobs

the registry blobs consist of several records of this format:

+0 DWORD propid
+4 DWORD unknown
+8 DWORD dwSize
+12 BYTE data[dwSize]


property is usually one of the following:
00000003 CERT_SHA1_HASH_PROP_ID                    sha1 of certificate ( == the registry keyname )
00000004 CERT_MD5_HASH_PROP_ID                     md5 of certificate
00000014 CERT_KEY_IDENTIFIER_PROP_ID               sha1 of SubjectPublicKeyInfo : SEQ[SEQ[rsa], key]
00000018 CERT_ISSUER_PUBLIC_KEY_MD5_HASH_PROP_ID   md5 of pubkey of signer
00000019 CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID  md5 of pubkey of this certificate
00000020 CERT_CERT_PROP_ID                         the certificate
00008000 CERT_FIRST_USER_PROP_ID                   the SPC role


3. how are certificates imported

certificates can be entered into a phone in several ways:

using rapiconfig.exe /p AddCert.xml
using spdps.exe or sp2002dps.exe
using prapi.exe -c certificatefile.cer



4. how to create certificates
(old information)

use makecert: ( store certificate in the registry )
   makecert -n "CN=key-common-name-minimum-32-chars" -ss my
or ( store the certificate in a file )
   makecert -n "CN=key-common-name-minimum-32-chars" -sv "privkey.pvk" "pubkeycert.cer"
automatically ( with unconvenient long name )
   spdps /create



5. how to list certificates on your system

run certmgr.exe
using the mmc certificate snapin, see this article
in startmenu->settings->controlpanel->internet options, select the 'content' tab, click the 'certificates' button
use rapiconfig /p querystore.xml


6. how to sign code with a certificate
(old information)

using signcode.exe interactively, by running signcode without commandline options.
using signcode.exe with commandline options: ( certificate in a file )
signcode -v privkey.pvk -spc pubkeycert.cer itsutils.dll
using signcode.exe with commandline options: ( certificate in registry )
signcode -cn key-common-name -s my itsutils.dll

note that the common-name is specified without 'CN=' in signcode, and with 'CN=' in makecert
using cabsigner.exe


7. how to verify a signature

links
Signing and Checking Code with Authenticode
Digital Code Signing Step-by-Step Guide


below is the most recent information (feb 2008) on codesigning

codesigning using makecert ( a tool from microsoft )
where is makecert.exe?

on my laptop there are several copies of makecert.exe, in the following places:
2003-03-24 23:03       39936 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/makecert.exe
2005-09-23 06:56       39936 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/makecert.exe
2005-09-23 08:17       32528 c:/Program Files/Microsoft Visual Studio 8/SmartDevices/SDK/SDKTools/makecert.exe
2006-11-02 00:17       39424 c:/WinDDK/6000/bin/SelfSign/makecert.exe


and pvk2pfx can be found here:
2005-03-24 18:31       14336 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/pvk2pfx.exe
2006-11-01 23:43       18944 c:/WinDDK/6000/bin/SelfSign/pvk2pfx.exe


signtool can be found here:
2005-04-14 17:12       69120 c:/Program Files/Microsoft Visual Studio 8/Common7/Tools/Bin/signtool.exe
2005-09-23 06:56       75776 c:/Program Files/Microsoft Visual Studio 8/SDK/v2.0/Bin/signtool.exe
2006-11-01 23:43      102912 c:/WinDDK/6000/bin/catalog/signtool.exe
2006-11-01 23:43      102912 c:/WinDDK/6000/bin/SelfSign/signtool.exe


create a selfsigned certificate authority certificate
makecert -b 01/02/2004 -n "CN=my CA" -r -sv CA-my.pvk CA-my.cer


 -r  means 'self-signed'
 i choose a date in the past, since most wince devices start at a fixed date.


create a certificate signed with the above CA certificate
makecert -b 01/02/2004 -n "CN=my code signing key 2008 02 26" -iv CA-my.pvk -ic CA-my.cer -sv codesign-my.pvk codesign-my.cer


the -iv and -ic specify the CA's private and public keys
the -n specifies the subject
on some devices the subject must be at least 32 characters.


convert it to a .pfx file
pvk2pfx.exe  -pvk codesign-my.pvk -spc codesign-my.cer -pfx codesign-my.pfx






upload it to your device
prapi -c codesign-my.cer


prapi is part of the itsutils collection


signing a binary

signtool sign -f codesign-my.pfx itsutils.dll


using openssl
alternatively it is also possible to create a CA and certificate using openssl.

+0	DWORD propid
+4	DWORD unknown
+8	DWORD dwSize
+12	BYTE data[dwSize]