How certapp Processes Input File Information

This section provides information on the guidelines that the certapp tool follows to process various entities in the input files used to create certificate store files.

Note: Input text files can be 7-bit text or UTF-8. If a file is UTF-8, it can optionally start with a UTF-8 Byte Order Marker. This is the marker that Windows uses when saving files as UTF-8.

White spaces

The certapp tool ignores white space (space, tab, carriage return and line feed characters) in input files. Instead, the line-ending convention of the platform on which the tool runs is followed.

Double-quoted strings

The certapp tool treats a series of bytes within double quote characters (in the input files) as a single token.

A double quote character can be included in a double-quoted string by preceding it with a back slash, as shown in the following example:

This is how you include \” in a double-quoted string.

A backslash character can be included in a double quoted string by preceding it with another back slash, as shown in the following example:

This is how you include \\ in a double-quoted string.

The double quote syntax can be used to set any text field value, such as the certificate label, to any UTF-8 value, including quote characters, spaces, UTF-8 escape sequences and so on.

Note: UTF-8 values are defined such that a UTF-8 escape sequence never contains a back slash character.

Enumerated types

All enumerated values can be specified as numeric values, though using text values is strongly recommended.

Numeric values

Any numeric value can be entered in decimal as a raw number or in hexadecimal by prefixing the number with 0x.

Capability sets

For a certificate, a capability set is a list of capabilities allowed in applications that have the certificate as their trust anchor. Capability set values can be specified as numeric bit offsets (starting from 0), though using text values is strongly recommended, as shown in the following example:

CapabilitySet {ProtServ DiskAdmin NetworkControl 
AllFiles SwEvent NetworkServices LocalServices}

Subject and issuer key identifiers

It is recommended that you set the SubjectKeyId field to an auto value in the input file for creating the certificate store file. In addition, set the IssuerKeyId field either to auto or to an empty octet string.

When the SubjectKeyId and the IssuerKeyId fields are set to auto or if you omit setting values for these fields in the input file, the certapp tool performs its own processing to determine their values. The following sub-sections provide the details.

Setting SubjectKeyId to auto

When SubjectKeyId is set to auto or if the field is omitted, then the following algorithm is used for determining the value of the field:

  • If the store type is not SWI certificate store, the certificate type is not user, and an X.509 SubjectKeyId extension with length less than or equal to 20 bytes is present, then this extension is used as the value of the SubjectKeyId field.

  • Otherwise, the value of the SubjectKeyId field is calculated based on the certificate’s public key characteristics using a Symbian-specific algorithm.

The SubjectKeyId field value is stored in the certificate metadata and can be used by applications when querying the certificate store using a filter.

Setting IssuerKeyId set to auto

If the IssuerKeyId field is set to auto or if the field is omitted, the following algorithm is used for determining the value of the field:

  • If the store type is not SWI certificate store, and an X.509 AuthorityKeyId extension with length less than or equal to 20 bytes is present, then this extension is used as the value of the IssuerKeyId field. An authority key identifier specifies the public key that is used to sign the certificate.

  • If a single certificate is present in the certificate store with the subject matching the issuer of the original certificate (for which the IssuerKeyId is to be set), the IssuerKeyId is set to the SubjectKeyId of the matching certificate.

    Note:

    When generating IssuerKeyId values for SWI store certificates, all certificates within the SWI certificate store are considered. When generating values for file certificate store, all certificates in both the SWI certificate store and the file certificate store are considered.

  • Otherwise, the IssuerKeyId is set to an empty octet string.

The IssuerKeyId field value is stored in the certificate metadata and can be used by applications when querying the certificate store using a filter. To filter certificates by IssuerKeyId, set the field to auto, otherwise set it to an empty octet string (for example, ’’).

Note: In case of a certificate that is not of type X.509, if you do not set the IssuerKeyId or the SubjectKeyId values to auto or empty octet strings, you can set them to octet strings, as explained in the following sub-sections.

Setting SubjectKeyId and IssuerKeyId to octet strings

Consider the following example of an octet string value to which you can set the SubjectKeyId field:

SubjectKeyId ’01:02:43’

The SubjectKeyId field is set to an octet string consisting of the numbers 0x01, 0x02 and 0x03. The string can be 0 to 20 bytes long. The length limit is imposed by the certificate store metadata structure, but the usual values are SHA1 hash of certificate fields and hence 20 bytes long.

Related reference