Human-Readable File Formats Reference

This section provides details of the fields in the various certificate store human-readable files.

File Certificate Store Field Details

The following table provide details of the file certificate store fields:

Name

Description

StartEntry

Specifies the certificate label. This label is in UTF-8 format and limited to 64 characters.

Deletable

The value of this field indicates whether the certificate can be deleted. True indicates that the certificate can be deleted. False indicates that the certificate must be protected from deletion.

Format

Specifies the certificate format. This is usually set to EX509Certificate.

CertificateOwnerType

Indicates the type of certificate owner. This field has the following legal values: ECACertificate, EUserCertificate and EPeerCertificate.

SubjectKeyId

Both these fields are used to build certificate chains by looking for certificates with SubjectKeyId values that match the IssuerKeyId value of the first certificate in the chain. While the SubjectKeyId enables identification of certificates containing a public key (in this case, the issuer key), the IssuerKeyId is the unique value that identifies the issued certificate.

These fields are optional. If omitted, their values are considered equivalent to auto. For x509 certificates, it is recommended that these fields be omitted or set to auto. For other certificate types, specify an octet string value.

IssuerKeyId

StartApplicationList

Indicates the start and end of the application list. An application list specifies the applications associated with a certificate. Applications can be specified by UID or by name (in which case they are looked up in certclients.dat).

EndApplicationList

Trusted

The value of this field is usually set to True. If set to False, the certificate does not act as a trust anchor and its capabilities are not used.

DataFileName

Specifies the name of the file from which the certificate is to be read.

If the certificate format is not x509, the contents are treated as a raw block of data. If the format is x509, the file can be either of the following:

  • A Privacy Enhanced Mail (PEM) encoded certificate in a UTF-8 file with or without a UTF-8 Byte Order Marker (BOM)

  • A binary file containing a Distinguished Encoding Rules (DER) encoded certificate.

SWI Certificate Store Field Details

The following table provides information on the SWI certificate store fields. Because the SWI certificate store is a superset of the file certificate store, the following table lists only fields specific to the SWI certificate store.

Name

Description

CapabilitySet

Defines a list of capabilities allowed in applications that have the certificate as their trust anchor. Standard capability names or numeric bit numbers can be specified.

Mandatory

The value of this field is usually be set to False so that it enables the installation of any package not signed by a certificate that resolves to a SWI certificate. A True value prevents normal installation of packages.

Note: If the certificate store is deployed in a device that does not support the feature of updating ROM files without using SIS stubs, the certificate gets interpreted as Mandatory. This prevents all normal applications from installing.

SystemUpgrade

The value of this field must usually be set to False to enable normal installation of applications. A True value of this field indicates that any application signed by a certificate which resolves to this certificate is treated as a System Upgrade, and consequently, a lot of security checks are disabled for that application.

Note: The field is set to True only when the certificate store is deployed in a device that supports the feature of updating ROM files without using SIS stubs.

Important: A SWI certificate store does not have a Deletable field because all the SWI certificates are protected from deletion.