Difference between revisions of "CTCert"
(Created page with "=Summary= The console-unique CTCert is used for signing CTX files, the DeviceCert used by eShop, and presumably for DSiWare exports. This ECDSA signature, the ECDSA private k...") |
(Found while digging the Process9 binary executable, function generating a CTCert can be found using OTP registers.) |
||
(5 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
=Summary= | =Summary= | ||
− | The console-unique CTCert is used for signing CTX files, the DeviceCert used by [[eShop]], and | + | The console-unique CTCert is used for signing [[Title Data Structure|CTX]] files, the DeviceCert used by [[eShop]], and for [[DSiWare_Exports|DSiWare]] exports. This ECDSA signature, the ECDSA private key for this cert, and the IssuerID is loaded from memory initialized by bootrom instead of NAND. This is the 3DS equivalent of the DSi TWCert. |
+ | |||
+ | The CTCert is signed with ECDSA by Nintendo. CTCerts can be verified via a DER stored in NATIVE_FIRM, separate DERs are used for retail and dev/debug. | ||
=Structure= | =Structure= | ||
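Review bot: the added sentence "CTCerts can be verified via a DER stored in NATIVE_FIRM" does not say what the DER encodes or which bytes of the cert the signature covers, so a reader cannot reproduce the check; state both. The rewritten first paragraph also turns the "presumably for DSiWare exports" of the first edit summary into a flat statement, so it should say what confirmed it. Minor wording: "is loaded" should be "are loaded", and the comma before "separate DERs" should be a semicolon.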
Line 10: | Line 12: | ||
| 0x00 | | 0x00 | ||
| 0x04 | | 0x04 | ||
− | | Type | + | | [[Certificates|Signature]] Type, 0x010005. |
|- | |- | ||
| 0x04 | | 0x04 | ||
Line 33: | Line 35: | ||
|- | |- | ||
| 0x104 | | 0x104 | ||
+ | | 0x04 | ||
+ | | Expiration time as UNIX Timestamp in big endian. | ||
+ | |- | ||
+ | | 0x108 | ||
| 0x3C | | 0x3C | ||
− | | ECDSA Public Key | + | | ECDSA Public Key. This is two consecutive u8 arrays (each one of length 0x1E), where the first one corresponds to the ECDSA R coordinate, and the second to ECDSA S coordinate. These are in '''big''' endian. |
|- | |- | ||
− | | | + | | 0x144 |
− | | | + | | 0x3C |
| Padding | | Padding | ||
|} | |} | ||
− | The ECDSA private key is | + | The ECDSA public key for this cert is converted from the ECDSA private key initialized by bootrom. |
+ | The curve used for ECDSA is sect233r1. |
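Review bot: the new ECDSA Public Key description at 0x108 calls the two 0x1E-byte halves the "ECDSA R coordinate" and "ECDSA S coordinate", but R and S are the components of an ECDSA signature; a public key is a curve point, so the halves should be named the X and Y coordinates. In the closing lines, "converted from the ECDSA private key" would be more precise as "derived from", and the sect233r1 sentence could note that 0x1E bytes holds one 233-bit field element, which ties the curve to the 0x3C field sizes in the table.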
Revision as of 20:33, 6 August 2020
Summary
The console-unique CTCert is used for signing CTX files, the DeviceCert used by eShop, and for DSiWare exports. This ECDSA signature, the ECDSA private key for this cert, and the IssuerID are loaded from memory initialized by bootrom instead of NAND. This is the 3DS equivalent of the DSi TWCert.
The CTCert is signed with ECDSA by Nintendo. CTCerts can be verified via a DER stored in NATIVE_FIRM; separate DERs are used for retail and dev/debug.
Structure
Offset | Size | Description |
---|---|---|
0x00 | 0x04 | Signature Type, 0x010005. |
0x04 | 0x3C | ECDSA Signature |
0x40 | 0x40 | Padding |
0x80 | 0x40 | Cert Issuer ID, for retail this is "Nintendo CA - G3_NintendoCTR2prod", for dev "Nintendo CA - G3_NintendoCTR2dev" |
0xC0 | 0x04 | Key Type |
0xC4 | 0x40 | Key ID: "CT<DeviceId>-<ConsoleType>", where DeviceId is the hex DeviceId, and ConsoleType is 00 for retail, 01 for dev |
0x104 | 0x04 | Expiration time as UNIX Timestamp in big endian. |
0x108 | 0x3C | ECDSA Public Key. This is two consecutive u8 arrays (each one of length 0x1E), where the first one corresponds to the ECDSA R coordinate, and the second to ECDSA S coordinate. These are in big endian. |
0x144 | 0x3C | Padding |
The ECDSA public key for this cert is converted from the ECDSA private key initialized by bootrom. The curve used for ECDSA is sect233r1.
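
An added example, not code from this wiki or from any console software: a Python parser for the 0x180-byte layout in the table above, which also cross-checks the issuer against the ConsoleType in the Key ID. Assumptions: the two type words are big endian and the text fields are NUL-padded; `parse_ctcert` and `build_sample` are hypothetical names, and the sample blob is constructed. It does not verify the ECDSA signature, since the issuer key is not given on this page.

```python
import re
import struct
from datetime import datetime, timezone

CTCERT_SIZE = 0x180  # last table row: 0x144 + 0x3C
ISSUERS = {"Nintendo CA - G3_NintendoCTR2prod": "00",   # retail
           "Nintendo CA - G3_NintendoCTR2dev": "01"}    # dev

def _text(raw):
    """Decode a NUL-padded ASCII field (NUL padding is an assumption)."""
    return raw.split(b"\x00", 1)[0].decode("ascii")

def parse_ctcert(blob):
    if len(blob) != CTCERT_SIZE:
        raise ValueError("expected 0x180 bytes, got %#x" % len(blob))
    # Big endian is stated for expiry and key; assumed for the two type words.
    sig_type, key_type, expiry = (struct.unpack_from(">I", blob, off)[0]
                                  for off in (0x00, 0xC0, 0x104))
    if sig_type != 0x010005:
        raise ValueError("unexpected signature type %#x" % sig_type)
    issuer, key_id = _text(blob[0x80:0xC0]), _text(blob[0xC4:0x104])
    if issuer not in ISSUERS:
        raise ValueError("unknown issuer %r" % issuer)
    m = re.fullmatch(r"CT([0-9A-Fa-f]+)-(0[01])", key_id)
    if not m:
        raise ValueError("malformed key ID %r" % key_id)
    if m.group(2) != ISSUERS[issuer]:
        raise ValueError("console type does not match issuer")
    return {
        "issuer": issuer,
        "device_id": int(m.group(1), 16),
        "console_type": "retail" if m.group(2) == "00" else "dev",
        "key_type": key_type,
        "expires": datetime.fromtimestamp(expiry, tz=timezone.utc),
        "signature": blob[0x04:0x40],
        # Two 0x1E-byte big-endian halves (the page labels them R and S).
        "pubkey": (int.from_bytes(blob[0x108:0x126], "big"),
                   int.from_bytes(blob[0x126:0x144], "big")),
    }

def build_sample(issuer="Nintendo CA - G3_NintendoCTR2prod", key_id="CT0123ABCD-00"):
    """Constructed test blob: zero signature, dummy key halves 1 and 2."""
    b = bytearray(CTCERT_SIZE)
    struct.pack_into(">I", b, 0x00, 0x010005)
    b[0x80:0x80 + len(issuer)] = issuer.encode()
    struct.pack_into(">I", b, 0xC0, 2)            # key type value is a placeholder
    b[0xC4:0xC4 + len(key_id)] = key_id.encode()
    struct.pack_into(">I", b, 0x104, 1596745980)  # constructed timestamp
    b[0x108:0x126] = (1).to_bytes(0x1E, "big")
    b[0x126:0x144] = (2).to_bytes(0x1E, "big")
    return bytes(b)
```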