Brew MP signing certificates

Signing authorities generate one or more signing key pairs, and use these keys to issue digital signatures. After generating a signing key pair, they request that a certificate authority issue a signing certificate under their root. Certificate authorities issue the resultant signing certificate by signing the signing authority's public signing key with the private root key.

This section provides an overview of the attributes of Brew MP Signing Certificates. Specific ASN.1 definitions and encoding requirements are detailed in a later chapter.

Signing certificate capabilities

As discussed previously, there are two types of signatures that a signing authority may issue: code signatures and developer enablement signatures. The difference between them shows in the Brew MP capabilities listed below.

  • No Signed Files - this capability allows for the creation of a digital signature that does not require a list of files that must be signed. Without this capability, a list of signed files must be specified.
  • No Date - this capability allows for the creation of a digital signature that has no date restrictions. Without this capability, a date range must be specified.
  • No HW SN - this capability allows for the creation of a digital signature that has no binding to a particular set of hardware serial numbers. Without this capability, HW SNs must be specified.

As expressed in the following table, code signing certificates require a list of signed files but no date restrictions and no hardware serial numbers, while developer enablement signing certificates require date restrictions and hardware serial numbers but no list of signed files.

| Certificate | List of Files | Date Restriction | HW SN |
| --- | --- | --- | --- |
| Code Signing | Yes | No | No |
| Developer Enablement | No | Yes | Yes |

What capabilities are authorized?

As with privileges and TCGs, capabilities must be explicitly allowed in the signing certificate and any intermediate certificates that chain to a root configured on the device. For a capability to be permitted on a Brew MP device, every certificate in the chain up to the root certificate must explicitly allow that capability.

In Brew MP 1.0 the root by itself has no restrictions on what capabilities it can sign for. The ability for a device manufacturer to constrain a given root's capabilities through configuration may be added in future releases of Brew MP.
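The chain rule above, combined with the three capability definitions, as an added example (not Qualcomm's or this page's own code). Certificates are modelled as dicts of already-decoded extension values, and the signature field names `signed_files`, `date_range` and `hw_serial_numbers` are hypothetical.

```python
# Added example. Certificates are dicts of already-decoded extension values;
# that layout and the signature field names below are assumptions.
ALL_CAPABILITIES = {"NoSignedFiles", "NoDate", "NoHwSN"}

# What a signature must carry when the matching capability is NOT granted.
REQUIRED_WITHOUT = {
    "NoSignedFiles": "signed_files",
    "NoDate": "date_range",
    "NoHwSN": "hw_serial_numbers",
}

def effective_capabilities(chain):
    """chain[0] is the signing certificate, chain[-1] the device root."""
    if len(chain) < 2:
        raise ValueError("need a signing certificate and a root")
    allowed = set(ALL_CAPABILITIES)
    for cert in chain[:-1]:  # the Brew MP 1.0 root is unconstrained
        # Capabilities must be explicitly allowed: a missing extension grants none.
        allowed &= set(cert.get("capabilities", ()))
    return allowed

def missing_signature_fields(signature, chain):
    """Names of restrictions the signature lacks but the chain requires."""
    caps = effective_capabilities(chain)
    return sorted(field for cap, field in REQUIRED_WITHOUT.items()
                  if cap not in caps and not signature.get(field))

# Constructed certificates: a code signing leaf, two intermediates, a root.
ROOT = {}
CODE_LEAF = {"capabilities": ["NoDate", "NoHwSN"]}
PERMISSIVE_CA = {"capabilities": ["NoSignedFiles", "NoDate", "NoHwSN"]}
NARROW_CA = {"capabilities": ["NoDate"]}

if __name__ == "__main__":
    code_sig = {"signed_files": ["app.mod"]}  # constructed signature
    print(missing_signature_fields(code_sig, [CODE_LEAF, PERMISSIVE_CA, ROOT]))
    print(missing_signature_fields(code_sig, [CODE_LEAF, NARROW_CA, ROOT]))
```

With the narrow intermediate, the leaf's NoHwSN claim has no effect, so the same signature is incomplete until it lists hardware serial numbers.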

Required Brew MP signing certificate standard extensions

All Brew MP Signing Certificates require the following standard extensions:

  • basicConstraints (OID id-ce 19) where the only necessary field is the CA Boolean field, which should be set to FALSE
  • extKeyUsage (OID id-ce 37)
    • Where the only necessary field is apiOneCodeSigning (OID 1.3.6.1.4.1.1449.9.4.1.20) granting the ability to sign for Brew MP and BREW Client 4.x devices.

Required Brew MP signing certificate proprietary extensions

All Brew MP Signing Certificates require the following Qualcomm-defined extensions:

  • trustedCodeGroups (OID 1.3.6.1.4.1.1449.9.4.1.10)
    • With the value constrained to the TCGs for which the Signing Authority may authorize code.
  • capabilities (OID 1.3.6.1.4.1.1449.9.4.1.12) with the values:
    • For a code signing certificate: NoDate and NoHwSN
    • For a developer enablement certificate: NoSignedFiles

Optional Brew MP signing certificate proprietary extensions

Brew MP Signing Certificates may include the following Qualcomm-defined extensions:

  • privileges (OID 1.3.6.1.4.1.1449.9.4.1.11)
    • With the value constrained to the privileges that the Signing Authority may authorize.
    • Not including this extension implies that the signing certificate may authorize any privilege.

Below is an example of both a code signing certificate and a developer enablement signing certificate. The primary difference between the two can be seen in their capabilities extension.

Example Brew MP code signing certificate

Below is an example of a Code Signing Certificate suitable for digitally signing code on a Brew MP device. It follows the structure of an X.509 v3 digital certificate.

| Field | Value |
| --- | --- |
| Version | X |
| Serial Number | XXXXXXXXXX |
| Signature Algorithm | sha256WithRSAEncryption |
| Issuer | o=CA_NAME, Inc.; cn=CA_NAME Signing Root |
| Validity | notBefore = XX/XX/XXXX; notAfter = XX/XX/XXXX |
| Subject | o=SA_NAME, Inc.; cn=SA_NAME Code Signing |
| Public Key Info | Algorithm = RSA; Modulus = 1024 bits (or 2048 bits); Exponent = 3 (F0) |

| Extensions | OID | Criticality | Value |
| --- | --- | --- | --- |
| basicConstraints | {id-ce 19} | TRUE | cA = FALSE; pathLenConstraint = n/a |
| extKeyUsage | {id-ce 37} | TRUE | apiOneCodeSigning {1.3.6.1.4.1.1449.9.4.1.20} |
| trustedCodeGroups | {1.3.6.1.4.1.1449.9.4.1.10} | TRUE | minTCG-maxTCG |
| capabilities | {1.3.6.1.4.1.1449.9.4.1.12} | TRUE | No Date, No HW SNs |

Example Brew MP developer enablement signing certificate

Below is an example of a signing certificate suitable for creating developer enablement signatures for a Brew MP device. It follows the structure of an X.509 v3 digital certificate.

| Field | Value |
| --- | --- |
| Version | X |
| Serial Number | XXXXXXXXXX |
| Signature Algorithm | sha1WithRSAEncryption |
| Issuer | o=CA_NAME, Inc.; cn=CA_NAME Signing Root |
| Validity | notBefore = XX/XX/XXXX; notAfter = XX/XX/XXXX |
| Subject | o=SA_NAME, Inc.; cn=SA_NAME Developer Enablement Signing |
| Public Key Info | Algorithm = RSA; Modulus = 1024 bits; Exponent = 3 (F0) |

| Extensions | OID | Criticality | Value |
| --- | --- | --- | --- |
| basicConstraints | {id-ce 19} | TRUE | cA = FALSE; pathLenConstraint = n/a |
| extKeyUsage | {id-ce 37} | TRUE | apiOneCodeSigning {1.3.6.1.4.1.1449.9.4.1.20} |
| trustedCodeGroups | {1.3.6.1.4.1.1449.9.4.1.10} | TRUE | No TCGs |
| capabilities | {1.3.6.1.4.1.1449.9.4.1.12} | TRUE | No File List |
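
The required and optional extension rules, checked against the two example certificates above, as an added example that is not part of the original documentation. The dict layout, the function names and the `PRIV_A`/`PRIV_B` privilege names are assumptions; ASN.1 decoding is left out because the page defers the encoding to a later chapter.

```python
# Added example: decoded extension values as plain dicts (an assumed layout).
API_ONE_CODE_SIGNING = "1.3.6.1.4.1.1449.9.4.1.20"

# The capabilities value identifies which kind of signing certificate this is.
PROFILES = {
    frozenset({"NoDate", "NoHwSN"}): "code signing",
    frozenset({"NoSignedFiles"}): "developer enablement",
}

def lint_signing_cert(ext):
    """Return (profile or None, problems) for one certificate's extensions."""
    problems = []
    bc = ext.get("basicConstraints")
    if bc is None:
        problems.append("basicConstraints missing")
    elif bc.get("cA") is not False:
        problems.append("basicConstraints cA must be FALSE")
    if API_ONE_CODE_SIGNING not in ext.get("extKeyUsage", ()):
        problems.append("extKeyUsage lacks apiOneCodeSigning")
    if "trustedCodeGroups" not in ext:  # required even when it lists no TCGs
        problems.append("trustedCodeGroups missing")
    profile = PROFILES.get(frozenset(ext.get("capabilities", ())))
    if profile is None:
        problems.append("capabilities match neither profile")
    return profile, problems

def may_authorize_privilege(ext, privilege):
    """privileges is optional; when absent, any privilege may be authorized."""
    return "privileges" not in ext or privilege in ext["privileges"]

# Constructed inputs mirroring the two example certificates above.
CODE_SIGNING = {
    "basicConstraints": {"cA": False},
    "extKeyUsage": [API_ONE_CODE_SIGNING],
    "trustedCodeGroups": ["minTCG-maxTCG"],  # placeholder range from the table
    "capabilities": ["NoDate", "NoHwSN"],
}
DEV_ENABLEMENT = dict(CODE_SIGNING, trustedCodeGroups=[],
                      capabilities=["NoSignedFiles"])

if __name__ == "__main__":
    for name, cert in (("code", CODE_SIGNING), ("dev", DEV_ENABLEMENT)):
        print(name, lint_signing_cert(cert))
    bad = dict(CODE_SIGNING, basicConstraints={"cA": True}, capabilities=["NoDate"])
    print(lint_signing_cert(bad))
```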