Certificate chain
This is an old revision of this page, as edited by Marcan at 05:51, 19 February 2008. It may differ significantly from the current revision.
Certificate chains are used extensively for signing on the Wii. They are normally preceded by a TMD file or a Ticket and are used to verify that file's signature all the way up to the root key. Most chains contain three certificates.
Child/Parent
Each certificate signs either another certificate or the TMD/Ticket, and is itself signed by another certificate or by the root key. Each certificate therefore has a child and a parent.
To get the parent issuer name of a certificate, cut off everything after the last "-" of the issuer name. If this issuer name is "Root", the root key is used to sign the certificate; otherwise another certificate in the chain is used.
To get the child, append a "-" and the stored child identity to the issuer name. If the child is not in the certificate chain, the certificate is used to sign the TMD/Ticket (which will contain the child's name in its issuer field).
The TMD/Ticket is therefore effectively signed by the root key: if any of the certificates is modified, some signature check will fail and the IOS will know that something was changed.
Signature types
The following signature types may be used by a certificate:
Type | Name | Signature Length (x) |
0x10000 | RSA-4096 | 0x200 |
0x10001 | RSA-2048 | 0x100 |
0x10002 | Elliptic Curve | 0x40 |
Certificate structure
Each certificate in the chain has the following structure. Because the offsets of the data vary with the signature length, the letter "x" stands for the signature length here:
Start | Length | Description |
0x000 | 4 | Signature type |
0x004 | x | Signature of the data after the issuer by the parent's key |
0x040 + x | 64 | Issuer |
0x080 + x | 4 | Key type |
0x084 + x | 64 | Child Certificate Identity |
0x0c4 + x | variable | Public Key |
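The field offsets in the table above and the naming rule from the Child/Parent section, as an added Python example (not code from this page or from the Wii software). It assumes big-endian integers and NUL-padded ASCII names, uses constructed placeholder names, and does not verify signatures, because the page does not describe the public key layout.

```python
# Signature type -> signature length x, from the "Signature types" table.
SIG_LEN = {0x10000: 0x200, 0x10001: 0x100, 0x10002: 0x40}

def _name(raw):
    # Assumption: names are NUL-padded ASCII in their 64-byte fields.
    return raw.split(b"\x00", 1)[0].decode("ascii")

def parse_cert(blob):
    """Parse one certificate; the public key is taken as the rest of blob."""
    sig_type = int.from_bytes(blob[:4], "big")  # assumption: big-endian
    if sig_type not in SIG_LEN:
        raise ValueError("unknown signature type 0x%x" % sig_type)
    x = SIG_LEN[sig_type]
    if len(blob) < 0x0C4 + x:
        raise ValueError("truncated certificate")
    return {
        "sig_type": sig_type,
        "signature": blob[0x004:0x004 + x],
        "issuer": _name(blob[0x040 + x:0x080 + x]),
        "key_type": int.from_bytes(blob[0x080 + x:0x084 + x], "big"),
        "child": _name(blob[0x084 + x:0x0C4 + x]),
        "public_key": blob[0x0C4 + x:],
    }

def signer_path(issuer, certs):
    """Walk from a TMD/Ticket issuer name up to "Root"; fail on a missing link."""
    # A certificate's own name is its issuer + "-" + its child identity.
    by_name = {c["issuer"] + "-" + c["child"]: c for c in certs}
    path = []
    while issuer != "Root":
        if issuer not in by_name:
            raise LookupError("no certificate in chain for " + issuer)
        path.append(issuer)
        issuer = by_name[issuer]["issuer"]  # parent: name minus "-<child>"
    return path + ["Root"]

def make_cert(sig_type, issuer, child, key=b"\xAA" * 8):
    """Build a constructed certificate: zeroed signature, dummy key bytes."""
    x = SIG_LEN[sig_type]
    head = (sig_type.to_bytes(4, "big") + bytes(x)).ljust(0x040 + x, b"\x00")
    return (head + issuer.encode().ljust(64, b"\x00") + (1).to_bytes(4, "big")
            + child.encode().ljust(64, b"\x00") + key)

# Constructed chain; the names are placeholders, not real Wii identities.
CHAIN = [parse_cert(make_cert(0x10000, "Root", "CA_EXAMPLE")),
         parse_cert(make_cert(0x10001, "Root-CA_EXAMPLE", "SIGNER_EXAMPLE"))]
```

`signer_path("Root-CA_EXAMPLE-SIGNER_EXAMPLE", CHAIN)` returns the signer names in order up to `"Root"`; a real verifier would check each signature at every step of that walk.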