15. Enter:
:q!
To exit vim.
16. Enter:
xxd -ps PK.esl PK.hex
To re-dump the file in postscript plain hexdump style.
17. Enter:
vim PK.hex
To open the hex dump in vim.
*** Remaining output omitted ***
Working with just the hex values, we can now delete everything before 0x3082039, the start of the DER-encoded certificate:
3082039d30820285a003020102021050
a1bd858ae7b6bc402dca78cdd268a1300d06092a864886f70d01010b0500
3067310b3009060355040613025553310e300c06035504080c0554657861
733113301106035504070c0a526f756e6420526f636b3112301006035504
0a0c0944656c6c20496e632e311f301d06035504030c1644656c6c20496e
632e20506c6174666f726d204b6579301e170d3136303630313230323030
375a170d3331303630313230333030365a3067310b300906035504061302
5553310e300c06035504080c0554657861733113301106035504070c0a52
*** Remaining output omitted ***
18. Enter:
:x!
To save changes and exit vim.
19. Enter:
xxd -r -ps PK.hex PK.cer
To reverse our hex dump back into a binary file.
We should now be able to view the PK certificate information
with openssl:
20. Enter:
openssl x509 -in PK.cer -inform der -noout -text
To view the certificate.
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
50:a1:bd:85:8a:e7:b6:bc:40:2d:ca:78:cd:d2:68:a1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Texas, L = Round Rock, O = Dell Inc., CN = Dell Inc. Platform Key
Validity
Not Before: Jun 1 20:20:07 2016 GMT
Not After : Jun 1 20:30:06 2031 GMT
Subject: C = US, ST = Texas, L = Round Rock, O = Dell Inc., CN = Dell Inc. Platform Key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b1:20:3a:40:88:eb:67:58:23:12:44:0c:20:ed:
*** OUTPUT TRUNCATED ***
ab:ff:6f:82:a1:bb:64:f2:b0:5e:b7:a9:63:a4:71:
94:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
X509v3 Subject Key Identifier:
46:6F:90:1C:10:20:52:99:56:15:EF:39:FD:48:18:48:CF:75:E6:A4
Signature Algorithm: sha256WithRSAEncryption
52:f6:b6:79:e4:c9:72:b0:a1:49:69:25:ce:17:5c:6a:c6:32:
*** OUTPUT TRUNCATED ***
97:82:21:fc
From the output we can see that:
Serial Number:
50:a1:bd:85:8a:e7:b6:bc:40:2d:ca:78:cd:d2:68:a1
Issuer: C = US, ST = Texas, L = Round Rock, O = Dell Inc., CN = Dell Inc. Platform Key
Subject: C = US, ST = Texas, L = Round Rock, O = Dell Inc., CN = Dell Inc. Platform Key
The serial number uniquely identifying the PK is:
50:a1:bd:85:8a:e7:b6:bc:40:2d:ca:78:cd:d2:68:a1
The common name for this key is: Dell Inc. Platform Key
The certificate was issued by itself: Issuer and Subject are identical, so it is self-signed.
Next we will extract the Key Exchange Key certificates.
Repeat the previous procedure to create a hex dump of the
KEK.esl file and open it in vim:
00000000: a159 c0a5 e494 a74a 87b5 ab15 5c2b f072 .Y.....J....\+.r
00000010: f203 0000 0000 0000 d603 0000 ce4d 5670 .............MVp
00000020: fc9a e34e 85fc 9496 49d7 e45c 3082 03c2 ...N....I..\0...
00000030: 3082 02aa a003 0201 0202 1027 9bad 52bf 0..........'..R.
00000040: 5dab b24c 3677 42f4 ebac cd30 0d06 092a ]..L6wB....0...*
00000050: 8648 86f7 0d01 010b 0500 3067 310b 3009 .H........0g1.0.
00000060: 0603 5504 0613 0255 5331 0e30 0c06 0355 ..U....US1.0...U
00000070: 0408 0c05 5465 7861 7331 1330 1106 0355 ....Texas1.0...U
*** Remaining output omitted ***
Again we see that this file begins with the x509 signature list GUID
a159 c0a5 e494 a74a 87b5 ab15 5c2b f072. The next 4 bytes are the
UINT32 SignatureListSize, f203 0000 in Little Endian,
which is 0000 03f2 in Big Endian. If we scroll down to byte 03f2
we see that this is definitely not the end of the file, so there
are likely multiple KEK certificates stored in it:
*** Remaining output omitted ***
000003b0: e8e8 ed41 45ac 5eaf d2eb b57a 6f74 cedf ...AE.^....zot..
000003c0: f64e b062 0994 9dcc 09dd f568 a318 c432 .N.b.......h...2
000003d0: 9f13 4065 cf67 6d98 f3d5 c311 afb4 8a4b ..@e.gm........K
000003e0: 9549 0642 0e86 5748 7beb aaae 2c07 5496 .I.B..WH{...,.T.
000003f0: 6b36 a159 c0a5 e494 a74a 87b5 ab15 5c2b k6.Y.....J....\+
00000400: f072 1806 0000 0000 0000 fc05 0000 bd9a .r..............
00000410: fa77 5903 324d bd60 28f4 e78f 784b 3082 .wY.2M.`(...xK0.
00000420: 05e8 3082 03d0 a003 0201 0202 0a61 0ad1 ..0..........a..
00000430: 8800 0000 0000 0330 0d06 092a 8648 86f7 .......0...*.H..
*** Remaining output omitted ***
Note that at byte 0x03f3 another x509 GUID starts: a159 c0a5.
We need to separate the certificate entries into separate files.
Exit vim and dump the file into postscript (plain hex) format so it can be edited.
Open the ps-formatted file in vim:
a159c0a5e494a74a87b5ab155c2bf072f203000000000000d6030000ce4d
5670fc9ae34e85fc949649d7e45c308203c2308202aaa003020102021027
9bad52bf5dabb24c367742f4ebaccd300d06092a864886f70d01010b0500
3067310b3009060355040613025553310e300c06035504080c0554657861
733113301106035504070c0a526f756e6420526f636b3112301006035504
0a0c0944656c6c20496e632e311f301d06035504030c1644656c6c20496e
632e20506c6174666f726d204b6579301e170d3136303630313230323234
*** Remaining output omitted ***
21. Enter:
/a159c0a5
To find the start of the second x509 GUID.
22. Type:
v
To switch to visual selection mode.
23. Type:
G$
To select to the end of the file.
24. Type:
y
To copy (yank) the text.
25. Enter:
:e KEK-1.hex
To create a new file with the filename KEK-1.hex.
26. Type:
p
To paste the copied lines.
We know from the PK.esl file that the first 44 bytes are header and
owner information, which are not part of the certificate itself,
so we need to delete the first 88 hex characters from the file:
308205e8308203d0a003020102020a610ad18800000000000330
0d06092a864886f70d01010b0500308191310b3009060355040613025553
311330110603550408130a57617368696e67746f6e3110300e0603550407
13075265646d6f6e64311e301c060355040a13154d6963726f736f667420
436f72706f726174696f6e313b3039060355040313324d6963726f736f66
*** Remaining output omitted ***
27. Enter:
:x!
To write changes and quit.
Convert our hex dump back to binary:
28. Enter:
xxd -r -ps KEK-1.hex KEK-1.cer
29. Enter:
openssl x509 -in KEK-1.cer -inform der -noout -text
To view the certificate information:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
61:0a:d1:88:00:00:00:00:00:03
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Corporation Third Party Marketplace Root
Validity
Not Before: Jun 24 20:41:29 2011 GMT
Not After : Jun 24 20:51:29 2026 GMT
Subject: C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = Microsoft Corporation KEK CA 2011
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c4:e8:b5:8a:bf:ad:57:26:b0:26:c3:ea:e7:fb:
*** OUTPUT TRUNCATED ***
af:79:40:84:79:87:7f:e3:52:a8:e8:9d:7b:07:69:
8f:15
Exponent: 65537 (0x10001)
X509v3 extensions:
1.3.6.1.4.1.311.21.1:
...
X509v3 Subject Key Identifier:
62:FC:43:CD:A0:3E:A4:CB:67:12:D2:5B:D9:55:AC:7B:CC:B6:8A:5F
1.3.6.1.4.1.311.20.2:
.
.S.u.b.C.A
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl
Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
Signature Algorithm: sha256WithRSAEncryption
d4:84:88:f5:14:94:18:02:ca:2a:3c:fb:2a:92:1c:0c:d7:a0:
*** OUTPUT TRUNCATED ***
57:4e:36:d2:32:84:bf:9e
Repeat this process for any remaining KEK certificates.
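The manual split above, done programmatically. This is an added example, not part of the original guide: it walks the EFI_SIGNATURE_LIST headers (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize, then the 16-byte SignatureOwner in front of each certificate) for any number of lists, and checks that each entry's DER length matches SignatureSize - 16 before the bytes are handed to openssl. The sample ESL, its owner GUID and the placeholder certificate bytes are constructed here, not taken from a real machine.

```python
import struct
import uuid

# EFI_CERT_X509_GUID, the SignatureType that starts PK.esl and KEK.esl. xxd shows
# it as a159 c0a5 e494 a74a ... because its first three fields are little endian.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def der_total_length(der):
    """Bytes used by the outer DER SEQUENCE, tag and length included (30 82 03 c2 -> 0x3c6)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("entry does not start with a DER SEQUENCE tag (0x30)")
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: 0x81/0x82 + n length bytes
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_esl(data):
    """Return the X.509 entries of an .esl blob as (SignatureOwner, DER cert) tuples."""
    certs, off = [], 0
    while off < len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        # UINT32 SignatureListSize, SignatureHeaderSize, SignatureSize, little endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %#x at offset %#x" % (list_size, off))
        entries = data[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_X509_GUID:
            for i in range(0, len(entries), sig_size):
                entry = entries[i:i + sig_size]
                owner, der = uuid.UUID(bytes_le=entry[:16]), entry[16:]
                # the manual cut assumed 16 + certificate == SignatureSize; verify it
                if der_total_length(der) != len(der):
                    raise ValueError("DER length disagrees with SignatureSize at %#x" % (off + 28 + i))
                certs.append((owner, der))
        off += list_size            # next list, e.g. the second KEK list at 0x3f2
    return certs

def build_x509_list(owner, der):
    """One EFI_SIGNATURE_LIST holding a single X.509 entry (used to build the sample)."""
    sig_size = 16 + len(der)
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
    return hdr + owner.bytes_le + der

# Constructed sample: two lists back to back, like KEK.esl. The payloads are
# placeholder DER SEQUENCEs (short and long length forms), not real certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # made-up SignatureOwner
FAKE_CERT_1 = b"\x30\x0a" + b"A" * 10
FAKE_CERT_2 = b"\x30\x82\x01\x00" + b"B" * 256
SAMPLE_ESL = build_x509_list(OWNER, FAKE_CERT_1) + build_x509_list(OWNER, FAKE_CERT_2)
```

Each returned DER blob can be written to a KEK-n.cer file as-is and inspected with the same openssl x509 -inform der command used above.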
After extracting the KEK certificates, extract the certificates
from the db ESL.