Finding Out the Best-Before Date of a SIS File

There are a few Symbian software authors who occasionally write a piece of Symbian code, possibly with no intention of ever touching the code again, package it up as a SIS file, and then “fire and forget” that SIS file to some web site in case someone should find it useful. Or forget until such time that someone complains about the SIS file having been expired.

Some of the blame here falls to Symbian’s makekeys tool, which by default generates certificates with the validity period of only one year. In fact, apparently only more recent versions of the tool support generating longer-lived certificates. It is possible, though, to use “standard” tools such as openssl to generate certificates. For instance, to generate a key and self-signed certificate valid for 10 years, one can use a command such as

openssl genrsa 1024 > my.key
openssl req -new -x509 -nodes -sha1 -days 3650 -key my.key > my.cer

Anyway, given how common the “expired software” is in the Symbian world, it would often be useful to find out when exactly it is that a SIS file expires. Either to find out by how much to turn back time on your device to allow a SIS file with an expired signature to install, or to determine if your own SIS files have expired or are about to expire soon. However, I’ve yet to come across any tool that will actually tell you the expiration date, given a SIS file.

When one has a certificate generated as above, it seems to be possible to see the date (in a somewhat readable form) with the command

openssl asn1parse -inform PEM -in my.cer

You will want to look for two entries called UTCTIME, which specify the start and end time of the validity period.

SIS files signed with a certificate do contain the signing certificate in them, albeit in the different DER (binary) format. To get the certificate extracted and the dates printed out, one might say hack the very nice SISInfo tool a bit.

In SISInfo, there is a bit of code that reads “blob” fields (see the SISBlobField class), and one of those fields contains the certificate. An ugly hack to extract the dates is as follows:

def readableStr(self):
        fp = open("/tmp/siscert", "w+b")
        try:
                fp.write(self.data)
        finally:
                fp.close()

        pipe = os.popen("openssl asn1parse -inform DER -in /tmp/siscert", "r")
        res = ""
        try:
                for line in pipe:
                        ix = line.find("UTCTIME")
                        if ix != -1:
                                res += line[ix:len(line)]
        finally:
                pipe.close()
                fp.close()
        return res