Author Topic: stl-ms.trid.xml for Certificate Trust List *.stl  (Read 1664 times)

jenderek

« on: November 06, 2020, 02:13:19 AM »
Hello TrID users,

Some days ago, just out of interest, I inspected files on my EFI
partition by running the TrID utility. Inside the boot subdirectory in
the Microsoft directory I found a file named boot.stl. That file is
described by cat-der.trid.xml as "Microsoft Security Catalog (DER
encoded)", by der.trid.xml as "DER encoded X509 Certificate" and by
p7s.trid.xml as "PKCS 7 Signature". I also found such a file in the EFI
and WinSxS subdirectories in the Windows directory. On some systems I
also found a file driver.stl inside the System32 and WinSxS
subdirectories in the Windows directory.
On the web site ctldl.windowsupdate.com you can download Microsoft
Cabinet Archives *stl.cab which contain such stl files like
authroot.stl, disallowedcert.stl, pinrules.stl (see appended
output/trid-v.txt).

According to the web site filext.com such STL files are Certificate
Trust Lists with a special MIME type. That is expressed by lines like:
   <RefURL>https://filext.com/file-extension/STL</RefURL>
   <Mime>application/vnd.ms-pki.stl</Mime>

There exist other file formats with the extension stl. Especially
Stereo Lithography has become very popular today. Such sample variants
starting with the ASCII string solid are identified by
stl-ascii.trid.xml.

On a Windows 7 system STL files are registered with the mentioned ID
STLFile and friendly name @cryptext.dll,-6109 and are viewed by a
command like:
   rundll32.exe cryptext.dll,CryptExtOpenCTL %1
So I mentioned this in the remark line. Astonishingly, on a Windows 8.1
system this relationship vanishes. Even worse, on a Windows 10 system
stl files are now only registered for Microsoft 3D Print, although
certificate trust list examples like boot.stl and driver.stl still
exist on such a system. I found no official documentation or
explanation from Microsoft about that certificate format. What an
annoyance from Microsoft. For me this behavior is like Trump. Focusing
on one hot shit point and neglecting other facts which are also
important.
Luckily, on the web site unmitigatedrisk.com I found an article about
Understanding Windows Automatic Root Update. In particular, another
command to display file content is mentioned, like:
   openssl asn1parse -i -inform DER -in sample.stl
So I mention this command also in the remark line. Furthermore, with
the help of the header file WinCrypt.h it is possible to display
special attributes in human readable format. So I chose as file
description text a line like:
   <FileType>Certificate Trust List (DER encoded)</FileType>

So I ran tridscan on these samples and I got a TrID definition file
stl-ms.trid.xml. All my samples start with a typical phrase that is
also found in other TrID definitions concerning other certificate
formats like cat-der.trid.xml. That is expressed by XML pattern blocks
like:
   <Pattern>
      <Bytes>30</Bytes>
      <ASCII> 0</ASCII>
      <Pos>0</Pos>
   </Pattern>
   <Pattern>
      <Bytes>02</Bytes>
      <Pos>23</Pos>
   </Pattern>

My first inspected STL samples are from Microsoft. So I get in the
global strings section URL strings and text strings pointing to
Microsoft like:
   <String>MICROSOFT ROOT CERTIFICATE AUTHORITY 20100</String>
   <String>WWW.MICROSOFT.COM</String>
   <String>CRL.MICROSOFT.COM</String>
   <String>MICROOCERAUT_2010-06-23.CRL0Z</String>
   <String>AHTTP</String>
Later I also found examples belonging to the ESET antivirus solution
NOD32 like 1da9e81bd01e86b03586f7210decb82cb3fef455.stl. So many lines
in the global strings section vanish and the above mentioned strings
now become like:
   <String>ROOT CERTIFICATE AUTHORITY</String>
   <String>.CRL0</String>
   <String>HTTP</String>

Because I found no official documentation about such STL files, I do
not know if such keywords are required or only optional.

With the new definition the mis-described Certificate Trust List
examples are now described correctly (see appended
output/trid-new-v.txt). The TrID definition, some examples and output
are stored in the archive stl.zip. I hope that my XML file can be used
in a future version of triddefs.

With best wishes
Jörg Jenderek
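
The header layout that the pattern blocks in the post capture, as an added example that is not part of the original post or of TrID: a minimal DER walk that follows the PKCS #7 SignedData structure instead of fixed offsets and reads the inner content type. It assumes the CTL content type is szOID_CTL (1.3.6.1.4.1.311.10.1) from WinCrypt.h; the function names and both sample blobs are constructed for illustration.

```python
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS #7 signedData
OID_CTL = "1.3.6.1.4.1.311.10.1"           # szOID_CTL in WinCrypt.h (assumed CTL marker)
# Constructed, truncated samples: header only, no certificates or signer data.
SAMPLE_CTL = bytes.fromhex("302106092a864886f70d010702a01430120201013100300b06092b0601040182370a01")
SAMPLE_DATA = bytes.fromhex("302106092a864886f70d010702a01430120201013100300b06092a864886f70d010701")

def read_tlv(buf, pos, want):
    """Parse one DER element with tag `want` at pos; return (value_start, value_end)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected tag {want:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of data")
    return pos, pos + length

def decode_oid(body):  # OID content bytes -> dotted string (first arc 0 or 1 only)
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def ctl_content_type(buf):
    """Return the eContentType OID of a DER-encoded PKCS #7 SignedData blob."""
    s, _ = read_tlv(buf, 0, 0x30)           # ContentInfo SEQUENCE (the 0x30 at Pos 0)
    s, e = read_tlv(buf, s, 0x06)           # contentType OID
    if decode_oid(buf[s:e]) != OID_SIGNED_DATA:
        raise ValueError("not PKCS #7 signedData")
    s, _ = read_tlv(buf, e, 0xA0)           # [0] EXPLICIT wrapper
    s, _ = read_tlv(buf, s, 0x30)           # SignedData SEQUENCE
    _, e = read_tlv(buf, s, 0x02)           # version INTEGER: offset 23 when the three
    _, e = read_tlv(buf, e, 0x31)           #   enclosing lengths use the 0x82 form
    s, _ = read_tlv(buf, e, 0x30)           # encapsulated ContentInfo SEQUENCE
    s, e = read_tlv(buf, s, 0x06)           # eContentType OID
    return decode_oid(buf[s:e])

def is_ctl(buf):
    try:
        return ctl_content_type(buf) == OID_CTL
    except (ValueError, IndexError):        # malformed or non-DER input
        return False
```

For a file on disk, pass `open(path, "rb").read()` to `is_ctl`. Security catalogs (.cat) carry the same szOID_CTL content type, so this check confirms the CTL structure but does not by itself separate .stl from .cat.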

Mark0

Re: stl-ms.trid.xml for Certificate Trust List *.stl
« Reply #1 on: November 06, 2020, 03:07:11 AM »
Thanks!