Recovering the password to my Blackberry code signing certificate


Have you or a loved one lost a .p12 / .pfx / blackberry code signing password? Read on for details on how I was able to recover my password...

 

Update: I have posted an article about the Certificate Password Recovery Tool. The source is available under an MIT license.

 

Notes:

 

If you ever need to change your BB code signing key (say, if you forget the password) there are a few things you should be aware of:

  • You will be unable to submit updates for any of your current apps using the new code signing key
     
  • You have to create a new App instance in the "Manage Apps" section of the Blackberry ISV portal
    • When customers try to 'upgrade' from your existing app, they can't. They have to get the new app (Which shows up side-by-side with the old one rather than overwriting).
       
  • RIM "can't" delete old app entries after you have migrated to a new App instance. They also can't:
    • Hide old or unwanted apps
    • Associate multiple valid codesigning keys to a vendor so they can update any app with any valid organizational key

In my opinion, RIM should allow vendors with multiple valid code signing keys to be able to update any application with any valid key. It would make their world a better place.


When you work on a small scale the new-app thing probably isn't going to be too problematic. But what if you used one signing key for ALL of your apps? You could end up having a lot of stale app entries on your "Manage Apps" page in the BlackBerry App World ISV portal. The support person I contacted recommended that I rename my old apps to OLD-Name or Name-OLD. While a naming convention helps work around the problem, it is not a solution in and of itself.

 

I'm a small vendor right now with only 2 apps currently "Waiting on Test House" (jsRegex, RegexRaptor.net). So why did I spend my weekend writing a password recovery utility for p12 / pfx files? I'll tell you:

  • I dislike clutter. "Dead" apps I can't ever delete? Really?!?
  • I could ALMOST remember the password. I knew I was close!!
  • When I looked online I couldn't find a free tool comparable to the one I put together (Internet is big: Maybe there's one out there?)

 

So, I got to work Saturday evening and by Monday morning I had a Certificate / keystore password cracker that was able to try 48 Million brute force passwords a day. The final result was able to crack passwords 2,000 times more quickly than my first attempt on Saturday. Sure, there's room for optimization (multithreading, a non-MS library for keystore password attempts), but in the end this was sufficient for my needs.

 

I was able to crack my password in about 2 days by applying the following concepts while using my recovery tool:

  1. Use what you remember of the password
    1. In my case I could remember the beginning and end of my password string. This reduced what I had to guess from 13 characters down to 6

  2. Center the password recovery tool's attempts around the most likely password "area"
    1. For example, if you are trying to find a password like 'p@ssword!' DON'T just start the brute-force at 'a' and let it increment (b,c,d......aaab,aaac,aaad,etc...). Start the recovery utility at something like 'paaaaaaa'

      Note: Be sure to account for the fat finger! You may think you have a 13 character password but it could be only 12 characters or it could be 14 or 15 characters long. To play it safe, you might want to start it off one character shorter than you are expecting...

  3. Reduce the character set
    1. If you KNOW that certain symbols, letters or numbers are NOT present in the password be sure to remove them from the brute force character sequence
    2. For example, I was able to cut my character set down from 76 to 23. This improved my cracking ability enough to make it worthwhile to use the cracker tool.

 

While it would technically take more time than the universe has been around to crack a 13 character password that uses Upper/Lower/Numbers/Symbols, you can reduce that a LOT by using the 3 tricks above. They helped me solve the problem in only 2 days using a budget laptop.
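The arithmetic behind the three tricks, as an added example that is not the author's recovery tool: it takes the post's figures (6 unknown characters, 76 symbols cut to 23, 48 million guesses a day) and enumerates candidates from a chosen starting guess. The function names and the three-symbol sample charset are assumptions made for illustration.

```python
RATE_PER_DAY = 48_000_000  # guesses per day, the figure reported in the post


def keyspace(charset_size, min_len, max_len):
    """Candidates for an unknown middle of min_len..max_len characters."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def days_to_exhaust(charset_size, min_len, max_len, rate=RATE_PER_DAY):
    """Worst-case days to try every candidate at `rate` guesses per day."""
    return keyspace(charset_size, min_len, max_len) / rate


def index_of(middle, charset):
    """Rank of `middle` among same-length strings (a base-N number)."""
    idx = 0
    for ch in middle:
        idx = idx * len(charset) + charset.index(ch)
    return idx


def middle_at(index, length, charset):
    """Inverse of index_of: the string of `length` characters at `index`."""
    chars = []
    for _ in range(length):
        index, digit = divmod(index, len(charset))
        chars.append(charset[digit])
    return "".join(reversed(chars))


def candidates(prefix, suffix, charset, min_len, max_len, start=""):
    """Yield prefix + middle + suffix; lengths shorter than `start` are skipped."""
    for n in range(max(min_len, len(start)), max_len + 1):
        first = index_of(start, charset) if start and len(start) == n else 0
        for i in range(first, len(charset) ** n):
            yield prefix + middle_at(i, n, charset) + suffix


if __name__ == "__main__":
    # Tricks 1 and 3 with the post's numbers: 6 unknown characters.
    print(f"76 symbols: {days_to_exhaust(76, 6, 6):,.0f} days")
    print(f"23 symbols: {days_to_exhaust(23, 6, 6):.1f} days")
    # Fat-finger margin: the unknown middle may be 5, 6 or 7 characters.
    print(f"23 symbols, 5-7 chars: {days_to_exhaust(23, 5, 7):.1f} days")
    # Trick 2 on a constructed 3-symbol charset: start near the likely area.
    for guess in candidates("p@", "d!", "abc", 1, 2, start="ba"):
        print(guess)
```

The 5-to-7 character run shows what the fat-finger margin costs: each extra unknown character multiplies the work by the size of the character set.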

 

I will be releasing the source code to my Password Recovery tool sometime in the next few days. Things have been kind of hectic lately and I need to get a full 6 hours sleep each night in order to function at my day job. ;)

Once I post the project (as a Visual Studio Solution), I'll link it here.

Around 3 days ago I lost the password to my Blackberry Codesigning key. When you set it up @ the CLI, it doesn't ask for confirmation and I fat-fingered it... Fortunately I was able to recover the codesigning certificate password using a Password recovery tool I wrote from scratch over the weekend. With a few assumptions about my password, a few lines of code and a few days I was able to decipher the password to my Blackberry author.p12 keystore.