
How to get certificate information using CryptoAPI or CAPICOM ...


Vincent Marie

Nov 13, 2003, 5:36:26 AM
Hello,

How can I determine, using CryptoAPI or CAPICOM, for which uses a
certificate is intended?
In other words, I would like to get programmatically the uses list
that I can see in the General Tab when I open a Certificate in the
'Certificates' MMC snap-in below "The certificate is intended to:"

Thanks in advance,
Regards,
Vincent

Nilesh Padbidri

Nov 13, 2003, 7:57:23 AM
Hi Vincent,

Use the CertGetEnhancedKeyUsage and CertGetIntendedKeyUsage Cert APIs.

Nilesh Padbidri


Michel Gallant

Nov 13, 2003, 9:39:51 AM
ExtendedKeyUsage can either be a standard X509 certificate extension,
or, in Win32/CryptoAPI, it can ALSO be an extended property of the cert,
as described in CertGetEnhancedKeyUsage() docs:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/certgetenhancedkeyusage.asp

If neither is found, then the certificate is considered valid for all key usages
(although some applications using the cert might demand specific extensions be present).

With CAPICOM, it is very easy to get the ExtendedKeyUsage cert extension info.
Here is a simple VBScript, extracted from the excellent CAPICOM 2 sample CView.vbs:

----------- snippet from CView.vbs -----------------------------
If Certificate.ExtendedKeyUsage.IsPresent Then
    If Certificate.ExtendedKeyUsage.EKUs.Count > 0 Then
        Dim OID
        Set OID = CreateObject("CAPICOM.OID")
        Wscript.Stdout.Writeline "Extended Key Usage:"
        Wscript.Stdout.Writeline "  Critical = " & Certificate.ExtendedKeyUsage.IsCritical
        Dim EKU
        For Each EKU In Certificate.ExtendedKeyUsage.EKUs
            OID.Value = EKU.OID
            Wscript.Stdout.Writeline "  " & OID.FriendlyName & " (" & OID.Value & ")"
        Next
        Set OID = Nothing
    Else
        Wscript.Stdout.Writeline "Extended Key Usage: Not valid for any usage."
        Wscript.Stdout.Writeline "  Critical = " & Certificate.ExtendedKeyUsage.IsCritical
    End If
Else
    Wscript.Stdout.Writeline "Extended Key Usage: Not present (valid for all usages)."
End If
-------------------------------------------------------------------------

- Michel Gallant
Visual Security MVP

"Nilesh Padbidri" <nil...@cybage.com> wrote in message
news:unA8kXeq...@TK2MSFTNGP10.phx.gbl...

Vincent Marie

Nov 13, 2003, 8:50:20 AM
Thank you Nilesh for your quick response,

I tried these APIs and it seems that they cannot be used to get a certificate's
intended usage (such as "Protects e-mail messages" or "Proves your identity to a
remote computer", etc.)

CertGetEnhancedKeyUsage returns TRUE but the rgpszUsageIdentifier is empty
...
and CertGetIntendedKeyUsage returns FALSE.

Is there another API that can give me this information?

Thanks in advance,
Regards,
Vincent

"Nilesh Padbidri" <nil...@cybage.com> wrote in message
news:unA8kXeq...@TK2MSFTNGP10.phx.gbl...

Vincent Marie

Nov 13, 2003, 12:29:11 PM
Thank you very much,
However I have another question:

I have a certificate that is intended to
- Proves your identity to a remote computer
- Protects e-mail messages

In the certificate properties, I check 'Enable all purposes for this
certificate'. So I can understand that CertGetEnhancedKeyUsage() returns
an empty array. But when I open the certificate using the Certificates
snap-in, I can see the certificate's original intended purposes (Proves your
identity to a remote computer, Protects e-mail messages)!!
How does the snap-in get this information?!?

Thank you in advance,
Regards,
Vincent

"Michel Gallant" <neu...@NOSPAMistar.ca> wrote in message
news:#DTMYQfq...@TK2MSFTNGP09.phx.gbl...

Michel Gallant

Nov 13, 2003, 1:20:13 PM
"Vincent Marie" <vin...@nospam.com> wrote in message news:ekt$NugqDH...@TK2MSFTNGP12.phx.gbl...

> Thank you very much,
> However I have another question:
>
> I have a certificate that is intended to
> - Proves your identity to a remote computer
> - Protects e-mail messages
>
> In the certificate properties, I check 'Enable all purposes for this
> certificate'. So I can understand that the CertGetEnhancedKeyUsage() returns
> an empty array. But when I open the certificate using the Certificates
> snap-in, I can see the certificate original intended purposes (Proves your
> identity to a remote computer, Protects e-mail messages) !!
> How does the snap-in do to get these informations ?!?

The "Enable all purposes .." checkbox is really an "Enable all AVAILABLE purposes "
functionality. By AVAILABLE, it means ALL purposes if none are explicitly
specified in the Enhanced Key Usage cert extension.

So, if the certificate contains NO Enhanced Key Usage (which is really used to LIMIT
what the cert should be able to do), then that GUI will show ALL purposes listed.

For a typical Personal cert (used for secure email, and client SSL authentication), the
cert often has NO Enhanced Key Usage specified.
But there are other extensions ... not sure if this determines what the cert shows as
valid usages, but look at the Basic Constraints:

Extension #3: Basic Constraints(2.5.29.19)
Subject Type=End Entity

- Mitch Gallant


Michel Gallant

Nov 13, 2003, 2:07:56 PM
Also, have a look at the CA issuing Enhanced Key Usage.
CryptoAPI propagates that issuer usage down to the issued
client cert, and CryptoAPI enforces that issuer constraint.
- Mitch Gallant

"Vincent Marie" <vin...@nospam.com> wrote in message news:ekt$NugqDH...@TK2MSFTNGP12.phx.gbl...

Ryan M. Hurst

Nov 13, 2003, 5:54:26 PM
Vincent - Are you referring to the Enhanced Key Usages like Client SSL,
S/MIME, etc? If so the CAPICOM.Certificates.ExtendedKeyUsage collection has
this detail in it.

Ryan

"Vincent Marie" <v.m...@bigfoot.com> wrote in message
news:8dc34143.03111...@posting.google.com...

Vincent Marie

Nov 14, 2003, 6:23:06 AM
Thank you very much Michel,

I still have few questions ...

- In the MSDN, Microsoft talks about only two certificate types (CA and End
Entity); can I assume that there are only these two certificate types in the
'real world'?
- If a certificate is an End Entity certificate without key usage or
enhanced key usage, can I assume that the certificate is only intended to
prove identity to a remote computer and protect e-mail messages?
- If a certificate is a CA certificate without any key usage or enhanced key
usage, can I assume that all the purposes (defined in the 'real world') are
available for this certificate?

Thank you very much in advance,
Sorry for boring you,
Regards,
Vincent

"Michel Gallant" <neu...@NOSPAMistar.ca> wrote in message

news:Ob6vjLhq...@TK2MSFTNGP11.phx.gbl...

Michel Gallant

Nov 14, 2003, 12:54:08 PM
"Vincent Marie" <vin...@nospam.com> wrote in message news:uS4uuGqq...@TK2MSFTNGP12.phx.gbl...

> Thank you very much michel,
>
> I still have few questions ...
>
> - If a certificate is an End Entity certificate without key usage or
> enhanced key usage, can I assume that the certificate is only intended to
> proves identity to a remote computer and protects e-mail messages ?


If the certificate does not have any of these extensions, then by itself it
would be valid for ANY usage. However, if the issuing cert has an Enhanced Key
Usage specifier, then this will automatically limit what the issued cert can do.
For example, the VeriSign root CA for issuing Personal S/MIME certs DOES have EKU specified.

> - If a certificate is a CA certificate without any key usage or enhanced key
> usage, can I assume that all the purposes (defined in the 'real world') are
> available for this certificate.

Yes, assuming that the security software does not enforce other limitations, or
that the user doesn't add restrictions (which are CryptoAPI "Extended Properties").

- Michel Gallant
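
The following is an added example, not code from this thread, from CAPICOM or from CryptoAPI. It does in pure Python what the CView.vbs snippet earlier in the thread does through CAPICOM, namely decoding the DER of an Extended Key Usage extension (SEQUENCE OF OBJECT IDENTIFIER) into OIDs, and then applies the rules Michel gives above: no EKU anywhere means every purpose; an EKU that lists purposes limits the cert to those; an issuer's EKU also limits the issued cert (modelled here as an intersection along the chain); and an EKU extended property set by the user restricts further. The certificate data, the friendly-name table and the `ALL` sentinel are this example's own; treating anyExtendedKeyUsage (2.5.29.37.0) as "no limit" is an assumption of the model.

```python
"""Decode an X.509 Extended Key Usage extension and compute the purposes a
certificate is effectively valid for.  Pure Python; sample data constructed
inline, so it runs without Win32 or CAPICOM."""

# Friendly names for a few well-known EKU OIDs (names as the MMC shows them).
FRIENDLY = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
}
ANY_PURPOSE = "2.5.29.37.0"   # anyExtendedKeyUsage: modelled as "no limit" (assumption)
ALL = object()                # sentinel: "valid for every purpose"


def encode_oid(dotted):
    """DER-encode a dotted OID (tag 0x06); arcs after the first two are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # higher groups carry the continuation bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids):
    """DER-encode ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER (short-form length)."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128, "sample EKUs stay below the long-form length threshold"
    return bytes([0x30, len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OID contents octets to dotted form; rejects a dangling arc."""
    arcs, val, pending = [body[0] // 40, body[0] % 40], 0, False
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


def decode_eku(der):
    """Return the list of dotted OIDs in an EKU extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, obody, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(obody))
    return oids


def purposes_from_eku(eku_der):
    """Absent (None) -> every purpose; present but empty -> none; listed -> that set."""
    if eku_der is None:
        return ALL
    oids = set(decode_eku(eku_der))
    return ALL if ANY_PURPOSE in oids else oids


def intersect(a, b):
    if a is ALL:
        return b
    return a if b is ALL else a & b


def effective_purposes(chain_ekus, property_restriction=None):
    """chain_ekus: EKU DER (or None) per cert, leaf first.  property_restriction:
    OIDs set via the CryptoAPI EKU extended property, None = 'enable all purposes'."""
    result = ALL
    for eku in chain_ekus:              # issuer EKU limits the issued cert
        result = intersect(result, purposes_from_eku(eku))
    if property_restriction is not None:
        result = intersect(result, set(property_restriction))
    return result


def friendly(purposes):
    return ["<All purposes>"] if purposes is ALL else sorted(FRIENDLY.get(o, o) for o in purposes)


# Constructed sample: a personal cert (client SSL + S/MIME) under a CA whose EKU also allows code signing.
LEAF_EKU = encode_eku(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"])
ISSUER_EKU = encode_eku(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.3"])

if __name__ == "__main__":
    print("chain:", friendly(effective_purposes([LEAF_EKU, ISSUER_EKU])))
    print("no EKU anywhere:", friendly(effective_purposes([None, None])))
    print("user restricts to email:", friendly(effective_purposes([LEAF_EKU, ISSUER_EKU], {"1.3.6.1.5.5.7.3.4"})))
```

The three cases the thread keeps circling back to fall out of `effective_purposes`: a chain with no EKU at all yields the `ALL` sentinel (what the MMC renders as every purpose), an empty SEQUENCE yields an empty set (valid for nothing), and an issuer EKU or a user-set property narrows the leaf's own list.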


Nilesh Padbidri

Nov 25, 2003, 2:17:20 AM
Hi Vincent,

Sorry for the delayed response. But the APIs do work. I am enclosing
some code; maybe this could help you.

NOTE - The szOID_PKIX_KP_SERVER_AUTH and other macros are defined in the
WINCRYPT.H header file.

******************************************************************************
Code Sample
******************************************************************************

#include <windows.h>
#include <wincrypt.h>
#include <malloc.h>   // _alloca

// g_pCertificateContext: a PCCERT_CONTEXT obtained earlier (e.g. from CertFindCertificateInStore).

// First call with a NULL buffer to learn the required size.
DWORD dwBuffSize = 0;
CertGetEnhancedKeyUsage(g_pCertificateContext, 0, NULL, &dwBuffSize);

// Second call fills the buffer. With dwFlags == 0 the result is the
// intersection of the EKU extension and the EKU extended property.
PCERT_ENHKEY_USAGE pCertEnhUsage = (PCERT_ENHKEY_USAGE)_alloca(dwBuffSize);
CertGetEnhancedKeyUsage(g_pCertificateContext, 0, pCertEnhUsage, &dwBuffSize);

// cUsageIdentifier == 0 means either "no valid uses" or "no EKU at all":
// GetLastError() == CRYPT_E_NOT_FOUND means the latter (valid for all uses).
for (DWORD i = 0; i < pCertEnhUsage->cUsageIdentifier; i++)
{
    // rgpszUsageIdentifier holds ANSI OID strings, so use the A variants.
    if (!lstrcmpA(pCertEnhUsage->rgpszUsageIdentifier[i], szOID_PKIX_KP_SERVER_AUTH))
        OutputDebugStringA("For Remote Server Auth");

} // End of For loop

Hope this helps.

Nilesh Padbidri
