
Find cert if subject key identifier is known


Petar Popara
Dec 25, 2004, 7:55:59 AM

Can I use CertFindCertificateInStore() or some other CAPI func to search
cert store when "subject key identifier" is known?


Petar Popara
Dec 28, 2004, 1:34:03 AM

What is "subject key identifier"?


Sergio Dutra [MS]
Dec 28, 2004, 11:49:02 AM

In response to your other question following this one, the subject key
identifier (SKI) is typically a hash of the public key of the certificate.
The algorithm used for such hashes is typically SHA1 or MD5.

So if you have the SKI, and it's in MD5 format, you can use
CertFindCertificateInStore and specify CERT_FIND_PUBKEY_MD5_HASH for the
dwFindType parameter. However, if the SKI is in any other format - such as
SHA1 - then you need to pretty much enumerate every certificate in the
store, get the SHA1 hash of the certificate's public key and compare it with
the SKI in question. I think you may be able to use CERT_FIND_KEY_IDENTIFIER
with CertFindCertificateInStore instead of the above method, but I haven't
tried it.

However, note that certificate authorities may use some other algorithm to
figure out the SKI. They could use any other algorithm or even include only
a part of a hash instead of the full hash. The only real requirement is that
the SKI matches the corresponding field in the AKI of certificates issued by
that certificate with the specific SKI.

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Petar Popara" <my....@mail.net> wrote in message
news:eDU$wCo6EH...@TK2MSFTNGP10.phx.gbl...

Petar Popara
Dec 29, 2004, 4:33:26 PM

I'd like to try CertFindCertificateInStore() and
CERT_FIND_KEY_IDENTIFIER, but first: how can I get the "subject key identifier"
(SKI) from a (PCCERT_CONTEXT) certificate? Is it the SubjectUniqueId member or
is it an extension? I'd like to get the SKI from some cert and save it, and then
try to find the cert in the MY store, if the SKI is known, using
CertFindCertificateInStore().

Thank you.


Sergio Dutra [MS]
Jan 4, 2005, 11:12:37 AM

The SKI is an extension on the certificate with OID
szOID_SUBJECT_KEY_IDENTIFIER ("2.5.29.14").

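As an added example (not code from this thread, and not CAPI code), here is a portable C stand-in for what the two answers above describe: it walks a DER Extensions SEQUENCE to pull the KeyIdentifier out of extension 2.5.29.14, which is the job CertFindExtension followed by CryptDecodeObject with szOID_SUBJECT_KEY_IDENTIFIER does on Windows, and then performs the byte-for-byte lookup across a small in-memory "store" that CertFindCertificateInStore with CERT_FIND_KEY_IDENTIFIER performs against a real store. The certificate data is constructed: only the extension lists of three certificates are encoded, one with a 20-byte identifier, one with the 8-byte truncated form some CAs use, and one with no SKI at all. The function and type names (der_read, extract_ski, ski_equals, find_cert_by_ski, cert_t) are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded DER TLV. */
typedef struct { uint8_t tag; const uint8_t *val; size_t len; const uint8_t *next; } tlv_t;

/* Read the TLV at p, never past end. Short-form and 1..2 byte long-form lengths only. */
static int der_read(const uint8_t *p, const uint8_t *end, tlv_t *t)
{
    if (p == NULL || end - p < 2) return 0;
    size_t len = p[1];
    const uint8_t *c = p + 2;
    if (len & 0x80) {
        size_t n = len & 0x7F;
        if (n == 0 || n > 2 || (size_t)(end - c) < n) return 0;
        len = 0;
        while (n--) len = (len << 8) | *c++;
    }
    if ((size_t)(end - c) < len) return 0;
    t->tag = p[0]; t->val = c; t->len = len; t->next = c + len;
    return 1;
}

static const uint8_t OID_SKI[] = { 0x55, 0x1D, 0x0E };   /* 2.5.29.14, szOID_SUBJECT_KEY_IDENTIFIER */

/* Find the SKI extension in a DER Extensions SEQUENCE and return its KeyIdentifier bytes.
 * extnValue is an OCTET STRING whose content is itself the DER OCTET STRING KeyIdentifier,
 * which is why the extension's encoded Value (not the CERT_EXTENSION array) must be decoded.
 * Returns the identifier length, or 0 when the extension is absent or malformed. */
size_t extract_ski(const uint8_t *exts, size_t exts_len, const uint8_t **ski_out)
{
    tlv_t seq, ext, oid, v, kid;
    if (!der_read(exts, exts + exts_len, &seq) || seq.tag != 0x30) return 0;
    for (const uint8_t *p = seq.val; p < seq.next; p = ext.next) {
        /* Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING } */
        if (!der_read(p, seq.next, &ext) || ext.tag != 0x30) return 0;
        if (!der_read(ext.val, ext.next, &oid) || oid.tag != 0x06) return 0;
        if (!der_read(oid.next, ext.next, &v)) return 0;
        if (v.tag == 0x01 && !der_read(v.next, ext.next, &v)) return 0;  /* skip "critical" if present */
        if (v.tag != 0x04) return 0;
        if (oid.len != sizeof OID_SKI || memcmp(oid.val, OID_SKI, oid.len) != 0) continue;
        if (!der_read(v.val, v.next, &kid) || kid.tag != 0x04 || kid.len == 0) return 0;
        *ski_out = kid.val;
        return kid.len;
    }
    return 0;
}

/* 1 if the certificate's SKI equals expect byte-for-byte (length included), else 0. */
int ski_equals(const uint8_t *exts, size_t exts_len, const uint8_t *expect, size_t expect_len)
{
    const uint8_t *k = NULL;
    size_t kl = extract_ski(exts, exts_len, &k);
    return kl != 0 && kl == expect_len && memcmp(k, expect, kl) == 0;
}

typedef struct { const char *name; const uint8_t *exts; size_t exts_len; } cert_t;

/* Store lookup by key identifier, the CERT_FIND_KEY_IDENTIFIER idea: compare the stored
 * identifier bytes, never a recomputed hash, because a CA may derive its SKI any way it likes.
 * Returns the index of the first match, or -1. */
int find_cert_by_ski(const cert_t *store, size_t n, const uint8_t *ski, size_t ski_len)
{
    for (size_t i = 0; i < n; i++)
        if (ski_equals(store[i].exts, store[i].exts_len, ski, ski_len)) return (int)i;
    return -1;
}

/* Constructed sample data: only the Extensions part of three certificates is encoded. */
#define KID_A_BYTES 0x3B,0x9F,0x0A,0x6D,0x21,0xE4,0x7C,0x55,0x08,0xC2,0x91,0x1E,0xAF,0x63,0x70,0xD8,0x2F,0x4B,0xB6,0x19
#define KID_B_BYTES 0x4C,0x12,0x88,0x0E,0x5D,0xA3,0x44,0xF1   /* 8-byte truncated form */
const uint8_t KID_A[] = { KID_A_BYTES };
const uint8_t KID_B[] = { KID_B_BYTES };
const uint8_t EXTS_A[] = {                                   /* keyUsage (critical) + SKI */
    0x30,0x2F,
      0x30,0x0E, 0x06,0x03,0x55,0x1D,0x0F, 0x01,0x01,0xFF, 0x04,0x04,0x03,0x02,0x05,0xA0,
      0x30,0x1D, 0x06,0x03,0x55,0x1D,0x0E, 0x04,0x16, 0x04,0x14, KID_A_BYTES };
const uint8_t EXTS_B[] = {                                   /* SKI only, 8-byte identifier */
    0x30,0x13, 0x30,0x11, 0x06,0x03,0x55,0x1D,0x0E, 0x04,0x0A, 0x04,0x08, KID_B_BYTES };
const uint8_t EXTS_C[] = {                                   /* keyUsage only: no SKI */
    0x30,0x10, 0x30,0x0E, 0x06,0x03,0x55,0x1D,0x0F, 0x01,0x01,0xFF, 0x04,0x04,0x03,0x02,0x05,0xA0 };
const cert_t STORE[] = { {"certA", EXTS_A, sizeof EXTS_A}, {"certB", EXTS_B, sizeof EXTS_B}, {"certC", EXTS_C, sizeof EXTS_C} };
const size_t STORE_LEN = sizeof STORE / sizeof STORE[0];

int main(void)
{
    for (size_t i = 0; i < STORE_LEN; i++) {
        const uint8_t *k = NULL;
        size_t kl = extract_ski(STORE[i].exts, STORE[i].exts_len, &k);
        printf("%s SKI: ", STORE[i].name);
        if (kl == 0) printf("(none)");
        for (size_t j = 0; j < kl; j++) printf("%02x", k[j]);
        printf("\n");
    }
    printf("lookup KID_B -> index %d\n", find_cert_by_ski(STORE, STORE_LEN, KID_B, sizeof KID_B));
    return 0;
}
```

The lookup deliberately compares the identifier bytes rather than hashing the public key, which is the caveat in the first answer: the SKI is usually a SHA-1 of the key, but the only thing a relying party may assume is that it equals the keyIdentifier an issued certificate carries in its AKI, so a lookup keyed on a recomputed hash would miss CAs that truncate or use another algorithm. A lookup with the wrong length (for example the first 8 bytes of a 20-byte identifier) correctly returns -1 here.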

Petar Popara
Jan 5, 2005, 7:15:04 AM

Should I use CryptEncodeObject() or CryptDecodeObject() to extract
szOID_SUBJECT_KEY_IDENTIFIER from the cert? I've tried both and I always got
cbNameDecoded to be 0. Here is my code:

#include <windows.h>
#include <wincrypt.h>

#define MY_ENCODING_TYPE (X509_ASN_ENCODING | PKCS_7_ASN_ENCODING)

// CryptDecodeObject needs the DER-encoded value of the SKI extension itself,
// not the array of CERT_EXTENSION structures, so locate that extension first.
PCERT_EXTENSION pExt = CertFindExtension(szOID_SUBJECT_KEY_IDENTIFIER,
pCert->pCertInfo->cExtension,
pCert->pCertInfo->rgExtension);

if (!pExt)
{
//error: certificate has no Subject Key Identifier extension
}

// szOID_SUBJECT_KEY_IDENTIFIER decodes to a CRYPT_DATA_BLOB holding the raw
// key identifier bytes; the first call only sizes the buffer.
DWORD cbNameDecoded = 0;
CRYPT_DATA_BLOB* pbNameDecoded = NULL;

if (!CryptDecodeObject(MY_ENCODING_TYPE,
szOID_SUBJECT_KEY_IDENTIFIER,
pExt->Value.pbData,
pExt->Value.cbData,
0,
NULL,
&cbNameDecoded))
{
//error
}

if (cbNameDecoded < 1)
{
//error
}

pbNameDecoded = (CRYPT_DATA_BLOB*) new BYTE[cbNameDecoded];

if (!CryptDecodeObject(MY_ENCODING_TYPE,
szOID_SUBJECT_KEY_IDENTIFIER,
pExt->Value.pbData,
pExt->Value.cbData,
0,
pbNameDecoded,
&cbNameDecoded))
{
//error
}

// pbNameDecoded->pbData / pbNameDecoded->cbData now hold the SKI bytes; that
// blob (as a CRYPT_HASH_BLOB) is what CertFindCertificateInStore takes for
// CERT_FIND_KEY_IDENTIFIER.


Petar Popara
Jan 11, 2005, 6:10:25 AM

I have found a solution.

