
AT_KEYEXCHANGE vs. AT_SIGNATURE


Miki Peric

Jul 10, 2004, 9:08:49 AM

How can I know if my key is of AT_SIGNATURE type or AT_KEYEXCHANGE? When
I double-click my certificate in Windows Explorer and the certificate details
show up, where can I see it?


tlviewer

Jul 10, 2004, 2:28:40 PM

"Miki Peric" <bl...@ccc.com> wrote in message news:ePIjK8nZ...@TK2MSFTNGP11.phx.gbl...

>
> How can I know if my key is of AT_SIGNATURE type or AT_KEYEXCHANGE? When
> I double-click my certificate in Windows Explorer and the certificate details
> show up, where can I see it?
>
>
This property of the private key is called KeySpec.
When you import a P12 or Pfx certificate which contains
a private key, the import manager will always mark
the KeySpec as AT_KEYEXCHANGE (in my experience with
Win95 and Win2k).

You can verify this with Capicom:

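'/* begin KeySpecCheck.vbs */

' CAPICOM constants are not predefined in a plain .vbs file, so declare them
Const CAPICOM_CURRENT_USER_STORE = 2
Const CAPICOM_MY_STORE = "My"
Const CAPICOM_STORE_OPEN_READ_ONLY = 0
Const CAPICOM_KEY_SPEC_KEYEXCHANGE = 1

' open the current user's personal ("My") store read-only
set oStore = createobject("CAPICOM.Store")
oStore.open CAPICOM_CURRENT_USER_STORE, _
    CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY

' show the certificate selection dialog (its return value is discarded here)
oStore.Certificates.select()

' take the first certificate in the store
set ct = oStore.Certificates(1)

if ct.PrivateKey.KeySpec = CAPICOM_KEY_SPEC_KEYEXCHANGE then
    wscript.echo "keyspec=AT_KEYEXCHANGE"
else
    wscript.echo "keyspec=AT_SIGNATURE"
end if
' /* end VBS */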

hth,
tlviewer

tlviewer

Jul 10, 2004, 2:39:33 PM
(script correction below)
"tlviewer" <tlview...@yahoo.CHENEY.com> wrote in message news:#TlyCvqZ...@TK2MSFTNGP12.phx.gbl...

"Miki Peric" <bl...@ccc.com> wrote in message news:ePIjK8nZ...@TK2MSFTNGP11.phx.gbl...
>
> How can I know if my key is of AT_SIGNATURE type or AT_KEYEXCHANGE? When
> I double-click my certificate in Windows Explorer and the certificate details
> show up, where can I see it?
>
>
This property of the private key is called KeySpec.
When you import a P12 or Pfx certificate which contains
a private key, the import manager will always mark
the KeySpec as AT_KEYEXCHANGE (in my experience with
Win95 and Win2k).

You can verify this with Capicom:

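'/* begin KeySpecCheck.vbs */
' CAPICOM constants are not predefined in a plain .vbs file, so declare them
Const CAPICOM_CURRENT_USER_STORE = 2, CAPICOM_MY_STORE = "My"
Const CAPICOM_STORE_OPEN_READ_ONLY = 0, CAPICOM_KEY_SPEC_KEYEXCHANGE = 1
set oStore = createobject("CAPICOM.Store")
oStore.open CAPICOM_CURRENT_USER_STORE, _
    CAPICOM_MY_STORE, CAPICOM_STORE_OPEN_READ_ONLY
' corrected line: use the certificate chosen in the selection dialog
set ct = oStore.Certificates.select().item(1)
if ct.PrivateKey.KeySpec = CAPICOM_KEY_SPEC_KEYEXCHANGE then
    wscript.echo "keyspec=AT_KEYEXCHANGE"
else
    wscript.echo "keyspec=AT_SIGNATURE"
end if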

Michel Gallant

Jul 10, 2004, 4:08:52 PM
Miki,

The standard certificate panel for viewing cert-store certs does not display the
associated keycontainer keytype or keycontainer name, if there is an associated
private key (although it COULD have been designed that way). In fact, you can
use the MS tool "signcode.exe" and in the "custom" pane, you will be able to
see exactly the keyspec and keycontainer names.

Here is a web-based tool which displays all certs in all stores for CU and
shows the cert keycontainer names, keysize, and keyspec:
http://www.jensign.com/JavaScience/KeyContainerTool
(requires MS JVM and CAPICOM 2.0.0.3).
Alternatively, here is a somewhat different .NET tool, which allows you to
export public or (unencrypted) privatekeyblobs from similar stores:
http://www.jensign.com/JavaScience/dotnet/keypal

The basic CryptoAPI functionality is available via:
CertGetCertificateContextProperty() with CERT_KEY_PROV_INFO_PROP_ID
which returns a CRYPT_KEY_PROV_INFO struct (assuming the cert has an associated
private key) containing a keyspec member.

- Mitch Gallant
MVP Security

"Miki Peric" <bl...@ccc.com> wrote in message news:ePIjK8nZ...@TK2MSFTNGP11.phx.gbl...
>
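
The CryptoAPI lookup described in the reply above, as an added example that is not part of the original thread: a PowerShell script that calls CertGetCertificateContextProperty() with CERT_KEY_PROV_INFO_PROP_ID for each certificate in the current user's MY store and reports the keyspec member of the returned CRYPT_KEY_PROV_INFO. The wrapper type `Demo.Crypt32` and the function `Get-CertKeySpec` are hypothetical names chosen for this example; it assumes Windows PowerShell on a machine with crypt32.dll.

```powershell
# Added example: Demo.Crypt32 and Get-CertKeySpec are hypothetical names.
Add-Type -Namespace Demo -Name Crypt32 -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct CRYPT_KEY_PROV_INFO {
    public string pwszContainerName;
    public string pwszProvName;
    public uint   dwProvType;
    public uint   dwFlags;
    public uint   cProvParam;
    public IntPtr rgProvParam;
    public uint   dwKeySpec;
}
[DllImport("crypt32.dll", SetLastError = true)]
public static extern bool CertGetCertificateContextProperty(
    IntPtr pCertContext, uint dwPropId, IntPtr pvData, ref uint pcbData);
'@

$CERT_KEY_PROV_INFO_PROP_ID = 2   # value from wincrypt.h

function Get-CertKeySpec {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $marshal = [System.Runtime.InteropServices.Marshal]
    $ctx = $Cert.Handle
    $id  = $CERT_KEY_PROV_INFO_PROP_ID
    [uint32]$size = 0
    # First call asks for the buffer size; it fails when the certificate
    # has no key provider info (no associated private key).
    if (-not [Demo.Crypt32]::CertGetCertificateContextProperty($ctx, $id, [IntPtr]::Zero, [ref]$size)) { return }
    $buf = $marshal::AllocHGlobal([int]$size)
    try {
        if (-not [Demo.Crypt32]::CertGetCertificateContextProperty($ctx, $id, $buf, [ref]$size)) { return }
        $info = $marshal::PtrToStructure($buf, [type][Demo.Crypt32+CRYPT_KEY_PROV_INFO])
        # AT_KEYEXCHANGE = 1, AT_SIGNATURE = 2; anything else is reported raw
        $name = switch ($info.dwKeySpec) {
            1       { 'AT_KEYEXCHANGE' }
            2       { 'AT_SIGNATURE' }
            default { "other ($($info.dwKeySpec))" }
        }
        [pscustomobject]@{ Subject = $Cert.Subject; Container = $info.pwszContainerName
                           Provider = $info.pwszProvName; KeySpec = $name }
    } finally {
        $marshal::FreeHGlobal($buf)   # always release the unmanaged buffer
    }
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Get-CertKeySpec $_ } | Format-List
```

Certificates without an associated private key produce no output, since the property is absent for them.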
