After looking into szOID_ENHANCED_KEY_USAGE
according to srbob's answer I managed to change the key usage field.
Here is the (simplified) code I'm using to create the extensions on the certificate, i.e. to prepare the pExtensions parameter of the CertCreateSelfSignCertificate call:
// Builds the CERT_EXTENSIONS value passed as pExtensions to
// CertCreateSelfSignCertificate: one key-usage-restriction extension and one
// enhanced-key-usage (EKU) extension, both marked critical.
// EncodeObject and elemsof are helpers that are not shown here; EncodeObject
// presumably wraps CryptEncodeObject and returns a byte container (it is used
// through .size() and .data()) -- confirm against its definition.

// Key-usage bits requested for the certificate: data encipherment + digital signature.
BYTE key_usage_value = CERT_DATA_ENCIPHERMENT_KEY_USAGE |
CERT_DIGITAL_SIGNATURE_KEY_USAGE;
// No certificate policy IDs (0, NULL); only the restricted key-usage bit blob is set.
CERT_KEY_USAGE_RESTRICTION_INFO key_usage = {
0, NULL,
{ sizeof(key_usage_value), &key_usage_value }
};
// NOTE(review): szOID_KEY_USAGE_RESTRICTION (2.5.29.4) is the older
// "key usage restriction" extension. The key usage extension defined by
// RFC 5280 is szOID_KEY_USAGE (2.5.29.15), which is encoded from a
// CRYPT_BIT_BLOB rather than a CERT_KEY_USAGE_RESTRICTION_INFO. Check which
// of the two the relying parties actually evaluate.
auto key_usage_data = EncodeObject(szOID_KEY_USAGE_RESTRICTION, &key_usage);
// EKU list with a single purpose: document signing. Verifiers that enforce
// EKU will accept the certificate only for the purposes listed here.
LPSTR enh_usage_value[] = { szOID_KP_DOCUMENT_SIGNING };
CERT_ENHKEY_USAGE enh_usage = {
elemsof(enh_usage_value),
enh_usage_value
};
auto enh_usage_data = EncodeObject(szOID_ENHANCED_KEY_USAGE, &enh_usage);
// Each entry is { OID, fCritical, encoded value }. The entries store raw
// pointers into key_usage_data / enh_usage_data, so both buffers must stay
// alive until CertCreateSelfSignCertificate has returned.
// NOTE(review): both extensions are flagged critical (TRUE). A validator that
// does not recognise a critical extension is required to reject the
// certificate, so marking the older 2.5.29.4 extension critical may cause
// rejections outside CryptoAPI -- verify with the intended consumers.
CERT_EXTENSION extension[] = {
{ szOID_KEY_USAGE_RESTRICTION, TRUE, {
key_usage_data.size(), key_usage_data.data() } },
{ szOID_ENHANCED_KEY_USAGE, TRUE, {
enh_usage_data.size(), enh_usage_data.data() } },
};
// Count + pointer wrapper that is handed to CertCreateSelfSignCertificate.
CERT_EXTENSIONS extensions = {
elemsof(extension),
extension
};
Note that the code above still adds the szOID_KEY_USAGE_RESTRICTION
extension as well.