Question

I'm creating a self-signed certificate using CertCreateSelfSignCertificate. This works and I can encrypt/sign/decrypt/verify data with it.

I would like to limit the intended purposes of the certificate, but I always end up with a certificate that has "<All>" intended purposes enabled. This is the code I'm using to prepare the pExtensions parameter to the CertCreateSelfSignCertificate call:

// Key usage bits; CryptoAPI's CERT_*_KEY_USAGE flags already follow the
// X.509 KeyUsage bit order.
BYTE key_usage_value = CERT_DATA_ENCIPHERMENT_KEY_USAGE | 
    CERT_DIGITAL_SIGNATURE_KEY_USAGE;
CERT_KEY_USAGE_RESTRICTION_INFO key_usage = {
    0, NULL,                                        // no certificate policies
    { sizeof(key_usage_value), &key_usage_value }   // RestrictedKeyUsage bit blob
};

auto key_usage_data = EncodeObject(szOID_KEY_USAGE_RESTRICTION, &key_usage);

// Extension marked critical; cbData is a DWORD, so cast the vector size.
CERT_EXTENSION extension[] = {
    { szOID_KEY_USAGE_RESTRICTION, TRUE, { 
        static_cast<DWORD>(key_usage_data.size()), key_usage_data.data() 
    } }
};

CERT_EXTENSIONS extensions = {
    elemsof(extension),
    extension
};

EncodeObject simply calls CryptEncodeObject and returns the result as a std::vector.

I have not found much documentation on this so I'm not actually sure this is what I'm supposed to do. Can anyone point out to me what I'm doing wrong?


Solution

I guess the Extended Key Usage of your certificate is being built empty, which means that all purposes are allowed. If you want to limit those, you will need to define them, including the specific OIDs of each one. For instance, a certificate capable only of:

Smartcard logon, Digital Signature and Non-Repudiation

will have the Extended Key Usage field filled with

1.3.6.1.4.1.311.20.2.2
2.5.29.37.3
2.5.29.37

Hope it helps

Other tips

After looking into szOID_ENHANCED_KEY_USAGE according to srbob's answer, I managed to change the key usage field.

Here is the (simplified) code I'm using to create the extensions on the certificate; again, this is the code I'm using to prepare the pExtensions parameter of the CertCreateSelfSignCertificate call:

// Key usage bits (same flag byte as before); CryptoAPI's CERT_*_KEY_USAGE
// values already follow the X.509 KeyUsage bit order.
BYTE key_usage_value = CERT_DATA_ENCIPHERMENT_KEY_USAGE |
       CERT_DIGITAL_SIGNATURE_KEY_USAGE;
CERT_KEY_USAGE_RESTRICTION_INFO key_usage = {
    0, NULL,                                        // no certificate policies
    { sizeof(key_usage_value), &key_usage_value }   // RestrictedKeyUsage bit blob
};
auto key_usage_data = EncodeObject(szOID_KEY_USAGE_RESTRICTION, &key_usage);

// Enhanced (extended) key usage: the list of purpose OIDs that the
// certificate viewer shows as "Intended purposes".
LPSTR enh_usage_value[] = { szOID_KP_DOCUMENT_SIGNING };   // "1.3.6.1.4.1.311.10.3.12"
CERT_ENHKEY_USAGE enh_usage = {
    elemsof(enh_usage_value),                       // cUsageIdentifier
    enh_usage_value                                 // rgpszUsageIdentifier
};
auto enh_usage_data = EncodeObject(szOID_ENHANCED_KEY_USAGE, &enh_usage);

// Both extensions marked critical; cbData is a DWORD, so cast the vector size.
CERT_EXTENSION extension[] = {
    { szOID_KEY_USAGE_RESTRICTION, TRUE, { 
        static_cast<DWORD>(key_usage_data.size()), key_usage_data.data() } },
    { szOID_ENHANCED_KEY_USAGE, TRUE, { 
        static_cast<DWORD>(enh_usage_data.size()), enh_usage_data.data() } },
};

CERT_EXTENSIONS extensions = {
    elemsof(extension),
    extension
};

Note that the code above still adds the szOID_KEY_USAGE_RESTRICTION extension as well.
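Added example, not code from the question or from either answer: a small C++ DER encoder and decoder for the two extension bodies this thread is about, so the bytes handed to CertCreateSelfSignCertificate through pExtensions (or read back from the issued certificate) can be checked without CryptoAPI. It assumes only the OID string values from wincrypt.h (szOID_ENHANCED_KEY_USAGE is "2.5.29.37", szOID_KP_DOCUMENT_SIGNING is "1.3.6.1.4.1.311.10.3.12", and szOID_KEY_USAGE_RESTRICTION is "2.5.29.4", the obsolete pre-RFC 5280 form of the "2.5.29.15" Key Usage extension that szOID_KEY_USAGE names); every function name is this example's own. The check a reviewer wants is decodeEnhancedKeyUsage: an EKU body with no OIDs restricts nothing, which matches the answer's explanation of the "<All>" display.

```cpp
// Added example (not from the question or the answers): a stand-alone DER encoder and
// decoder for the Key Usage and Extended Key Usage extension bodies discussed above.
// Plain C++11 with no CryptoAPI; every function name here is this example's own.
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

using Bytes = std::vector<uint8_t>;

// DER length octets: short form below 128, long form otherwise.
static Bytes derLength(size_t n) {
    if (n < 0x80) return Bytes{static_cast<uint8_t>(n)};
    Bytes out;
    for (size_t v = n; v != 0; v >>= 8) out.insert(out.begin(), static_cast<uint8_t>(v & 0xFF));
    out.insert(out.begin(), static_cast<uint8_t>(0x80 | out.size()));
    return out;
}
// Tag, length, content.
static Bytes derTlv(uint8_t tag, const Bytes& content) {
    Bytes out{tag}, len = derLength(content.size());
    out.insert(out.end(), len.begin(), len.end());
    out.insert(out.end(), content.begin(), content.end());
    return out;
}
// OBJECT IDENTIFIER from dotted form: "2.5.29.37" -> 06 03 55 1D 25.
Bytes encodeOid(const std::string& dotted) {
    std::vector<uint32_t> arcs;
    std::stringstream ss(dotted);
    for (std::string part; std::getline(ss, part, '.');) arcs.push_back(static_cast<uint32_t>(std::stoul(part)));
    if (arcs.size() < 2) throw std::invalid_argument("OID needs at least two arcs");
    Bytes content;
    auto pushArc = [&content](uint32_t v) {   // base 128, high bit set on every octet but the last
        uint8_t buf[5]; int n = 0;
        do { buf[n++] = static_cast<uint8_t>(v & 0x7F); v >>= 7; } while (v);
        while (n > 0) { --n; content.push_back(static_cast<uint8_t>(buf[n] | (n ? 0x80 : 0))); }
    };
    pushArc(arcs[0] * 40 + arcs[1]);          // the first two arcs share one value
    for (size_t i = 2; i < arcs.size(); ++i) pushArc(arcs[i]);
    return derTlv(0x06, content);
}
// Key Usage BIT STRING. CryptoAPI's CERT_*_KEY_USAGE flags already use the X.509
// bit order (digitalSignature = 0x80, dataEncipherment = 0x10), so the flag byte is
// the bit string itself; DER requires the unused-bit count to be minimal.
Bytes encodeKeyUsage(uint8_t flags) {
    uint8_t unused = 0;
    while (flags != 0 && (flags & (1u << unused)) == 0) ++unused;
    Bytes content{unused};
    if (flags != 0) content.push_back(flags);
    return derTlv(0x03, content);
}
// Extended Key Usage: SEQUENCE OF OBJECT IDENTIFIER.
Bytes encodeEnhancedKeyUsage(const std::vector<std::string>& oids) {
    Bytes content;
    for (const auto& o : oids) { Bytes e = encodeOid(o); content.insert(content.end(), e.begin(), e.end()); }
    return derTlv(0x30, content);
}
static size_t readLength(const Bytes& b, size_t& pos) {
    uint8_t first = b.at(pos++);
    if (first < 0x80) return first;
    size_t len = 0;
    for (int i = 0; i < (first & 0x7F); ++i) len = (len << 8) | b.at(pos++);
    return len;
}
std::string decodeOid(const Bytes& content) {
    std::string out; uint32_t v = 0; bool first = true;
    for (uint8_t c : content) {
        v = (v << 7) | (c & 0x7F);
        if (c & 0x80) continue;               // continuation octet
        if (first) { uint32_t a = v < 80 ? v / 40 : 2; out = std::to_string(a) + "." + std::to_string(v - a * 40); first = false; }
        else out += "." + std::to_string(v);
        v = 0;
    }
    return out;
}
// Lists the purposes in an EKU body. An empty list restricts nothing, which is what
// the "<All>" display in the question corresponds to.
std::vector<std::string> decodeEnhancedKeyUsage(const Bytes& der) {
    size_t pos = 0;
    if (der.at(pos++) != 0x30) throw std::invalid_argument("expected SEQUENCE");
    size_t seqLen = readLength(der, pos), end = pos + seqLen;
    if (end > der.size()) throw std::invalid_argument("SEQUENCE is truncated");
    std::vector<std::string> oids;
    while (pos < end) {
        if (der.at(pos++) != 0x06) throw std::invalid_argument("expected OID");
        size_t len = readLength(der, pos);
        if (pos + len > end) throw std::invalid_argument("OID overruns SEQUENCE");
        oids.push_back(decodeOid(Bytes(der.begin() + pos, der.begin() + pos + len)));
        pos += len;
    }
    return oids;
}
std::string toHex(const Bytes& b) {
    std::string s;
    for (uint8_t c : b) { s += "0123456789ABCDEF"[c >> 4]; s += "0123456789ABCDEF"[c & 0xF]; }
    return s;
}
```

Any C++11 compiler builds this. For the flags used in the question, toHex(encodeKeyUsage(0x80 | 0x10)) is 03020490, and the one-OID document-signing EKU is 300C060A2B0601040182370A030C; the EKU bytes should match what EncodeObject(szOID_ENHANCED_KEY_USAGE, ...) returns byte for byte, and the bit string should match the body produced for szOID_KEY_USAGE (the szOID_KEY_USAGE_RESTRICTION body wraps that same BIT STRING in a SEQUENCE together with the policy list, so compare the inner BIT STRING there). Running decodeEnhancedKeyUsage over the extension read back from the issued certificate is the direct way to confirm that only the intended purposes are listed.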

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow