key usage, enhanced key usage, and EFS certs
From: Sam Wilson [Bentley] (sam.wilson_at_bentley.com)
Date: 05/19/04
- Previous message: David Cross [MS]: "Re: Authenticode Timestamp Protocol"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 19 May 2004 10:08:16 -0400
I want to identify the certificates in a store that represent keys that
can be used for key encipherment (not just for SSL but also for other
encryption purposes). To do that, I check for certificates that meet the
following requirements:
1) The stored key must have keyspec = AT_KEYEXCHANGE.
That is, calling CertGetCertificateContextProperty on the "original"
certificate must yield a CRYPT_KEY_PROV_INFO with this keyspec. Many
certs have no keyusage extensions. This is the only distinguishing mark
they have.
2) There must be no key usage restriction.
That is, CertGetIntendedKeyUsage must either return FALSE or must return
a usage in which CERT_KEY_ENCIPHERMENT_KEY_USAGE is set. As stated in
the docs, "If no key usage is specified, the certificate can be used for
any purpose." (source: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/resources/documentation/windowsServ/2003/all/techref/en-us/w2k3tr_certs_how.asp)
In my experience, the key usage extension is rarely added to a
certificate.
Am I right so far?
Here's the problem:
******************************************************
*** GOTCHA: Watch out for Windows EFS Certificates! ***
******************************************************
If you initialize Windows Encrypting File System (EFS), you will get a
self-issued certificate in your personal store with keyspec=1 and no key
usage restriction. That is, the EFS certificate will pass both of the
tests listed above. But, I have found out the hard way that you cannot
use the public/private keypair issued for an EFS certificate to do key
encipherment in CryptExportKey (not that I want to).
The only distinguishing mark on the EFS certificate is a non-critical
Enhanced Key Usage (EKU) extension of 1.3.6.1.4.1.311.10.3.4
(szOID_KP_EFS). So, it seems that the only way I can screen out an EFS
certificate is to look for this EKU. That just doesn't seem right! There
are lots of strange EKUs out there -- do I have to look for all of
them?!
Thanks in advance for your advice.
Sam
-------------------------------------------------
Samuel W. Wilson
Bentley Systems, Inc.
sam.wilson@bentley.com
www.bentley.com
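The three screens described in the post (keyspec must be AT_KEYEXCHANGE, the Key Usage extension must be absent or include key encipherment, and the EFS EKU 1.3.6.1.4.1.311.10.3.4 disqualifies the certificate) can be applied from PowerShell without touching CryptoApi directly. The script below is an added example, not code from the original post; it reads the current user's personal store via the .NET X509 classes and reports which test each certificate fails. It assumes Windows PowerShell 5.1 with CSP-backed RSA keys, where `$cert.PrivateKey` is an `RSACryptoServiceProvider` whose `CspKeyContainerInfo.KeyNumber` exposes the keyspec (`Exchange` = AT_KEYEXCHANGE = 1, `Signature` = AT_SIGNATURE = 2); CNG-backed keys do not expose a keyspec this way and are reported as such. The function name `Test-KeyEnciphermentCandidate` is the example's own.

```powershell
# Added example (not from the original post). Applies the poster's three
# screens to every certificate with a private key in Cert:\CurrentUser\My.
# Assumption: CSP-backed RSA keys so CspKeyContainerInfo is available;
# CNG keys are reported as 'n/a' for the keyspec test.

$EfsOid = '1.3.6.1.4.1.311.10.3.4'   # szOID_KP_EFS, as given in the post

function Test-KeyEnciphermentCandidate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $reasons = @()

    # Test 1: keyspec must be AT_KEYEXCHANGE (KeyNumber.Exchange == 1).
    $keySpec = 'unknown'
    try {
        $priv = $Cert.PrivateKey
        if ($priv -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $keySpec = $priv.CspKeyContainerInfo.KeyNumber   # Exchange or Signature
            if ($keySpec -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
                $reasons += "keyspec is $keySpec, not AT_KEYEXCHANGE"
            }
        } else {
            $keySpec = 'n/a (CNG key or no CSP private key)'
            $reasons += 'no CSP private key to inspect'
        }
    } catch {
        $reasons += "private key not accessible: $($_.Exception.Message)"
    }

    # Test 2: no Key Usage extension at all, or one that includes KeyEncipherment.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku -and -not ($ku.KeyUsages -band
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)) {
        $reasons += "KeyUsage '$($ku.KeyUsages)' lacks KeyEncipherment"
    }

    # Test 3 (the gotcha from the post): an EFS EKU marks a key that passes
    # tests 1 and 2 but is not a general-purpose exchange key.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $isEfs = $false
    if ($eku) {
        $isEfs = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $EfsOid })
        if ($isEfs) { $reasons += 'EFS EKU present (szOID_KP_EFS)' }
    }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        KeySpec    = $keySpec
        KeyUsage   = if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' }
        IsEfs      = $isEfs
        Candidate  = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Read-only enumeration: nothing in the store is modified.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-KeyEnciphermentCandidate -Cert $_ } |
    Format-Table Subject, KeySpec, KeyUsage, IsEfs, Candidate, Reasons -AutoSize
```

Running this on a machine where EFS has been initialized shows the behaviour the post describes: the self-issued EFS certificate passes the keyspec and Key Usage tests and is excluded only by the EKU check, so a selection routine that ignores EKUs will offer it as an encipherment key.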