Because the attributes mentioned are only meaningful if covered by the
digital signature on the certificate, they cannot change in any format
conversion that keeps the certificate valid.
The true format of certificates is binary BER encoded X.509.
A .cer file is simply that structure directly.
A P7b/PKCS#7 file is really a digitally signed message with zero or more
attached signatures to help the recipient check the signature. Each
certificate is the same X.509 BER structure, just placed inside a list
(SEQUENCE) inside a PKCS#7 structure (which is also BER encoded, just
like the certificate). When using a P7b file to transport certificates,
the message and signature fields are just left blank.
A P12/PFX/PKCS#12 file is an encrypted file which stores various
certificates (the same X.509 BER structure as before), various
private keys and hints on where these items should be imported
into CryptoAPI and/or the old Netscape browser.
So whatever the format, after loading and unpacking, you are left
with an X.509 structure which contains a few mandatory fields
(such as Subject, Issuer, Public Key, Private Key, Serial Number)
and a lot of optional fields. One of those optional fields is a
list of "authenticated attributes". Each entry in that list has
a "type OID", a "critical" flag and some data. The entries may
be found in any order; your code needs to work whatever entry
comes first, and needs to ignore any entry whose "type OID"
you don't understand.
The optional "CA" occurs in this list as an entry with the "CA"
OID and a TRUE/FALSE value. So CA may be "not there", TRUE
or FALSE.
The optional "Key Usage" also occurs in this list as an entry
with the "Key Usage" OID and a value which is a list of OIDs
(one for each usage). So Key Usage may be "not there",
"there" with the "certificate sign" OID listed in its value,
or "there" without the "certificate sign" OID in its value.
I don't remember the function names to look at the
"authenticated attribute" list in OpenSSL and/or CryptoAPI,
but there should be functions that will let you check if the
list is there at all, and if so loop over all the entries, looking
at each to see if it is one you care about today.
On 29-09-2011 17:33, Harshvir Sidhu wrote:
Thanks Jakob.
Is this key usage only available in P7b format? When I tried this on
CER and P12 format then it's not working on them; Crypt API is not able
to read extended information about Key Usage. Is the process format
specific? I am trying to use CertFindExtension API for this.
// Harshvir
On Thu, Sep 29, 2011 at 9:42 AM, Jakob Bohm <jb-open...@wisemo.com> wrote:
You forgot to also check the Key Usage attribute

IF (CA: TRUE OR Key Usage: Certificate Sign)
    If Self Signed
        ROOT
    Else
        Intermediary
Else
    If Self Signed
        Toy certificate
    Else
        End use (server / person / company / etc.)
On 9/29/2011 3:39 PM, Harshvir Sidhu wrote:
Hey,
I tried using this method; following is the flow.

IF CA: TRUE
    If Self Signed
        ROOT
    else
        Intermediate
else
    Personal

When I try parsing the PKCS7 (.p7b) files, then for
Intermediate CA Certificates I get that it's a personal certificate?
Is there something different that I need to do for p7b file
format?
Thanks.
// Harshvir
On Fri, Sep 16, 2011 at 2:33 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/2011 9:02 PM, Harshvir Sidhu wrote:
I already tried this command, but it's not giving any
information showing whether it's a root certificate or a
client certificate.
- Harshvir
On Fri, Sep 16, 2011 at 1:53 PM, Jakob Bohm <jb-open...@wisemo.com> wrote:
On 9/16/2011 7:58 PM, Harshvir Sidhu wrote:
Hi,
In openssl is there some method using which I can find
whether the certificate in a file is a Client Certificate or a
CA/Root Certificate?
- H S
Try the following command, and look for the CA property and
also see if the certificate lists itself or someone else as
issuer:

openssl x509 -in somecert.cer -noout -text >somecert.txt

(somecert.txt will then contain a nice human readable printout of
the certificate)

Look for the following three things in somecert.txt:

1. Look at the "Issuer:" and "Subject:" lines.
If they are identical, this is a self-signed certificate and thus
either a CA root or a useless test certificate.
If they are different this is either an end certificate (client
or server) or an intermediary CA.

2. Look under "X509v3 extensions:" for "X509v3 Basic Constraints:".
If it is there and the next line says "CA:TRUE", it is a CA.
If it is there and the next line says "CA:FALSE", it is
an end certificate (client or server).
If it is not there, and the next item below is not there either,
it is an end certificate (client or server).

3. Look under "X509v3 extensions:" for "X509v3 Key Usage:".
If it is there and the next line includes the phrase
"Certificate Sign", it is a CA.
If it is there and the next line does not include the phrase
"Certificate Sign", it is an end certificate (client or server).
If it is not there, and the item above is not there either,
it is an end certificate (client or server).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
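The checklist from the Sep 16 reply (self-signed? CA:TRUE? "Certificate Sign"?), the Sep 29 decision tree, and the unpacking of .p7b and .p12 containers that Harshvir asked about, as one added script. This is an example written for this page, not code from the thread or from the OpenSSL project. It assumes only the openssl CLI (1.1.1 or later; every subcommand and flag used is a stock one) and builds its own constructed test PKI (root, intermediate, leaf, and a self-signed leaf) so it runs offline; the names, the "test" PKCS#12 password and the p7_/p12_ file prefixes are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): classify a certificate
# as ROOT / INTERMEDIATE / END_ENTITY / TOY with the thread's checklist and
# read the same X.509 structure out of .crt, .cer (DER), .p7b and .p12 files.
# All certificates below are constructed test data.
set -eu

# -text dump of the certificate in $1, accepting PEM or DER (.cer) input.
cert_text() {
    openssl x509 -in "$1" -noout -text 2>/dev/null ||
        openssl x509 -in "$1" -inform DER -noout -text
}

# Print ROOT, INTERMEDIATE, END_ENTITY or TOY for the certificate file $1.
# Extensions are picked out by name, so their order in the certificate and
# any extension this code does not know about make no difference.
classify_cert() {
    txt=$(cert_text "$1")
    subj=$(printf '%s\n' "$txt" | sed -n 's/^ *Subject: //p')
    iss=$(printf '%s\n' "$txt" | sed -n 's/^ *Issuer: //p')
    bc=$(printf '%s\n' "$txt" | sed -n '/X509v3 Basic Constraints/{n;p;}')
    ku=$(printf '%s\n' "$txt" | sed -n '/X509v3 Key Usage/{n;p;}')
    is_ca=no
    case "$bc" in *CA:TRUE*) is_ca=yes ;; esac
    case "$ku" in *"Certificate Sign"*) is_ca=yes ;; esac
    # Self-signed test as in the thread: Subject and Issuer names identical.
    if [ "$subj" = "$iss" ]; then self=yes; else self=no; fi
    if [ $is_ca = yes ]; then
        if [ $self = yes ]; then echo ROOT; else echo INTERMEDIATE; fi
    else
        if [ $self = yes ]; then echo TOY; else echo END_ENTITY; fi
    fi
}

# Write each PEM certificate found in $1 to "$2<n>.crt" (n = 1, 2, ...).
split_pem_certs() {
    awk -v p="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = p n ".crt"; on = 1 }
                   on { print > f }
                   /-----END CERTIFICATE-----/ { on = 0; close(f) }' "$1"
}

# Unpack a PKCS#7 (.p7b) certificate bundle $1 into single files, prefix $2.
unpack_p7b() {
    openssl pkcs7 -in "$1" -print_certs -out "$1.pem"
    split_pem_certs "$1.pem" "$2"
}

# Unpack the certificates of PKCS#12 file $1 (password $2), prefix $3.
unpack_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$1.pem"
    split_pem_certs "$1.pem" "$3"
}

# Constructed test PKI in directory $1: root -> int -> leaf, plus a
# self-signed "toy" leaf, then the same certs packed as .cer, .p7b, .p12.
make_test_pki() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' >"$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' >"$d/ee.ext"
    for n in root int leaf toy; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
        openssl req -new -config "$d/req.cnf" -key "$d/$n.key" \
            -subj "/CN=Test $n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -days 1 -extfile "$d/ee.ext" -out "$d/leaf.crt" 2>/dev/null
    openssl x509 -req -in "$d/toy.csr" -signkey "$d/toy.key" -days 1 \
        -extfile "$d/ee.ext" -out "$d/toy.crt" 2>/dev/null
    openssl x509 -in "$d/leaf.crt" -outform DER -out "$d/leaf.cer"
    openssl crl2pkcs7 -nocrl -certfile "$d/int.crt" -certfile "$d/root.crt" \
        -out "$d/chain.p7b"
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" \
        -certfile "$d/int.crt" -passout pass:test -out "$d/leaf.p12"
}

# Demo: build the test PKI in a temp dir and classify everything in it.
tmp=$(mktemp -d)
make_test_pki "$tmp"
unpack_p7b "$tmp/chain.p7b" "$tmp/p7_"
unpack_p12 "$tmp/leaf.p12" test "$tmp/p12_"
for f in "$tmp"/root.crt "$tmp"/int.crt "$tmp"/leaf.cer "$tmp"/toy.crt \
         "$tmp"/p7_*.crt "$tmp"/p12_*.crt; do
    printf '%-12s %s\n' "$(classify_cert "$f")" "${f##*/}"
done
```

Two caveats a practitioner should keep in mind. First, "Subject equals Issuer" is the thread's shortcut for "self-signed"; two different CAs may carry the same name, so production code should check the signature instead (for a single file, `openssl verify -CAfile cert.pem cert.pem` does that). Second, as the top of this message says, none of these attributes mean anything until the signature covering them has been verified against a trusted chain; classifying an unverified certificate as a "CA" must never be what grants it the power to issue.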