I should have read the previous post more carefully:
CertGetEnhancedKeyUsage() is definitely the function for returning the
certificate usages reported by the system store manager (either the
ones set in the cert itself, the ones in the "extended property" that
can be set at will, or the effective combination of the two depending
on the flags passed).

You may have been looking at a different version of IE than what I've
got on my Windows 7 VM, but at least here IE doesn't allow you to set
certificate purposes: it has a dialog that looks just like that (under
the "Advanced" button in the certificate list), but that's only used
to select the set of usages you want to display if you choose
"<Advanced Purposes>" in the "Intended Purpose" dropdown at the top
(it's effectively just a customizable display filter).

I've been reading through OpenSSL's verification code a bit, and from
what I'm seeing it looks like purposes could be set for an existing
certificate by setting the appropriate bits in the ex_kusage or
ex_xkusage fields, at least for standard usages. Is that right?

-Matt Stickney

On Wed, Jul 12, 2017 at 11:26 AM, Matthew Stickney <mtstick...@gmail.com> wrote:
> On Wed, Jul 12, 2017 at 8:48 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
>> Yes they're external properties. The certificate encoding returned can't be
>> modified of course because that would break the signature.
>
> That's a good point (I'm a little embarrassed to have missed that).
>
>
>> I think I did some experiments with CertGetEnhancedKeyUsage()[...]
>
> It looks like another good candidate might be
> CertGetCertificateContextProperty() with the CERT_CTL_USAGE_PROP_ID
> flag. At least in principle, that's pulling usage information from the
> cert context, rather than the cert itself. I'll do some testing after
> work tonight.
>
> -Matt Stickney
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
