On 10.10.2013 13:58, Dr. Stephen Henson wrote:
>> I think you should be using CertGetCertificateContextProperty with a propid of
>> CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like
>> these might be aliased as I think both have a value of 9):
>> http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx
>>
>> The returned data is ASN.1 encoded so you might have to decode it before
>> you can use the OIDs returned.
>>
> 
> Thanks for the link. That is *VERY* interesting and I'll be looking into it as
> soon as my (alas rather hectic) schedule permits.

It's even easier to get the enhanced key usage for a certificate in
Windows' cert store. CertGetEnhancedKeyUsage() returns a
CERT_ENHKEY_USAGE struct with the EKU OIDs as char*, e.g.
1.3.6.1.5.5.7.3.1. The flag controls if the function returns the EKU
OIDs from the properties (certmgr.msc settings) or X509v3 extension. I
have some C as well as some Python+ctypes code here.

Chrome Browser uses Windows' cert store to verify peer certs. IIRC Adam
Langley and Ryan Sleevi have developed that feature. The code in
CertVerifyProcWin::VerifyInternal() looks straightforward... Of course
it's much easier to understand existing code than to come up with it in
the first place.

Christian
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org