On Sat, Nov 09, 2013, Christian Heimes wrote: > Am 10.10.2013 13:58, schrieb Dr. Stephen Henson: > >> I think you should be using CertGetCertificateContextProperty with a > >> propid of > >> CERT_CTL_USAGE_PROP_ID (or is it CERT_ENHKEY_USAGE_PROP_ID? ... seems like > >> these might be aliased as I think both have a value of 9): > >> http://msdn.microsoft.com/en-us/library/aa376079%28v=vs.85%29.aspx > >> > >> The returned data is ASN.1 encoded so you might have to decode it before > >> you can use the OIDs returned. > >> > > > > Thanks for the link. That is *VERY* interesting and I'll be looking into it > > as > > soon and my (alas rather hectic) schedule permits. > > It's even easier to get the enhanced key usage for a certificate in > Windows' cert store. CertGetEnhancedKeyUsage() returns a > CERT_ENHKEY_USAGE struct with the EKU OIDs as char*, e.g. > 1.3.6.1.5.5.7.3.1. The flag controls if the functions returns the EKU > OIDs from the properties (certmgr.msc settings) or X509v3 extension. I > have some C as well as some Python+ctypes code here. >
I've finally had a chance to check out some of these suggested methods of retrieving the trust settings. Everything I've tried so far just returns a copy of the certificate's extended key usage extension in various forms. This is useless and I can get that from the certificate anyway. To double check I try setting or clearing a value in the UI and it makes no difference :-( If anyone has any other ideas (and please double check that they really reflect the UI settings by changing them) I'd be interested to know the details. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org