Resolving X509 certificates using the Windows Crypt API

Source: Internet
Author: User
Tags: crypt

First, version number

The field dwVersion in the struct CERT_INFO is the certificate version, which can be obtained directly with the following code:

    DWORD dwCertVer = m_pCertContext->pCertInfo->dwVersion;

The version values are defined as follows:

    #define CERT_V1 0
    #define CERT_V2 1
    #define CERT_V3 2

That is, V1 has a value of 0 and V3 a value of 2; most of the time the certificate is a V3 certificate.

Second, serial number

The serial number corresponds to the field SerialNumber in the struct CERT_INFO, but it is an ASN.1-encoded big-integer object that needs to be decoded to be converted to the hexadecimal serial number we normally see. The function to get the serial number is as follows:

    ULONG CCSPCertificate::get_SN(LPSTR lptcSN, ULONG *pulLen)
    {
        CHAR scSN[512] = {0};

        if (!m_pCertContext)
        {
            return CERT_ERR_INVILIDCALL;
        }
        if (!pulLen)
        {
            return CERT_ERR_INVALIDPARAM;
        }

        // The blob is stored least significant byte first, so walk it backwards.
        PCRYPT_INTEGER_BLOB pSn = &(m_pCertContext->pCertInfo->SerialNumber);
        for (int n = (int)(pSn->cbData - 1); n >= 0; n--)
        {
            CHAR szHex[5] = {0};
            sprintf_s(szHex, "%02x", (pSn->pbData)[n]);
            strcat_s(scSN, sizeof(scSN), szHex);
        }

        // Size query: report the bytes needed, including the terminating NUL.
        if (!lptcSN)
        {
            *pulLen = (ULONG)strlen(scSN) + 1;
            return CERT_ERR_OK;
        }
        // A buffer of exactly strlen + 1 bytes (the size reported above) is enough.
        if (*pulLen < strlen(scSN) + 1)
        {
            return CERT_ERR_BUFFER_TOO_SMALL;
        }
        strcpy_s(lptcSN, *pulLen, scSN);
        *pulLen = (ULONG)strlen(scSN);
        return CERT_ERR_OK;
    }

  

Third, public key algorithm (certificate algorithm)

The public key algorithm of the certificate is obtained through the field SubjectPublicKeyInfo in CERT_INFO. The function is as follows:

    ULONG CCSPCertificate::get_KeyType(ULONG *pulType)
    {
        if (!m_pCertContext)
        {
            return CERT_ERR_INVILIDCALL;
        }
        if (!pulType)
        {
            return CERT_ERR_INVALIDPARAM;
        }

        PCERT_PUBLIC_KEY_INFO pPubKey = &(m_pCertContext->pCertInfo->SubjectPublicKeyInfo);
        if (pPubKey)
        {
            // Compare the key algorithm OID against the known RSA and ECC OIDs.
            if (_stricmp(pPubKey->Algorithm.pszObjId, szOID_RSA_RSA) == 0)
            {
                *pulType = CERT_KEY_ALG_RSA;
            }
            else if (_stricmp(pPubKey->Algorithm.pszObjId, szOID_ECC_PUBLIC_KEY) == 0)
            {
                *pulType = CERT_KEY_ALG_ECC;
            }
            else
            {
                *pulType = 0;
                return CERT_ERR_ALG_UNKNOWN;
            }
        }
        else
        {
            return GetLastError();
        }
        return CERT_ERR_OK;
    }

  

Fourth, use of certificates

Certificates fall into two categories: signing certificates and encryption certificates. The public key of a signing certificate is used to verify signatures, and the public key of an encryption certificate is used to encrypt data. To obtain the purpose of a certificate, call the function CertGetIntendedKeyUsage(); the function is implemented as follows:

    ULONG CCSPCertificate::get_KeyUsage(ULONG *lpUsage)
    {
        BYTE btUsage[2] = {0};

        if (!m_pCertContext)
        {
            return CERT_ERR_INVILIDCALL;
        }
        if (!lpUsage)
        {
            return CERT_ERR_INVALIDPARAM;
        }

        if (CertGetIntendedKeyUsage(GLOBAL_ENCODING_TYPE, m_pCertContext->pCertInfo, btUsage, 2))
        {
            if (btUsage[0] & CERT_DIGITAL_SIGNATURE_KEY_USAGE)
            {
                *lpUsage = CERT_USAGE_SIGN;
            }
            else if (btUsage[0] & CERT_DATA_ENCIPHERMENT_KEY_USAGE)
            {
                *lpUsage = CERT_USAGE_EXCH;
            }
            else
            {
                *lpUsage = 0;
                return CERT_ERR_USAGE_UNKNOWN;
            }
        }
        else
        {
            // When the certificate has no key usage extension, the call returns
            // FALSE and GetLastError() returns 0.
            return GetLastError();
        }
        return CERT_ERR_OK;
    }
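The function above reports a single usage and tests only the digital-signature and data-encipherment bits. The following block is an added example, not code from the original article: portable C that decodes the first key-usage byte into a bitmask of roles, so a dual-use certificate reports both. The KU_* values mirror the CERT_*_KEY_USAGE macros in wincrypt.h; the ROLE_* names, classify_key_usage and the sample bytes are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* First key-usage byte bits, same values as wincrypt.h's CERT_*_KEY_USAGE
   macros; redeclared so the block builds without the Windows SDK. */
#define KU_DIGITAL_SIGNATURE 0x80
#define KU_NON_REPUDIATION   0x40
#define KU_KEY_ENCIPHERMENT  0x20
#define KU_DATA_ENCIPHERMENT 0x10
#define KU_KEY_AGREEMENT     0x08
#define KU_KEY_CERT_SIGN     0x04
#define KU_CRL_SIGN          0x02

/* Hypothetical role flags for this example (not the article's CERT_USAGE_*). */
#define ROLE_SIGN    0x1u  /* verifies signatures made by the subject */
#define ROLE_ENCRYPT 0x2u  /* key transport, data encryption, key agreement */
#define ROLE_CA      0x4u  /* signs certificates or CRLs */

/* Classify the bytes that CertGetIntendedKeyUsage writes to its buffer.
   Returns a bitmask, so a dual-use certificate reports every role;
   0 means no recognised bit (or no key-usage extension at all). */
unsigned classify_key_usage(const unsigned char *ku, size_t len)
{
    unsigned roles = 0;
    if (ku == NULL || len == 0)
        return 0;
    if (ku[0] & (KU_DIGITAL_SIGNATURE | KU_NON_REPUDIATION))
        roles |= ROLE_SIGN;
    if (ku[0] & (KU_KEY_ENCIPHERMENT | KU_DATA_ENCIPHERMENT | KU_KEY_AGREEMENT))
        roles |= ROLE_ENCRYPT;
    if (ku[0] & (KU_KEY_CERT_SIGN | KU_CRL_SIGN))
        roles |= ROLE_CA;
    return roles;
}

/* Constructed sample values, not taken from real certificates. */
static const unsigned char KU_SIGN_ONLY[2] = { 0x80, 0x00 }; /* digitalSignature */
static const unsigned char KU_KEY_ENC[2]   = { 0x20, 0x00 }; /* keyEncipherment only */
static const unsigned char KU_DUAL[2]      = { 0xA0, 0x00 }; /* signature + keyEncipherment */
static const unsigned char KU_CA[2]        = { 0x06, 0x00 }; /* keyCertSign + cRLSign */

int main(void)
{
    printf("sign-only=%u key-enc=%u dual=%u ca=%u\n",
           classify_key_usage(KU_SIGN_ONLY, 2), classify_key_usage(KU_KEY_ENC, 2),
           classify_key_usage(KU_DUAL, 2), classify_key_usage(KU_CA, 2));
    return 0;
}
```

With the article's if/else-if logic, the keyEncipherment-only sample would fall through to CERT_ERR_USAGE_UNKNOWN and the dual-use sample would be reported as signing only.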

  

Fifth, signature algorithm

The signature algorithm of a certificate is the algorithm used to sign the certificate (including the hash algorithm). It is represented by the SignatureAlgorithm field in the structure CERT_INFO, and its subfield pszObjId returns the OID of the signature algorithm, from which the specific signature algorithm can be identified. Common pszObjId values are defined as follows:

    #define CERT_SIGNATURE_ALG_RSA_RSA  "1.2.840.113549.1.1.1"  // RSA direct signature
    #define CERT_SIGNATURE_ALG_MD2RSA   "1.2.840.113549.1.1.2"  // MD2 as hash, then RSA signature
    #define CERT_SIGNATURE_ALG_MD4RSA   "1.2.840.113549.1.1.3"  // MD4 as hash, then RSA signature
    #define CERT_SIGNATURE_ALG_MD5RSA   "1.2.840.113549.1.1.4"  // MD5 as hash, then RSA signature
    #define CERT_SIGNATURE_ALG_SHA1RSA  "1.2.840.113549.1.1.5"  // SHA1 as hash, then RSA signature
    #define CERT_SIGNATURE_ALG_SM3SM2   "1.2.156.10197.1.501"   // SM3 as hash, then SM2 signature

The above is the content of http://blog.csdn.net/yyfzy/article/details/46790043

And then I realized it.

If you need the source code, leave your email address.
