views:

34

answers:

2

I want to find all client authentication certificates from the X509Store(StoreLocation.CurrentUser)

Is there any way to do this? Even by getting them all and then filtering by a certain property to get all Client Authentication certificates?

A: 

You'd need to examine the Extensions of each certificate. So far as I can see, once you've got to the Key Usage extension, you should have all the info you need.

Edit: Actually, for client authentication, you probably need the Enhanced Key Usage extension. I don't have a client authentication certificate lying around to test this with, but the following prints "Server Authentication" for a server certificate I've got:

        using System;
        using System.Security.Cryptography.X509Certificates;

        var cert1 = new X509Certificate2(/* Path to certificate */);
        // Walk every extension; only the Enhanced Key Usage extension carries purpose OIDs.
        foreach (var ext in cert1.Extensions)
        {
            var eku = ext as X509EnhancedKeyUsageExtension;
            if (eku != null)
            {
                // FriendlyName resolves each OID, e.g. "Server Authentication" or "Client Authentication".
                foreach (var oid in eku.EnhancedKeyUsages)
                {
                    Console.WriteLine(oid.FriendlyName);
                }
            }
        }
Damien_The_Unbeliever
I have one user auth cert installed, and for that I went through all .Extensions and none of them looks actually useful for this purpose. Also, none of them is of the X509EnhancedKeyUsageExtension type.
dr. evil
@dr. evil - I just generated a client auth certificate using our test CA (standard windows CA), and the code printed "Client Authentication". If your certificate doesn't have an EnhancedKeyUsage extension, what extensions does it have? (my Client Auth certificate also had the X509KeyUsageExtension, with DataEncipherment, KeyEncipherment, NonRepudiation, DigitalSignature)
Damien_The_Unbeliever
It has 1-X509BasicConstraintsExtension, 3-X509Extension ("Netscape comment", "Subject Key Identifier","Auth Key")
dr. evil
+1  A: 

There are extensions that help identify what can be used as a client certificate:

  • The Extended Key Usage extension, which will be id-kp-clientAuth if present.
  • The "legacy" Netscape Cert Type extension (not strictly standard, but widely adopted, even outside the world of Netscape/Mozilla tools).

Certificates without these extensions at all could also be used as client certificates, provided they are compatible with the (non-extended) Key Usage extension (if present). What you need at least in the (non-extended) Key Usage extension for a client certificate is digitalSignature. It's not really clear what happens if you get both the Netscape Cert Type and the Extended Key Usage extensions, although, in the spirit of RFC 5280, it would be worth considering usage for purposes compatible with all the extensions present:

If a certificate contains both a key usage extension and an extended key usage extension, then both extensions MUST be processed independently and the certificate MUST only be used for a purpose consistent with both extensions. If there is no purpose consistent with both extensions, then the certificate MUST NOT be used for any purpose.

The NSS Technical Note 3 (All About Certificate Extensions) should be of interest.

Bruno
I forgot to add that you also need to check the extension value required in the CA certificates in the chain (see NSS tech note).
Bruno
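Putting the two answers together as an added example (not code from either answer): enumerate the CurrentUser\My store and keep a certificate only if its EKU lists id-kp-clientAuth, or, when there is no EKU, if its Key Usage permits digitalSignature and it is not a CA certificate. The Netscape Cert Type extension and the chain checks Bruno mentions are left out; the OID constants come from RFC 5280.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example: filter a store for certificates usable for TLS client authentication,
// following the rules discussed above (EKU first, Key Usage as fallback).
static class ClientAuthCerts
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2";   // id-kp-clientAuth, RFC 5280 4.2.1.12
    const string AnyEkuOid     = "2.5.29.37.0";         // anyExtendedKeyUsage, same section

    public static bool LooksLikeClientAuthCert(X509Certificate2 cert)
    {
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        var ku  = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        var bc  = cert.Extensions.OfType<X509BasicConstraintsExtension>().FirstOrDefault();

        // Key Usage, if present, must allow digitalSignature (RFC 5280 4.2.1.3).
        if (ku != null && (ku.KeyUsages & X509KeyUsageFlags.DigitalSignature) == 0)
            return false;

        // EKU present: both extensions must agree, so it must list clientAuth (or anyEKU).
        if (eku != null)
            return eku.EnhancedKeyUsages.Cast<Oid>()
                      .Any(o => o.Value == ClientAuthOid || o.Value == AnyEkuOid);

        // No EKU: Key Usage already checked; exclude CA certificates (cA=TRUE in Basic Constraints).
        return bc == null || !bc.CertificateAuthority;
    }

    public static X509Certificate2Collection FindClientAuthCerts(StoreLocation location)
    {
        var result = new X509Certificate2Collection();
        var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            foreach (var cert in store.Certificates)
                if (LooksLikeClientAuthCert(cert)) result.Add(cert);
        }
        finally { store.Close(); }
        return result;
    }

    static void Main()
    {
        foreach (var c in FindClientAuthCerts(StoreLocation.CurrentUser))
            Console.WriteLine($"{c.Subject} (thumbprint {c.Thumbprint})");
    }
}
```

For actually authenticating, also require `c.HasPrivateKey`, since a client certificate without its private key in the store cannot be used to sign the TLS handshake.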