The CertGetIntendedKeyUsage function gets the intended key usage bytes from the certificate. The intended key usage may be in either the szOID_KEY_USAGE ("2.5.29.15") or szOID_KEY_ATTRIBUTES ("2.5.29.2") extension.
```cpp
#include <wincrypt.h>

BOOL WINAPI CertGetIntendedKeyUsage(
    DWORD      dwCertEncodingType, // in
    PCERT_INFO pCertInfo,          // in
    BYTE      *pbKeyUsage,         // out
    DWORD      cbKeyUsage          // in
);
```
Encoding type | Value |
---|---|
X509_ASN_ENCODING | 0x00000001 |
If the certificate doesn't have any intended key usage bytes, FALSE is returned and *pbKeyUsage is zeroed. Otherwise, TRUE is returned and up to cbKeyUsage bytes are copied into *pbKeyUsage; any remaining bytes of the cbKeyUsage-byte buffer that were not copied are zeroed. Pass a buffer of at least one byte: the seven CERT_*_KEY_USAGE flags tested in the example below all live in the first byte.
Call GetLastError to see the reason for any failures. This function has the following error codes.
Error code | Description |
---|---|
CRYPT_E_OSS_ERROR | ASN.1 decoding error. Note to get the OSS error, subtract CRYPT_E_OSS_ERROR from the returned error and see asn1code.h for details on the error. |
ERROR_FILE_NOT_FOUND | Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported. |
```cpp
// EXAMPLE CODE FOR USING CertGetIntendedKeyUsage() to get and print
// the intended key usage bytes from a certificate.
// Assume that a pointer to the certificate (pCertInfo) for which
// the intended key usage bytes are being retrieved is already known
// and that the type of encoding used on the certificate is
// X509_ASN_ENCODING.
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>

void PrintIntendedKeyUsage(PCERT_INFO pCertInfo)
{
    // Set up the variables.
    BYTE  KeyUsageBits = 0;         // Intended key usage bits are copied here.
    DWORD cbKeyUsageByteCount = 1;  // 1 byte will be copied to &KeyUsageBits.
    BOOL  Return;

    Return = CertGetIntendedKeyUsage(
        X509_ASN_ENCODING, pCertInfo,
        &KeyUsageBits, cbKeyUsageByteCount);
    if (Return == TRUE) {
        // Print the intended key usages for the certificate.
        // The mask must be parenthesized: in C, '==' binds tighter than '&',
        // so "KeyUsageBits & FLAG == FLAG" would test bit 0 instead of FLAG.
        if ((KeyUsageBits & CERT_DATA_ENCIPHERMENT_KEY_USAGE) ==
            CERT_DATA_ENCIPHERMENT_KEY_USAGE)
            printf("CERT_DATA_ENCIPHERMENT_KEY_USAGE allowed\n");
        if ((KeyUsageBits & CERT_DIGITAL_SIGNATURE_KEY_USAGE) ==
            CERT_DIGITAL_SIGNATURE_KEY_USAGE)
            printf("CERT_DIGITAL_SIGNATURE_KEY_USAGE allowed\n");
        if ((KeyUsageBits & CERT_KEY_AGREEMENT_KEY_USAGE) ==
            CERT_KEY_AGREEMENT_KEY_USAGE)
            printf("CERT_KEY_AGREEMENT_KEY_USAGE allowed\n");
        if ((KeyUsageBits & CERT_KEY_CERT_SIGN_KEY_USAGE) ==
            CERT_KEY_CERT_SIGN_KEY_USAGE)
            printf("CERT_KEY_CERT_SIGN_KEY_USAGE allowed\n");
        if ((KeyUsageBits & CERT_KEY_ENCIPHERMENT_KEY_USAGE) ==
            CERT_KEY_ENCIPHERMENT_KEY_USAGE)
            printf("CERT_KEY_ENCIPHERMENT_KEY_USAGE allowed\n");
        if ((KeyUsageBits & CERT_NON_REPUDIATION_KEY_USAGE) ==
            CERT_NON_REPUDIATION_KEY_USAGE)
            printf("CERT_NON_REPUDIATION_KEY_USAGE allowed\n");
        if ((KeyUsageBits & CERT_OFFLINE_CRL_SIGN_KEY_USAGE) ==
            CERT_OFFLINE_CRL_SIGN_KEY_USAGE)
            printf("CERT_OFFLINE_CRL_SIGN_KEY_USAGE allowed\n");
    } else {
        // No intended key usage bytes in the certificate, or a decoding
        // error; GetLastError reports the cause of a failure.
        printf("No intended key usage (GetLastError = 0x%08lX)\n",
               GetLastError());
    }
}
```
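The key usage bytes that CertGetIntendedKeyUsage hands back are the payload of the DER BIT STRING in the szOID_KEY_USAGE extension, so the contract in the text (zero the buffer, copy up to cbKeyUsage bytes, return success or failure) and the flag tests in the example above can be exercised without a Windows certificate store. The following is an added example, not code from the original page or from Microsoft's CryptoAPI: a small portable decoder written to that same contract, with the flag values copied from wincrypt.h so it also builds off Windows. The function names `decode_key_usage`, `has_usage` and `decode_to_int`, and the sample byte strings, are constructed for this example; it also handles the malformed inputs a decoder should reject (wrong tag, truncated length, an out-of-range unused-bits count) and masks the padding bits of the last byte so they are never read as a granted usage.

```c
/* Added example, not part of the original page or of Microsoft's CryptoAPI:
 * a portable decoder for the DER BIT STRING carried in the szOID_KEY_USAGE
 * ("2.5.29.15") extension, written to the contract the page documents for
 * CertGetIntendedKeyUsage: zero the output buffer, copy up to cbKeyUsage
 * bytes, return success or failure. Flag values mirror wincrypt.h. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifndef CERT_DIGITAL_SIGNATURE_KEY_USAGE
/* X.509 KeyUsage bit positions; bit 0 of the BIT STRING is the MSB of byte 0. */
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE  0x80
#define CERT_NON_REPUDIATION_KEY_USAGE    0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE   0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE  0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE      0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE      0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE   0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE      0x01
#define CERT_DECIPHER_ONLY_KEY_USAGE      0x80  /* lives in the second byte */
#endif

/* Decode a DER BIT STRING (tag 0x03, short-form length, unused-bits count,
 * payload) into pbKeyUsage. Returns 1 on success. On malformed input the
 * buffer stays zeroed and 0 is returned, like the documented FALSE case. */
int decode_key_usage(const unsigned char *der, size_t cbDer,
                     unsigned char *pbKeyUsage, size_t cbKeyUsage)
{
    size_t len, payload, n;
    unsigned char unused;

    memset(pbKeyUsage, 0, cbKeyUsage);               /* contract: zero first */
    if (cbDer < 3 || der[0] != 0x03) return 0;       /* not a BIT STRING */
    len = der[1];
    if (len >= 0x80 || len < 1 || 2 + len > cbDer)   /* long form or truncated */
        return 0;
    unused = der[2];
    if (unused > 7) return 0;                        /* DER allows 0..7 only */
    payload = len - 1;
    if (payload == 0) return 0;                      /* no usage bits at all */
    n = payload < cbKeyUsage ? payload : cbKeyUsage; /* copy up to cbKeyUsage */
    memcpy(pbKeyUsage, der + 3, n);
    /* Clear the padding bits of the final byte so a sloppy or hostile encoder
     * cannot make them read as a granted usage. */
    if (n == payload && unused != 0)
        pbKeyUsage[n - 1] &= (unsigned char)(0xFF << unused);
    return 1;
}

/* Flag test with the mask parenthesised: '==' binds tighter than '&' in C,
 * so "usageByte & flag == flag" would silently test bit 0 instead. */
int has_usage(unsigned char usageByte, unsigned char flag)
{
    return (usageByte & flag) == flag;
}

/* Convenience wrapper: decode into a two-byte buffer and return
 * byte0 | (byte1 << 8), or -1 if the extension could not be decoded. */
int decode_to_int(const unsigned char *der, size_t cbDer)
{
    unsigned char ku[2];
    if (!decode_key_usage(der, cbDer, ku, sizeof ku)) return -1;
    return ku[0] | (ku[1] << 8);
}

/* Constructed samples for this example; none come from a real certificate. */
static const unsigned char SAMPLE_KU[]    = { 0x03, 0x02, 0x05, 0xA0 }; /* digitalSignature|keyEncipherment, 5 pad bits */
static const unsigned char SAMPLE_DIRTY[] = { 0x03, 0x02, 0x05, 0xA7 }; /* same flags, pad bits set: must be masked off */
static const unsigned char SAMPLE_TRUNC[] = { 0x03, 0x02, 0x05 };       /* length promises 2 bytes, only 1 present */
static const unsigned char SAMPLE_CA[]    = { 0x03, 0x02, 0x01, 0x06 }; /* keyCertSign|cRLSign, 1 pad bit */

int main(void)
{
    unsigned char ku[2];
    if (decode_key_usage(SAMPLE_KU, sizeof SAMPLE_KU, ku, sizeof ku)) {
        if (has_usage(ku[0], CERT_DIGITAL_SIGNATURE_KEY_USAGE))
            printf("CERT_DIGITAL_SIGNATURE_KEY_USAGE allowed\n");
        if (has_usage(ku[0], CERT_KEY_CERT_SIGN_KEY_USAGE))
            printf("CERT_KEY_CERT_SIGN_KEY_USAGE allowed\n");
    }
    printf("truncated sample decodes to %d (-1 = rejected)\n",
           decode_to_int(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The masking step matters for the same reason the parenthesised flag test does: both are cases where a byte that looks like a key-usage value can be misread as granting a usage the certificate never asserted, so a check that gates signing or CA behaviour on it should only ever see cleaned bits and a correctly formed comparison.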
Windows NT: Requires version 4.0 SP3 or later. Available also in IE 3.02 and later.
Windows: Requires Windows 98 (or Windows 95 with IE 3.02 or later).
Windows CE: Unsupported.
Header: Declared in wincrypt.h.
Import Library: Use crypt32.lib.