CertGetIntendedKeyUsage

The CertGetIntendedKeyUsage function gets the intended key usage bytes from the certificate. The intended key usage may be in either the szOID_KEY_USAGE ("2.5.29.15") or szOID_KEY_ATTRIBUTES ("2.5.29.2") extension.

#include <wincrypt.h>
BOOL WINAPI CertGetIntendedKeyUsage(
  DWORD dwCertEncodingType,  // in
  PCERT_INFO pCertInfo,      // in
  BYTE *pbKeyUsage,          // out
  DWORD cbKeyUsage           // in
);
 

Parameters

dwCertEncodingType
The type of encoding used on the certificate. Currently defined certificate encoding types are shown in the following table:

  Encoding type        Value
  X509_ASN_ENCODING    0x00000001

pCertInfo
A pointer to the CERT_INFO structure of the certificate to inspect (for example, the pCertInfo member of a CERT_CONTEXT).
pbKeyUsage
A pointer to the buffer that receives the intended key usage as CERT_*_KEY_USAGE bit flags (for example, CERT_DIGITAL_SIGNATURE_KEY_USAGE). Bit values are shown in the table for IntendedKeyUsage in CERT_KEY_ATTRIBUTES_INFO.
cbKeyUsage
The size, in bytes, of the buffer pointed to by pbKeyUsage. Currently, the intended key usage occupies only 1 byte of data; wincrypt.h also defines CERT_DECIPHER_ONLY_KEY_USAGE as a flag in a second byte, so callers that need that flag should pass a 2-byte buffer (any byte the function does not fill is zeroed).

Return Values

If the certificate does not have any intended key usage bytes, FALSE is returned and *pbKeyUsage is zeroed. Otherwise, TRUE is returned and up to cbKeyUsage bytes are copied into *pbKeyUsage. Any remaining bytes not copied are zeroed.

Call GetLastError to see the reason for any failures. This function has the following error codes.

  Error code            Description
  CRYPT_E_OSS_ERROR     ASN.1 decoding error. Note: to get the OSS error, subtract CRYPT_E_OSS_ERROR from the returned error and see asn1code.h for details on the error.
  ERROR_FILE_NOT_FOUND  Invalid certificate encoding type. Currently only X509_ASN_ENCODING is supported.

Example

// EXAMPLE CODE FOR USING CertGetIntendedKeyUsage() to get and print
// the intended key usage bytes from a certificate.

// Assume that a pointer to the CERT_INFO of the certificate (pCertInfo)
// for which the intended key usage bytes are being retrieved is already
// known (for example, the pCertInfo member of a CERT_CONTEXT), and that
// the type of encoding used on the certificate is X509_ASN_ENCODING.

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#pragma comment(lib, "crypt32.lib")

// Set up the variables.
PCERT_INFO pCertInfo;          // Initialized elsewhere
BYTE  KeyUsageBits[2] = { 0 }; // Intended key usage bits copied to here.
                               // Byte 0 holds the flags tested below; any
                               // byte the call does not fill is zeroed.
DWORD cbKeyUsageByteCount = sizeof(KeyUsageBits);
BOOL  Return;

Return = CertGetIntendedKeyUsage(
            X509_ASN_ENCODING, pCertInfo,
            KeyUsageBits, cbKeyUsageByteCount);

if (Return) {

    // Print the intended key usages for the certificate.
    // Each test is parenthesized on purpose: '==' binds tighter than
    // '&', so "Bits & MASK == MASK" parses as "Bits & (MASK == MASK)",
    // that is "Bits & 1", and silently tests the wrong bit.

    if ((KeyUsageBits[0] & CERT_DATA_ENCIPHERMENT_KEY_USAGE) ==
                           CERT_DATA_ENCIPHERMENT_KEY_USAGE)
        printf("CERT_DATA_ENCIPHERMENT_KEY_USAGE allowed\n");

    if ((KeyUsageBits[0] & CERT_DIGITAL_SIGNATURE_KEY_USAGE) ==
                           CERT_DIGITAL_SIGNATURE_KEY_USAGE)
        printf("CERT_DIGITAL_SIGNATURE_KEY_USAGE allowed\n");

    if ((KeyUsageBits[0] & CERT_KEY_AGREEMENT_KEY_USAGE) ==
                           CERT_KEY_AGREEMENT_KEY_USAGE)
        printf("CERT_KEY_AGREEMENT_KEY_USAGE allowed\n");

    if ((KeyUsageBits[0] & CERT_KEY_CERT_SIGN_KEY_USAGE) ==
                           CERT_KEY_CERT_SIGN_KEY_USAGE)
        printf("CERT_KEY_CERT_SIGN_KEY_USAGE allowed\n");

    if ((KeyUsageBits[0] & CERT_KEY_ENCIPHERMENT_KEY_USAGE) ==
                           CERT_KEY_ENCIPHERMENT_KEY_USAGE)
        printf("CERT_KEY_ENCIPHERMENT_KEY_USAGE allowed\n");

    if ((KeyUsageBits[0] & CERT_NON_REPUDIATION_KEY_USAGE) ==
                           CERT_NON_REPUDIATION_KEY_USAGE)
        printf("CERT_NON_REPUDIATION_KEY_USAGE allowed\n");

    if ((KeyUsageBits[0] & CERT_OFFLINE_CRL_SIGN_KEY_USAGE) ==
                           CERT_OFFLINE_CRL_SIGN_KEY_USAGE)
        printf("CERT_OFFLINE_CRL_SIGN_KEY_USAGE allowed\n");

} else {

    // FALSE: either the certificate carries no intended key usage bytes
    // or the extension could not be decoded. KeyUsageBits has been
    // zeroed in both cases, so the buffer alone cannot tell them apart;
    // consult GetLastError before treating the key as unrestricted.

    printf("No intended key usage retrieved (error %lu)\n", GetLastError());
}
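
The bytes this function hands back are the content octets of the KeyUsage BIT STRING in the 2.5.29.15 extension, in the same bit order as the CERT_*_KEY_USAGE masks. The following is an added example, not code from the original page or from CryptoAPI: it decodes such a DER value by hand into the same two-byte layout that pbKeyUsage receives, rejects malformed encodings (bad tag, mismatched length, non-zero padding bits), and applies the masks with the parenthesization the comparison needs. It also carries the ninth bit, decipherOnly, which lands in byte 1. The extension values KU_TLS_SERVER, KU_CA, KU_KEM_RECV and KU_BAD_PAD are constructed for illustration rather than taken from real certificates, and the helper and policy function names are this example's own. It is plain C with no crypt32 dependency, so it runs off Windows as well.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Key-usage bit masks as defined in wincrypt.h. Byte 0 of the buffer that
   CertGetIntendedKeyUsage fills holds the first eight KeyUsage bits; the
   ninth bit, decipherOnly, lives in byte 1. */
#define CERT_DIGITAL_SIGNATURE_KEY_USAGE  0x80
#define CERT_NON_REPUDIATION_KEY_USAGE    0x40
#define CERT_KEY_ENCIPHERMENT_KEY_USAGE   0x20
#define CERT_DATA_ENCIPHERMENT_KEY_USAGE  0x10
#define CERT_KEY_AGREEMENT_KEY_USAGE      0x08
#define CERT_KEY_CERT_SIGN_KEY_USAGE      0x04
#define CERT_OFFLINE_CRL_SIGN_KEY_USAGE   0x02
#define CERT_ENCIPHER_ONLY_KEY_USAGE      0x01
#define CERT_DECIPHER_ONLY_KEY_USAGE      0x80   /* byte 1 */

/* Constructed DER values of a 2.5.29.15 extension (BIT STRING: tag, length,
   unused-bit count, content bytes). Illustrative only, not from real certs. */
const unsigned char KU_TLS_SERVER[] = { 0x03, 0x02, 0x05, 0xA0 };       /* digitalSignature, keyEncipherment */
const unsigned char KU_CA[]         = { 0x03, 0x02, 0x01, 0x06 };       /* keyCertSign, cRLSign */
const unsigned char KU_KEM_RECV[]   = { 0x03, 0x03, 0x07, 0x08, 0x80 }; /* keyAgreement, decipherOnly (byte 1) */
const unsigned char KU_BAD_PAD[]    = { 0x03, 0x02, 0x05, 0xA7 };       /* padding bits not zero: invalid DER */

/* Decode the extension value into the byte layout pbKeyUsage receives.
   Returns the number of usage bytes (0, 1 or 2), or -1 if the encoding is
   not well-formed DER. Bytes not present are zeroed, mirroring the API. */
int decode_key_usage(const unsigned char *der, size_t len, unsigned char usage[2])
{
    size_t content_len, nbytes, i;
    unsigned char unused;

    memset(usage, 0, 2);
    if (len < 3 || der[0] != 0x03 || der[1] > 0x7F || der[1] < 1)
        return -1;                 /* wrong tag, long-form length, or no unused-bits octet */
    content_len = der[1];
    if (len != 2 + content_len)
        return -1;                 /* length octet disagrees with the buffer */
    unused = der[2];
    nbytes = content_len - 1;
    if (unused > 7 || nbytes > 2 || (nbytes == 0 && unused != 0))
        return -1;                 /* KeyUsage has nine bits: at most two content bytes */
    for (i = 0; i < nbytes; i++)
        usage[i] = der[3 + i];
    /* DER requires the unused trailing bits to be zero. Reject otherwise, so a
       sloppy or hostile encoder cannot carry bits that a lax parser would honour. */
    if (nbytes > 0 && (usage[nbytes - 1] & ((1u << unused) - 1)) != 0)
        return -1;
    return (int)nbytes;
}

/* Test one usage flag. Note the parentheses: "bits & MASK == MASK" parses as
   "bits & (MASK == MASK)", i.e. "bits & 1", and silently tests the wrong bit. */
int key_usage_set(const unsigned char usage[2], int byte_index, unsigned char mask)
{
    return (usage[byte_index] & mask) == mask;
}

/* Convenience: both usage bytes packed as 0xBBbb (byte 0 high), or -1 on bad DER. */
int key_usage_word(const unsigned char *der, size_t len)
{
    unsigned char usage[2];
    if (decode_key_usage(der, len, usage) < 0)
        return -1;
    return (usage[0] << 8) | usage[1];
}

/* Example policy gates a verifier would apply after retrieving the bits. */
int may_sign_certificates(const unsigned char usage[2])
{
    return key_usage_set(usage, 0, CERT_KEY_CERT_SIGN_KEY_USAGE);
}

int may_sign_tls_handshake(const unsigned char usage[2])
{
    return key_usage_set(usage, 0, CERT_DIGITAL_SIGNATURE_KEY_USAGE);
}

static void print_usage(const char *label, const unsigned char *der, size_t len)
{
    unsigned char usage[2];
    int n = decode_key_usage(der, len, usage);
    if (n < 0) { printf("%s: malformed KeyUsage\n", label); return; }
    printf("%s: %d byte(s) %02X %02X;%s%s%s%s\n", label, n, usage[0], usage[1],
           key_usage_set(usage, 0, CERT_DIGITAL_SIGNATURE_KEY_USAGE) ? " digitalSignature" : "",
           key_usage_set(usage, 0, CERT_KEY_ENCIPHERMENT_KEY_USAGE) ? " keyEncipherment" : "",
           key_usage_set(usage, 0, CERT_KEY_CERT_SIGN_KEY_USAGE)    ? " keyCertSign" : "",
           key_usage_set(usage, 1, CERT_DECIPHER_ONLY_KEY_USAGE)    ? " decipherOnly" : "");
}

int main(void)
{
    print_usage("tls-server", KU_TLS_SERVER, sizeof KU_TLS_SERVER);
    print_usage("ca",         KU_CA,         sizeof KU_CA);
    print_usage("kem-recv",   KU_KEM_RECV,   sizeof KU_KEM_RECV);
    print_usage("bad-pad",    KU_BAD_PAD,    sizeof KU_BAD_PAD);
    return 0;
}
```

The policy helpers are where the security decision lives: a verifier that only checks "some usage bit is set" will accept a TLS server certificate as a CA, so each use of the key should be gated on the specific flag it requires, and a decode failure should be treated as a rejection rather than as an unrestricted key.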
 

QuickInfo

  Windows NT: Requires version 4.0 SP3 or later. Available also in IE 3.02 and later.
  Windows: Requires Windows 98 (or Windows 95 with IE 3.02 or later).
  Windows CE: Unsupported.
  Header: Declared in wincrypt.h.
  Import Library: Use crypt32.lib.