Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Doing some research lately on the new certificate enrollment client API (that is, the CertEnroll COM interfaces) in Windows Vista. In the process, I found some bugs in the Windows SDK sample code, and I wanted to ensure that others don’t get stumped by these.

The code in question is actually referenced from multiple SDK sample projects. By default, you can find it in the “Samples\Security\X509 Certificate Enrollment\VC\enrollCommon” sub-directory of the v6.0 version of the SDK.

In that directory, see enrollCommon.cpp!findCertByKeyUsage in the “for” loop:


if (!CertGetIntendedKeyUsage(
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
pCert->pCertInfo,
&KeyUsage,
1))
{
break; <= Should be 'continue'
}

Otherwise, that loop, which is intended to search the user MY store for a cert with the indicated key usage, will fail prematurely if you happen to have a cert that doesn’t have a Key Usage property.  Such a cert is indeed valid, and allows all key usages.  In fact, such a cert is technically a trivial match for this function, regardless of what the caller requested!

The findCertByEKU function in the same file has the same bug.

Permalink |

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment