How can I check whether a certificate is CA or end entity?

Vishnu Gopalakrishnan 126 Reputation points
2020-08-05T06:08:09.78+00:00

Want to confirm the cert type CA or End Entity, before it is imported to the certificate store. Is there any utility function available for this.
I have written the below function. But it returns always return the cert as CA. Is this have a bug or is this a standard approach to check the CA cert.

//to check whether a certificate is CA or not.
bool IsCACert(PCCERT_CONTEXT pCertContext_i)
{

    CERT_CHAIN_ENGINE_CONFIG    EngineConfig = { 0 };
    EngineConfig.cbSize = sizeof(EngineConfig);
    EngineConfig.dwUrlRetrievalTimeout = 0;
    HCERTCHAINENGINE            hChainEngine = NULL;
    if(!CertCreateCertificateChainEngine(&EngineConfig, &hChainEngine))
    {
        std::cout << "Failed:CertCreateCertificateChainEngine\n";
        return false;
    }

    CERT_CHAIN_PARA             ChainPara = { 0 };
    ChainPara.cbSize = sizeof(ChainPara);
    PCCERT_CHAIN_CONTEXT  pChainContext;
    if (FALSE == CertGetCertificateChain(hChainEngine, pCertContext_i, NULL, NULL, &ChainPara, NULL, NULL, &pChainContext))
    {
        std::cout << "Failed:CertGetCertificateChain\n";
        return false;
    }

    CERT_CHAIN_POLICY_PARA PolicyParam;
    PolicyParam.cbSize = sizeof(CERT_CHAIN_POLICY_PARA);
    PolicyParam.dwFlags = BASIC_CONSTRAINTS_CERT_CHAIN_POLICY_CA_FLAG;
    CERT_CHAIN_POLICY_STATUS PolicyStatus;
    if (FALSE == CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_BASIC_CONSTRAINTS, pChainContext, &PolicyParam, &PolicyStatus))
    {
        std::cout << "Failed:CertVerifyCertificateChainPolicy\n";
        return false;
    }
    if (S_OK == PolicyStatus.dwError)
    {
        //std::cout << "CA certs.....\n";
        return true;
    }
    std::cout << "End certs.....\n";
    return false;
}
Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
11,718 questions
Windows API - Win32
Windows API - Win32
A core set of Windows application programming interfaces (APIs) for desktop and server applications. Previously known as Win32 API.
2,653 questions
Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,930 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,853 questions
0 comments No comments
{count} votes

Accepted answer
  1. Vadims Podāns 9,121 Reputation points MVP
    2020-08-05T06:17:25.897+00:00

    You need to:

    1. acquire a CERT_CONTEXT of the certificate
    2. navigate to pCertInfo of the CERT_CONTEXT structure.
    3. Iterate over extensions in rgExtension field of CERT_INFO extension
    4. Find extension with pszObjId equals to "2.5.29.19"
    5. if found, read extension value to CERT_BASIC_CONSTRAINTS2_INFO and read fCA field. If fCA is set to True, it is CA certificate. In all other cases it is end entity certificate.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.