Certificates in Detail
in terms of managing the certification process and in the cost of obtaining and
renewing huge numbers of certificates each year.
Working with Trust Settings
You can get and set a certificate’s trusted usage using CRYPT_CERTINFO_TRUSTED_USAGE, which takes as value the key usage(s) for which the certificate
is trusted. To mark a certificate as trusted only for encryption you would use:
    cryptSetAttribute( certificate, CRYPT_CERTINFO_TRUSTED_USAGE,
        CRYPT_KEYUSAGE_KEYENCIPHERMENT );
This setting will now be applied automatically to the certificate’s usage permissions,
so that even if its CRYPT_CERTINFO_KEYUSAGE attribute allowed signing and
encryption, the CRYPT_CERTINFO_TRUSTED_USAGE attribute would restrict
this to only allow encryption.
To remove any restrictions, delete the CRYPT_CERTINFO_TRUSTED_USAGE attribute, which
allows the full range of usage types that are present in CRYPT_CERTINFO_KEYUSAGE:
    cryptDeleteAttribute( cryptCertificate,
        CRYPT_CERTINFO_TRUSTED_USAGE );
You can get and set a certificate’s implicitly trusted status using the CRYPT_CERTINFO_TRUSTED_IMPLICIT attribute, which takes as value a boolean flag
that indicates whether the certificate is implicitly trusted or not. To mark a certificate
as trusted you would use:
    cryptSetAttribute( certificate, CRYPT_CERTINFO_TRUSTED_IMPLICIT, 1 );
Be careful when marking certificate chains (rather than individual certificates) as
implicitly trusted. Since a chain usually contains multiple certificates, setting the
CRYPT_CERTINFO_TRUSTED_IMPLICIT attribute affects the currently selected
certificate in the chain. Typically you want to trust the root CA, while the certificate
which is normally active when the chain is used is the end-user/leaf certificate. In
order to select the root CA certificate, you should move the certificate cursor to it
using the CRYPT_CURSOR_LAST movement code before marking the chain as
trusted. This will explicitly make the top-level CA certificate trusted, rather than
some arbitrary certificate in the chain.
To check whether a certificate is trusted you would use:
    int isTrusted;
    cryptGetAttribute( certificate, CRYPT_CERTINFO_TRUSTED_IMPLICIT,
        &isTrusted );
Since the trust of a CA propagates down to the certificates it issues, the trust setting in
this case applies to the whole chain rather than just one certificate in it. In other
words if the chain is signed by a trusted CA, the entire chain beyond that point will be
regarded as trusted.
If the result is set to true (a nonzero value) then the certificate is implicitly trusted by
cryptlib. In practice you won’t need to bother with this checking, since cryptlib will
do it for you when it verifies certificate chains.
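The trust rules described above, modelled in self-contained C as an added example (not code from the cryptlib manual, and not calling the cryptlib API). The struct fields, constant values and function names are assumptions standing in for the attributes and the certificate cursor; the model shows how the trusted-usage mask and the cursor position decide what ends up trusted.

```c
#include <stdio.h>
/* Model constants, constructed for this example (not cryptlib's values). */
enum { KU_SIGN = 0x1, KU_ENCIPHER = 0x4, NO_RESTRICTION = -1 };

typedef struct {
    int keyUsage;        /* usages the certificate itself allows */
    int trustedUsage;    /* local restriction, or NO_RESTRICTION if absent */
    int trustedImplicit; /* locally marked as implicitly trusted */
} Cert;

typedef struct {
    Cert certs[3];       /* index 0 = leaf, index count-1 = root CA */
    int count, cursor;   /* cursor = currently selected certificate */
} Chain;

/* Constructed sample: leaf, intermediate CA, root CA; the leaf is selected. */
Chain sample_chain(void) {
    Chain ch = { { { KU_SIGN | KU_ENCIPHER, NO_RESTRICTION, 0 },
                   { KU_SIGN, NO_RESTRICTION, 0 },
                   { KU_SIGN, NO_RESTRICTION, 0 } }, 3, 0 };
    return ch;
}

/* Permitted usage: key usage masked by the trusted usage when one is set. */
int effective_usage(const Cert *c) {
    int mask = c->trustedUsage == NO_RESTRICTION ? ~0 : c->trustedUsage;
    return c->keyUsage & mask;
}

/* The write lands on whichever certificate the cursor selects. */
void set_trusted_implicit(Chain *ch, int value) {
    ch->certs[ch->cursor].trustedImplicit = value;
}
/* Models moving the cursor to the top-level CA before the write. */
void cursor_last(Chain *ch) { ch->cursor = ch->count - 1; }
/* Trust propagates down: cert i is covered if it or any cert above is marked. */
int is_trusted(const Chain *ch, int i) {
    for (; i < ch->count; i++)
        if (ch->certs[i].trustedImplicit) return 1;
    return 0;
}

int main(void) {
    Chain wrong = sample_chain(), right = sample_chain();
    set_trusted_implicit(&wrong, 1);  /* cursor still on the leaf */
    cursor_last(&right); set_trusted_implicit(&right, 1); /* marks the root */
    printf("intermediate CA trusted: leaf marked=%d, root marked=%d\n",
           is_trusted(&wrong, 1), is_trusted(&right, 1));
    return 0;
}
```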
The certificate trust settings are part of cryptlib’s configuration options, which are
explained in more detail in “Working with Configuration Options” on page 280. Like
all configuration options, changes to the trust settings only remain in effect during the
current session with cryptlib unless you explicitly force them to be committed to
permanent storage by resetting the configuration changed flag. For example if you
change the trust settings for various certificates and want the new trust values to be
applied when you use cryptlib in the future you would use code like: