Support for PKCS1 RSA added in Corda V3? - rsa

I would like to check if Corda version 3 has support for PKCS1 RSA signatures "1.2.840.113549.1.1.1".
We reported an issue in the thread below, and it looks like it should be included in this version.
Corda RSA issue using createKeystoreForCordaNode
Thanks!!
Javier

According to Corda release-V3, there is indeed support for PKCS1 RSA, see below:
/**
 * RSA PKCS#1 signature scheme using SHA256 for message hashing.
 * The actual algorithm id is 1.2.840.113549.1.1.1
 * Note: Recommended key size >= 3072 bits.
 */
@JvmField
val RSA_SHA256 = SignatureScheme(
    1,
    "RSA_SHA256",
    AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, null),
    listOf(AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, null)),
    BouncyCastleProvider.PROVIDER_NAME,
    "RSA",
    "SHA256WITHRSA",
    null,
    3072,
    "RSA_SHA256 signature scheme using SHA256 as hash algorithm."
)


GPG Key generation failed: End of file

I'm trying to generate a GPG Key following this tutorial: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key but I'm getting the following End of file error:
% gpg --full-generate-key
gpg (GnuPG) 2.3.6; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: name
Email address: email
Comment: comment
You selected this USER-ID:
"name (comment) <email>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: End of file
Key generation failed: End of file
Versions:
gpg (GnuPG) 2.3.6
libgcrypt 1.10.1
Do you know how I can solve this End of file issue?
Thank you in advance!
Are you using macOS? I've had the same problem with the currently latest GnuPG OSX version (2.3.6), which didn't work for me either. Try using the LTS version (2.2.35). It worked fine for me.
Link: https://sourceforge.net/p/gpgosx/docu/Download/

How to access a confluent schema registry server secured with a password using Spring cloud stream?

I'm using spring cloud stream alongside Aiven's schema registry which uses confluent's schema registry. Aiven's schema registry is secured with a password. Based on these instructions, these two config parameters need to be set to successfully access the schema registry server.
props.put("basic.auth.credentials.source", "USER_INFO");
props.put("basic.auth.user.info", "avnadmin:schema-reg-password");
Everything is fine when I only use vanilla java's kafka drivers, but if I use Spring cloud stream, I don't know how to inject these two parameters. At the moment, I'm putting "basic.auth.user.info" and "basic.auth.credentials.source" under "spring.cloud.stream.kafka.binder.configuration" in the application.yml file.
Doing this, I'm getting "401 Unauthorized" on the line where the schema wants to get registered.
Update 1:
Based on 'Ali n's suggestion, I updated the way SchemaRegistryClient's bean was configured so that it becomes aware of the SSL context.
@Bean
public SchemaRegistryClient schemaRegistryClient(
        @Value("${spring.cloud.stream.schemaRegistryClient.endpoint}") String endpoint) {
    try {
        // Client key material (PKCS#12) presented to the server.
        final KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new FileInputStream(
                new File("path/to/client.keystore.p12")),
                "secret".toCharArray());
        // Trust store holding the CA certificate.
        final KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(new FileInputStream(
                new File("path/to/client.truststore.jks")),
                "secret".toCharArray());
        // Note: this strategy returns true for every chain, so any server certificate
        // is accepted without being checked against the trust store. Passing null as
        // the strategy leaves validation to the trust store.
        TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;
        SSLContext sslContext = SSLContextBuilder
                .create()
                .loadKeyMaterial(keyStore, "secret".toCharArray())
                .loadTrustMaterial(trustStore, acceptingTrustStrategy)
                .build();
        HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
        ClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(
                httpClient);
        ConfluentSchemaRegistryClient schemaRegistryClient = new ConfluentSchemaRegistryClient(
                new RestTemplate(requestFactory));
        schemaRegistryClient.setEndpoint(endpoint);
        return schemaRegistryClient;
    } catch (Exception ex) {
        ex.printStackTrace();
        return null;
    }
}
This helped get rid of the error on the app's startup and registered the schema. However, whenever the app wanted to push a message to Kafka, a new error was thrown again. Finally this was also fixed by mmelsen's answer.
I ran into the same problem: I had to connect to a secured schema registry hosted by Aiven and secured by basic auth. In order to make it work I had to configure the following properties:
spring.kafka.properties.schema.registry.url=https://***.aiven***.com:port
spring.kafka.properties.basic.auth.credentials.source=USER_INFO
spring.kafka.properties.basic.auth.user.info=username:password
The other properties for my binder are:
spring.cloud.stream.binders.input.type=kafka
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.brokers=https://***.aiven***.com:port <-- different from the before mentioned port
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.security.protocol=SSL
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.ssl.truststore.location=truststore.jks
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.ssl.truststore.password=secret
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.ssl.keystore.type=PKCS12
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.ssl.keystore.location=clientkeystore.p12
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.ssl.keystore.password=secret
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.ssl.key.password=secret
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.binder.configuration.value.deserializer=io.confluent.kafka.serializers.KafkaAvroDeserializer
spring.cloud.stream.binders.input.environment.spring.cloud.stream.kafka.streams.binder.autoCreateTopics=false
What actually happens is that Spring Cloud Stream will add the spring.kafka.properties.basic* to the DefaultKafkaConsumerFactory and that will add the config to the KafkaConsumer. At some point during the initialization of Spring Kafka, a CachedSchemaRegistryClient is created that is provisioned with these properties. This client contains a method called configureRestService that will check if a map of properties contains "basic.auth.credentials.source". As we provide this through the spring.kafka.properties, it will find this property and will take care of creating the appropriate headers when accessing the schema registry's endpoint.
Hope this works out for you as well.
I'm using spring cloud version Greenwich.SR1, spring-boot-starter 2.1.4.RELEASE, avro-version 1.8.2 and confluent.version 5.2.1
The binder configuration only handles well-known consumer and producer properties.
You can set arbitrary properties at the binding level.
spring.cloud.stream.kafka.bindings.<binding>.consumer.configuration.basic.auth...
Since Aiven uses SSL for Kafka security protocol, it is required to use certificates for the authentication.
You can follow this page to understand how it works. In a nutshell, you need to run the following commands to generate certificates and import them:
openssl pkcs12 -export -inkey service.key -in service.cert -out client.keystore.p12 -name service_key
keytool -import -file ca.pem -alias CA -keystore client.truststore.jks
Then you can use the following properties to make use of the certificates:
spring.cloud.stream.kafka.streams.binder:
  configuration:
    security.protocol: SSL
    ssl.truststore.location: client.truststore.jks
    ssl.truststore.password: secret
    ssl.keystore.type: PKCS12
    ssl.keystore.location: client.keystore.p12
    ssl.keystore.password: secret
    ssl.key.password: secret
    key.serializer: org.apache.kafka.common.serialization.StringSerializer
    value.serializer: org.apache.kafka.common.serialization.StringSerializer

How to resolve error Salt must be 8 bytes long

I am writing a program to sign a pdf using certificate (pfx file). For few of the certificates I am getting below exception.
java.security.InvalidAlgorithmParameterException: Salt must be at least 8 bytes long
This happens when I execute the below code.
KeyStore ks = KeyStore.getInstance("pkcs12");
I am getting an exception in the below java file at line number 123.
http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/crypto/provider/HmacPKCS12PBESHA1.java?av=h
Your keystore has one or more certificate(s) that have a salt length which is less than 8. The crypto program requires at least 8 bytes.
I would recommend creating a new keystore with just the one certificate that you need and try signing with that.
I resolved the exception using pkcs12-DEF keystore. I have added my code lines below.
BouncyCastleProvider provider = new BouncyCastleProvider();
Security.addProvider(provider);
KeyStore ks = KeyStore.getInstance("pkcs12-DEF");
Earlier I had not added BouncyCastleProvider to Security, because of which I was not able to get an instance of the pkcs12-DEF keystore.
Apart from this I have also downloaded jar files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html location and replaced it with jar files present in Java\Jdk1.7\jre\lib\security. These are JCE 7 Unlimited strength policy files.

Digital signature with iText and beID (using 2048 RSA key) on JDK8

When used under JDK8, signing PDF files using iText and beID (with a 2048-bit RSA key) throws an exception: RSA key must be at most 1024 bits
26/09/2014 10:48:36 [exitApplication] [SEVERE] - exitApplication with status 1
java.security.InvalidKeyException: RSA key must be at most 1024 bits
at sun.security.pkcs11.P11Signature.checkKeySize(P11Signature.java:363) at sun...
at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java::427)
at java.security.Signature$Delegate.engineInitSign (Signature.java:1129)
at java.security.Signature.initSign (Signature;java:512)
at com.itextpdf.pdf.security.PrivateKeySignature.sign(PrivateKeySignature.java:115)
at com.itextpdf.pdf.security.MakeSignature.signDetached(MakeSignature.java:152)
Use an updated version of the middleware that fixes this bug:
Reported Issue
This issue should be fixed in the future release build (v410), which you can find on http://eid.belgium.be/en/using_your_eid/installing_the_eid_software/windows/

Certificates: OID reference for extended key usages

Is there a reference that maps OIDs to terms used in Microsoft documentation like "Server Authentication" or "Secure Email"?
Server Authentication: 1.3.6.1.5.5.7.3.1
Client Authentication: 1.3.6.1.5.5.7.3.2
Secure Email: 1.3.6.1.5.5.7.3.4
Data Encipherment: 1.3.6.1.4.1.311.10.3.4
Key Encipherment: ?
Digital Signature: ?
I am using these OIDs to generate test certificates with makecert.exe.
There is a support document in the Microsoft knowledge base: https://web.archive.org/web/20180608195005/https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography
As MSFT keeps flipping URLs and dropping information here is a scrap:
Microsoft OID...................................1.3.6.1.4.1.311
Authenticode....................................1.3.6.1.4.1.311.2
Software Publishing (with associated encoders/decoders)
SPC_INDIRECT_DATA_OBJID 1.3.6.1.4.1.311.2.1.4
SPC_STATEMENT_TYPE_OBJID 1.3.6.1.4.1.311.2.1.11
SPC_SP_OPUS_INFO_OBJID 1.3.6.1.4.1.311.2.1.12
SPC_PE_IMAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.15
SPC_SP_AGENCY_INFO_OBJID 1.3.6.1.4.1.311.2.1.10
SPC_MINIMAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.26
SPC_FINANCIAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.27
SPC_LINK_OBJID 1.3.6.1.4.1.311.2.1.28
SPC_HASH_INFO_OBJID 1.3.6.1.4.1.311.2.1.29
SPC_SIPINFO_OBJID 1.3.6.1.4.1.311.2.1.30
Software Publishing (with NO associated encoders/decoders)
SPC_CERT_EXTENSIONS_OBJID 1.3.6.1.4.1.311.2.1.14
SPC_RAW_FILE_DATA_OBJID 1.3.6.1.4.1.311.2.1.18
SPC_STRUCTURED_STORAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.19
SPC_JAVA_CLASS_DATA_OBJID 1.3.6.1.4.1.311.2.1.20
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
SPC_CAB_DATA_OBJID 1.3.6.1.4.1.311.2.1.25
SPC_GLUE_RDN_OBJID 1.3.6.1.4.1.311.2.1.25
CTL for Software Publishers Trusted CAs 1.3.6.1.4.1.311.2.2
(sub-subtree is defined for Software Publishing trusted CAs)
szOID_TRUSTED_CODESIGNING_CA_LIST 1.3.6.1.4.1.311.2.2.1
szOID_TRUSTED_CLIENT_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.2
szOID_TRUSTED_SERVER_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.3
Time Stamping...................................1.3.6.1.4.1.311.3
(with Associated encoder/decoders)
SPC_TIME_STAMP_REQUEST_OBJID 1.3.6.1.4.1.311.3.2.1
Permissions.....................................1.3.6.1.4.1.311.4
Crypto 2.0......................................1.3.6.1.4.1.311.10
PKCS #7 ContentType Object Identifier for Certificate Trust List (CTL)
szOID_CTL 1.3.6.1.4.1.311.10.1
Sorted CTL Extension
szOID_SORTED_CTL 1.3.6.1.4.1.311.10.1.1
Next Update Location extension or attribute. Value is an encoded GeneralNames
szOID_NEXT_UPDATE_LOCATION 1.3.6.1.4.1.311.10.2
Enhanced Key Usage (Purpose)
Signer of CTLs
szOID_KP_CTL_USAGE_SIGNING 1.3.6.1.4.1.311.10.3.1
Signer of TimeStamps
szOID_KP_TIME_STAMP_SIGNING 1.3.6.1.4.1.311.10.3.2
Can use strong encryption in export environment
szOID_SERVER_GATED_CRYPTO 1.3.6.1.4.1.311.10.3.3
szOID_SERIALIZED 1.3.6.1.4.1.311.10.3.3.1
Can use encrypted file systems (EFS)
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_EFS_RECOVERY 1.3.6.1.4.1.311.10.3.4.1
Can use Windows Hardware Compatible (WHQL)
szOID_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.5
Signed by the NT5 build lab
szOID_NT5_CRYPTO 1.3.6.1.4.1.311.10.3.6
Signed by an OEM of WHQL
szOID_OEM_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.7
Signed by the Embedded NT
szOID_EMBEDDED_NT_CRYPTO 1.3.6.1.4.1.311.10.3.8
Signer of a CTL containing trusted roots
szOID_ROOT_LIST_SIGNER 1.3.6.1.4.1.311.10.3.9
Can sign cross-cert and subordinate CA requests with qualified
subordination (name constraints, policy mapping, etc.)
szOID_KP_QUALIFIED_SUBORDINATION 1.3.6.1.4.1.311.10.3.10
Can be used to encrypt/recover escrowed keys
szOID_KP_KEY_RECOVERY 1.3.6.1.4.1.311.10.3.11
Signer of documents
szOID_KP_DOCUMENT_SIGNING 1.3.6.1.4.1.311.10.3.12
Microsoft Attribute Object Identifiers
szOID_YESNO_TRUST_ATTR 1.3.6.1.4.1.311.10.4.1
Microsoft Music
szOID_DRM 1.3.6.1.4.1.311.10.5.1
Microsoft DRM EKU
szOID_DRM_INDIVIDUALIZATION 1.3.6.1.4.1.311.10.5.2
Microsoft Licenses
szOID_LICENSES 1.3.6.1.4.1.311.10.6.1
szOID_LICENSE_SERVER 1.3.6.1.4.1.311.10.6.2
Microsoft CERT_RDN attribute Object Identifiers
szOID_MICROSOFT_RDN_PREFIX 1.3.6.1.4.1.311.10.7
Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
szOID_KEYID_RDN 1.3.6.1.4.1.311.10.7.1
Microsoft extension in a CTL to add or remove the certificates. The
extension type is an INTEGER. 0 => add certificate, 1 => remove certificate
szOID_REMOVE_CERTIFICATE 1.3.6.1.4.1.311.10.8.1
Microsoft certificate extension containing cross certificate distribution
points. ASN.1 encoded as follows:
CrossCertDistPoints ::= SEQUENCE {
syncDeltaTime INTEGER (0..4294967295) OPTIONAL,
crossCertDistPointNames CrossCertDistPointNames
} --#public--
CrossCertDistPointNames ::= SEQUENCE OF GeneralNames
szOID_CROSS_CERT_DIST_POINTS 1.3.6.1.4.1.311.10.9.1
Microsoft CMC OIDs 1.3.6.1.4.1.311.10.10
Similar to szOID_CMC_ADD_EXTENSIONS. Attributes replaces Extensions.
szOID_CMC_ADD_ATTRIBUTES 1.3.6.1.4.1.311.10.10.1
Microsoft certificate property OIDs 1.3.6.1.4.1.311.10.11
The OID component following the prefix contains the PROP_ID (decimal)
szOID_CERT_PROP_ID_PREFIX 1.3.6.1.4.1.311.10.11.
CryptUI 1.3.6.1.4.1.311.10.12
szOID_ANY_APPLICATION_POLICY 1.3.6.1.4.1.311.10.12.1
Catalog.........................................1.3.6.1.4.1.311.12
szOID_CATALOG_LIST 1.3.6.1.4.1.311.12.1.1
szOID_CATALOG_LIST_MEMBER 1.3.6.1.4.1.311.12.1.2
CAT_NAMEVALUE_OBJID 1.3.6.1.4.1.311.12.2.1
CAT_MEMBERINFO_OBJID 1.3.6.1.4.1.311.12.2.2
Microsoft PKCS10 OIDs...........................1.3.6.1.4.1.311.13
szOID_RENEWAL_CERTIFICATE 1.3.6.1.4.1.311.13.1
szOID_ENROLLMENT_NAME_VALUE_PAIR 1.3.6.1.4.1.311.13.2.1
szOID_ENROLLMENT_CSP_PROVIDER 1.3.6.1.4.1.311.13.2.2
Microsoft Java..................................1.3.6.1.4.1.311.15
Microsoft Outlook/Exchange......................1.3.6.1.4.1.311.16
Outlook Express 1.3.6.1.4.1.311.16.4
Used by OL/OLEXP to identify which certificate signed the PKCS # 7 message
Microsoft PKCS12 attributes.....................1.3.6.1.4.1.311.17
szOID_LOCAL_MACHINE_KEYSET 1.3.6.1.4.1.311.17.1
Microsoft Hydra.................................1.3.6.1.4.1.311.18
Microsoft ISPU Test.............................1.3.6.1.4.1.311.19
Microsoft Enrollment Infrastructure..............1.3.6.1.4.1.311.20
szOID_AUTO_ENROLL_CTL_USAGE 1.3.6.1.4.1.311.20.1
Extension contain certificate type
szOID_ENROLL_CERTTYPE_EXTENSION 1.3.6.1.4.1.311.20.2
szOID_ENROLLMENT_AGENT 1.3.6.1.4.1.311.20.2.1
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3
szOID_CERT_MANIFOLD 1.3.6.1.4.1.311.20.3
Microsoft CertSrv Infrastructure.................1.3.6.1.4.1.311.21
CertSrv (with associated encoders/decoders)
szOID_CERTSRV_CA_VERSION 1.3.6.1.4.1.311.21.1
Microsoft Directory Service.....................1.3.6.1.4.1.311.25
szOID_NTDS_REPLICATION 1.3.6.1.4.1.311.25.1
IIS.............................................1.3.6.1.4.1.311.30
Windows updates and service packs...............1.3.6.1.4.1.311.31
szOID_PRODUCT_UPDATE 1.3.6.1.4.1.311.31.1
Fonts...........................................1.3.6.1.4.1.311.40
Microsoft Licensing and Registration............1.3.6.1.4.1.311.41
Microsoft Corporate PKI (ITG)...................1.3.6.1.4.1.311.42
CAPICOM.........................................1.3.6.1.4.1.311.88
szOID_CAPICOM 1.3.6.1.4.1.311.88 Reserved for CAPICOM.
szOID_CAPICOM_VERSION 1.3.6.1.4.1.311.88.1 CAPICOM version
szOID_CAPICOM_ATTRIBUTE 1.3.6.1.4.1.311.88.2 CAPICOM attribute
szOID_CAPICOM_DOCUMENT_NAME 1.3.6.1.4.1.311.88.2.1 Document type attribute
szOID_CAPICOM_DOCUMENT_DESCRIPTION 1.3.6.1.4.1.311.88.2.2 Document description attribute
szOID_CAPICOM_ENCRYPTED_DATA 1.3.6.1.4.1.311.88.3 CAPICOM encrypted data message.
szOID_CAPICOM_ENCRYPTED_CONTENT 1.3.6.1.4.1.311.88.3.1 CAPICOM content of encrypted data.
Microsoft OID...................................1.3.6.1.4.1.311
Authenticode....................................1.3.6.1.4.1.311.2
Software Publishing (with associated encoders/decoders)
SPC_INDIRECT_DATA_OBJID 1.3.6.1.4.1.311.2.1.4
SPC_STATEMENT_TYPE_OBJID 1.3.6.1.4.1.311.2.1.11
SPC_SP_OPUS_INFO_OBJID 1.3.6.1.4.1.311.2.1.12
SPC_PE_IMAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.15
SPC_SP_AGENCY_INFO_OBJID 1.3.6.1.4.1.311.2.1.10
SPC_MINIMAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.26
SPC_FINANCIAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.27
SPC_LINK_OBJID 1.3.6.1.4.1.311.2.1.28
SPC_HASH_INFO_OBJID 1.3.6.1.4.1.311.2.1.29
SPC_SIPINFO_OBJID 1.3.6.1.4.1.311.2.1.30
Software Publishing (with NO associated encoders/decoders)
SPC_CERT_EXTENSIONS_OBJID 1.3.6.1.4.1.311.2.1.14
SPC_RAW_FILE_DATA_OBJID 1.3.6.1.4.1.311.2.1.18
SPC_STRUCTURED_STORAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.19
SPC_JAVA_CLASS_DATA_OBJID 1.3.6.1.4.1.311.2.1.20
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
SPC_CAB_DATA_OBJID 1.3.6.1.4.1.311.2.1.25
SPC_GLUE_RDN_OBJID 1.3.6.1.4.1.311.2.1.25
CTL for Software Publishers Trusted CAs 1.3.6.1.4.1.311.2.2
(sub-subtree is defined for Software Publishing trusted CAs)
szOID_TRUSTED_CODESIGNING_CA_LIST 1.3.6.1.4.1.311.2.2.1
szOID_TRUSTED_CLIENT_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.2
szOID_TRUSTED_SERVER_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.3
Time Stamping...................................1.3.6.1.4.1.311.3
(with Associated encoder/decoders)
SPC_TIME_STAMP_REQUEST_OBJID 1.3.6.1.4.1.311.3.2.1
Permissions.....................................1.3.6.1.4.1.311.4
Crypto 2.0......................................1.3.6.1.4.1.311.10
PKCS #7 ContentType Object Identifier for Certificate Trust List (CTL)
szOID_CTL 1.3.6.1.4.1.311.10.1
Sorted CTL Extension
szOID_SORTED_CTL 1.3.6.1.4.1.311.10.1.1
Next Update Location extension or attribute. Value is an encoded GeneralNames
szOID_NEXT_UPDATE_LOCATION 1.3.6.1.4.1.311.10.2
Enhanced Key Usage (Purpose)
Signer of CTLs
szOID_KP_CTL_USAGE_SIGNING 1.3.6.1.4.1.311.10.3.1
Signer of TimeStamps
szOID_KP_TIME_STAMP_SIGNING 1.3.6.1.4.1.311.10.3.2
Can use strong encryption in export environment
szOID_SERVER_GATED_CRYPTO 1.3.6.1.4.1.311.10.3.3
szOID_SERIALIZED 1.3.6.1.4.1.311.10.3.3.1
Can use encrypted file systems (EFS)
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_EFS_RECOVERY 1.3.6.1.4.1.311.10.3.4.1
Can use Windows Hardware Compatible (WHQL)
szOID_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.5
Signed by the NT5 build lab
szOID_NT5_CRYPTO 1.3.6.1.4.1.311.10.3.6
Signed by an OEM of WHQL
szOID_OEM_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.7
Signed by the Embedded NT
szOID_EMBEDDED_NT_CRYPTO 1.3.6.1.4.1.311.10.3.8
Signer of a CTL containing trusted roots
szOID_ROOT_LIST_SIGNER 1.3.6.1.4.1.311.10.3.9
Can sign cross-cert and subordinate CA requests with qualified
subordination (name constraints, policy mapping, etc.)
szOID_KP_QUALIFIED_SUBORDINATION 1.3.6.1.4.1.311.10.3.10
Can be used to encrypt/recover escrowed keys
szOID_KP_KEY_RECOVERY 1.3.6.1.4.1.311.10.3.11
Signer of documents
szOID_KP_DOCUMENT_SIGNING 1.3.6.1.4.1.311.10.3.12
Limits the valid lifetime of the signature to the lifetime of the certificate.
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
szOID_KP_MOBILE_DEVICE_SOFTWARE 1.3.6.1.4.1.311.10.3.14
Microsoft Attribute Object Identifiers
szOID_YESNO_TRUST_ATTR 1.3.6.1.4.1.311.10.4.1
Microsoft Music
szOID_DRM 1.3.6.1.4.1.311.10.5.1
Microsoft DRM EKU
szOID_DRM_INDIVIDUALIZATION 1.3.6.1.4.1.311.10.5.2
Microsoft Licenses
szOID_LICENSES 1.3.6.1.4.1.311.10.6.1
szOID_LICENSE_SERVER 1.3.6.1.4.1.311.10.6.2
Microsoft CERT_RDN attribute Object Identifiers
szOID_MICROSOFT_RDN_PREFIX 1.3.6.1.4.1.311.10.7
Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
szOID_KEYID_RDN 1.3.6.1.4.1.311.10.7.1
Microsoft extension in a CTL to add or remove the certificates. The
extension type is an INTEGER. 0 => add certificate, 1 => remove certificate
szOID_REMOVE_CERTIFICATE 1.3.6.1.4.1.311.10.8.1
Microsoft certificate extension containing cross certificate distribution
points. ASN.1 encoded as follows:
CrossCertDistPoints ::= SEQUENCE {
syncDeltaTime INTEGER (0..4294967295) OPTIONAL,
crossCertDistPointNames CrossCertDistPointNames
} --#public--
CrossCertDistPointNames ::= SEQUENCE OF GeneralNames
szOID_CROSS_CERT_DIST_POINTS 1.3.6.1.4.1.311.10.9.1
Microsoft CMC OIDs 1.3.6.1.4.1.311.10.10
Similar to szOID_CMC_ADD_EXTENSIONS. Attributes replaces Extensions.
szOID_CMC_ADD_ATTRIBUTES 1.3.6.1.4.1.311.10.10.1
Microsoft certificate property OIDs 1.3.6.1.4.1.311.10.11
The OID component following the prefix contains the PROP_ID (decimal)
szOID_CERT_PROP_ID_PREFIX 1.3.6.1.4.1.311.10.11.
CryptUI 1.3.6.1.4.1.311.10.12
szOID_ANY_APPLICATION_POLICY 1.3.6.1.4.1.311.10.12.1
Catalog.........................................1.3.6.1.4.1.311.12
szOID_CATALOG_LIST 1.3.6.1.4.1.311.12.1.1
szOID_CATALOG_LIST_MEMBER 1.3.6.1.4.1.311.12.1.2
CAT_NAMEVALUE_OBJID 1.3.6.1.4.1.311.12.2.1
CAT_MEMBERINFO_OBJID 1.3.6.1.4.1.311.12.2.2
Microsoft PKCS10 OIDs...........................1.3.6.1.4.1.311.13
szOID_RENEWAL_CERTIFICATE 1.3.6.1.4.1.311.13.1
szOID_ENROLLMENT_NAME_VALUE_PAIR 1.3.6.1.4.1.311.13.2.1
szOID_ENROLLMENT_CSP_PROVIDER 1.3.6.1.4.1.311.13.2.2
szOID_OS_VERSION 1.3.6.1.4.1.311.13.2.3
Microsoft Java..................................1.3.6.1.4.1.311.15
Microsoft Outlook/Exchange......................1.3.6.1.4.1.311.16
Used by OL/OLEXP to identify which certificate signed the PKCS # 7 message
szOID_MICROSOFT_Encryption_Key_Preference 1.3.6.1.4.1.311.16.4
Microsoft PKCS12 attributes.....................1.3.6.1.4.1.311.17
szOID_LOCAL_MACHINE_KEYSET 1.3.6.1.4.1.311.17.1
Microsoft Hydra.................................1.3.6.1.4.1.311.18
License Info root
szOID_PKIX_LICENSE_INFO 1.3.6.1.4.1.311.18.1
Manufacturer value
szOID_PKIX_MANUFACTURER 1.3.6.1.4.1.311.18.2
Manufacturer Specific Data
szOID_PKIX_MANUFACTURER_MS_SPECIFIC 1.3.6.1.4.1.311.18.3
OID for Certificate Version Stamp
szOID_PKIX_HYDRA_CERT_VERSION 1.3.6.1.4.1.311.18.4
OID for License Server to identify licensed product.
szOID_PKIX_LICENSED_PRODUCT_INFO 1.3.6.1.4.1.311.18.5
OID for License Server specific info.
szOID_PKIX_MS_LICENSE_SERVER_INFO 1.3.6.1.4.1.311.18.6
Extension OID reserved for product policy module - only one is allowed.
szOID_PKIS_PRODUCT_SPECIFIC_OID 1.3.6.1.4.1.311.18.7
szOID_PKIS_TLSERVER_SPK_OID 1.3.6.1.4.1.311.18.8
Microsoft ISPU Test.............................1.3.6.1.4.1.311.19
Microsoft Enrollment Infrastructure.............1.3.6.1.4.1.311.20
szOID_AUTO_ENROLL_CTL_USAGE 1.3.6.1.4.1.311.20.1
Extension contain certificate type
szOID_ENROLL_CERTTYPE_EXTENSION 1.3.6.1.4.1.311.20.2
szOID_ENROLLMENT_AGENT 1.3.6.1.4.1.311.20.2.1
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3
szOID_CERT_MANIFOLD 1.3.6.1.4.1.311.20.3
Microsoft CertSrv Infrastructure................1.3.6.1.4.1.311.21
CertSrv (with associated encoders/decoders)
szOID_CERTSRV_CA_VERSION 1.3.6.1.4.1.311.21.1
Contains the sha1 hash of the previous version of the CA certificate.
szOID_CERTSRV_PREVIOUS_CERT_HASH 1.3.6.1.4.1.311.21.2
Delta CRLs only. Contains the base CRL Number of the corresponding base CRL.
szOID_CRL_VIRTUAL_BASE 1.3.6.1.4.1.311.21.3
Contains the time when the next CRL is expected to be published. This may be sooner than the CRL's NextUpdate field.
szOID_CRL_NEXT_PUBLISH 1.3.6.1.4.1.311.21.4
Enhanced Key Usage for CA encryption certificate
szOID_KP_CA_EXCHANGE 1.3.6.1.4.1.311.21.5
Enhanced Key Usage for key recovery agent certificate
szOID_KP_KEY_RECOVERY_AGENT 1.3.6.1.4.1.311.21.6
Certificate template extension (v2)
szOID_CERTIFICATE_TEMPLATE 1.3.6.1.4.1.311.21.7
The root oid for all enterprise specific oids
szOID_ENTERPRISE_OID_ROOT 1.3.6.1.4.1.311.21.8
Dummy signing Subject RDN
szOID_RDN_DUMMY_SIGNER 1.3.6.1.4.1.311.21.9
Application Policies extension -- same encoding as szOID_CERT_POLICIES
szOID_APPLICATION_CERT_POLICIES 1.3.6.1.4.1.311.21.10
Application Policy Mappings -- same encoding as szOID_POLICY_MAPPINGS
szOID_APPLICATION_POLICY_MAPPINGS 1.3.6.1.4.1.311.21.11
Application Policy Constraints -- same encoding as szOID_POLICY_CONSTRAINTS
szOID_APPLICATION_POLICY_CONSTRAINTS 1.3.6.1.4.1.311.21.12
szOID_ARCHIVED_KEY_ATTR 1.3.6.1.4.1.311.21.13
szOID_CRL_SELF_CDP 1.3.6.1.4.1.311.21.14
Requires all certificates below the root to have a non-empty intersecting issuance certificate policy usage.
szOID_REQUIRE_CERT_CHAIN_POLICY 1.3.6.1.4.1.311.21.15
szOID_ARCHIVED_KEY_CERT_HASH 1.3.6.1.4.1.311.21.16
szOID_ISSUED_CERT_HASH 1.3.6.1.4.1.311.21.17
Enhanced key usage for DS email replication
szOID_DS_EMAIL_REPLICATION 1.3.6.1.4.1.311.21.19
szOID_REQUEST_CLIENT_INFO 1.3.6.1.4.1.311.21.20
szOID_ENCRYPTED_KEY_HASH 1.3.6.1.4.1.311.21.21
szOID_CERTSRV_CROSSCA_VERSION 1.3.6.1.4.1.311.21.22
Microsoft Directory Service.....................1.3.6.1.4.1.311.25
szOID_NTDS_REPLICATION 1.3.6.1.4.1.311.25.1
IIS.............................................1.3.6.1.4.1.311.30
szOID_IIS_VIRTUAL_SERVER 1.3.6.1.4.1.311.30.1
Microsoft WWOps BizExt..........................1.3.6.1.4.1.311.43
Microsoft Peer Networking.......................1.3.6.1.4.1.311.44
Subtrees for general use including pnrp, IM, and grouping
szOID_PEERNET_GENERAL
szOID_PEERNET_PNRP 1.3.6.1.4.1.311.44.1
szOID_PEERNET_IDENTITY 1.3.6.1.4.1.311.44.2
szOID_PEERNET_GROUPING 1.3.6.1.4.1.311.44.3
Property that contains the type of the certificate (GMC, GRC, etc.)
szOID_PEERNET_CERT_TYPE 1.3.6.1.4.1.311.44.0.1
Type of the value in the 'other' name: peer name
szOID_PEERNET_PEERNAME 1.3.6.1.4.1.311.44.0.2
Type : classifier
szOID_PEERNET_CLASSIFIER 1.3.6.1.4.1.311.44.0.3
Property containing the version of the certificate
szOID_PEERNET_CERT_VERSION 1.3.6.1.4.1.311.44.0.4
PNRP specific properties
szOID_PEERNET_PNRP_ADDRESS 1.3.6.1.4.1.311.44.1.1
szOID_PEERNET_PNRP_FLAGS 1.3.6.1.4.1.311.44.1.2
szOID_PEERNET_PNRP_PAYLOAD 1.3.6.1.4.1.311.44.1.3
szOID_PEERNET_PNRP_ID 1.3.6.1.4.1.311.44.1.4
Identity flags, placeholder
szOID_PEERNET_IDENTITY_FLAGS 1.3.6.1.4.1.311.44.2.2
Peer name of the group
szOID_PEERNET_GROUPING_PEERNAME 1.3.6.1.4.1.311.44.3.1
Group flags: placeholder
szOID_PEERNET_GROUPING_FLAGS 1.3.6.1.4.1.311.44.3.2
List of roles in the GMC
szOID_PEERNET_GROUPING_ROLES 1.3.6.1.4.1.311.44.3.3
List of classifiers in the GMC
szOID_PEERNET_GROUPING_CLASSIFIERS 1.3.6.1.4.1.311.44.3.5
Mobile Devices Code Signing.....................1.3.6.1.4.1.311.45
CAPICOM.........................................1.3.6.1.4.1.311.88
Reserved for CAPICOM.
szOID_CAPICOM 1.3.6.1.4.1.311.88
CAPICOM version
szOID_CAPICOM_VERSION 1.3.6.1.4.1.311.88.1
CAPICOM attribute
szOID_CAPICOM_ATTRIBUTE 1.3.6.1.4.1.311.88.2
Document type attribute
szOID_CAPICOM_DOCUMENT_NAME 1.3.6.1.4.1.311.88.2.1
Document description attribute
szOID_CAPICOM_DOCUMENT_DESCRIPTION 1.3.6.1.4.1.311.88.2.2
CAPICOM encrypted data message.
szOID_CAPICOM_ENCRYPTED_DATA 1.3.6.1.4.1.311.88.3
CAPICOM content of encrypted data.
szOID_CAPICOM_ENCRYPTED_CONTENT 1.3.6.1.4.1.311.88.3.1
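
The two entries left as "?" in the question, Key Encipherment and Digital Signature, have no OID of their own: in X.509 they are bits of the keyUsage extension (2.5.29.15), while the other names are OIDs carried in extendedKeyUsage (2.5.29.37). The following is an added example, not part of the original thread, that decodes both extension values from DER; the function names and the sample bytes are constructed for illustration, and the name table uses only OIDs quoted on this page.

```python
# Added example: decode the DER value of extendedKeyUsage (SEQUENCE OF OID)
# and keyUsage (BIT STRING) so a test certificate's purposes can be checked.

# OID -> name, taken from the question and the Microsoft list above.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "szOID_EFS_CRYPTO",
    "1.3.6.1.4.1.311.10.3.12": "szOID_KP_DOCUMENT_SIGNING",
    "1.3.6.1.4.1.311.20.2.2": "szOID_KP_SMARTCARD_LOGON",
}

# keyUsage bit names in bit order 0..8 (RFC 5280).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(body):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in body:  # base-128, high bit set means "more bytes follow"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]  # first sub-identifier packs the first two arcs as 40*X + Y
    head = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_eku(ext_value):
    """Return [(oid, name)] for an extendedKeyUsage extension value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("extendedKeyUsage must be a single DER SEQUENCE")
    purposes, pos = [], 0
    while pos < len(body):
        tag, oid_body, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oid = decode_oid(oid_body)
        purposes.append((oid, EKU_NAMES.get(oid, "(not in table)")))
    return purposes


def decode_key_usage(ext_value):
    """Return the names of the bits set in a keyUsage extension value."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x03 or end != len(ext_value) or not body:
        raise ValueError("keyUsage must be a single DER BIT STRING")
    unused, bits = body[0], body[1:]
    if unused > 7 or (unused and not bits):
        raise ValueError("invalid unused-bits count")
    total = len(bits) * 8 - unused
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total and bits[i // 8] & (0x80 >> (i % 8))]


# Constructed sample values (not taken from a real certificate).
SAMPLE_EKU = bytes.fromhex(
    "3020"
    "06082b06010505070301"      # 1.3.6.1.5.5.7.3.1
    "06082b06010505070302"      # 1.3.6.1.5.5.7.3.2
    "060a2b0601040182370a030c"  # 1.3.6.1.4.1.311.10.3.12
)
SAMPLE_KEY_USAGE = bytes.fromhex("030205a0")  # bits 0 and 2 set, 5 unused bits

if __name__ == "__main__":
    for oid, name in decode_eku(SAMPLE_EKU):
        print(oid, name)
    print(decode_key_usage(SAMPLE_KEY_USAGE))
```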