When used under JDK8, the signature of PDF files using iText and beID (with an RSA key of 2048 bits) will throw an exception: RSA key must be at most 1024 bits
26/09/2014 10:48:36 [exitApplication] [SEVERE] - exitApplication with status 1
java.security.InvalidKeyException: RSA key must be at most 1024 bits
at sun.security.pkcs11.P11Signature.checkKeySize(P11Signature.java:363) at sun...
at sun.security.pkcs11.P11Signature.engineInitSign(P11Signature.java:427)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1129)
at java.security.Signature.initSign(Signature.java:512)
at com.itextpdf.pdf.security.PrivateKeySignature.sign(PrivateKeySignature.java:115)
at com.itextpdf.pdf.security.MakeSignature.signDetached(MakeSignature.java:152)
Use an updated version of the middleware that fixes this bug:
Reported Issue
This issue should be fixed in the future release build (v410), which you can find on http://eid.belgium.be/en/using_your_eid/installing_the_eid_software/windows/
I'm trying to generate a GPG Key following this tutorial: https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key but I'm getting the following End of file error:
% gpg --full-generate-key
gpg (GnuPG) 2.3.6; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: name
Email address: email
Comment: comment
You selected this USER-ID:
"name (comment) <email>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: agent_genkey failed: End of file
Key generation failed: End of file
Versions:
gpg (GnuPG) 2.3.6
libgcrypt 1.10.1
Do you know how can I solve this End of file issue?
Thank you in advance!
Are you using macOS? I've had the same problem with the currently latest GnuPG OSX version (2.3.6), which didn't work for me either. Try using the LTS version (2.2.35). It worked fine for me.
Link: https://sourceforge.net/p/gpgosx/docu/Download/
How do I use GPG to verify the ASC signature of a PgAdmin binary?
This is the binary I am verifying: https://ftp.postgresql.org/pub/pgadmin/pgadmin4/v3.3/macos/pgadmin4-3.3.dmg
This is the signature I am using:
https://ftp.postgresql.org/pub/pgadmin/pgadmin4/v3.3/macos/pgadmin4-3.3.dmg.asc
Steps I followed from this serverfault answer:
Download binary to ~/Downloads
Import signature
$ gpg --import pgadmin4-3.3.dmg.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
That didn't work so I tried to verify using the ASC
gpg --verify pgadmin4-3.3.dmg.asc pgadmin4-3.3.dmg
gpg: Signature made Mon Sep 3 03:27:56 2018 MDT
gpg: using RSA key E8697E2EEF76C02D3A6332778881B2A8210976F2
gpg: Can't check signature: No public key
That didn't work either. Do I need an additional file?
After emailing the mailing list (should have started there) I was sent the following URL: https://pgp.mit.edu/pks/lookup?op=get&search=0x8881B2A8210976F2
This contained the following text, which imported successfully:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu
mQINBFtyz58BEACgKbtY59R0mxs8rWJNAn1BWNXwhuTvELNCV6gZkMRGFP14tMopd9VcUx5U
WiulT5wysji63xhkNljmE90jJdlxZwZ+XtnmLzIqp6i29EkAIUt1AoxMw2ipMhfuwE6WA6VY
xQihu5z2IDOR1PdDUHF5cX/GZgBon/2A33rG5IKTcaNZzL0Oc3rS5VzOzwnp1FHPlR7PY7BR
DNe8q1MrQq14tlgMTaYziNg2t2YwjuhNV6G33qGEh390aUnO/eMWIPJzKoi4mE5mhEbh4L/7
sFlcRUC6Vs1xa5Ab+L5y2xoDe2grraKDu+XpGJaDPLunlhDSTUsp0HsoLVU4ne/HNbCAm2b2
5tKFcFTUwDH4Ekge1/bQLCvxkB63MMLa/FgsJ0XAr8zKEQFrc89qJU4JuvadL4hAIqZ1ywFl
wTOBaNfZHbW2Pt5fprktIL5d5jIHAdQrFPvLqhhjhM03de6O6dS5lDeP8dTdqzMcqBkwFMmj
ZMeRAcoJvs0jJNc0fYwL3h2JSWQnIhsvcSe6gk8GFVRbCCy9UplK1K/5TWw+y3mtfWwUCUSW
nBIuUTV+5iG21o3rdZgfEjXJtBAWW/hKoVwBTe5Ir9yIqaomG5ul0Sn2EgOravnsAWe2nk4l
9cno5CPhGunEtiOD8YQJHskk7/NMtnPegB5j4tprXGS/cK/5hQARAQABtDxQYWNrYWdlIE1h
bmFnZXIgKFBhY2thZ2UgU2lnbmluZyBLZXkpIDxwYWNrYWdlc0BwZ2FkbWluLm9yZz6JAk4E
EwEKADgWIQToaX4u73bALTpjMneIgbKoIQl28gUCW3LPnwIbAwULCQgHAgYVCgkICwIEFgID
AQIeAQIXgAAKCRCIgbKoIQl28ukfD/4y3gGysVSJU1964mpi/4NtSTruQ+fx8rN1vY/cctdQ
Vr1ltuJsDRyPgGpXIh9zeK0/bkCreCcuGezm2WOUFR6Kf54zMWWbIrAPpbib7rYi8n50jz7S
kCfSyJZgqO2bAPBUMP6Y09mdLaB4jib9Y6nDhFgm2V0rO64yX/bznVjBzNXFjCTgbPoABU0G
uy4yHGUFHkQ7Hdg1QLhupMWlphlMJbeSxZJx0T6ApNvr2Qg+uFykSXbXjP2e/tXGb9NeHveT
tw/hD2yMPzXJZ4uQbk8mJWDfD87fHY4ZUVqLJtKiS3omePJ5FWMPnLl0PLICkvmhmhoxyKFG
jB+62/PpYwclZLR8iB7wn9tIA/q6BqP/BBhgmzpuh7ZOAU/zUZ5D+tHuQ9X0e29iFs4nxewm
SM1uCq++l+gGMFRMn0FPH8nyQS/EcB/qXXRc0J3Ja7VVfH5BdjmVvqTeJmwY+xGdLZAh/WZ9
raWd/qbRGNIcYOyhHnvp719EQxYSiiJbIQcRLDbcIBiUG322ubSiR4+saYfx4ixrHvx8QYbt
agien0kkXtoouhhIuLxq/EADRb979ZvQ1hnlUkSGHRN6mDNyLztRqy/iibZrSgX+iKR9lQYI
5MnhchihgoN7jyFUiGTV/VSG6oH2KHiTgUQawli9OirnBB1oekf2+QZfZUvnM+b+SokCMwQQ
AQoAHRYhBODEzuuCax/aT7Ro4CSt+q9pjxUZBQJbcs/+AAoJECSt+q9pjxUZ4fAP/iQpwcrU
ZrPp3WI3hi3wHAe+L6E6LiWlhMEMlqfy/2/xOpDEniwy6IEbMV7+H8WSbFYnTBM6EJAWPCMK
ZAfkduuB6xqHllEuPuFY9O13+fV5bJMrW/ej3MbX2yz+wfa6LLORRBB/e4R34suzmlSzQzRt
tPHejmpNicn0S2kA07kqdl/2I3KcsWM1a5GeRZAukDSMLI6orZAGR+r4xKpdEiEMHfoxYYxu
jmQR9+jqYYPsuViHc3LtIwaKMjTiWBx7wUDF+qIl7bNkT7P94VudNU9hhzCcYSAt4qiDykTo
jbSlXSx/ltqoTRhVQlk1kFk2g1O1zHyVpuAkolje5ZmRGa/ZFQWuSOd01n1QqiRLrQDXHKDB
h+sUOqaF4Hby/pwZwcsXGLEzSI9uC5HeWAn/yomDJInpyYwGmT9FyD9YSd9QjpM1y2/w2+KM
j1KRq7GvmZUONYaWp1+A0eCLyhdsZ+bqdS6DVnh0qKT/8ulWUKe+sxiRyAaKBF0QacuuRiRF
AfgWbQbsrEQGcDqLq7lmtmOKa0GrBQJAvTMUkxrpMG6SIe+HsJJ3/u+pmTWg77oiQqTByQPP
JF0/EgMVg/JzstHdI+FA7Q/4DKJZ5NrPBpUUQC0h+Iex426C7gBtnGXQHYB2Nx6xCtwmpPZv
w5THrRb07Y59nZEZLEdcL8bbH/CZuQINBFtyz58BEACt0Hcb8t24ZXsGcOlVnElocMMo17Id
yDvs1j2jJxrNTT6jkxlgwG+ojStsRvllRrG85Wq/FNI6LuBY3Ux+YmdaNm+p8CJiEDE/Gql4
GPSNZ7fCiiopRyyFXg61VM72lWokAT9o9GaSU0/sM5WDeXvMA5QIlAg6+jQ7+R0MMLHeH0GT
MnF58KAFmE7T72+H1zPtvH3qeQlOt+PBMJVNhjiO2MwU7NlUIKVz4Vn1JmxA1kCWEIxZyFS8
2XXKc9BXgPqwnk27lqBxdZzDWFki8SBnDdvwTT/s0chtwekWN4t2RofK0w33TF7+MSQLxpWL
r8igrQQvBq6LBfMqm8tQWHL2VDORDg5kKIpZv4pNxxIFmu1VX+W01Oj2GV6AOJgX6jadMiRl
Hptkz7D/dmnqsCyfDRCmLcwB3y2/behbV1+iW2bViUaFoQIt/XXm2Jo1YtskxZ7LDngDin88
pU6jId1NdxjP2rKUjm/dyH5jMn1engv71w16TH+GVr42ho+yOwOTYo8qKDAvQgI8I8e+MlkM
LRLpgmFiECmWCovJOQ2JHizqFOmr+eSbeg7o5VpWA+cb0sCdbGUX8Kv6i8zP/ayhVnWg1oU5
Q0HTgH9gQ0rzkR+Re2O5xSKuNYnqVOJv4eRzt1NPFgZZOw+PFMJlvEz4ujGwA/OsdJNLQK/H
EK75GwARAQABiQI2BBgBCgAgFiEE6Gl+Lu92wC06YzJ3iIGyqCEJdvIFAltyz58CGwwACgkQ
iIGyqCEJdvKPUg//f2YJGHX9FaNkCpoEk51QW5svpqITO24Ig65mEVVyx1GPOR9BQnCJoXZr
nhEv2d/BpijFE/cR/fHv9bmqc434waeZPyDyflWTn6+MQYMJJfszKdJFaaY4qPeaCcoh7GC2
qw4I5MINfNVTcinOU52XZzt6F+ENm4h8u6vbS+55sKXjRRxNMHbBlNMr0yylukdGrs3PTGEY
tXEPBhms4Plz5uHjwkvf+rti84z2qqdX6y0YWxtRBy0cGeo15NYA8kHJLIQeUYbkV20PC7Uo
oj29DpIsRxDv7F2qZ3KIse8oiJTIubdM+O7zNhzMo+XSUY2HM6aWDLCjV5SuJVJUsPxA3aEK
ijn/PjmGkr4DKhiant0nIB/pzyKelNQJHO5fgCFuV72R9GIR7yBRG2AU5OwgHQdy5F0/4/6L
tNVWZMKy2lEYuyW8fm0rbC7G5Qbz0KhYZWxp3F20rO6679ViMuNQTwQfHI9akdtFqFEFPuoH
yT3VAMxzeUAcMXwBaPcHw1EOlX1kibaM5dbDVOfKEr6JNj4VN00CeuM++rHJSTeM/gcxO+BW
pzaNFF9MMrCBL74wiY+WJ7rogRf5Du7H2e0+w/XOpuIx3rGSO9VhVrVcoTHimJPuWH7j56wy
bLS/TCh6HI8soMjYLzxWbqvSyV0b4xfbczb/7fY4Fah80eE59/M=
=E6/L
-----END PGP PUBLIC KEY BLOCK-----
I then executed the following commands (showing output) to import the key and verify the signature:
$ gpg --import postgres-pub-key.txt
gpg: key 8881B2A8210976F2: 1 signature not checked due to a missing key
gpg: key 8881B2A8210976F2: public key "Package Manager (Package Signing Key) <packages#pgadmin.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: no ultimately trusted keys found
$ gpg --verify pgadmin4-3.3.dmg.asc pgadmin4-3.3.dmg
gpg: Signature made Mon Sep 3 03:27:56 2018 MDT
gpg: using RSA key E8697E2EEF76C02D3A6332778881B2A8210976F2
gpg: Good signature from "Package Manager (Package Signing Key) <packages#pgadmin.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: E869 7E2E EF76 C02D 3A63 3277 8881 B2A8 2109 76F2
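The thread above ends with "Good signature ... [unknown]": gpg confirms that the signature was made by some key in the local keyring, but the trust warning means nothing ties that key to pgAdmin except the fingerprint obtained out of band. The added example below (not part of the original post or of pgAdmin) makes that check explicit: it runs gpg with `--status-fd` and accepts the file only when a GOODSIG/VALIDSIG pair names the pinned primary-key fingerprint from the thread. The helper names (`parse_status`, `signature_ok`, `verify_detached`) are mine, and the status transcripts at the bottom are constructed samples rather than captured output.

```python
"""Verify a detached OpenPGP signature and pin the signer's fingerprint.

Example code added alongside the thread above; it is not from the original
post or from pgAdmin. verify_detached() assumes a `gpg` binary on PATH and
that the public key has already been imported, as shown in the thread.
"""
import subprocess

# Primary key fingerprint of the pgAdmin package signing key as printed by
# gpg in the thread above (the value to obtain out of band and pin).
PGADMIN_FPR = "E8697E2EEF76C02D3A6332778881B2A8210976F2"

# Status keywords after which the signature must not be accepted, whatever
# else gpg printed about it.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_status(status_output: str) -> dict:
    """Reduce GnuPG --status-fd output to the fields a pinning check needs."""
    state = {"good": False, "rejected": False, "primary_fpr": None,
             "signing_fpr": None, "trust": None}
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            state["good"] = True
        elif keyword in REJECT_KEYWORDS:
            state["rejected"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <sig-class> <primary-key-fpr>
            state["signing_fpr"] = fields[2]
            # Older gpg builds omit the trailing primary-key fingerprint; the
            # signing key is then the best we have.
            state["primary_fpr"] = fields[11] if len(fields) >= 12 else fields[2]
        elif keyword.startswith("TRUST_"):
            # TRUST_UNDEFINED is what the human-readable "[unknown]" maps to.
            state["trust"] = keyword
    return state


def normalise_fpr(fpr: str) -> str:
    """Accept the spaced form gpg prints as well as the compact one."""
    return fpr.replace(" ", "").upper()


def signature_ok(status_output: str, expected_fpr: str) -> bool:
    """True only for a good signature whose primary key is the pinned one."""
    s = parse_status(status_output)
    return (s["good"] and not s["rejected"]
            and s["primary_fpr"] is not None
            and normalise_fpr(s["primary_fpr"]) == normalise_fpr(expected_fpr))


def verify_detached(sig_path: str, data_path: str, expected_fpr: str) -> bool:
    """Run gpg and apply the pinning check to its machine-readable status."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return signature_ok(proc.stdout, expected_fpr)


# Constructed status transcripts (not captured from a real run) covering the
# two outcomes seen in the thread: key present, and key missing.
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED E8697E2EEF76C02D3A6332778881B2A8210976F2 0
[GNUPG:] SIG_ID constructedSigId 2018-09-03 1535966876
[GNUPG:] GOODSIG 8881B2A8210976F2 Package Manager (Package Signing Key) <packages#pgadmin.org>
[GNUPG:] VALIDSIG E8697E2EEF76C02D3A6332778881B2A8210976F2 2018-09-03 1535966876 0 4 0 1 10 00 E8697E2EEF76C02D3A6332778881B2A8210976F2
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

SAMPLE_NO_PUBKEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 8881B2A8210976F2 1 10 00 1535966876 9 E8697E2EEF76C02D3A6332778881B2A8210976F2
[GNUPG:] NO_PUBKEY 8881B2A8210976F2
"""

if __name__ == "__main__":
    print("key imported, fingerprint pinned:", signature_ok(SAMPLE_GOOD, PGADMIN_FPR))
    print("key missing:", signature_ok(SAMPLE_NO_PUBKEY, PGADMIN_FPR))
    print("wrong pin:", signature_ok(SAMPLE_GOOD, "0" * 40))
```

Pinning the primary-key fingerprint (rather than the 16-hex-digit key ID in the GOODSIG line) matters because short and long key IDs can collide, while the full fingerprint cannot be chosen by an attacker in practice; the web-of-trust warning can then be ignored for this one, deliberately pinned key.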
I would like to check whether Corda version 3 has support for PKCS1 RSA signatures "1.2.840.113549.1.1.1".
We reported an issue in the thread below, and it looks like it should be included in this version.
Corda RSA issue using createKeystoreForCordaNode
Thanks!!
Javier
According to Corda release-V3, there is indeed support for PKCS1 RSA, see below:
/**
* RSA PKCS#1 signature scheme using SHA256 for message hashing.
* The actual algorithm id is 1.2.840.113549.1.1.1
* Note: Recommended key size >= 3072 bits.
*/
@JvmField
val RSA_SHA256 = SignatureScheme(
1,
"RSA_SHA256",
AlgorithmIdentifier(PKCSObjectIdentifiers.sha256WithRSAEncryption, null),
listOf(AlgorithmIdentifier(PKCSObjectIdentifiers.rsaEncryption, null)),
BouncyCastleProvider.PROVIDER_NAME,
"RSA",
"SHA256WITHRSA",
null,
3072,
"RSA_SHA256 signature scheme using SHA256 as hash algorithm."
)
I am writing a program to sign a PDF using a certificate (pfx file). For a few of the certificates I am getting the exception below.
java.security.InvalidAlgorithmParameterException: Salt must be at least 8 bytes long
This happens when I execute the below code.
KeyStore ks = KeyStore.getInstance("pkcs12");
I am getting an exception in the below java file at line number 123.
http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/crypto/provider/HmacPKCS12PBESHA1.java?av=h
Your keystore has one or more certificate(s) with a salt length of less than 8. The crypto provider requires at least 8 bytes.
I would recommend creating a new keystore with just the one certificate that you need and try signing with that.
I resolved the exception using pkcs12-DEF keystore. I have added my code lines below.
BouncyCastleProvider provider = new BouncyCastleProvider();
Security.addProvider(provider);
KeyStore ks = KeyStore.getInstance("pkcs12-DEF");
Earlier I had not added BouncyCastleProvider to Security, because of which I was not able to get an instance of the pkcs12-DEF keystore.
Apart from this I have also downloaded jar files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html location and replaced it with jar files present in Java\Jdk1.7\jre\lib\security. These are JCE 7 Unlimited strength policy files.
Is there a reference that maps OIDs to terms used in Microsoft documentation like "Server Authentication" or "Secure Email"?
Server Authentication: 1.3.6.1.5.5.7.3.1
Client Authentication: 1.3.6.1.5.5.7.3.2
Secure Email: 1.3.6.1.5.5.7.3.4
Data Encipherment: 1.3.6.1.4.1.311.10.3.4
Key Encipherment: ?
Digital Signature: ?
I am using these OIDs to generate test certificates with makecert.exe.
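As an added example (not from the original post or from Microsoft), here is a small pure-Python module that does the mapping the question asks for and shows why two of the entries have no OID: "Server Authentication", "Secure Email" and friends are Extended Key Usage OIDs, whereas "Digital Signature", "Key Encipherment" and "Data Encipherment" are bit positions inside the KeyUsage extension (OID 2.5.29.15, RFC 5280 section 4.2.1.3), so they never appear as OIDs in a certificate. The code encodes and decodes OBJECT IDENTIFIERs in DER, decodes a KeyUsage BIT STRING into bit names, and looks up the Windows display names; the name table is built from the OIDs quoted in this thread plus the standard RFC 5280 id-kp purposes, and the function names (`encode_oid`, `decode_oid`, `decode_key_usage`, `describe_eku`) are mine.

```python
"""DER encoding of X.509 OIDs and the names the Windows certificate UI shows.

Example code added to this thread; it is not from the original post or from
Microsoft. Names come from the OIDs quoted in the thread and RFC 5280.
"""

# Extended Key Usage OIDs -> friendly name displayed by Windows.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.5.7.3.3": "Code Signing",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.5.5.7.3.8": "Time Stamping",
    "1.3.6.1.5.5.7.3.9": "OCSP Signing",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
    "1.3.6.1.4.1.311.10.3.12": "Document Signing",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
}

# KeyUsage (2.5.29.15) is a BIT STRING; bit i has the name KEY_USAGE_BITS[i].
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def _base128(n: int) -> bytes:
    """Base-128 with continuation bits, most significant group first."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _read_length(der: bytes, pos: int):
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + dotted)
    # The first two arcs share one subidentifier: 40 * arc0 + arc1.
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    return b"\x06" + _der_length(len(body)) + body


def decode_oid(der: bytes) -> str:
    """DER OBJECT IDENTIFIER -> dotted string, rejecting truncated input."""
    if not der or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length, pos = _read_length(der, 1)
    body = der[pos:pos + length]
    if length == 0 or len(body) != length or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    lead = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_key_usage(der: bytes) -> list:
    """DER BIT STRING from a KeyUsage extension -> list of set bit names."""
    if not der or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length, pos = _read_length(der, 1)
    unused = der[pos]                      # number of padding bits in last byte
    bits = der[pos + 1:pos + length]
    usable = len(bits) * 8 - unused
    return [KEY_USAGE_BITS[i] for i in range(min(usable, len(KEY_USAGE_BITS)))
            if (bits[i // 8] >> (7 - i % 8)) & 1]


def describe_eku(der_oids: list) -> list:
    """Map DER-encoded EKU OIDs to display names, falling back to dotted form."""
    names = []
    for d in der_oids:
        dotted = decode_oid(d)
        names.append(EKU_NAMES.get(dotted, dotted))
    return names


if __name__ == "__main__":
    # Constructed inputs: the two EKUs of a typical TLS server certificate and
    # the KeyUsage value 03 02 05 a0 (digitalSignature + keyEncipherment).
    print(encode_oid("1.3.6.1.5.5.7.3.1").hex())
    print(describe_eku([encode_oid("1.3.6.1.5.5.7.3.1"), encode_oid("1.3.6.1.5.5.7.3.2")]))
    print(decode_key_usage(bytes.fromhex("030205a0")))
```

The KeyUsage sample `03 02 05 a0` is what a server certificate with Digital Signature and Key Encipherment carries: 5 unused bits, and the byte `a0` sets bits 0 and 2. For makecert.exe the distinction means the EKU OIDs go into the enhanced key usage option, while the KeyUsage bits are a separate extension.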
There is a support document in the Microsoft knowledge base: https://web.archive.org/web/20180608195005/https://support.microsoft.com/en-us/help/287547/object-ids-associated-with-microsoft-cryptography
As MSFT keeps flipping URLs and dropping information, here is a scrap:
Microsoft OID...................................1.3.6.1.4.1.311
Authenticode....................................1.3.6.1.4.1.311.2
Software Publishing (with associated encoders/decoders)
SPC_INDIRECT_DATA_OBJID 1.3.6.1.4.1.311.2.1.4
SPC_STATEMENT_TYPE_OBJID 1.3.6.1.4.1.311.2.1.11
SPC_SP_OPUS_INFO_OBJID 1.3.6.1.4.1.311.2.1.12
SPC_PE_IMAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.15
SPC_SP_AGENCY_INFO_OBJID 1.3.6.1.4.1.311.2.1.10
SPC_MINIMAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.26
SPC_FINANCIAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.27
SPC_LINK_OBJID 1.3.6.1.4.1.311.2.1.28
SPC_HASH_INFO_OBJID 1.3.6.1.4.1.311.2.1.29
SPC_SIPINFO_OBJID 1.3.6.1.4.1.311.2.1.30
Software Publishing (with NO associated encoders/decoders)
SPC_CERT_EXTENSIONS_OBJID 1.3.6.1.4.1.311.2.1.14
SPC_RAW_FILE_DATA_OBJID 1.3.6.1.4.1.311.2.1.18
SPC_STRUCTURED_STORAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.19
SPC_JAVA_CLASS_DATA_OBJID 1.3.6.1.4.1.311.2.1.20
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
SPC_CAB_DATA_OBJID 1.3.6.1.4.1.311.2.1.25
SPC_GLUE_RDN_OBJID 1.3.6.1.4.1.311.2.1.25
CTL for Software Publishers Trusted CAs 1.3.6.1.4.1.311.2.2
(sub-subtree is defined for Software Publishing trusted CAs)
szOID_TRUSTED_CODESIGNING_CA_LIST 1.3.6.1.4.1.311.2.2.1
szOID_TRUSTED_CLIENT_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.2
szOID_TRUSTED_SERVER_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.3
Time Stamping...................................1.3.6.1.4.1.311.3
(with Associated encoder/decoders)
SPC_TIME_STAMP_REQUEST_OBJID 1.3.6.1.4.1.311.3.2.1
Permissions.....................................1.3.6.1.4.1.311.4
Crypto 2.0......................................1.3.6.1.4.1.311.10
PKCS #7 ContentType Object Identifier for Certificate Trust List (CTL)
szOID_CTL 1.3.6.1.4.1.311.10.1
Sorted CTL Extension
szOID_SORTED_CTL 1.3.6.1.4.1.311.10.1.1
Next Update Location extension or attribute. Value is an encoded GeneralNames
szOID_NEXT_UPDATE_LOCATION 1.3.6.1.4.1.311.10.2
Enhanced Key Usage (Purpose)
Signer of CTLs
szOID_KP_CTL_USAGE_SIGNING 1.3.6.1.4.1.311.10.3.1
Signer of TimeStamps
szOID_KP_TIME_STAMP_SIGNING 1.3.6.1.4.1.311.10.3.2
Can use strong encryption in export environment
szOID_SERVER_GATED_CRYPTO 1.3.6.1.4.1.311.10.3.3
szOID_SERIALIZED 1.3.6.1.4.1.311.10.3.3.1
Can use encrypted file systems (EFS)
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_EFS_RECOVERY 1.3.6.1.4.1.311.10.3.4.1
Can use Windows Hardware Compatible (WHQL)
szOID_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.5
Signed by the NT5 build lab
szOID_NT5_CRYPTO 1.3.6.1.4.1.311.10.3.6
Signed by and OEM of WHQL
szOID_OEM_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.7
Signed by the Embedded NT
szOID_EMBEDDED_NT_CRYPTO 1.3.6.1.4.1.311.10.3.8
Signer of a CTL containing trusted roots
szOID_ROOT_LIST_SIGNER 1.3.6.1.4.1.311.10.3.9
Can sign cross-cert and subordinate CA requests with qualified
subordination (name constraints, policy mapping, etc.)
szOID_KP_QUALIFIED_SUBORDINATION 1.3.6.1.4.1.311.10.3.10
Can be used to encrypt/recover escrowed keys
szOID_KP_KEY_RECOVERY 1.3.6.1.4.1.311.10.3.11
Signer of documents
szOID_KP_DOCUMENT_SIGNING 1.3.6.1.4.1.311.10.3.12
Microsoft Attribute Object Identifiers
szOID_YESNO_TRUST_ATTR 1.3.6.1.4.1.311.10.4.1
Microsoft Music
szOID_DRM 1.3.6.1.4.1.311.10.5.1
Microsoft DRM EKU
szOID_DRM_INDIVIDUALIZATION 1.3.6.1.4.1.311.10.5.2
Microsoft Licenses
szOID_LICENSES 1.3.6.1.4.1.311.10.6.1
szOID_LICENSE_SERVER 1.3.6.1.4.1.311.10.6.2
Microsoft CERT_RDN attribute Object Identifiers
szOID_MICROSOFT_RDN_PREFIX 1.3.6.1.4.1.311.10.7
Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
szOID_KEYID_RDN 1.3.6.1.4.1.311.10.7.1
Microsoft extension in a CTL to add or remove the certificates. The
extension type is an INTEGER. 0 => add certificate, 1 => remove certificate
szOID_REMOVE_CERTIFICATE 1.3.6.1.4.1.311.10.8.1
Microsoft certificate extension containing cross certificate distribution
points. ASN.1 encoded as follows:
CrossCertDistPoints ::= SEQUENCE {
syncDeltaTime INTEGER (0..4294967295) OPTIONAL,
crossCertDistPointNames CrossCertDistPointNames
} --#public--
CrossCertDistPointNames ::= SEQUENCE OF GeneralNames
szOID_CROSS_CERT_DIST_POINTS 1.3.6.1.4.1.311.10.9.1
Microsoft CMC OIDs 1.3.6.1.4.1.311.10.10
Similar to szOID_CMC_ADD_EXTENSIONS. Attributes replaces Extensions.
szOID_CMC_ADD_ATTRIBUTES 1.3.6.1.4.1.311.10.10.1
Microsoft certificate property OIDs 1.3.6.1.4.1.311.10.11
The OID component following the prefix contains the PROP_ID (decimal)
szOID_CERT_PROP_ID_PREFIX 1.3.6.1.4.1.311.10.11.
CryptUI 1.3.6.1.4.1.311.10.12
szOID_ANY_APPLICATION_POLICY 1.3.6.1.4.1.311.10.12.1
Catalog.........................................1.3.6.1.4.1.311.12
szOID_CATALOG_LIST 1.3.6.1.4.1.311.12.1.1
szOID_CATALOG_LIST_MEMBER 1.3.6.1.4.1.311.12.1.2
CAT_NAMEVALUE_OBJID 1.3.6.1.4.1.311.12.2.1
CAT_MEMBERINFO_OBJID 1.3.6.1.4.1.311.12.2.2
Microsoft PKCS10 OIDs...........................1.3.6.1.4.1.311.13
szOID_RENEWAL_CERTIFICATE 1.3.6.1.4.1.311.13.1
szOID_ENROLLMENT_NAME_VALUE_PAIR 1.3.6.1.4.1.311.13.2.1
szOID_ENROLLMENT_CSP_PROVIDER 1.3.6.1.4.1.311.13.2.2
Microsoft Java..................................1.3.6.1.4.1.311.15
Microsoft Outlook/Exchange......................1.3.6.1.4.1.311.16
Outlook Express 1.3.6.1.4.1.311.16.4
Used by OL/OLEXP to identify which certificate signed the PKCS # 7 message
Microsoft PKCS12 attributes.....................1.3.6.1.4.1.311.17
szOID_LOCAL_MACHINE_KEYSET 1.3.6.1.4.1.311.17.1
Microsoft Hydra.................................1.3.6.1.4.1.311.18
Microsoft ISPU Test.............................1.3.6.1.4.1.311.19
Microsoft Enrollment Infrastructure..............1.3.6.1.4.1.311.20
szOID_AUTO_ENROLL_CTL_USAGE 1.3.6.1.4.1.311.20.1
Extension contain certificate type
szOID_ENROLL_CERTTYPE_EXTENSION 1.3.6.1.4.1.311.20.2
szOID_ENROLLMENT_AGENT 1.3.6.1.4.1.311.20.2.1
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3
szOID_CERT_MANIFOLD 1.3.6.1.4.1.311.20.3
Microsoft CertSrv Infrastructure.................1.3.6.1.4.1.311.21
CertSrv (with associated encoders/decoders)
szOID_CERTSRV_CA_VERSION 1.3.6.1.4.1.311.21.1
Microsoft Directory Service.....................1.3.6.1.4.1.311.25
szOID_NTDS_REPLICATION 1.3.6.1.4.1.311.25.1
IIS.............................................1.3.6.1.4.1.311.30
Windows updates and service packs...............1.3.6.1.4.1.311.31
szOID_PRODUCT_UPDATE 1.3.6.1.4.1.311.31.1
Fonts...........................................1.3.6.1.4.1.311.40
Microsoft Licensing and Registration............1.3.6.1.4.1.311.41
Microsoft Corporate PKI (ITG)...................1.3.6.1.4.1.311.42
CAPICOM.........................................1.3.6.1.4.1.311.88
szOID_CAPICOM 1.3.6.1.4.1.311.88 Reserved for CAPICOM.
szOID_CAPICOM_VERSION 1.3.6.1.4.1.311.88.1 CAPICOM version
szOID_CAPICOM_ATTRIBUTE 1.3.6.1.4.1.311.88.2 CAPICOM attribute
szOID_CAPICOM_DOCUMENT_NAME 1.3.6.1.4.1.311.88.2.1 Document type attribute
szOID_CAPICOM_DOCUMENT_DESCRIPTION 1.3.6.1.4.1.311.88.2.2 Document description attribute
szOID_CAPICOM_ENCRYPTED_DATA 1.3.6.1.4.1.311.88.3 CAPICOM encrypted data message.
szOID_CAPICOM_ENCRYPTED_CONTENT 1.3.6.1.4.1.311.88.3.1 CAPICOM content of encrypted data.
Microsoft OID...................................1.3.6.1.4.1.311
Authenticode....................................1.3.6.1.4.1.311.2
Software Publishing (with associated encoders/decoders)
SPC_INDIRECT_DATA_OBJID 1.3.6.1.4.1.311.2.1.4
SPC_STATEMENT_TYPE_OBJID 1.3.6.1.4.1.311.2.1.11
SPC_SP_OPUS_INFO_OBJID 1.3.6.1.4.1.311.2.1.12
SPC_PE_IMAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.15
SPC_SP_AGENCY_INFO_OBJID 1.3.6.1.4.1.311.2.1.10
SPC_MINIMAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.26
SPC_FINANCIAL_CRITERIA_OBJID 1.3.6.1.4.1.311.2.1.27
SPC_LINK_OBJID 1.3.6.1.4.1.311.2.1.28
SPC_HASH_INFO_OBJID 1.3.6.1.4.1.311.2.1.29
SPC_SIPINFO_OBJID 1.3.6.1.4.1.311.2.1.30
Software Publishing (with NO associated encoders/decoders)
SPC_CERT_EXTENSIONS_OBJID 1.3.6.1.4.1.311.2.1.14
SPC_RAW_FILE_DATA_OBJID 1.3.6.1.4.1.311.2.1.18
SPC_STRUCTURED_STORAGE_DATA_OBJID 1.3.6.1.4.1.311.2.1.19
SPC_JAVA_CLASS_DATA_OBJID 1.3.6.1.4.1.311.2.1.20
SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.21
SPC_COMMERCIAL_SP_KEY_PURPOSE_OBJID 1.3.6.1.4.1.311.2.1.22
SPC_CAB_DATA_OBJID 1.3.6.1.4.1.311.2.1.25
SPC_GLUE_RDN_OBJID 1.3.6.1.4.1.311.2.1.25
CTL for Software Publishers Trusted CAs 1.3.6.1.4.1.311.2.2
(sub-subtree is defined for Software Publishing trusted CAs)
szOID_TRUSTED_CODESIGNING_CA_LIST 1.3.6.1.4.1.311.2.2.1
szOID_TRUSTED_CLIENT_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.2
szOID_TRUSTED_SERVER_AUTH_CA_LIST 1.3.6.1.4.1.311.2.2.3
Time Stamping...................................1.3.6.1.4.1.311.3
(with Associated encoder/decoders)
SPC_TIME_STAMP_REQUEST_OBJID 1.3.6.1.4.1.311.3.2.1
Permissions.....................................1.3.6.1.4.1.311.4
Crypto 2.0......................................1.3.6.1.4.1.311.10
PKCS #7 ContentType Object Identifier for Certificate Trust List (CTL)
szOID_CTL 1.3.6.1.4.1.311.10.1
Sorted CTL Extension
szOID_SORTED_CTL 1.3.6.1.4.1.311.10.1.1
Next Update Location extension or attribute. Value is an encoded GeneralNames
szOID_NEXT_UPDATE_LOCATION 1.3.6.1.4.1.311.10.2
Enhanced Key Usage (Purpose)
Signer of CTLs
szOID_KP_CTL_USAGE_SIGNING 1.3.6.1.4.1.311.10.3.1
Signer of TimeStamps
szOID_KP_TIME_STAMP_SIGNING 1.3.6.1.4.1.311.10.3.2
Can use strong encryption in export environment
szOID_SERVER_GATED_CRYPTO 1.3.6.1.4.1.311.10.3.3
szOID_SERIALIZED 1.3.6.1.4.1.311.10.3.3.1
Can use encrypted file systems (EFS)
szOID_EFS_CRYPTO 1.3.6.1.4.1.311.10.3.4
szOID_EFS_RECOVERY 1.3.6.1.4.1.311.10.3.4.1
Can use Windows Hardware Compatible (WHQL)
szOID_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.5
Signed by the NT5 build lab
szOID_NT5_CRYPTO 1.3.6.1.4.1.311.10.3.6
Signed by and OEM of WHQL
szOID_OEM_WHQL_CRYPTO 1.3.6.1.4.1.311.10.3.7
Signed by the Embedded NT
szOID_EMBEDDED_NT_CRYPTO 1.3.6.1.4.1.311.10.3.8
Signer of a CTL containing trusted roots
szOID_ROOT_LIST_SIGNER 1.3.6.1.4.1.311.10.3.9
Can sign cross-cert and subordinate CA requests with qualified
subordination (name constraints, policy mapping, etc.)
szOID_KP_QUALIFIED_SUBORDINATION 1.3.6.1.4.1.311.10.3.10
Can be used to encrypt/recover escrowed keys
szOID_KP_KEY_RECOVERY 1.3.6.1.4.1.311.10.3.11
Signer of documents
szOID_KP_DOCUMENT_SIGNING 1.3.6.1.4.1.311.10.3.12
Limits the valid lifetime of the signature to the lifetime of the certificate.
szOID_KP_LIFETIME_SIGNING 1.3.6.1.4.1.311.10.3.13
szOID_KP_MOBILE_DEVICE_SOFTWARE 1.3.6.1.4.1.311.10.3.14
Microsoft Attribute Object Identifiers
szOID_YESNO_TRUST_ATTR 1.3.6.1.4.1.311.10.4.1
Microsoft Music
szOID_DRM 1.3.6.1.4.1.311.10.5.1
Microsoft DRM EKU
szOID_DRM_INDIVIDUALIZATION 1.3.6.1.4.1.311.10.5.2
Microsoft Licenses
szOID_LICENSES 1.3.6.1.4.1.311.10.6.1
szOID_LICENSE_SERVER 1.3.6.1.4.1.311.10.6.2
Microsoft CERT_RDN attribute Object Identifiers
szOID_MICROSOFT_RDN_PREFIX 1.3.6.1.4.1.311.10.7
Special RDN containing the KEY_ID. Its value type is CERT_RDN_OCTET_STRING.
szOID_KEYID_RDN 1.3.6.1.4.1.311.10.7.1
Microsoft extension in a CTL to add or remove the certificates. The
extension type is an INTEGER. 0 => add certificate, 1 => remove certificate
szOID_REMOVE_CERTIFICATE 1.3.6.1.4.1.311.10.8.1
Microsoft certificate extension containing cross certificate distribution
points. ASN.1 encoded as follows:
CrossCertDistPoints ::= SEQUENCE {
syncDeltaTime INTEGER (0..4294967295) OPTIONAL,
crossCertDistPointNames CrossCertDistPointNames
} --#public--
CrossCertDistPointNames ::= SEQUENCE OF GeneralNames
szOID_CROSS_CERT_DIST_POINTS 1.3.6.1.4.1.311.10.9.1
Microsoft CMC OIDs 1.3.6.1.4.1.311.10.10
Similar to szOID_CMC_ADD_EXTENSIONS. Attributes replaces Extensions.
szOID_CMC_ADD_ATTRIBUTES 1.3.6.1.4.1.311.10.10.1
Microsoft certificate property OIDs 1.3.6.1.4.1.311.10.11
The OID component following the prefix contains the PROP_ID (decimal)
szOID_CERT_PROP_ID_PREFIX 1.3.6.1.4.1.311.10.11.
CryptUI 1.3.6.1.4.1.311.10.12
szOID_ANY_APPLICATION_POLICY 1.3.6.1.4.1.311.10.12.1
Catalog.........................................1.3.6.1.4.1.311.12
szOID_CATALOG_LIST 1.3.6.1.4.1.311.12.1.1
szOID_CATALOG_LIST_MEMBER 1.3.6.1.4.1.311.12.1.2
CAT_NAMEVALUE_OBJID 1.3.6.1.4.1.311.12.2.1
CAT_MEMBERINFO_OBJID 1.3.6.1.4.1.311.12.2.2
Microsoft PKCS10 OIDs...........................1.3.6.1.4.1.311.13
szOID_RENEWAL_CERTIFICATE 1.3.6.1.4.1.311.13.1
szOID_ENROLLMENT_NAME_VALUE_PAIR 1.3.6.1.4.1.311.13.2.1
szOID_ENROLLMENT_CSP_PROVIDER 1.3.6.1.4.1.311.13.2.2
szOID_OS_VERSION 1.3.6.1.4.1.311.13.2.3
Microsoft Java..................................1.3.6.1.4.1.311.15
Microsoft Outlook/Exchange......................1.3.6.1.4.1.311.16
Used by OL/OLEXP to identify which certificate signed the PKCS # 7 message
szOID_MICROSOFT_Encryption_Key_Preference 1.3.6.1.4.1.311.16.4
Microsoft PKCS12 attributes.....................1.3.6.1.4.1.311.17
szOID_LOCAL_MACHINE_KEYSET 1.3.6.1.4.1.311.17.1
Microsoft Hydra.................................1.3.6.1.4.1.311.18
License Info root
szOID_PKIX_LICENSE_INFO 1.3.6.1.4.1.311.18.1
Manufacturer value
szOID_PKIX_MANUFACTURER 1.3.6.1.4.1.311.18.2
Manufacturer Specfic Data
szOID_PKIX_MANUFACTURER_MS_SPECIFIC 1.3.6.1.4.1.311.18.3
OID for Certificate Version Stamp
szOID_PKIX_HYDRA_CERT_VERSION 1.3.6.1.4.1.311.18.4
OID for License Server to identify licensed product.
szOID_PKIX_LICENSED_PRODUCT_INFO 1.3.6.1.4.1.311.18.5
OID for License Server specific info.
szOID_PKIX_MS_LICENSE_SERVER_INFO 1.3.6.1.4.1.311.18.6
Extension OID reserved for product policy module - only one is allowed.
szOID_PKIS_PRODUCT_SPECIFIC_OID 1.3.6.1.4.1.311.18.7
szOID_PKIS_TLSERVER_SPK_OID 1.3.6.1.4.1.311.18.8
Microsoft ISPU Test.............................1.3.6.1.4.1.311.19
Microsoft Enrollment Infrastructure.............1.3.6.1.4.1.311.20
szOID_AUTO_ENROLL_CTL_USAGE 1.3.6.1.4.1.311.20.1
Extension contain certificate type
szOID_ENROLL_CERTTYPE_EXTENSION 1.3.6.1.4.1.311.20.2
szOID_ENROLLMENT_AGENT 1.3.6.1.4.1.311.20.2.1
szOID_KP_SMARTCARD_LOGON 1.3.6.1.4.1.311.20.2.2
szOID_NT_PRINCIPAL_NAME 1.3.6.1.4.1.311.20.2.3
szOID_CERT_MANIFOLD 1.3.6.1.4.1.311.20.3
Microsoft CertSrv Infrastructure................1.3.6.1.4.1.311.21
CertSrv (with associated encoders/decoders)
szOID_CERTSRV_CA_VERSION 1.3.6.1.4.1.311.21.1
Contains the sha1 hash of the previous version of the CA certificate.
szOID_CERTSRV_PREVIOUS_CERT_HASH 1.3.6.1.4.1.311.21.2
Delta CRLs only. Contains the base CRL Number of the corresponding base CRL.
szOID_CRL_VIRTUAL_BASE 1.3.6.1.4.1.311.21.3
Contains the time when the next CRL is expected to be published. This may be sooner than the CRL's NextUpdate field.
szOID_CRL_NEXT_PUBLISH 1.3.6.1.4.1.311.21.4
Enhanced Key Usage for CA encryption certificate
szOID_KP_CA_EXCHANGE 1.3.6.1.4.1.311.21.5
Enhanced Key Usage for key recovery agent certificate
szOID_KP_KEY_RECOVERY_AGENT 1.3.6.1.4.1.311.21.6
Certificate template extension (v2)
szOID_CERTIFICATE_TEMPLATE 1.3.6.1.4.1.311.21.7
The root oid for all enterprise specific oids
szOID_ENTERPRISE_OID_ROOT 1.3.6.1.4.1.311.21.8
Dummy signing Subject RDN
szOID_RDN_DUMMY_SIGNER 1.3.6.1.4.1.311.21.9
Application Policies extension -- same encoding as szOID_CERT_POLICIES
szOID_APPLICATION_CERT_POLICIES 1.3.6.1.4.1.311.21.10
Application Policy Mappings -- same encoding as szOID_POLICY_MAPPINGS
szOID_APPLICATION_POLICY_MAPPINGS 1.3.6.1.4.1.311.21.11
Application Policy Constraints -- same encoding as szOID_POLICY_CONSTRAINTS
szOID_APPLICATION_POLICY_CONSTRAINTS 1.3.6.1.4.1.311.21.12
szOID_ARCHIVED_KEY_ATTR 1.3.6.1.4.1.311.21.13
szOID_CRL_SELF_CDP 1.3.6.1.4.1.311.21.14
Requires all certificates below the root to have a non-empty intersecting issuance certificate policy usage.
szOID_REQUIRE_CERT_CHAIN_POLICY 1.3.6.1.4.1.311.21.15
szOID_ARCHIVED_KEY_CERT_HASH 1.3.6.1.4.1.311.21.16
szOID_ISSUED_CERT_HASH 1.3.6.1.4.1.311.21.17
Enhanced key usage for DS email replication
szOID_DS_EMAIL_REPLICATION 1.3.6.1.4.1.311.21.19
szOID_REQUEST_CLIENT_INFO 1.3.6.1.4.1.311.21.20
szOID_ENCRYPTED_KEY_HASH 1.3.6.1.4.1.311.21.21
szOID_CERTSRV_CROSSCA_VERSION 1.3.6.1.4.1.311.21.22
Microsoft Directory Service.....................1.3.6.1.4.1.311.25
szOID_NTDS_REPLICATION 1.3.6.1.4.1.311.25.1
IIS.............................................1.3.6.1.4.1.311.30
szOID_IIS_VIRTUAL_SERVER 1.3.6.1.4.1.311.30.1
Microsoft WWOps BizExt..........................1.3.6.1.4.1.311.43
Microsoft Peer Networking.......................1.3.6.1.4.1.311.44
Subtrees for genaral use including pnrp, IM, and grouping
szOID_PEERNET_GENERAL
szOID_PEERNET_PNRP 1.3.6.1.4.1.311.44.1
szOID_PEERNET_IDENTITY 1.3.6.1.4.1.311.44.2
szOID_PEERNET_GROUPING 1.3.6.1.4.1.311.44.3
Property that contains the type of the certificate (GMC, GRC, etc.)
szOID_PEERNET_CERT_TYPE 1.3.6.1.4.1.311.44.0.1
Type of the value in the 'other' name: peer name
szOID_PEERNET_PEERNAME 1.3.6.1.4.1.311.44.0.2
Type : classifier
szOID_PEERNET_CLASSIFIER 1.3.6.1.4.1.311.44.0.3
Property containing the version of the certificate
szOID_PEERNET_CERT_VERSION 1.3.6.1.4.1.311.44.0.4
PNRP specific properties
szOID_PEERNET_PNRP_ADDRESS 1.3.6.1.4.1.311.44.1.1
szOID_PEERNET_PNRP_FLAGS 1.3.6.1.4.1.311.44.1.2
szOID_PEERNET_PNRP_PAYLOAD 1.3.6.1.4.1.311.44.1.3
szOID_PEERNET_PNRP_ID 1.3.6.1.4.1.311.44.1.4
Identity flags, placeholder
szOID_PEERNET_IDENTITY_FLAGS 1.3.6.1.4.1.311.44.2.2
Peer name of the group
szOID_PEERNET_GROUPING_PEERNAME 1.3.6.1.4.1.311.44.3.1
Group flags: placeholder
szOID_PEERNET_GROUPING_FLAGS 1.3.6.1.4.1.311.44.3.2
List of roles in the GMC
szOID_PEERNET_GROUPING_ROLES 1.3.6.1.4.1.311.44.3.3
List of classifiers in the GMC
szOID_PEERNET_GROUPING_CLASSIFIERS 1.3.6.1.4.1.311.44.3.5
Mobile Devices Code Signing.....................1.3.6.1.4.1.311.45
CAPICOM.........................................1.3.6.1.4.1.311.88
Reserved for CAPICOM.
szOID_CAPICOM 1.3.6.1.4.1.311.88
CAPICOM version
szOID_CAPICOM_VERSION 1.3.6.1.4.1.311.88.1
CAPICOM attribute
szOID_CAPICOM_ATTRIBUTE 1.3.6.1.4.1.311.88.2
Document type attribute
szOID_CAPICOM_DOCUMENT_NAME 1.3.6.1.4.1.311.88.2.1
Document description attribute
szOID_CAPICOM_DOCUMENT_DESCRIPTION 1.3.6.1.4.1.311.88.2.2
CAPICOM encrypted data message.
szOID_CAPICOM_ENCRYPTED_DATA 1.3.6.1.4.1.311.88.3
CAPICOM content of encrypted data.
szOID_CAPICOM_ENCRYPTED_CONTENT 1.3.6.1.4.1.311.88.3.1