[MS-CSRA] ICertAdminD::SetExtension

  • Question

  • The following article describes this method:

    http://msdn.microsoft.com/en-us/library/cc226686(PROT.13).aspx

    However, I cannot figure out the correct value format for this method. For example, I want to add the Server Authentication OID. For that I use the ICertAdmin COM interface (example in PowerShell) as described here: http://msdn.microsoft.com/en-us/library/aa383234(VS.85).aspx

    encoded Server Authentication OID is: 30 0a 06 08 2b 06 01 05 05 07 03 01 (each octet in hex)

    $certadmin = new-object -com certificateauthority.admin.1
    $certadmin.SetCertificateExtension("cacomputer\caname", $ReqNumber, "2.5.29.37",0x3,0,$value)

    How do I need to format the binary data for $value? I have tried various methods, but still without success. I have also tried to pass a pure byte array, but the method returns ERROR_INVALID_PARAMETER (0x80070057).

    p.s. this works when I invoke this method via the certutil.exe utility:

    certutil -setextension 111 2.5.29.37 0 0x300a06082b06010505070301

    Can you explain the binary/string value formatting for this method? Or point me to either a VBS or C# code example?

    thanks in advance!

    p.s. moderators: please move this topic to http://social.msdn.microsoft.com/Forums/en-US/os_windowsprotocols/threads.


    http://www.sysadmins.lv

    Thursday, April 29, 2010 11:00 AM


All replies

  • Vadims Podans,

    Thank you for your post. Someone will follow up with you shortly regarding your questions.


    Dominic Michael Salemno
    Senior Support Escalation Engineer
    US-CSS DSC Protocols Team

    Thursday, April 29, 2010 2:51 PM
  • Hello Vadims! I will begin my investigation concerning this momentarily, and will update you with my findings as soon as possible.


    Bill Wesse
    Senior Escalation Engineer
    US-CSS DSC Protocol Team

    Thursday, April 29, 2010 3:37 PM
  • Hello again Vadims.

    This forum is for support of the Open Protocol Specification documentation set, and your question is specific to programming to the ICertAdmin Interface, versus working with the ICertAdminD interface documentation in [MS-CSRA], so we would appreciate it if you could try the below forums instead to find the information you are looking for. Thanks!

    Windows PowerShell
    http://social.technet.microsoft.com/Forums/en-US/winserverpowershell/threads

    Visual C# Language
    http://social.msdn.microsoft.com/Forums/en-US/csharplanguage/threads

    Regardless of that, for C#, there is some helpful information at the following MSDN blog:

    Working with a Certificate Authority in C#
    http://blogs.msdn.com/jayat/archive/2008/02/29/working-with-a-certificate-authority-in-c.aspx

    Also, I coincidentally happen to be working on some unrelated C# COM Interop, so I repurposed some of my source, which is included as a sample below - untested, unwarranted and unsupported. It should offer a reasonable starting point. As in most cases, there is undoubtedly another (and possibly more elegant) way to do it.

    Regards,

    Bill Wesse

    References:

    VARIANT:
    1. Windows SDK OAIdl.h
    2. VARIANT and VARIANTARG: http://msdn.microsoft.com/en-us/library/ms221627(VS.80).aspx
    3. Component Automation prerelease topic (with field comments): http://msdn.microsoft.com/en-us/library/ms221627.aspx

    =====================
    Sample C# (untested, unwarranted and unsupported)
    =====================

    using System;
    using System.Runtime.InteropServices;

    namespace ICertAdmin
    {
       /// <summary>
       /// References:
       /// Windows SDK CertSrv.h
       /// ICertAdmin2::SetCertificateExtension Method (same as ICertAdmin::SetCertificateExtension)
       /// http://msdn.microsoft.com/en-us/library/aa383257(v=VS.85).aspx
       /// </summary>
       public enum CertExtType : uint {
          PROPTYPE_LONG   = 0x00000001, // Signed long
          PROPTYPE_DATE   = 0x00000002, // Date+Time
          PROPTYPE_BINARY = 0x00000003, // Binary data
          PROPTYPE_STRING = 0x00000004  // Unicode String
       }

       /// <summary>
       /// Reference:
       /// ICertAdmin2::SetCertificateExtension Method
       /// http://msdn.microsoft.com/en-us/library/aa383257(v=VS.85).aspx
       /// </summary>
       [Flags]
       public enum CertExtFlags : uint {
          EXTENSION_CRITICAL_FLAG = 0x00000001,
          EXTENSION_DISABLE_FLAG  = 0x00000002
       }

       public class CertAdmin
       {
          public CertAdmin()
          {
             // CERTADMINLib is the interop assembly generated from certadm.dll.
             try {
                _IfICertAdmin = new CERTADMINLib.CCertAdmin();
             }
             catch { ; }
             _Valid = _IfICertAdmin != null;
          }

          public bool Valid { get { return _Valid; } }

          public CERTADMINLib.CCertAdmin Interface { get { return _IfICertAdmin; } }

          // For PROPTYPE_BINARY, Value is a string carrying the raw bytes two per
          // char, low byte first (the packing worked out later in this thread).
          public bool SetCertificateExtension(
             String       Config,
             int          RequestId,
             String       ExtensionName,
             CertExtType  ExtensionType,
             CertExtFlags ExtensionFlags,
             Object       Value)
          {
             bool Result = Valid &&
                IsValidOid(ExtensionName) &&
                Value != null &&
                Enum.IsDefined(typeof(CertExtType), ExtensionType) &&
                (ExtensionFlags & ~(CertExtFlags.EXTENSION_CRITICAL_FLAG | CertExtFlags.EXTENSION_DISABLE_FLAG)) == 0;
             if (Result) {
                try {
                   _IfICertAdmin.SetCertificateExtension(
                      Config,
                      RequestId,
                      ExtensionName,
                      (int)ExtensionType,
                      (int)ExtensionFlags,
                      ref Value);
                }
                catch { Result = false; }
             }
             return Result;
          }

          // Accepts a dotted-decimal OID whose first arc is 0, 1 or 2.
          private bool IsValidOid(String OidString)
          {
             bool Result = !String.IsNullOrEmpty(OidString) && OidString.Length < MAX_OID_LEN;
             if (Result) {
                String[] Tokens = OidString.Split('.');
                // The index must advance on every pass; the loop is otherwise endless.
                for (int Index = 0; Result && Index < Tokens.Length; Index++) {
                   ulong ul;
                   Result = UInt64.TryParse(Tokens[Index], out ul);
                   if (Result && Index == 0 && ul > 2) { Result = false; }
                }
             }
             return Result;
          }

          private bool                    _Valid        = false;
          private CERTADMINLib.CCertAdmin _IfICertAdmin = null;
          private const int               MAX_OID_LEN   = 32;
       }
    }


    Regards,
    Bill Wesse
    Senior Escalation Engineer
    US-CSS DSC Protocol Team

    • Proposed as answer by Bill Wesse Friday, April 30, 2010 2:34 PM
    Friday, April 30, 2010 2:34 PM
  • Hello Bill!

    This is not exactly what I have asked. My question was "how do I need to format the Value variable?". So the question is not specific to PowerShell or C#, because the value format for this method is the same for any language.

    Today I got it!

    The value must be reformatted as a string in little-endian format. For example:

    Encoded OID string: 30 0a 06 08 2b 06 01 05 05 07 03 01

    Split this string into octet pairs and place each pair in little-endian format:

    1st char = 0x0a30
    2nd char = 0x0806
    3rd char = 0x062b
    4th char = 0x0501
    5th char = 0x0705
    6th char = 0x0103

    Join all chars into a string and pass it to the SetCertificateExtension method as pvarValue.

    p.s. Bill, can you tell me about the differences between the ICertAdmin COM interface and the ICertAdmin MS-CSRA protocol? They are defined in the same library (certadm.dll) but usage is slightly different.


    http://www.sysadmins.lv
    Saturday, May 1, 2010 1:43 PM
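The packing rule worked out in the post above, as an added PowerShell example (not code from the thread, from its posters, or from Microsoft). It builds the Enhanced Key Usage DER with the .NET X509EnhancedKeyUsageExtension class instead of hand-encoding it, packs the bytes two per UTF-16 char with the low byte first, checks the result against the hex values posted in this thread, and wraps the SetCertificateExtension call. The function names are ours; the PROPTYPE_BINARY value 3 (the question's 0x3) and the flag values come from the C# sample earlier in the thread; "cacomputer\caname" and request 111 are the placeholders used in the question; the odd-length handling is an assumption stated in the code.

```powershell
# Added example (not from the thread): pack a DER-encoded extension value into
# the string layout ICertAdmin::SetCertificateExtension takes for PROPTYPE_BINARY,
# and call the method. Function names are ours; "cacomputer\caname" and request
# 111 are the placeholders used in the question.

function ConvertTo-CertSrvBinaryString {
    # Bytes 30 0a 06 08 ... become the chars 0x0a30, 0x0806, ...: two bytes per
    # UTF-16 code unit, low byte first, exactly the packing described above.
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    if ($Bytes.Length % 2 -ne 0) {
        # Assumption: only even-length values are covered. A .NET string always
        # occupies an even number of bytes, so an odd-length DER value would need
        # a BSTR with an odd byte length, which this helper does not build.
        throw "Odd-length value ($($Bytes.Length) bytes) cannot be packed into a string"
    }
    $chars = New-Object char[] ([int]($Bytes.Length / 2))
    for ($i = 0; $i -lt $Bytes.Length; $i += 2) {
        # Built arithmetically rather than through an Encoding so that byte pairs
        # that happen to form lone surrogates (0xD800-0xDFFF) survive untouched.
        $chars[[int]($i / 2)] = [char]([int]$Bytes[$i + 1] * 256 + [int]$Bytes[$i])
    }
    -join $chars
}

function ConvertFrom-CertSrvBinaryString {
    # Inverse of the above, for checking a round trip or decoding a value read back.
    param([Parameter(Mandatory = $true)][string]$Value)
    $bytes = New-Object byte[] ($Value.Length * 2)
    for ($i = 0; $i -lt $Value.Length; $i++) {
        $code = [int][char]$Value[$i]
        $bytes[2 * $i]     = [byte]($code % 256)
        $bytes[2 * $i + 1] = [byte][Math]::Floor($code / 256)
    }
    ,$bytes
}

function New-EkuDer {
    # DER for id-ce-extKeyUsage (2.5.29.37) built by the .NET X.509 classes
    # instead of by hand: SEQUENCE OF OBJECT IDENTIFIER.
    param([Parameter(Mandatory = $true)][string[]]$Oid)
    $oids = New-Object System.Security.Cryptography.OidCollection
    foreach ($o in $Oid) {
        [void]$oids.Add((New-Object System.Security.Cryptography.Oid $o))
    }
    $ext = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension `
                      -ArgumentList @($oids, $false)
    ,$ext.RawData
}

function Set-CaPendingRequestExtension {
    # Wraps ICertAdmin::SetCertificateExtension. Type 3 is PROPTYPE_BINARY (the
    # question's 0x3); Flags 0 = non-critical, 1 = EXTENSION_CRITICAL_FLAG,
    # 2 = EXTENSION_DISABLE_FLAG, as in the C# sample earlier in the thread.
    param(
        [Parameter(Mandatory = $true)][string]$Config,
        [Parameter(Mandatory = $true)][int]$RequestId,
        [Parameter(Mandatory = $true)][string]$Oid,
        [Parameter(Mandatory = $true)][byte[]]$Der,
        [int]$Flags = 0
    )
    $PROPTYPE_BINARY = 3
    $value = ConvertTo-CertSrvBinaryString -Bytes $Der
    $admin = New-Object -ComObject CertificateAuthority.Admin
    $admin.SetCertificateExtension($Config, $RequestId, $Oid, $PROPTYPE_BINARY, $Flags, $value)
}

# Offline check against the values posted in the thread.
$der = New-EkuDer -Oid '1.3.6.1.5.5.7.3.1'                    # Server Authentication
$expectedHex = '30 0a 06 08 2b 06 01 05 05 07 03 01'          # as posted above
$actualHex   = ([BitConverter]::ToString($der) -replace '-', ' ').ToLower()
if ($actualHex -ne $expectedHex) { throw "Unexpected DER: $actualHex" }

$value  = ConvertTo-CertSrvBinaryString -Bytes $der
$packed = ($value.ToCharArray() | ForEach-Object { '0x{0:x4}' -f [int]$_ }) -join ' '
if ($packed -ne '0x0a30 0x0806 0x062b 0x0501 0x0705 0x0103') { throw "Unexpected packing: $packed" }

$roundTrip = ConvertFrom-CertSrvBinaryString -Value $value
if ([BitConverter]::ToString($roundTrip) -ne [BitConverter]::ToString($der)) { throw 'Round trip failed' }
"DER $actualHex packs to $packed"

# Against a live CA (needs Certificate Manager rights on the CA and a pending request):
# Set-CaPendingRequestExtension -Config 'cacomputer\caname' -RequestId 111 -Oid '2.5.29.37' -Der $der
```

The offline part runs anywhere .NET is available; the last line is the equivalent of the question's certutil -setextension call and needs a reachable CA. The ProgID CertificateAuthority.Admin is the version-independent form of the question's certificateauthority.admin.1. Two things worth keeping in mind when you use this in anger: certutil describes -setextension as setting an extension on a pending request, so expect the same restriction here, and whatever EKU is written at this stage is what the issued certificate will assert, so changes to 2.5.29.37 on pending requests are exactly the kind of Certificate Manager activity a CA audit should capture.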
  • Good morning, Vadims. Sorry I missed the target on your question.

    Don’t we all love OIDs! My favorites on this topic are “ASN.1 - Communication Between Heterogeneous Systems” and “ASN.1 Complete” available as free PDF download at OSS Nokalva - Books Overview (http://www.oss.com/asn1/booksintro.html).

    What you have there is an ASN.1 OID (a formatted octet array) stuffed into a wchar array. I might not be too far from the truth by saying all things that are not bit strings are octet arrays. <g>

    As you are no doubt aware, ICertAdminD and ICertAdminD2 are the [MS-DCOM] implementations of the ICertAdmin and ICertAdmin2 interfaces, respectively. There are buckets of methods on these, so I will attempt ‘just the one’ item (pertaining to SetExtension / SetCertificateExtension) – and must impeach myself a bit, since I am not a COM / DCOM expert (although I have had my head in RPC since way back).

    The differences between a given method signature for respective COM and DCOM implementations of an interface have much to do with parameter marshaling (see ‘Packaging Parameters and Objects: Marshaling’ at DCOM Architecture).

    For example, a COM method parameter of type ‘wchar_t const*’ will generally show up as ‘const BSTR’ on the equivalent DCOM method. BSTR, like UNICODE_STRING (an RPC staple type), indicates its own length. Needless to say, DCOM relies on RPC.

    Regards,

    Bill Wesse,

    Senior Escalation Engineer

    US-CSS DSC Protocol Team

    Monday, May 3, 2010 4:10 PM
  • Hello Bill!

    thanks for helpful info! I believe I'm now clear on this topic.


    http://www.sysadmins.lv
    Monday, May 3, 2010 5:47 PM
  • You are completely welcome! It has been a pleasure serving you (and I certainly enjoyed the opportunity to load more DCOM info into my brain cell <g>).

    Regards,

    Bill Wesse

    • Marked as answer by Bill Wesse Tuesday, May 4, 2010 7:49 AM
    Tuesday, May 4, 2010 7:49 AM