[MS-WCCE] ICertRequestD2::GetCAProperty incorrect description for CR_PROP_CAXCHGCERTCHAIN

Question

[MS-WCCE] ICertRequestD2::GetCAProperty incorrect description for CR_PROP_CAXCHGCERTCHAIN

Vadims Podāns 9,266 MVP

This applies to [MS-WCCE] §3.2.1.4.3.2.16 PropID = 0x00000010 (CR_PROP_CAXCHGCERTCHAIN) "CA Exchange Certificate Chain"

The documentation says that:

Contains CA's certificate stored in the Signing_Cert_Certificate datum and its parent certificates excluding the root certificate

The emphasized statement is not correct. Existing implementation of Microsoft CA indeed returns root certificate in PKCS#7 bag. Either, it is a doc bug, or implementation bug. Here is the PowerShell repro:

PS C:\> $req = New-Object -com certificateauthority.request  
PS C:\> $c = $req.GetCAProperty("dc2\contoso-dc2-ca",0xD,-1,3,1)  
PS C:\> $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection  
PS C:\> $certs.Import([convert]::FromBase64String($c))  
PS C:\> $certs  
  
Thumbprint                                Subject  
----------                                -------  
5DF395AFFB9E6FB62F6EC58DF6790150954949AF  CN=Contoso CA, DC=contoso, DC=com  
47FA4766AC5B9B81DFE91FD3682670FD6AF64BB8  CN=contoso-DC2-CA, DC=contoso, DC=com  
  
  
PS C:\> $c = $req.GetCAProperty("dc2\contoso-dc2-ca",0x10,-1,3,1)  
PS C:\> $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection  
PS C:\> $certs.Import([convert]::FromBase64String($c))  
PS C:\> $certs  
  
Thumbprint                                Subject  
----------                                -------  
765C34B3AC4E9B2D546685FEEA1655096215DE1F  CN=contoso-DC2-CA-Xchg, DC=contoso, DC=com  
5DF395AFFB9E6FB62F6EC58DF6790150954949AF  CN=Contoso CA, DC=contoso, DC=com  
BAECBFAE803F1F2E483839666791791AA461A5D0  CN=contoso-DC2-CA, DC=contoso, DC=com  
  
  
PS C:\>

The first call requests the chain of the most recent CA certificate (CR_PROP_CASIGCERTCHAIN). It includes CA certificate itself (CN=contoso-DC2-CA, DC=contoso, DC=com) and root certificate (CN=Contoso CA, DC=contoso, DC=com). Then I'm calling CR_PROP_CAXCHGCERTCHAIN and dump certificates and the dump contains root certificate (CN=Contoso CA, DC=contoso, DC=com) as well.

Tom Jebo 2,436 Reputation points Microsoft Employee Moderator

2022-05-19T16:19:29.88+00:00

Hi @Vadims Podāns ,

Thank you for your question about [MS-WCCE]. One of the Open Specifications support team will respond shortly to assist you with this.

Best regards,
Tom Jebo
Sr Escalation Engineer
Microsoft Open Specifications Support
Anonymous

2022-05-19T22:39:28.357+00:00

Hi @Vadims Podāns ,

I will investigate this issue and let you know what I find.

Best Regards,
Jeff McCashland
Microsoft Open Specifications
Vadims Podāns 9,266 Reputation points MVP

2022-05-30T08:29:18.92+00:00

Any update?
Anonymous

2022-05-31T18:34:27.543+00:00

Hi @Vadims Podāns ,

I have identified where the Opcode is processed in the Windows source code, and I've taken a TTT trace of the CA process over the repro.

Now I can step through and see where the certificate is getting selected.

Are you primarily waiting for confirmation on the behavior and whether the document needs updating, or was there another outcome you're waiting for?

Thanks,
Jeff McCashland
Microsoft Open Specifications
Vadims Podāns 9,266 Reputation points MVP

2022-06-01T16:18:19.19+00:00

Are you primarily waiting for confirmation on the behavior and whether the document needs updating

yes, a confirmation on the behavior and indication whether the problem is in docs or in Microsoft products that implement the protocol.

Answer accepted by question author

0 additional answers

Your answer

Tom Jebo 2,436 Reputation points Microsoft Employee Moderator

2022-05-19T16:19:29.88+00:00

Hi @Vadims Podāns ,

Thank you for your question about [MS-WCCE]. One of the Open Specifications support team will respond shortly to assist you with this.

Best regards,
Tom Jebo
Sr Escalation Engineer
Microsoft Open Specifications Support
Anonymous

2022-05-19T22:39:28.357+00:00

Hi @Vadims Podāns ,

I will investigate this issue and let you know what I find.

Best Regards,
Jeff McCashland
Microsoft Open Specifications
Vadims Podāns 9,266 Reputation points MVP

2022-05-30T08:29:18.92+00:00

Any update?
Anonymous

2022-05-31T18:34:27.543+00:00

Hi @Vadims Podāns ,

I have identified where the Opcode is processed in the Windows source code, and I've taken a TTT trace of the CA process over the repro.

Now I can step through and see where the certificate is getting selected.

Are you primarily waiting for confirmation on the behavior and whether the document needs updating, or was there another outcome you're waiting for?

Thanks,
Jeff McCashland
Microsoft Open Specifications
Vadims Podāns 9,266 Reputation points MVP

2022-06-01T16:18:19.19+00:00

Are you primarily waiting for confirmation on the behavior and whether the document needs updating

yes, a confirmation on the behavior and indication whether the problem is in docs or in Microsoft products that implement the protocol.

Answer 1

Anonymous

Hello @Vadims Podāns ,

You are correct, that the root certificate will be included if possible (as per https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain). This is an issue with [MS-WCCE], not with the implementation.

I have filed a request to update the document accordingly.

Best Regards,
Jeff McCashland
Microsoft Open Specifications

0 comments

Share via

[MS-WCCE] ICertRequestD2::GetCAProperty incorrect description for CR_PROP_CAXCHGCERTCHAIN

0 additional answers

Your answer