[MS-WCCE] ICertRequestD2::GetCAProperty incorrect description for CR_PROP_CAXCHGCERTCHAIN

Vadims Podāns 9,131 Reputation points MVP
2022-05-19T08:25:56.32+00:00

This applies to [MS-WCCE] §3.2.1.4.3.2.16 PropID = 0x00000010 (CR_PROP_CAXCHGCERTCHAIN) "CA Exchange Certificate Chain"

The documentation says that:

Contains CA's certificate stored in the Signing_Cert_Certificate datum and its parent certificates excluding the root certificate

The emphasized statement is not correct. The existing implementation of Microsoft CA indeed returns the root certificate in the PKCS#7 bag. Either it is a doc bug, or an implementation bug. Here is the PowerShell repro:

PS C:\> $req = New-Object -com certificateauthority.request  
PS C:\> $c = $req.GetCAProperty("dc2\contoso-dc2-ca",0xD,-1,3,1)  
PS C:\> $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection  
PS C:\> $certs.Import([convert]::FromBase64String($c))  
PS C:\> $certs  
  
Thumbprint                                Subject  
----------                                -------  
5DF395AFFB9E6FB62F6EC58DF6790150954949AF  CN=Contoso CA, DC=contoso, DC=com  
47FA4766AC5B9B81DFE91FD3682670FD6AF64BB8  CN=contoso-DC2-CA, DC=contoso, DC=com  
  
  
PS C:\> $c = $req.GetCAProperty("dc2\contoso-dc2-ca",0x10,-1,3,1)  
PS C:\> $certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection  
PS C:\> $certs.Import([convert]::FromBase64String($c))  
PS C:\> $certs  
  
Thumbprint                                Subject  
----------                                -------  
765C34B3AC4E9B2D546685FEEA1655096215DE1F  CN=contoso-DC2-CA-Xchg, DC=contoso, DC=com  
5DF395AFFB9E6FB62F6EC58DF6790150954949AF  CN=Contoso CA, DC=contoso, DC=com  
BAECBFAE803F1F2E483839666791791AA461A5D0  CN=contoso-DC2-CA, DC=contoso, DC=com  
  
  
PS C:\>  

The first call requests the chain of the most recent CA certificate (CR_PROP_CASIGCERTCHAIN). It includes the CA certificate itself (CN=contoso-DC2-CA, DC=contoso, DC=com) and the root certificate (CN=Contoso CA, DC=contoso, DC=com). Then I call CR_PROP_CAXCHGCERTCHAIN and dump the certificates, and the dump contains the root certificate (CN=Contoso CA, DC=contoso, DC=com) as well.
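The check the post performs by eye (is a self-signed root present in the PKCS#7 bag that GetCAProperty returns?) as a reusable PowerShell function, added here as an example that is not part of the original post. It reuses the property IDs and call arguments from the post (0xD, 0x10, PROPTYPE_BINARY = 3, CV_OUT_BASE64 = 1). Because the CA call needs a reachable AD CS server, the demo part instead builds a throwaway three-tier hierarchy with New-SelfSignedCertificate (Windows 10 / Server 2016 or later, Windows PowerShell 5.1) and feeds two constructed bags through the same decoder: one with the root, matching what the post observes, and one without, matching what [MS-WCCE] currently describes. Function names and the example subject names are my own.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 5.1 on Windows 10 /
# Server 2016+ (PKI module with New-SelfSignedCertificate -Signer). Function names are hypothetical.

# Property IDs and argument values exactly as used by the post's GetCAProperty calls.
$CR_PROP_CASIGCERTCHAIN  = 0xD    # chain of the most recent CA signing certificate
$CR_PROP_CAXCHGCERTCHAIN = 0x10   # chain of the CA exchange certificate
$PROPTYPE_BINARY         = 3
$CV_OUT_BASE64           = 1

function Get-CAPropertyChainBase64 {
    # Live retrieval over DCOM, the same call the post makes; requires reachability to the CA.
    param(
        [Parameter(Mandatory)][string]$ConfigString,   # e.g. 'dc2\contoso-dc2-ca' (from the post)
        [Parameter(Mandatory)][int]$PropId             # $CR_PROP_CASIGCERTCHAIN or $CR_PROP_CAXCHGCERTCHAIN
    )
    $req = New-Object -ComObject CertificateAuthority.Request
    $req.GetCAProperty($ConfigString, $PropId, -1, $PROPTYPE_BINARY, $CV_OUT_BASE64)
}

function Test-ChainBagContainsRoot {
    # Decodes a base64 PKCS#7 certs-only bag and reports every member plus whether a
    # self-signed (root) certificate is among them. "Self-signed" is decided by name only
    # (Subject equals Issuer), which is sufficient for the CA hierarchies in the post.
    param([Parameter(Mandatory)][string]$Base64Pkcs7)
    $bag = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bag.Import([Convert]::FromBase64String($Base64Pkcs7))
    $members = foreach ($cert in $bag) {
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            IsSelfSigned = ($cert.Subject -eq $cert.Issuer)
        }
    }
    [pscustomobject]@{
        Count        = $bag.Count
        ContainsRoot = [bool]($members | Where-Object IsSelfSigned)
        Members      = $members
    }
}

function New-ChainBagBase64 {
    # Builds a PKCS#7 certs-only bag from the given certificates and base64-encodes it,
    # i.e. the same shape GetCAProperty returns with PROPTYPE_BINARY / CV_OUT_BASE64.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates)
    $bag = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    foreach ($c in $Certificates) { [void]$bag.Add($c) }
    [Convert]::ToBase64String($bag.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7))
}

# --- Offline demo: a constructed root -> issuing CA -> exchange certificate hierarchy ---
$store   = 'Cert:\CurrentUser\My'
$expires = (Get-Date).AddDays(1)
$caExt   = @('2.5.29.19={critical}{text}ca=true')   # basicConstraints: CA
$root    = New-SelfSignedCertificate -Subject 'CN=Example Root CA' -CertStoreLocation $store `
               -KeyUsage CertSign,CRLSign -TextExtension $caExt -NotAfter $expires
$issuing = New-SelfSignedCertificate -Subject 'CN=Example Issuing CA' -Signer $root -CertStoreLocation $store `
               -KeyUsage CertSign,CRLSign -TextExtension $caExt -NotAfter $expires
$xchg    = New-SelfSignedCertificate -Subject 'CN=Example Issuing CA-Xchg' -Signer $issuing -CertStoreLocation $store `
               -KeyUsage KeyEncipherment -NotAfter $expires

$bags = [ordered]@{
    'as observed (root included)'   = New-ChainBagBase64 -Certificates @($xchg, $issuing, $root)
    'as documented (root excluded)' = New-ChainBagBase64 -Certificates @($xchg, $issuing)
}
foreach ($name in $bags.Keys) {
    $r = Test-ChainBagContainsRoot -Base64Pkcs7 $bags[$name]
    "{0}: {1} certificate(s), self-signed root present: {2}" -f $name, $r.Count, $r.ContainsRoot
    $r.Members | Format-Table Thumbprint, Subject, IsSelfSigned -AutoSize
}

# Remove the throwaway certificates from the user store again.
Get-ChildItem $store |
    Where-Object { $_.Thumbprint -in @($root.Thumbprint, $issuing.Thumbprint, $xchg.Thumbprint) } |
    Remove-Item
```

Against a real CA the two functions chain together: `Test-ChainBagContainsRoot -Base64Pkcs7 (Get-CAPropertyChainBase64 -ConfigString 'dc2\contoso-dc2-ca' -PropId $CR_PROP_CAXCHGCERTCHAIN)`, which makes the comparison between the signing-certificate chain (0xD) and the exchange-certificate chain (0x10) a one-liner rather than a manual read of two thumbprint tables. The name-based self-signed test is deliberately simple; a cross-certified root or a renewed root with the same name would need the authority/subject key identifier extensions compared as well.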


Accepted answer

Jeff McCashland 476 Reputation points Microsoft Employee
2022-06-21T17:11:59.81+00:00

Hello @Vadims Podāns,

You are correct that the root certificate will be included if possible (as per https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetcertificatechain). This is an issue with [MS-WCCE], not with the implementation.

I have filed a request to update the document accordingly.

Best Regards,
Jeff McCashland
Microsoft Open Specifications

