Using the BouncyCastle library and the code below, it is possible to access the MS Windows certificate template information extension of an SSL certificate stored in the MS Windows trust/certificate store.
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1InputStream;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;
public class ReadCertificateTemplate {
    public static void main(String[] args) throws Exception {
        final KeyStore keyStore = KeyStore.getInstance("Windows-My", "SunMSCAPI");
        keyStore.load(null, null);
        final String alias = keyStore.aliases().nextElement(); // aliases() yields names, not certificates
        final X509Certificate certificate = (X509Certificate) keyStore.getCertificate(alias);
        // see https://docs.microsoft.com/en-us/windows/win32/seccertenroll/supported-extensions#template
        final String XCN_OID_CERTIFICATE_TEMPLATE = "1.3.6.1.4.1.311.21.7";
        // DER-encoded OCTET STRING wrapping the extension value, or null if the certificate lacks it
        final byte[] extensionValue = certificate.getExtensionValue(XCN_OID_CERTIFICATE_TEMPLATE);
        if (extensionValue == null) {
            System.out.println(alias + ": no certificate template extension");
            return;
        }
        try (ASN1InputStream aIn = new ASN1InputStream(extensionValue)) {
            ASN1Primitive asn1obj = aIn.readObject();
            if (asn1obj instanceof DEROctetString) {
                final DEROctetString octets = (DEROctetString) asn1obj; // unwrap to the inner SEQUENCE
                asn1obj = ASN1Primitive.fromByteArray(octets.getOctets());
            }
            final ASN1Sequence asn1seq = ASN1Sequence.getInstance(asn1obj);
            final ASN1Encodable obj1 = asn1seq.getObjectAt(0); // templateID: the template's OID
            final ASN1Primitive certificateTemplateOID = obj1.toASN1Primitive();
            System.out.println(certificateTemplateOID.toString());
        }
    }
}
It will print out something like 1.3.6.1.4.1.311.21.8…, which is the OID of the certificate template.
Now I would like to know if there is a Java method or Java library which provides a mapping of this OID to the certificate template name (as a user-friendly string), as is done when you click on the details of a certificate in the Windows certificate store:
[Screenshot: Certificate template information in MS Windows]
Additional links:
- Windows certificate extension for certificate templates
- Windows certificate extension for certificate templates – data structure
- ObjectIdentifiers (OID) in PKI
Source: Windows Questions
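As an added example (editor's code, not part of the original question and not a BouncyCastle API), the block below decodes both Windows template extensions with BouncyCastle rather than only the first SEQUENCE element: the V2+ CertificateTemplate structure that the question reads (template OID plus major version and the OPTIONAL minor version) and the older V1 extension 1.3.6.1.4.1.311.20.2 (szOID_ENROLL_CERTTYPE_EXTENSION), whose BMPString value carries the template name itself. The class, method and field names, and the sample OIDs, versions and template name built in main(), are constructed for this example; the encode helpers exist only to produce offline test input in the same form that X509Certificate.getExtensionValue() returns.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.ASN1EncodableVector;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1ObjectIdentifier;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DERBMPString;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;

// Example class (constructed for this illustration, not from the original question).
public class CertificateTemplateInfo {

    // szOID_CERTIFICATE_TEMPLATE, V2+ templates:
    //   CertificateTemplate ::= SEQUENCE { templateID OID, templateMajorVersion INTEGER,
    //                                      templateMinorVersion INTEGER OPTIONAL }
    public static final String OID_CERTIFICATE_TEMPLATE = "1.3.6.1.4.1.311.21.7";
    // szOID_ENROLL_CERTTYPE_EXTENSION, V1 templates: a BMPString holding the template name
    public static final String OID_ENROLL_CERTTYPE = "1.3.6.1.4.1.311.20.2";

    public static final class TemplateInfo {
        public final String name;       // V1: template name taken from the certificate; V2+: null
        public final String oid;        // V2+: template OID; V1: null
        public final int majorVersion;  // -1 when not present
        public final int minorVersion;  // -1 when not present (the field is OPTIONAL)

        TemplateInfo(String name, String oid, int majorVersion, int minorVersion) {
            this.name = name; this.oid = oid;
            this.majorVersion = majorVersion; this.minorVersion = minorVersion;
        }

        @Override public String toString() {
            return name != null ? "V1 template name=" + name
                 : "V2+ template oid=" + oid + " major=" + majorVersion + " minor=" + minorVersion;
        }
    }

    // getExtensionValue() returns the extension wrapped in a DER OCTET STRING; strip that layer first.
    static ASN1Primitive unwrap(byte[] extensionValue) throws IOException {
        return ASN1Primitive.fromByteArray(ASN1OctetString.getInstance(extensionValue).getOctets());
    }

    public static TemplateInfo parseCertificateTemplate(byte[] extensionValue) throws IOException {
        ASN1Sequence seq = ASN1Sequence.getInstance(unwrap(extensionValue));
        if (seq.size() < 2 || seq.size() > 3) {
            throw new IOException("CertificateTemplate: expected 2 or 3 elements, got " + seq.size());
        }
        String oid = ASN1ObjectIdentifier.getInstance(seq.getObjectAt(0)).getId();
        int major = ASN1Integer.getInstance(seq.getObjectAt(1)).getValue().intValue();
        int minor = seq.size() == 3 ? ASN1Integer.getInstance(seq.getObjectAt(2)).getValue().intValue() : -1;
        return new TemplateInfo(null, oid, major, minor);
    }

    public static TemplateInfo parseEnrollCertType(byte[] extensionValue) throws IOException {
        String name = DERBMPString.getInstance(unwrap(extensionValue)).getString();
        return new TemplateInfo(name, null, -1, -1);
    }

    // Prefer the V2+ extension, fall back to V1; null means the cert was not issued from an AD CS template.
    public static TemplateInfo fromCertificate(X509Certificate cert) throws IOException {
        byte[] v2 = cert.getExtensionValue(OID_CERTIFICATE_TEMPLATE);
        if (v2 != null) return parseCertificateTemplate(v2);
        byte[] v1 = cert.getExtensionValue(OID_ENROLL_CERTTYPE);
        if (v1 != null) return parseEnrollCertType(v1);
        return null;
    }

    // Builders producing exactly what getExtensionValue() returns; used here only for constructed sample data.
    static byte[] encodeCertificateTemplate(String oid, int major, Integer minor) throws IOException {
        ASN1EncodableVector v = new ASN1EncodableVector();
        v.add(new ASN1ObjectIdentifier(oid));
        v.add(new ASN1Integer(major));
        if (minor != null) v.add(new ASN1Integer(minor));
        return new DEROctetString(new DERSequence(v).getEncoded()).getEncoded();
    }

    static byte[] encodeEnrollCertType(String templateName) throws IOException {
        return new DEROctetString(new DERBMPString(templateName).getEncoded()).getEncoded();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values; real template OIDs are longer and assigned per forest.
        System.out.println(parseCertificateTemplate(encodeCertificateTemplate("1.3.6.1.4.1.311.21.8.1.2.3.4.5.6.7", 100, 4)));
        System.out.println(parseCertificateTemplate(encodeCertificateTemplate("1.3.6.1.4.1.311.21.8.9.8.7.6.5.4.3", 1, null)));
        System.out.println(parseEnrollCertType(encodeEnrollCertType("WebServer")));
    }
}
```

Two points a practitioner should keep in mind. For V1 templates the friendly name (for example "User", "Machine", "WebServer") is literally in the certificate, so no lookup is needed. For V2+ templates the certificate carries only the OID: the display name Windows shows is resolved from the Active Directory template object (the msPKI-Cert-Template-OID and displayName attributes of the pKICertificateTemplate entry in the forest's Configuration partition), so any pure-Java mapping has to query that directory or rely on a locally maintained table; nothing in the extension itself yields the name.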