namecoin / certinject

Inject certificates into Windows CryptoAPI trust store, with EKU and name constraints.
https://www.namecoin.org/
GNU General Public License v3.0

Allow selecting CryptoAPI logical store #2

Closed JeremyRand closed 4 years ago

JeremyRand commented 4 years ago

CryptoAPI has the concept of a "logical store"; changing the logical store of a cert impacts what privileges it has. The logical store is encoded in the path of the registry key where the cert blob is located. Right now, certinject always uses the Root logical store, which is used for OS-preinstalled trust anchors. Various other logical stores exist; as a non-complete list, some others are AuthRoot (trust anchors loaded from Microsoft's auto-updating trust list), CA (intermediate CAs), and Disallowed (prohibited certs).

It would be useful to allow the user to specify which logical store a cert is injected to.
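The statement above that the logical store is encoded in the registry key path, as an added example for auditing registry writes (not certinject's code and not part of the original comment). It assumes the system-store layout `...\SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>`; `ParseCertKey` and `StoreRole` are hypothetical names, and the sample path and thumbprint are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ParseCertKey reads the logical store out of a registry path of the assumed
// form <hive>\...\SystemCertificates\<store>\Certificates\<thumbprint>.
func ParseCertKey(path string) (store, thumbprint string, err error) {
	parts := strings.Split(strings.Trim(path, `\`), `\`)
	for i, p := range parts {
		if !strings.EqualFold(p, "SystemCertificates") {
			continue
		}
		rest := parts[i+1:]
		if len(rest) != 3 || rest[0] == "" || !strings.EqualFold(rest[1], "Certificates") {
			return "", "", errors.New("not a certificate blob key")
		}
		tp := strings.ToUpper(rest[2])
		if len(tp) != 40 || strings.Trim(tp, "0123456789ABCDEF") != "" {
			return "", "", errors.New("subkey is not a SHA-1 thumbprint")
		}
		return rest[0], tp, nil
	}
	return "", "", errors.New("no SystemCertificates component")
}

// StoreRole maps the stores named in the issue to the roles it gives them.
func StoreRole(store string) string {
	switch strings.ToLower(store) { // registry key names are case-insensitive
	case "root", "authroot":
		return "trust anchor"
	case "ca":
		return "intermediate CA"
	case "disallowed":
		return "prohibited cert"
	}
	return "unclassified"
}

func main() {
	// Constructed path and thumbprint, for illustration only.
	p := `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\` + strings.Repeat("ab", 20)
	s, tp, err := ParseCertKey(p)
	fmt.Println(s, StoreRole(s), tp, err)
}
```

Run over the target paths of registry-write events, this separates a blob landing in Root or AuthRoot from one landing in CA or Disallowed.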

JeremyRand commented 4 years ago

List of all the logical stores I could find on a Windows 7 machine that I had lying around:

I don't know if maybe Windows 8 and higher add more.