8

I have 2 types of certificates on my machine, one A1 and the other is A3, when loading one of them into a X509Certificate2 object, how can I programmatically detect if it's a A1 or A3?

I understand that if the A3 certificate is not plugged in, the private key is not accessible. Take into account that both certificates are valid/installed and plugged in.

Edit

I just discovered that the types A1 and A3 are defined by a specific country legislation (Brazil), so let's me explain what's the difference:

ICP-Brasil allows 8 types of digital certificates, divided into 2 series (A and S).

The A series (A1, A2, A3 and 4) consists of digital signature certificates, used for Web identity verification, e-mail, virtual private networks (VPNs), and electronic documents with verification of the integrity of their Information.
The S series (S1, S2, S3 and S4) includes the certificates of confidentiality, which are used in the codification of documents, databases, messages and other confidential electronic information. The eight types are differentiated by use, security level and validity.
(Gisele Ribeiro, Source)

Types of certificate

So, to update my question, I wish to detect if the certificate comes from a smart card with key generation capability.

Nicke Manarin
  • 3,026
  • 4
  • 37
  • 79

2 Answers2

11

Presumably your A1 and A3 nomenclature is about a Brazilian standard (e-CPF/e-CNPJ/something like that). As far as I can tell, those terms mean:

  • A1: Software private key
  • A3: Hardware private key

(I'm really curious as to what A2 was, but I digress).

Technically speaking, certificates don't know where their keys live. So a certificate doesn't know if its private key (wherever that may be) is hardware or software based. But, based on http://www.bcb.gov.br/sfn/ced/ManualdeSeguran%C7adaRSFN-v32.pdf and http://oid-info.com/get/2.16.76.1.2, it looks like you can do something along the lines of:

private static bool IsBrazilA1Certificate(X509Certificate2 cert)
{
    // End with the "." so it matches on children, but not that OID.
    return HasParentEku(cert, "2.16.76.1.2.1.");
}

private static bool IsBrazilA3Certificate(X509Certificate2 cert)
{
    // End with the "." so it matches on children, but not that OID.
    return HasParentEku(cert, "2.16.76.1.2.3.");
}

private static bool HasParentEku(X509Certificate2 cert, string oidFragment)
{
    var ekuExtension = (X509EnhancedKeyUsageExtension) cert.Extensions["2.5.29.37"];

    if (ekuExtension == null)
    {
        return false;
    }

    foreach (Oid eku in ekuExtension.EnhancedKeyUsages)
    {
        if (eku.Value.StartsWith(oidFragment))
        {
            return true;
        }
    }

    return false;
}

Since I don't have a Brazilian A1 or A3 certificate I can't really test this, but it's the best I can come up with from a description. Otherwise you're down to asking "does this have a private key?" (cert.HasPrivateKey) and "is the private key hardware-backed?" (a much harder question).

Edit: It's worth nothing that the above code doesn't follow the normal rules of EKU validation. Normally a certificate with no EKU extension at all is treated as if it has all EKUs. But since you're looking explicitly for something created under a Brazilian A1 or A3 policy, it matches what you were requesting. (Also, it's the only time I've ever seen anything have to be validated with a StartsWith based rule, usually a policy is a specific EKU OID)

Nicke Manarin
  • 3,026
  • 4
  • 37
  • 79
bartonjs
  • 30,352
  • 2
  • 71
  • 111
  • 1
    I was unaware that A1/A3 was a Brazilian-only standard. It's a common knowledge for Brazilians (and I thought it was globally known) that A1 means software based certificate and A3 means hardware based certificate. I'm sorry, I'll update my question. – Nicke Manarin Jan 06 '17 at 12:00
  • This code fragment returns false for both certificates. No `EnhancedKeyUsages` that starts with "2.16.76.1.2.3." :( – Nicke Manarin Jan 06 '17 at 12:42
  • 1
    @NickeManarin, maybe you should check OID codes [according to the standards defined by ICP-Brasil](http://www.iti.gov.br/images/repositorio/legislacao/adendos/ADE_ICP-04.01_-_v_4.4_Esquema_DE_OID.pdf) – VBobCat Sep 22 '17 at 12:15
  • @VBobCat Interesting. I'll test with some certificates... Thanks. – Nicke Manarin Sep 26 '17 at 12:42
  • 1
    @bartonjs, I hope you still are curious about the A2 certificate: **A1:** software keys. It is valid for one year. **A2:** software keys, but store in a portable media, like a thumbstick or compact-disk. It is valid for two years. **A3:** hardware keys, requires a specific device (called "token" in Brazil). It is valid for 3 years. **A4:** the same as A3, but with 2048 bits. [Source](https://blog.validcertificadora.com.br/letras-e-numeros-no-certificado-digital/). Personal note: I never saw anyone using the A2 type. – D.Kastier May 24 '23 at 12:16
1

We use this code to check if the certificate is A3, see:

public static bool IsA3(X509Certificate2 x509cert)
{
    if (x509cert == null)
    {
        return false;
    }

    var result = false;

    try
    {
        if (x509cert.PrivateKey is RSACryptoServiceProvider service)
        {
            if (service.CspKeyContainerInfo.Removable &&
            service.CspKeyContainerInfo.HardwareDevice)
            {
                result = true;
            }
        }
    }
    catch
    {
        result = false;
    }

    return result;
}
Wandrey Mundin Ferreira
  • 11
  • 1