DecodeCertKey: X.509 Certificate Public Key Extractor


DecodeCertKey.exe is a .NET 2 CryptoAPI console application which takes a valid X.509 certificate and extracts, displays and optionally writes files for its public key in common formats.

DecodeCertKey.exe takes one or two arguments:

    decodecertkey.exe  <certfile | cert-store name | SubjectName substring>  [M | m]

where the first argument is a certificate file name, a certificate store name, or a substring of a certificate SubjectName. If a certificate file with that name is not found in the current directory, an attempt is made to open a certificate store with the same name. The CurrentUser certificate store is searched by default, unless the second argument is "M" or "m", in which case only the Machine certificate store is searched. If a certificate store is found and can be opened, a certificate selection dialog is presented. If this fails, the certificate stores "MY", "ADDRESSBOOK" and "ROOT" are searched sequentially for a certificate whose SubjectName field contains the argument as a substring.
The first matching certificate, in the order above, is used. If a valid certificate is found, it is displayed using X509Certificate2UI.DisplayCertificate(X509Certificate2).

Extracting the Public Key:
An X509Certificate object is created and X509Certificate.GetPublicKey() returns the encoded RSA public key. CryptEncodeObject() is P/Invoked on this RSA key to generate the X.509 SubjectPublicKeyInfo (compatible with Java and OpenSSL public key formats). CryptDecodeObject() is then P/Invoked on the RSA public key to obtain the PUBLICKEYBLOB. The utility manually decodes the PUBLICKEYBLOB to extract the public key parameters (the blob stores the modulus little-endian, so its bytes are reversed) and displays the public exponent and modulus as big-endian byte arrays. An RSACryptoServiceProvider object is created and initialized with the modulus and exponent, and the base64-encoded XML public key is exported using RSA.ToXmlString(false).

The user is then prompted to save the public key data to files. For an input search string "devcert1", the output key files are named:

      "X509pubkey_devcert1"
      "RSApubkey_devcert1"
      "PUBLICKEYBLOB_devcert1"
      "XMLpubkey_devcert1.txt"

If the files already exist, no files are saved.
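The conversions described above, as an added example written in pure Python rather than the tool's own C#/CryptoAPI source: it builds and decodes a PUBLICKEYBLOB (the little-endian modulus is the part people get wrong), then produces the same four outputs the utility writes, the PKCS#1 RSAPublicKey DER, the X.509 SubjectPublicKeyInfo DER (shown PEM-wrapped as OpenSSL prints it) and the RSAKeyValue XML layout of RSA.ToXmlString(false). The constant values come from wincrypt.h; the 64-bit key is constructed from two 32-bit primes for illustration only and is not a usable key. The decoder also rejects truncated or non-RSA blobs, which the page does not discuss.

```python
"""Toy re-implementation of the DecodeCertKey conversions (added example,
not the original tool's C# source): PUBLICKEYBLOB <-> (modulus, exponent)
-> PKCS#1 RSAPublicKey DER, X.509 SubjectPublicKeyInfo DER, PEM and the
.NET RSAKeyValue XML.  Pure Python, no CryptoAPI or third-party library."""
import base64
import struct

# Values from wincrypt.h
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
CALG_RSA_SIGN = 0x00002400
RSA1_MAGIC = 0x31415352                 # the ASCII bytes "RSA1" read little-endian
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def build_publickeyblob(modulus: int, exponent: int, alg: int = CALG_RSA_KEYX) -> bytes:
    """BLOBHEADER || RSAPUBKEY || modulus; CryptoAPI stores the modulus little-endian."""
    byte_len = (modulus.bit_length() + 7) // 8
    header = struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, alg)
    rsapubkey = struct.pack("<III", RSA1_MAGIC, byte_len * 8, exponent)
    return header + rsapubkey + modulus.to_bytes(byte_len, "little")


def parse_publickeyblob(blob: bytes):
    """Decode a PUBLICKEYBLOB into (modulus, exponent) as Python ints, i.e. the
    big-endian interpretation the tool prints.  Malformed input raises ValueError."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != PUBLICKEYBLOB or ver != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PUBLICKEYBLOB")
    if alg not in (CALG_RSA_KEYX, CALG_RSA_SIGN) or magic != RSA1_MAGIC:
        raise ValueError("not an RSA public key blob")
    byte_len = bitlen // 8
    if bitlen % 8 or len(blob) != 20 + byte_len:
        raise ValueError("modulus length does not match bitlen")
    modulus = int.from_bytes(blob[20:20 + byte_len], "little")   # reverse byte order
    return modulus, pubexp


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_integer(value: int) -> bytes:
    # A leading 0x00 is added whenever the top bit is set so the INTEGER stays positive.
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_public_key_der(modulus: int, exponent: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der(0x30, _der_integer(modulus) + _der_integer(exponent))


def subject_public_key_info_der(modulus: int, exponent: int) -> bytes:
    """X.509 SubjectPublicKeyInfo wrapping the PKCS#1 key (what OpenSSL and Java read)."""
    alg_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")            # rsaEncryption, NULL params
    bit_string = _der(0x03, b"\x00" + rsa_public_key_der(modulus, exponent))  # 0 unused bits
    return _der(0x30, alg_id + bit_string)


def to_pem(spki: bytes) -> str:
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def to_xml(modulus: int, exponent: int) -> str:
    """Same layout as RSA.ToXmlString(false): big-endian, base64-encoded parameters."""
    m = base64.b64encode(modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")).decode()
    e = base64.b64encode(exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")).decode()
    return f"<RSAKeyValue><Modulus>{m}</Modulus><Exponent>{e}</Exponent></RSAKeyValue>"


# Constructed toy key: two 32-bit primes give a 64-bit modulus (far too small for real use).
TOY_MODULUS = (2**32 - 5) * (2**32 - 17)
TOY_EXPONENT = 65537

if __name__ == "__main__":
    blob = build_publickeyblob(TOY_MODULUS, TOY_EXPONENT)
    n, e = parse_publickeyblob(blob)
    print("modulus (big-endian):", n.to_bytes(8, "big").hex())
    print("exponent:", e)
    print(to_pem(subject_public_key_info_der(n, e)))
    print(to_xml(n, e))
```

Because the decoder checks bType, bVersion, aiKeyAlg, the "RSA1" magic and the declared bit length against the actual blob size before touching the modulus bytes, a blob copied from the wrong key type or cut short fails loudly instead of yielding a silently wrong modulus.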

Sample Output

Download DecodeCertKey.exe v1.1.0.0 ( 27,896 bytes .NET Framework 2, Digitally Signed)

C# Source


Michel I. Gallant
neutron@istar.ca