KeyPal: A CryptoAPI Key Container Utility


KeyPal.exe is a .NET 2 CryptoAPI console utility of interest to developers creating and troubleshooting crypto-enabled Windows applications. Windows CryptoAPI key containers are used by Cryptographic Service Providers (CSPs) to securely store and retrieve asymmetric public/private key pairs, typically RSA keys. Developers using CryptoAPI, or related technologies such as CAPICOM and the .NET Cryptography classes that encapsulate it, need to ensure that the keys they use are sufficiently strong for the intended purpose, such as digital signatures or encryption of secret symmetric keys. This is particularly true with CAPICOM and .NET, where the key size may not be obvious. KeyPal provides a simple console .NET application which displays all Current User or Local Machine key containers, the asymmetric key types they contain and the key size.

KeyPal demonstrates several techniques for accessing Windows CryptoAPI functionality, including:

KeyPal accepts two optional arguments. The first specifies the keystore type and defaults to Current User (CU); specifying "M" or "m" uses the Machine keystore. The second argument, which can be anything, switches byte dumps to C# array format, convenient for pasting into source code.

When the application starts, a numbered listing of all key containers is displayed along with the key pair types and the key (modulus) size; if a key has one or more linked certificates in the MY system certificate store, the certificate SubjectName field is also displayed for convenient reference. Following the listing, a loop is entered with the following commands:
The application uses P/Invoke to enumerate and access key containers, to enumerate certificates in the MY certificate store and determine whether a certificate is linked to a key container's keys, and to export from the key containers either the public keys in a variety of common formats or the private keys in the unencrypted PRIVATEKEYBLOB format or in PKCS #12 format. If the key container was marked non-exportable (during key creation or import), PRIVATEKEYBLOB and PKCS #12 export will fail. A PRIVATEKEYBLOB export is the raw private key with no encryption, so the output file must be handled as a secret. For PKCS #12 export, if the key container has no associated certificate in the MY certificate store, a dummy unsigned certificate with SubjectName "CN=KeyPal Unsigned Certificate" is created and exported with the key pair. The user is prompted for a password to protect the exported PKCS #12 keys. If the key container was created with extra user password protection (the CRYPT_USER_PROTECTED flag), the native CryptoAPI password-prompt dialog will appear during export.
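The container listing and the key-size and exportability checks described above, as an added example in C# written for this page; it is not KeyPal's source. It enumerates containers of the default PROV_RSA_FULL provider only through P/Invoke (KeyPal covers whatever CSPs hold containers), then opens each key with the .NET CspParameters API; the 2048-bit warning threshold and the ToCSharpArray helper are my own additions, chosen to mirror the behaviour the page describes.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// Added example, not KeyPal's source. Enumerates the RSA key containers of the
// default PROV_RSA_FULL provider via P/Invoke, then opens each one with the
// .NET CspParameters API to report key type, modulus size and exportability.
class ContainerAudit
{
    // wincrypt.h constants
    const uint PROV_RSA_FULL = 1;
    const uint CRYPT_VERIFYCONTEXT = 0xF0000000;
    const uint CRYPT_MACHINE_KEYSET = 0x20;
    const uint PP_ENUMCONTAINERS = 2;
    const uint CRYPT_FIRST = 1;
    const uint CRYPT_NEXT = 2;
    const int ERROR_NO_MORE_ITEMS = 259;

    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    static extern bool CryptAcquireContext(out IntPtr phProv, string szContainer,
        string szProvider, uint dwProvType, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptGetProvParam(IntPtr hProv, uint dwParam,
        [Out] byte[] pbData, ref uint pdwDataLen, uint dwFlags);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool CryptReleaseContext(IntPtr hProv, uint dwFlags);

    // PP_ENUMCONTAINERS walks the container names of one provider; the names
    // come back as null-terminated ANSI strings, one per call.
    static string[] EnumContainers(bool machine)
    {
        List<string> names = new List<string>();
        IntPtr hProv;
        uint flags = CRYPT_VERIFYCONTEXT | (machine ? CRYPT_MACHINE_KEYSET : 0u);
        if (!CryptAcquireContext(out hProv, null, null, PROV_RSA_FULL, flags))
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            uint len = 0;
            CryptGetProvParam(hProv, PP_ENUMCONTAINERS, null, ref len, CRYPT_FIRST); // size query
            byte[] buf = new byte[len > 0 ? len : 256u];
            for (uint step = CRYPT_FIRST; ; step = CRYPT_NEXT)
            {
                uint cb = (uint)buf.Length;
                if (!CryptGetProvParam(hProv, PP_ENUMCONTAINERS, buf, ref cb, step))
                {
                    int err = Marshal.GetLastWin32Error();
                    if (err == ERROR_NO_MORE_ITEMS) break;
                    throw new Win32Exception(err);
                }
                names.Add(Encoding.Default.GetString(buf, 0, (int)cb).TrimEnd('\0'));
            }
        }
        finally { CryptReleaseContext(hProv, 0); }
        return names.ToArray();
    }

    // Open an existing key of the given type without creating one (UseExistingKey)
    // and report what a developer checking key strength needs to know.
    static void Audit(string name, bool machine, KeyNumber type)
    {
        CspParameters cp = new CspParameters();
        cp.KeyContainerName = name;
        cp.KeyNumber = (int)type;
        cp.Flags = CspProviderFlags.UseExistingKey;
        if (machine) cp.Flags |= CspProviderFlags.UseMachineKeyStore;
        try
        {
            using (RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(cp))
            {
                CspKeyContainerInfo info = rsa.CspKeyContainerInfo;
                Console.WriteLine("{0} [{1}]: RSA {2} bits, exportable={3}, protected={4}",
                    name, type, rsa.KeySize, info.Exportable, info.Protected);
                // The 2048-bit floor is this example's policy choice, not KeyPal's.
                if (rsa.KeySize < 2048)
                    Console.WriteLine("  WARNING: too small for new signing or key-wrapping use");
                // PUBLICKEYBLOB export always succeeds; PRIVATEKEYBLOB export throws
                // CryptographicException when the key was created non-exportable.
                Console.WriteLine("  public blob: {0}", ToCSharpArray(rsa.ExportCspBlob(false)));
                try { rsa.ExportCspBlob(true); Console.WriteLine("  private key is exportable"); }
                catch (CryptographicException) { Console.WriteLine("  private key export refused"); }
            }
        }
        catch (CryptographicException)
        {
            // No key of this type in the container (most hold only one), or access denied.
        }
    }

    // Byte dump in C# array syntax, like KeyPal's second-argument mode.
    static string ToCSharpArray(byte[] data)
    {
        StringBuilder sb = new StringBuilder("new byte[] { ");
        for (int i = 0; i < data.Length; i++)
            sb.Append(i > 0 ? ", " : "").AppendFormat("0x{0:X2}", data[i]);
        return sb.Append(" }").ToString();
    }

    static void Main(string[] args)
    {
        // Mirrors KeyPal's first argument: "M"/"m" selects the machine keystore.
        bool machine = args.Length > 0 && args[0].ToUpperInvariant() == "M";
        foreach (string name in EnumContainers(machine))
        {
            Audit(name, machine, KeyNumber.Exchange);
            Audit(name, machine, KeyNumber.Signature);
        }
    }
}
```

Opening machine-store containers as a non-administrator will typically fail with access denied, which the outer catch swallows silently; the private-key export attempt only loads the blob into memory to test exportability and never writes it out.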

Download KeyPal.exe v 2.1.2.0 (52,384 bytes) (.NET 2, Digitally Signed)

C# Source
Related References: