KeyPal: A CryptoAPI Key Container Utility
KeyPal.exe is a .NET 2 CryptoAPI console utility which will be of interest
to developers creating and troubleshooting crypto-enabled Windows applications.
KeyPal demonstrates several techniques for accessing Windows CryptoAPI functionality,
including:
- Lists all key containers for Current User or Machine locations and the PROV_RSA_FULL provider type
- For each key container, lists the key types it contains (Signature or Exchange)
- For each key pair, shows the key size
- Indicates whether one or more matching certificates exist in the Current User or Machine MY certificate store
- Exports or displays PUBLICKEYBLOB and XML public key from any key container by number
- Exports X509 SubjectPublicKeyInfo in binary and PEM-encoded form (for Java, OpenSSL etc.)
- Exports unencrypted PRIVATEKEYBLOB, XML private key and PKCS #8 PrivateKeyInfo from any key container by number
- Displays all private key components as hex-encoded byte arrays
- Exports PKCS #12 password-protected key pairs for either the Signature or Exchange key pair in any key container
- Deletes any key container listed
- Displays the property sheet of any linked certificate(s)
KeyPal accepts two optional arguments. The first selects the keystore, which defaults to
Current User (CU); specifying "M" or "m" selects the Machine keystore. The second argument,
which can be any value, switches byte dumps to C# array format, convenient for pasting
into source code.
When the application starts, it displays a numbered listing of all key containers with the
key pair types and key (modulus) sizes. If a key has one or more linked certificates in the MY
system certificate store, the certificate SubjectName field is shown alongside for convenient reference.
Following the listing, a command loop is entered with the following commands:
- CU - uses Current User keystore; LM or M uses Machine keystore
- P - prompts for container number and exports to PUBLICKEYBLOB and XML public key files
- P n - exports PUBLICKEYBLOB and XML public key files for key container number n
- J - prompts for container number and exports to SubjectPublicKeyInfo and PEM files
- J n - exports SubjectPublicKeyInfo and PEM files for key container number n
- D - prompts for container number and displays PUBLICKEYBLOB details
- D n - displays PUBLICKEYBLOB details for key container number n
- DV - prompts for container number and displays private key components
- DV n - displays private key components for key container number n
- PV - prompts for container number and exports to unencrypted PRIVATEKEYBLOB files
- PV n - exports PRIVATEKEYBLOB files for key container number n
- P8 - prompts for container number and exports to unencrypted PKCS #8 PrivateKeyInfo files
- P8 n - exports PKCS #8 PrivateKeyInfo files for key container number n
- P12S n or P12E n - exports the Signature (S) or Exchange (E) key pair of container n to a PKCS #12 password-protected file
- C - prompts for container number and displays any certificate(s) matching the key container
- C n - displays any certificate(s) matching the key container number n
- A - displays the certificate stores UI
- A n - displays the certificate dialog for store n
- U - prompts for container number and displays unique container name for the key container
- U n - displays unique container name for the key container number n
- DEL - prompts for container number to delete
- DEL n - deletes key container number n (with warning dialog)
- R or L - refreshes display of key containers
- CLS - clears display
- <return> or Q - exits
Windows CryptoAPI key containers are used by Cryptographic Service Providers (CSPs) to
store and retrieve asymmetric public/private key pairs, typically RSA keys. Developers
using CryptoAPI, or related technologies such as CAPICOM and the .NET cryptography classes
that wrap it, need to ensure that the keys they use are sufficiently strong for the intended
application, whether digital signatures or encryption of secret symmetric keys. This is
particularly true with CAPICOM and .NET, where the key size is not always obvious from the code.
KeyPal.exe is a simple .NET console application that displays all Current User or Local
Machine key containers, the asymmetric key types they contain and their key sizes. It uses
P/Invoke to enumerate and open key containers, to enumerate the certificates in the MY
certificate store and determine whether any are linked to a container's keys, and to export from
the containers either the public keys in a variety of common formats or the private keys as
unencrypted PRIVATEKEYBLOB, unencrypted PKCS #8 or password-protected PKCS #12 files.
If the key pair was marked non-exportable when it was created or imported, PRIVATEKEYBLOB and
PKCS #12 export will fail; the PKCS #8 export and the DV display of private components need the
same private key material from the CSP and fail for the same reason. Public key operations are unaffected.
When exporting to PKCS #12, if the key container has no associated certificate in the MY certificate
store, a dummy unsigned certificate with SubjectName "CN=KeyPal Unsigned Certificate" is created and
exported together with the key pair. The user is prompted for a password to protect the exported PKCS #12 file.
If the key container has additional user password protection, the native CryptoAPI password prompt
dialog will appear during the export.
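The blob layouts that the D, DV, P and PV commands work with are simple enough to handle offline. The following Python is an added example, not part of this page or of the KeyPal source: it parses a PUBLICKEYBLOB or PRIVATEKEYBLOB (BLOBHEADER, RSAPUBKEY and the little-endian key fields, as documented for CryptoAPI), reports the key type and modulus size with a strength flag in the spirit of the key-size advice above (the 2048-bit threshold is an assumption of the example), cross-checks the private components against the public half, and converts the public key to the X.509 SubjectPublicKeyInfo DER and PEM forms that the J command exports. The sample blobs are constructed from a textbook 16-bit RSA key (p=61, q=53, e=17), not from a real exported container.

```python
"""Offline parser for CryptoAPI RSA key blobs (added example; not KeyPal's code).

Layout, all integers little-endian (from the CryptoAPI documentation):
  BLOBHEADER      bType(1) bVersion(1) reserved(2) aiKeyAlg(4)
  RSAPUBKEY       magic(4) bitlen(4) pubexp(4)
  PUBLICKEYBLOB   modulus[bitlen/8]
  PRIVATEKEYBLOB  modulus[bitlen/8] prime1 prime2 exponent1 exponent2 coefficient
                  (each bitlen/16 bytes) privateExponent[bitlen/8]
"""
import base64
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CUR_BLOB_VERSION = 0x02
CALG_RSA_SIGN, CALG_RSA_KEYX = 0x00002400, 0x0000A400
MAGIC_RSA1, MAGIC_RSA2 = 0x31415352, 0x32415352          # b"RSA1", b"RSA2"
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")    # OID 1.2.840.113549.1.1.1 rsaEncryption
MIN_STRONG_BITS = 2048   # threshold for the "weak" flag; an assumption of this example


def parse_rsa_blob(blob):
    """Return the fields of a PUBLICKEYBLOB or PRIVATEKEYBLOB as a dict of ints."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, ver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if ver != CUR_BLOB_VERSION or alg not in (CALG_RSA_SIGN, CALG_RSA_KEYX):
        raise ValueError("not a CryptoAPI RSA blob")
    if bitlen == 0 or bitlen % 8:
        raise ValueError("bitlen must be a non-zero multiple of 8")
    full, half = bitlen // 8, bitlen // 16
    key = {"type": "Exchange" if alg == CALG_RSA_KEYX else "Signature",
           "bits": bitlen, "e": pubexp, "weak": bitlen < MIN_STRONG_BITS}
    off = 20

    def take(nbytes):                      # read one little-endian field and advance
        nonlocal off
        if off + nbytes > len(blob):
            raise ValueError("blob truncated inside key material")
        value = int.from_bytes(blob[off:off + nbytes], "little")
        off += nbytes
        return value

    key["n"] = take(full)
    if btype == PUBLICKEYBLOB and magic == MAGIC_RSA1:
        key["private"] = False
    elif btype == PRIVATEKEYBLOB and magic == MAGIC_RSA2:
        if bitlen % 16:
            raise ValueError("private components need bitlen divisible by 16")
        key["private"] = True
        key["p"], key["q"] = take(half), take(half)
        key["dp"], key["dq"], key["qinv"] = take(half), take(half), take(half)
        key["d"] = take(full)
        # Cross-check the private components against the public half.
        if key["p"] * key["q"] != key["n"] or (key["q"] * key["qinv"]) % key["p"] != 1:
            raise ValueError("private components inconsistent with modulus")
    else:
        raise ValueError("bType/magic mismatch")
    if off != len(blob):
        raise ValueError("unexpected trailing bytes")
    return key


def _der(tag, body):
    """Minimal DER TLV encoder with definite lengths."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_int(v):
    # Shortest two's-complement form: a leading 0x00 only when the top bit is set.
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def spki_der(n, e):
    """X.509 SubjectPublicKeyInfo for an RSA public key (the form the J command exports)."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm_id = _der(0x30, RSA_OID_DER + b"\x05\x00")          # rsaEncryption, NULL params
    return _der(0x30, algorithm_id + _der(0x03, b"\x00" + rsa_public_key))


def pem(der, label="PUBLIC KEY"):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Constructed sample: textbook RSA with p=61, q=53, n=3233, e=17, d=2753 (a 16-bit key,
# useless for real work but small enough to read in a hex dump). Not an exported key.
SAMPLE_PUBLICKEYBLOB = (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
                        + struct.pack("<III", MAGIC_RSA1, 16, 17)
                        + (3233).to_bytes(2, "little"))
SAMPLE_PRIVATEKEYBLOB = (struct.pack("<BBHI", PRIVATEKEYBLOB, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
                         + struct.pack("<III", MAGIC_RSA2, 16, 17)
                         + (3233).to_bytes(2, "little")          # modulus
                         + bytes([61, 53])                       # prime1, prime2
                         + bytes([2753 % 60, 2753 % 52, 38])     # exponent1, exponent2, coefficient
                         + (2753).to_bytes(2, "little"))         # privateExponent


def describe(blob):
    """One-line summary in the spirit of KeyPal's listing, plus a round trip if private."""
    k = parse_rsa_blob(blob)
    line = "%s key, %d bits, e=%d%s" % (k["type"], k["bits"], k["e"],
                                        " [WEAK]" if k["weak"] else "")
    if k["private"]:
        m = 42 % k["n"]
        if pow(pow(m, k["e"], k["n"]), k["d"], k["n"]) != m:   # d must invert e
            raise ValueError("private exponent does not match public exponent")
        line += ", private components present"
    return line


if __name__ == "__main__":
    print(describe(SAMPLE_PUBLICKEYBLOB))
    print(describe(SAMPLE_PRIVATEKEYBLOB))
    print(pem(spki_der(parse_rsa_blob(SAMPLE_PUBLICKEYBLOB)["n"], 17)), end="")
```

Feeding a real exported PUBLICKEYBLOB file to parse_rsa_blob gives the same modulus size KeyPal lists, and the PEM output loads with `openssl rsa -pubin` or Java's X509EncodedKeySpec; note that the private blob is byte-for-byte the public blob (with bType and magic changed) followed by the CRT components, which is why a truncated private blob is rejected rather than silently read as a public key.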
Download KeyPal.exe v 2.1.2.0 (52,384 bytes) (.NET 2, Digitally Signed)
C# Source
Related References: