Posts on this page:

Open Source Day

It was a long-waited decision, however, finally I did it. Today I released my two major .NET projects to GitHub:

  • ASN.1 Parser

This is my own ASN.1 binary parser. ASN.1 parser/reader is a mandatory component when you are dealing with cryptography and cryptographic messages, because all they use ASN.1. I’m using this library in ASN.1 Editor and PowerShell PKI module’s API library (it is now opensourced as well).

Read more →

Get X.500 distinguished name relative attributes in Powershell

I was silent recently, because the blog was down. SharePoint is a nightmare for me. Hopefully, I’m writing my own web site with ASP.NET MVC and have plans to move to a reliable hosting in near future.

Today I want to discuss the question about extracting relative distinguished name (RDN) attributes from X.500 full distinguished name (DN) in PowerShell.

Read more →

ASN.1 Editor, WPF Edition

Point Of Interest

When I started PowerShell PKI module project, I quickly realized that I will have to deal with abstract syntax notation one (ASN.1) with distinguished encoding rules (DER) encoding subset. This is because all transferrable cryptographic objects are encoded in ASN.1 and in DER encoding. X.509 certificates, revocation lists, trust lists, OCSP, etc., etc..

Read more →

Standard and alternate signature algorithms

Time by time I receive questions about alternate signature algorithms. What is the difference between them and what benefits are in an alternate signature algorithms.

As per TechNet article:

For certificates based on RSA algorithms, PKCS #1 v2.1 specifies separate object identifiers for the hash algorithm and for the asymmetric algorithm. (In PKCS #1 v.1.5, only one object identifier is used to identify both the hash and asymmetric algorithms.) In addition, if you select the alternate signature format for certificates based on RSA algorithms, an enhanced cryptographic formula is used to create the signature.

Generally speaking, alternate signature algorithm (signature format) just allows to specify additional details about how signature is constructed.

Read more →

How to convert PKCS#12/PFX to PEM format

Hello folks! If you are longing for CryptoAPI stuff here, then you are on the right page. Here you will see another bunch of CryptoAPI, PowerShell and p/invoke hardcore.

Today’s subject is to convert PFX file to PEM format. A time ago I wrote a function that does opposite — converts PEM to PFX: How to convert PEM file to a CryptoAPI compatible format. Read this post to get information about CryptoAPI structures and ASN modules for PKCS#1 and PKCS#8 structures.

The script below performs the following tasks:

  1. Reads certificate or certificate file. If the file is not valid PFX or certificate hasn’t associated private key, an exception will be thrown.
  2. Acquires private key (via unmanaged function calls) and attempts to export raw private key from CSP. If the private key is not marked as exportable or it is stored on smart card, an error will be thrown.
  3. Inspects CryptoAPI private key blob as described here: RSA/Schannel Key BLOBs, removes header, reads raw private key and splits it to components (modulus, primes, exponents, coefficient). Each component is stored in separate variable.
  4. Generates required ASN structures according to output type by using basic ASN encoder.
  5. composes certificate and private key and saves them to file.

Read more →