How To Extract Public Key - code-signing

I used the following answer (https://stackoverflow.com/a/201277/99344) to generate a certificate and sign my exe.
I need to give the public key to a third party.
I have .pvk and .cer files. How do I extract the public key?
Thanks.

OK, so I found some documentation that says the .cer file only contains the public key, so it is what I wanted.
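As an added example (not part of the original question or its follow-up), this is how the public part can be read out of the .cer with PowerShell and handed over in a portable form. The path C:\certs\mycert.cer and the output file names are assumptions; the .pvk file is the private key and is never part of what gets shared.

```powershell
# Added example: read a .cer and export only its public part.
# Assumed path (constructed for this example).
$cerPath = 'C:\certs\mycert.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

# A .cer holds the certificate only; there is never a private key in it.
if ($cert.HasPrivateKey) { throw "Unexpected: $cerPath carries a private key" }

# Say what is being handed over, so the recipient can confirm it out-of-band.
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Key algo   : $($cert.PublicKey.Oid.FriendlyName)"
"Valid until: $($cert.NotAfter)"

# Option 1: the whole certificate as PEM. This is what most third parties
# want, because it binds the key to your identity and validity period.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path 'C:\certs\mycert.pem' -Encoding ascii

# Option 2: only the raw public key value (DER bytes of the key itself),
# if the recipient explicitly asked for the key rather than the certificate.
$pubKeyBytes = $cert.GetPublicKey()
[IO.File]::WriteAllBytes('C:\certs\mycert.pub.der', $pubKeyBytes)
```

Give the recipient the thumbprint over a second channel so they can check that the file they received is the one you exported; the thumbprint is a hash of the certificate bytes and changes if anything in the file is altered.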

Related

Store and retrieve RSA private key in Windows

I have a pretty simple scenario/requirement:
Generate RSA private/public key pair through OpenSSL or any online RSA key pair generator
Save the private key to the Windows internal store (so it does not lie around as just a file somewhere)
Create a PowerShell script that looks into the store, locates the key, and uses it.
(Basically, I will have a PS script to which I send a password already encrypted by a 3rd-party tool, and I expect that PS script to decrypt that password using a locally stored private key and use it on the fly.)
So far this has proven to be an unreachable goal, because:
I haven't found a way to import a .pem file with the key
a .cer file apparently does not contain the key
the only way I have found so far to import the key is conversion to a .pfx file, which can be imported, BUT
a .pfx file cannot be read as plain text - there seems to be no reasonable way from PowerShell to locate the key and read it for usage in decryption
there is a module, PSPKI, but it seems to accept the file and not the stored/installed certificate/key.
So does anyone have any idea how I can import a simple private key into Windows for later read-out from PowerShell for further usage?
Thank you!
Have a look at this class to load the PFX: https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2?view=net-7.0
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\my.pfx", "password");
The next step is to open the store. After you have checked which one fits best (machine or user) you can use X509Store to read and write there. Do not forget the Open method. When a certificate with private key (off) is added the key is stored and the file can be deleted.
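An added example (not the answer's own code) that carries the answer's X509Certificate2 / X509Store approach through to the decryption step the question asks for. The PFX path, the thumbprint placeholder and the ciphertext file are assumptions; if you only have a key in .pem form, the standard `openssl pkcs12 -export -inkey key.pem -in cert.pem -out my.pfx` produces the .pfx (a certificate for the key is required, a self-signed one is enough).

```powershell
# Added example: import a PFX so the private key is persisted in the user's
# key container, then use that key from a later script without the file.
# Assumed values (constructed): C:\keys\my.pfx, the thumbprint, ciphertext.bin.
$pfxPath     = 'C:\keys\my.pfx'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# PersistKeySet keeps the key in the key container after Add(); without it the
# key vanishes when the object is collected. Exportable is deliberately NOT
# set, so the key can be used from the store but not pulled back out.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserKeySet
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword, $flags)

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()
"Imported $($cert.Subject); thumbprint $($cert.Thumbprint)"
# The .pfx can be deleted now; the key lives in the store.

# ---- later, in the decrypting script ----
$thumbprint = 'PLACEHOLDER_THUMBPRINT'   # the value printed at import time

$c = Get-ChildItem -Path Cert:\CurrentUser\My |
     Where-Object { $_.Thumbprint -eq $thumbprint -and $_.HasPrivateKey }
if (-not $c) { throw "Certificate $thumbprint with a private key was not found" }

# Hand over the key object; the key material itself never leaves the container.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($c)

$cipherBytes = [IO.File]::ReadAllBytes('C:\keys\ciphertext.bin')
# The padding must match what the sender used when encrypting with your public
# key. Agree on OAEP-SHA256 with them; PKCS#1 v1.5 is the legacy alternative.
$plainBytes = $rsa.Decrypt($cipherBytes, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
$password   = [Text.Encoding]::UTF8.GetString($plainBytes)
```

`Import-PfxCertificate -FilePath C:\keys\my.pfx -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword` does the import half in one cmdlet on Windows 8 / Server 2012 and later. Note what the store buys you: the key is protected by the user's DPAPI master key rather than by a file password, so any process running as that user can decrypt with it; if the script runs as a service account, import into that account's store (or LocalMachine with an ACL on the key) rather than into your own.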

Private key is not installed on Mac

I am trying to validate my app after archiving in Xcode. But it throws an error like
I am using a Mac for the first time and don't know what is happening.
Can somebody please answer the question? (I have searched a lot but found no answer.)
It is exactly saying the 'distribution' private key is missing.
For the red-marked certificate: whoever created the distribution certificate will have the private key in their keychain. Get the certificate and private key (both selected), export as a .p12 file, remove the current public certificate and import the exported file into the keychain.

Transferring public and private key on mac

How do I transfer both private / public keys from one mac to the other?
I know how to export the private key to .p12 with Keychain Access, and then when I double click it in the destination mac, it's added to Keychain Access.
However, when I export the public key to .pem file, double clicking it in the destination mac just spits out:
An error has occurred. Unable to import an item. The contents of this item cannot be retrieved.
When I tried the solution of "security import pub.pem -k login.keychain", it said "1 key imported." but it doesn't show up in Keychain Access.
Am I missing anything?
Should I not bother with transferring the public key?
Is importing just that private key enough?
Is the only way just recovering the public key from the private key?
Thanks
According to this, it looks like when running the security import... command, it's added to the keychain with the generic name Imported Public Key.
Now you just need to rename it to the relevant one (e.g. like the private key name).

Get the issuing CA for a given certificate

I have a variable of type PCCERT_CONTEXT which contains a certificate (this is actually the certificate of the digital signer of a given executable file.) I need to get the certificate or at least the name of the issuing CA. I've tried using CertOpenStore and WTHelperCertFindIssuerCertificate, but have had no success. I would appreciate any help.
Regards,
Alireza
Maybe CertGetIssuerCertificateFromStore()?
You probably want CertGetCertificateChain http://msdn.microsoft.com/en-us/library/aa376078(VS.85).aspx
The CERT_CONTEXT contains the CERT_INFO structure.
The CERT_INFO structure contains a pointer to the Issuer as a CERT_NAME_BLOB.
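As an added example (not code from any of the answers), this is the PowerShell/.NET equivalent of what the answers describe: the issuer's name is read straight from the certificate (the CERT_INFO Issuer), and the issuer's certificate is obtained by building the chain, which is what CertGetCertificateChain does. The input path C:\bin\signed.exe is an assumption.

```powershell
# Added example: from a signed file's signer certificate to its issuing CA.
function Get-IssuingCA {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { throw "$Path carries no Authenticode signature" }
    $leaf = $sig.SignerCertificate

    # The issuer's distinguished name is inside the certificate itself.
    $issuerName = $leaf.Issuer

    # For the issuer's certificate, build the chain. We only want to identify
    # the issuer here, not make a trust decision, so skip revocation lookups.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)

    $issuerCert = $null
    if ($chain.ChainElements.Count -gt 1) {
        # Element 0 is the leaf; element 1 is the certificate that signed it.
        $issuerCert = $chain.ChainElements[1].Certificate
    }
    elseif ($leaf.Subject -eq $leaf.Issuer) {
        $issuerCert = $leaf    # self-signed: the certificate is its own issuer
    }
    # If the issuer is unknown to this machine the chain stops at the leaf and
    # $issuerCert stays $null; $issuerName is still available from the leaf.

    [pscustomobject]@{
        Signer       = $leaf.Subject
        IssuerName   = $issuerName
        IssuerCert   = $issuerCert
        ChainTrusted = $trusted
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

Get-IssuingCA -Path 'C:\bin\signed.exe'
```

`Build` returning `$false` with `ChainStatus` of `UntrustedRoot` or `PartialChain` is the common case for a self-generated signing certificate that has not been installed as trusted; the issuer name is still recoverable, the issuer certificate is not.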

How to validate a signed DLL has been signed by me?

I have created a self-generated certificate to sign a DLL. When I load this DLL into my C++ application I am able to validate whether the code signing certificate is valid or not by using the WinVerifyTrust API.
But I am not able to find a way to detect that the DLL has been signed by one of my certificates. Even by using the CryptQueryObject API I do not find any useful information.
Does anyone have an idea on how to do this? Or is it even possible?
Thank you
CryptVerifyCertificateSignature isn't what you want?
If you sign a certificate using your private key, it can only be verified with your public key. That's how public-key cryptography works. If you can use a public key to verify the signature, then you know that the corresponding private key must have been used to sign it.
In case you need a version that also works on earlier versions of Windows than the one Bill Zeller showed you, you can use the following:
Use CryptQueryObject with CERT_QUERY_OBJECT_FILE
Use CryptMsgGetParam with CMSG_SIGNER_CERT_INFO_PARAM on the HCRYPTMSG you received from the previous call
Now use CertCompareIntegerBlob to compare your known (certificate) serial number (or numbers, in a loop) against the one in the file
If any of the known serial numbers matches, you're done. If all comparisons fail, it's not your cert.
Note: when looking at the serial number of the certificate in the file properties dialog, the bytes shown there appear in the reverse order when compared with the contents of the PCERT_INFO (CERT_INFO::SerialNumber) you get from the CryptMsgGetParam. So make sure that you store your own serial numbers reversed or reverse them before comparison.
Also note: you'll still need to have the certificate installed as trusted, in order for WinVerifyTrust (not mentioned above) to consider the code signature trusted at all. I just described the part about how to find out it's your own certificate that was used.
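An added example (not the answer's code) of the same two-step check done from PowerShell: first the WinVerifyTrust part via Get-AuthenticodeSignature, then the "is it my certificate" part, by thumbprint (preferred) or by serial number as in the CertCompareIntegerBlob approach. The DLL path and the thumbprint are constructed placeholders.

```powershell
# Added example: verify a file's signature AND that the signer is one of our
# own certificates. Assumed inputs are placeholders, not real values.
function Test-SignedByMyCert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$KnownThumbprints,  # SHA-1 hex, no spaces
        [string[]]$KnownSerials,                             # hex as shown in the cert dialog
        [string]$KnownIssuer                                 # required when matching on serial
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Step 1: the signature must verify and chain to a trusted root. A self-
    # signed signing cert therefore has to be installed as trusted, exactly as
    # the answer's final note says for WinVerifyTrust.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Verbose "$Path : signature status is $($sig.Status)"
        return $false
    }
    $signer = $sig.SignerCertificate

    # Step 2a: the thumbprint identifies the exact certificate. Preferred.
    if ($KnownThumbprints -contains $signer.Thumbprint) { return $true }

    # Step 2b: serial-number match. .NET's SerialNumber property is already in
    # the display order of the properties dialog, so unlike the raw
    # CERT_INFO::SerialNumber bytes no reversal is needed here. A serial number
    # is unique only within one issuer, so the issuer is checked as well.
    if ($KnownSerials -and $KnownIssuer) {
        $serialHex  = $signer.SerialNumber.ToUpperInvariant()
        $normalized = $KnownSerials | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }
        if (($normalized -contains $serialHex) -and ($signer.Issuer -eq $KnownIssuer)) {
            return $true
        }
    }

    return $false
}

# Usage with constructed placeholder values:
Test-SignedByMyCert -Path 'C:\app\plugin.dll' `
    -KnownThumbprints @('0000000000000000000000000000000000000000') -Verbose
```

Keep the thumbprint list in the application rather than the serial numbers where you can: the thumbprint covers the whole certificate, so a certificate from another CA that happens to share a serial number, or a re-issued certificate with the same subject, does not match.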
