Re: Certificates received from Windows CertStore: wrong public key (and incorrect modulus length)?

From: Michel Gallant (neutron_at_NOSPAMistar.ca)
Date: 01/20/04


Date: Tue, 20 Jan 2004 08:06:56 -0500

Hi Johannes,
The Pinvoke to CryptoAPI should return the correct key size.
I just tried this for 1024, 2048 and 16,384 bit RSA keys and
they return the correct public key.

However, if you instantiate a .NET oRSA with only the
public key and exponent, the KeySize parameter is not properly
updated, but the oRSA can still be used for enveloping. The KeySize
parameter is available if you instantiate with a keycontainer specifier.

Note that the MSDN EncryptTo.cs sample has a "Verbose" switch
to show the details of the key returned.

- Mitch Gallant

"Johannes Resch" <jr@xor.at> wrote in message
news:b341089e.0401200119.2dd589b3@posting.google.com...
> Hello,
>
> I'm currently writing an application in C# to support message
> integrity checks with signatures.
> For this, I need to use X.509-Certificates from files (CER encoded) as
> well as from the windows local machine certificate store.
>
> I modified the CryptoAPI P/Invoke-Examples from MSDN
> (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncapi/html/encryptdecrypt2a.asp?frame=true&hidetoc=true)
> to access the windows local machine certificate store from C#.
>
> This works, I can access both public and private keys of a chosen
> certificate.
>
> For getting RSA-PK-Parameters from a C# X509Certificate, I used the
> way described in
> http://groups.google.at/groups?hl=de&lr=&ie=UTF-8&oe=UTF-8&selm=OLCJILvRDHA.2768%40tk2msftngp13.phx.gbl.
> (getting the Modulus and Exponent from raw data returned from
> GetPublicKey(); see code below).
>
>
> However, if I take a closer look at the public key I get from the
> Windows Certificate store, there are two problems:
>
> 1.) the modulus length is always 128 Byte, no matter if I use PKs with
> keylengths greater than 1024 Bit.
>
> 2.) the modulus-parameter of two public keys (one extracted from
> CER-File via X509Certificate and GetPublicKey(), the other one
> received from the same certificate in Windows CertStore) don't match
> at all (the one from windows certstore is not just truncated, it
> seems to be completely different).
>
> If I open MMC and take a look at the certificate's public key in the
> windows certificate-management applet, I can see the correct public
> key (correct length, same modulus as the one being extracted from
> CER-File).
>
> As I'm not a CryptoAPI-insider: could it be possible, that I forgot to
> modify some parts of the CryptoAPI-MSDN examples, that could lead to
> this behaviour?
> Any other ideas?
>
>
> Best Regards,
> Johannes Resch
>
>
> Code for getting RSA-Exponent and Modulus from raw Public-Key-Data:
>
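> // Raw public key from the certificate (DER-encoded RSAPublicKey).
> byte[] pk = cert.GetPublicKey();
> // Assumes the public exponent is the last 3 bytes of the encoding.
> byte[] exp = new byte[3];
> // keyLen is the key size in bits; it is not read from the certificate here.
> byte[] modulus = new byte[keyLen/8];
> Array.Copy(pk, pk.Length - exp.Length, exp, 0, exp.Length);
> // Skip the exponent's 2-byte INTEGER header, then take the modulus before it.
> Array.Copy(pk, pk.Length - exp.Length - 2 - modulus.Length, modulus, 0, modulus.Length);
> RSAParameters rsaParams = new RSAParameters();
> rsaParams.Modulus = modulus;
> rsaParams.Exponent = exp;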
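
Added example (not part of the original posts or of the MSDN sample): the quoted snippet sizes the modulus from a separately supplied keyLen and assumes a 3-byte exponent; the sketch below instead reads both lengths from the DER encoding that GetPublicKey() returns, so the modulus length always reflects the certificate itself. The class and method names (RsaPublicKeyDer, Parse, ReadHeader, ReadUnsignedInteger) are hypothetical, and the byte array in Main is a constructed toy key.

```csharp
using System;
using System.Security.Cryptography;

static class RsaPublicKeyDer
{
    // Parses DER RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    public static RSAParameters Parse(byte[] der)
    {
        int pos = 0;
        int seqLen = ReadHeader(der, ref pos, 0x30);   // SEQUENCE
        if (pos + seqLen != der.Length) throw new FormatException("Trailing or missing bytes");
        RSAParameters p = new RSAParameters();
        p.Modulus = ReadUnsignedInteger(der, ref pos);
        p.Exponent = ReadUnsignedInteger(der, ref pos);
        if (pos != der.Length) throw new FormatException("Unexpected data after exponent");
        return p;
    }
    // Reads a tag plus short- or long-form length; returns the content length.
    static int ReadHeader(byte[] der, ref int pos, byte expectedTag)
    {
        if (pos + 2 > der.Length || der[pos++] != expectedTag) throw new FormatException("Unexpected ASN.1 tag");
        int len = der[pos++];
        if (len >= 0x80)
        {
            int n = len & 0x7F;
            if (n == 0 || n > 4 || pos + n > der.Length) throw new FormatException("Bad length");
            for (len = 0; n > 0; n--) len = (len << 8) | der[pos++];
        }
        if (len < 0 || len > der.Length - pos) throw new FormatException("Length exceeds buffer");
        return len;
    }
    // Reads an INTEGER, dropping the 0x00 sign byte DER prepends when the top bit is set.
    static byte[] ReadUnsignedInteger(byte[] der, ref int pos)
    {
        int len = ReadHeader(der, ref pos, 0x02);      // INTEGER
        if (len == 0) throw new FormatException("Empty INTEGER");
        int skip = (len > 1 && der[pos] == 0x00) ? 1 : 0;
        byte[] value = new byte[len - skip];
        Array.Copy(der, pos + skip, value, 0, value.Length);
        pos += len;
        return value;
    }
    static void Main()
    {
        // Constructed toy key (not a real certificate): modulus 0xC53B, exponent 0x010001.
        byte[] der = { 0x30, 0x0A, 0x02, 0x03, 0x00, 0xC5, 0x3B, 0x02, 0x03, 0x01, 0x00, 0x01 };
        RSAParameters p = Parse(der);
        Console.WriteLine("modulus bytes: {0}, exponent bytes: {1}", p.Modulus.Length, p.Exponent.Length);
    }
}
```

With a real certificate, pass cert.GetPublicKey() to Parse; comparing p.Modulus.Length * 8 against the key size shown in the certificate MMC snap-in is a quick consistency check.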


