Posts on this page:
PowerShell MVP Adam Bertram inspired me to write this blog post with a recent tweet. I realized that I see a lot of articles describing how to delete a certificate from a certificate store, but I have never seen one that describes how to do it properly.
Let's recall what is wrong here. Years ago I wrote a blog post, The case of accidentally deleted user certificates, which describes how to restore a deleted certificate together with its private key when all you have is a backup of the certificate with the public key only. I explained why a certificate with just the public key is enough to restore the binding to the private key. The answer was: when you delete a certificate by standard means (the certificate store management functions in CryptoAPI), the private key is not deleted! The standard tools, the Certificates MMC snap-in, the X509Store class in .NET, certutil and so on, all use the Certificate and Certificate Store Functions. Our goal now is to fill the gap and provide the ability to remove the private key along with the certificate when you work in PowerShell.
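The following is an added example and not the post's own solution (the post works through CryptoAPI directly). It deletes the private key through the .NET key classes, which wrap the same CNG (NCrypt) and legacy CSP calls, and only then removes the certificate from the store; the thumbprint in the usage line is a placeholder:

```powershell
# Added example (not the post's own code): delete a certificate together with its private key.
# X509Store.Remove on its own calls CertDeleteCertificateFromStore and leaves the key behind,
# so the key container is deleted first.
function Remove-CertificateAndKey {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')] [string] $StoreLocation = 'CurrentUser',
        [string] $StoreName = 'My'
    )
    # Thumbprints copied from the MMC often carry spaces or a hidden Unicode mark; keep hex only
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $cert = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            $Thumbprint, $false) | Select-Object -First 1
        if (-not $cert) { throw "Certificate $Thumbprint not found in $StoreLocation\$StoreName" }
        if (-not $PSCmdlet.ShouldProcess("$StoreLocation\$StoreName\$Thumbprint", 'Delete certificate and private key')) {
            return
        }

        if ($cert.HasPrivateKey) {
            # GetRSAPrivateKey / GetECDsaPrivateKey (.NET 4.6+) open the key through CNG or the legacy CSP,
            # unlike the old X509Certificate2.PrivateKey property, which only understands CSP keys
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
                $key.Key.Delete()                 # KSP key: NCryptDeleteKey under the hood
            }
            elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $key.PersistKeyInCsp = $false     # CSP key: the container is deleted
                $key.Clear()                      # when the object is disposed
            }
            else {
                throw "Cannot delete a private key of type '$($key.GetType().FullName)'"
            }
        }
        $store.Remove($cert)
    }
    finally {
        $store.Close()
    }
}

# Usage (placeholder thumbprint): preview with -WhatIf, then run with -Confirm:$false to skip the prompt
# Remove-CertificateAndKey -Thumbprint '<thumbprint>' -StoreLocation LocalMachine -WhatIf
```

The function refuses to continue without confirmation because the key material is gone for good once the container is deleted; check with `-WhatIf` first. On Windows 8 / PowerShell 4 and later the `Cert:` drive offers the same result with `Remove-Item Cert:\LocalMachine\My\<thumbprint> -DeleteKey`, which is the quick answer when you do not need to see what happens underneath.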
Today I want to present another pair of useful CryptoAPI functions for working with PFX (PKCS#12) certificates.
Of course, you can try the appropriate X509Certificate2 class constructor, but this approach is faster and does not require importing the key into a cryptographic provider or the other work the X509Certificate2 constructor performs. The functionality is implemented in two CryptoAPI functions:
And here is the complete solution:
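The post's own solution is not included in this excerpt, and neither are the names of the two functions it lists. What follows is an added example of the same idea, checking a PFX blob and its password through crypt32.dll without importing anything; PFXIsPFXBlob and PFXVerifyPassword are my choice of functions for the purpose, and the path and password in the usage lines are placeholders:

```powershell
# Added example (not the post's own code): test a PFX blob and its password through crypt32.dll.
# PFXVerifyPassword checks the password against the outer PKCS#12 structure (its integrity MAC)
# and imports nothing, which is what makes it cheaper than the X509Certificate2 constructor.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

public static class PfxNative
{
    [StructLayout(LayoutKind.Sequential)]
    public struct CRYPT_DATA_BLOB
    {
        public uint cbData;
        public IntPtr pbData;
    }

    // BOOL PFXIsPFXBlob(CRYPT_DATA_BLOB *pPFX)
    [DllImport("crypt32.dll", SetLastError = true)]
    public static extern bool PFXIsPFXBlob(ref CRYPT_DATA_BLOB pPFX);

    // BOOL PFXVerifyPassword(CRYPT_DATA_BLOB *pPFX, LPCWSTR szPassword, DWORD dwFlags)
    [DllImport("crypt32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool PFXVerifyPassword(ref CRYPT_DATA_BLOB pPFX, string szPassword, uint dwFlags);
}
'@

function Test-PfxPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [byte[]] $PfxBytes,
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Password
    )
    # Pin the managed array so the native side can read it in place
    $handle = [System.Runtime.InteropServices.GCHandle]::Alloc(
        $PfxBytes, [System.Runtime.InteropServices.GCHandleType]::Pinned)
    try {
        $blob = [PfxNative+CRYPT_DATA_BLOB]::new()
        $blob.cbData = [uint32]$PfxBytes.Length
        $blob.pbData = $handle.AddrOfPinnedObject()

        if (-not [PfxNative]::PFXIsPFXBlob([ref]$blob)) {
            throw 'Input is not a PFX (PKCS#12) blob'
        }
        # $true when the password matches; no key is imported into any provider
        return [PfxNative]::PFXVerifyPassword([ref]$blob, $Password, 0)
    }
    finally {
        $handle.Free()
    }
}

# Usage (placeholders):
# $bytes = [System.IO.File]::ReadAllBytes('C:\temp\cert.pfx')
# Test-PfxPassword -PfxBytes $bytes -Password 'P@ssw0rd'
```

Because the check never touches a key container, it is safe to run against untrusted files and in a loop (for example, to find which of several exported PFX files a given password belongs to) without leaving stray keys behind.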
Yesterday I asked on Twitter who could convert a byte array to a formatted hex string in PowerShell in 5 minutes. I got one solution, with a reference to the Format-Hex function. Then I asked the opposite question: can you convert a formatted hex dump with address and ASCII panes back to a byte array in PowerShell in 5 minutes? I didn't get any response.
This subject is interesting and sometimes necessary. Due to my specialization (cryptography), I have to deal with these formats often, and not only hex: Base64 with and without headers as well.
To make the subject clear, here are some formatted examples:
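The post's own formatted examples are not part of this excerpt. As an added example (not the post's code), the functions below go the other way, from text back to bytes: ConvertFrom-HexDump reads a plain hex string or a dump with an address column and an ASCII pane (it covers the layouts of Format-Hex in Windows PowerShell 5.1 and PowerShell 7, xxd and hexdump -C), and ConvertFrom-Base64Text reads Base64 with or without PEM-style headers. The sample dump and PEM block at the end are constructed for the example:

```powershell
# Added example (not the post's own code): formatted hex dump / hex string / Base64 -> byte[]
function ConvertFrom-HexDump {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $Text,
        [ValidateSet('Auto', 'Dump', 'Hex')] [string] $Format = 'Auto'
    )
    begin   { $lines = [System.Collections.Generic.List[string]]::new() }
    process { foreach ($t in $Text) { $lines.AddRange([string[]]($t -split "`r?`n")) } }
    end {
        # Address column: 8 or 16 hex digits, optionally followed by ':' (xxd), then whitespace.
        # The Format-Hex header "00 01 02 ... 0F" starts with a two-digit token, so it never matches.
        $addressLine = '^(?<addr>[0-9A-Fa-f]{8}(?:[0-9A-Fa-f]{8})?):?\s+(?<body>.+)$'
        if ($Format -eq 'Auto') {
            $Format = if (@($lines | Where-Object { $_.Trim() -match $addressLine }).Count) { 'Dump' } else { 'Hex' }
        }
        $hex = [System.Text.StringBuilder]::new()
        foreach ($raw in $lines) {
            $line = $raw.Trim()
            if (-not $line) { continue }
            if ($Format -eq 'Dump') {
                if ($line -notmatch $addressLine) { continue }   # headers, separators, "Path:" lines
                $count = 0
                foreach ($token in ($Matches['body'] -split '\s+')) {
                    # Bytes come as "48" (Format-Hex, hexdump -C) or "4865" (xxd). The ASCII pane
                    # starts at the first token that is not even-length hex, or after 16 bytes.
                    # Assumption: at most 16 bytes per line; a short last line whose ASCII pane
                    # begins with an even-length hex-looking word (e.g. "ab") would be misread.
                    if ($token -notmatch '^[0-9A-Fa-f]+$' -or ($token.Length % 2) -ne 0) { break }
                    [void]$hex.Append($token)
                    $count += $token.Length / 2
                    if ($count -ge 16) { break }
                }
            }
            else {
                # Plain hex: allow 0x prefixes and space, colon, comma or dash separators
                $clean = $line -replace '0x', '' -replace '[\s:,\-]', ''
                if ($clean -notmatch '^[0-9A-Fa-f]*$') { throw "Not a hex string: '$line'" }
                [void]$hex.Append($clean)
            }
        }
        $digits = $hex.ToString()
        if (($digits.Length % 2) -ne 0) { throw 'Odd number of hex digits' }
        $bytes = [byte[]]::new($digits.Length / 2)
        for ($i = 0; $i -lt $bytes.Length; $i++) {
            $bytes[$i] = [Convert]::ToByte($digits.Substring(2 * $i, 2), 16)
        }
        return ,$bytes
    }
}

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)] [string] $Text)
    # Drop "-----BEGIN ...-----" / "-----END ...-----" lines and all whitespace (line wraps, CRLF)
    $body = ($Text -split "`r?`n" | Where-Object { $_ -notmatch '^\s*-----' }) -join ''
    return ,[Convert]::FromBase64String(($body -replace '\s', ''))
}

# Constructed sample in the Windows PowerShell 5.1 Format-Hex layout; the data is "Hello, PowerShell!"
$dump = @'

           00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000   48 65 6C 6C 6F 2C 20 50 6F 77 65 72 53 68 65 6C  Hello, PowerShel
00000010   6C 21                                            l!
'@
$fromDump = ConvertFrom-HexDump -Text $dump
$fromHex  = ConvertFrom-HexDump -Text '48:65:6C:6C:6F:2C:20:50:6F:77:65:72:53:68:65:6C:6C:21'
$fromPem  = ConvertFrom-Base64Text -Text @'
-----BEGIN DATA-----
SGVsbG8sIFBvd2VyU2hlbGwh
-----END DATA-----
'@
# All three should decode to the same 18-byte string
[System.Text.Encoding]::ASCII.GetString($fromDump)
[System.Text.Encoding]::ASCII.GetString($fromHex)
[System.Text.Encoding]::ASCII.GetString($fromPem)
```

The awkward part is telling where the byte columns end and the ASCII pane begins, because the pane can itself contain hex-looking characters and runs of spaces (two 0x20 bytes render as two spaces). The token rule plus the 16-bytes-per-line cap handles every full line; only a short final line whose ASCII pane happens to start with an even-length hex word is ambiguous, which is why `-Format` lets you force the interpretation when the input is known.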
In the previous post I talked about the weirdness of CNG support in .NET and showed an example of how to fill the gaps in .NET. That was just an example. Today I will show how to perform basic cryptographic operations with CNG in PowerShell and other CLR languages (C#, VB.NET). PowerShell is built on top of the CLR, so the techniques are almost identical, despite somewhat different syntax.
So, today I will show how to sign data with a CNG certificate. The easiest way is to use the NCrypt* unmanaged function family exposed by NCRYPT.DLL.
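As an added example (not the post's own code, which calls the NCrypt* functions directly), the functions below sign and verify with a CNG-backed RSA certificate through RSACng, the .NET wrapper around the same NCrypt key handle. This sidesteps the legacy X509Certificate2.PrivateKey property, which only understands CSP keys and is the source of the "weirdness" the post refers to. The usage lines assume New-SelfSignedCertificate from the PKI client module (Windows 10 / Server 2016 or later) to create a throwaway key in the Microsoft Software Key Storage Provider:

```powershell
# Added example (not the post's own code): sign data with a CNG (KSP) certificate key via RSACng
function Invoke-CngSign {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [byte[]] $Data,
        [ValidateSet('SHA256', 'SHA384', 'SHA512')] [string] $HashAlgorithm = 'SHA256'
    )
    # GetRSAPrivateKey (.NET 4.6+) returns RSACng for KSP keys and RSACryptoServiceProvider for CSP keys;
    # $Certificate.PrivateKey would return nothing useful for a KSP key in older .NET Framework.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if (-not $rsa) { throw 'The certificate has no accessible RSA private key' }
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
        throw "Key is stored in a legacy CSP ($($rsa.GetType().Name)), not in a CNG key storage provider"
    }
    Write-Verbose "Signing with KSP key '$($rsa.Key.KeyName)' in provider '$($rsa.Key.Provider.Provider)'"
    $hash = [System.Security.Cryptography.HashAlgorithmName]::new($HashAlgorithm)
    # RSACng.SignData hashes the input and calls NCryptSignHash with PKCS#1 v1.5 padding info
    return ,$rsa.SignData($Data, $hash, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-CngSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [byte[]] $Data,
        [Parameter(Mandatory)] [byte[]] $Signature,
        [ValidateSet('SHA256', 'SHA384', 'SHA512')] [string] $HashAlgorithm = 'SHA256'
    )
    # Verification needs only the public key, so this works for any certificate, CNG or CSP
    $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $hash = [System.Security.Cryptography.HashAlgorithmName]::new($HashAlgorithm)
    return $rsa.VerifyData($Data, $Signature, $hash, [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# Usage (assumes New-SelfSignedCertificate with -Provider, i.e. Windows 10 / Server 2016 or later):
# $cert = New-SelfSignedCertificate -Subject 'CN=cng-sign-test' -KeyAlgorithm RSA -KeyLength 2048 `
#             -Provider 'Microsoft Software Key Storage Provider' -CertStoreLocation Cert:\CurrentUser\My
# $data = [System.Text.Encoding]::UTF8.GetBytes('data to sign')
# $sig  = Invoke-CngSign -Certificate $cert -Data $data -Verbose
# Test-CngSignature -Certificate $cert -Data $data -Signature $sig
# Test-CngSignature -Certificate $cert -Data ([System.Text.Encoding]::UTF8.GetBytes('tampered')) -Signature $sig
```

If you need the raw NCrypt handle for something RSACng does not expose, `$rsa.Key.Handle` is the SafeNCryptKeyHandle that the NCrypt* functions take, so the P/Invoke route and the managed route can be mixed on the same key.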
Before I discuss the subject, I want to share my thoughts about the problems of cryptography on Windows. You can skip this section if you only need the solution.
Cryptography in general is not something new; it has been with us for a long time, and the problem appeared in ancient times. Julius Caesar is one of the notable historical figures associated with it: he used the so-called Caesar cipher, which was secure enough during his lifetime. However, people fairly quickly figured out how to break that cipher, and cipher methods became harder to break. For example, the 16th-century Vigenère cipher was much better than the Caesar cipher. There were many others, but all of them were relatively easy to break. In the 20th century Arthur Scherbius invented the famous Enigma machine, and the Americans built SIGABA, which was meant to fix Enigma's weaknesses. As time went on, cryptography became more complex and stronger against attacks.