
I have no problem extracting the "SubjectKeyIdentifier" value from the x509certificates object, which I do by first setting the X509 object to variable $Cert and then executing the following line:

$Cert.Extensions.SubjectKeyIdentifier

That value corresponds to what I see in the MMC GUI.

However, there is no such value or option for

$Cert.Extensions.AuthorityKeyIdentifier.

I can go further into the object via:

$Cert.Extensions.Oid

And that produces two columns such as:

Value       FriendlyName
2.5.29.14   Subject Key Identifier
2.4.29.35   Authority Key Identifier

However, there is no way that I have found to get the actual or true value of the Authority Key Identifier like I did for the Subject Key Identifier and which corresponds to the value in the MMC GUI.
To confirm, this is a leaf-level certificate and the GUI does show a long stringed value for the Subject Key Identifier.

How can I extract that value in the object?

ukn
F.S.
  • `$Cert.Extensions` should contain a list of `X509Extension` objects. Could you search through those for one that is for the `AuthorityKeyIdentifier` property? – Foxocube Nov 22 '19 at 18:03

2 Answers


The framework doesn't have a built-in decoder for Authority Key Identifier. You'd have to use an ASN.1 DER reader, such as https://dotnet.myget.org/feed/dotnet-corefxlab/package/nuget/System.Security.Cryptography.Asn1.Experimental, Bouncy Castle, or other non-built-in pieces of technology (or hand-roll it) and decode the X509Extension.RawData value according to the encoding in https://www.rfc-editor.org/rfc/rfc5280#section-4.2.1.1.

bartonjs
  • Hey, thank you both for your quick and knowledgeable answers. After reading them, I'm wondering about the "hand-roll it" comment made by bartonjs. Apparently, the Framework version 4.8 has a class named AsnEncodedData Class. Would I theoretically be able to use this class to decode the AKI or am I misunderstanding that page? – F.S. Nov 23 '19 at 03:58
  • @F.S. Sorry, you’ve misinterpreted it. It just represents that the data is something that is ASN encoded data, but X509Extension already derived that type. Actual ASN data readers aren’t public API :(. – bartonjs Nov 23 '19 at 04:03
  • Thank you for the follow up. I just saw your GitHub post from July 2017 requesting that the API should be made public. A year-long conversation from that post. Looks like you yourself were working on it. So, how did it end? – F.S. Nov 23 '19 at 18:40
  • I hadn't finished that post yet. I mean to ask, is the API for the .Net and Core .Net Framework still in private development? Is there any ETA for it going public? What's the status? – F.S. Nov 23 '19 at 18:41

As bartonjs said, there is no built-in support for the AKI extension in PowerShell or .NET. You have to use third-party libraries or tools. Though, if you are allowed to use PS modules, you can give my PowerShell PKI (PSPKI) module a try. The module ships a library that contains classes for most X.509 extensions, including AKI.

After importing the module, you can call:

$cert.ResolvedExtensions

which returns a collection of decoded extensions:

PS C:\> $cert.ResolvedExtensions | ?{$_.oid.value -eq "2.5.29.35"}

IncludedComponents : KeyIdentifier
KeyIdentifier      : 0159abe7dd3a0b59a66463d6cf200757d591e76a
IssuerNames        :
SerialNumber       :
Critical           : False
Oid                : 2.5.29.35 (Authority Key Identifier)
RawData            : {48, 22, 128, 20...}


PS C:\>
Crypt32
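For readers who cannot install a module, here is a hand-rolled decoder of the kind bartonjs' answer mentions: it walks the DER in `X509Extension.RawData` according to RFC 5280 section 4.2.1.1 and returns the same `KeyIdentifier` / `SerialNumber` fields that Crypt32's PSPKI listing shows. This is an added example, not code from the question, from either answer or from the PSPKI module. The function names `Read-DerLength`, `ConvertFrom-AuthorityKeyIdentifier` and `ConvertFrom-Hex` are this example's own, and the sample bytes are constructed from the `30 16 80 14 ...` RawData prefix and the KeyIdentifier visible in Crypt32's output above.

```powershell
# Added example (not from the question, either answer, or PSPKI): decode the
# AuthorityKeyIdentifier extension by hand from X509Extension.RawData (RFC 5280, 4.2.1.1).
#
#   AuthorityKeyIdentifier ::= SEQUENCE {
#       keyIdentifier             [0] KeyIdentifier           OPTIONAL,  -- context tag 0x80
#       authorityCertIssuer       [1] GeneralNames            OPTIONAL,  -- context tag 0xA1
#       authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } -- context tag 0x82

function Read-DerLength {
    # Decodes a DER length field starting at $Offset.
    # Returns two values: the content length and the offset of the first content byte.
    param([byte[]]$Bytes, [int]$Offset)
    $first = [int]$Bytes[$Offset]
    if ($first -lt 0x80) { return $first, ($Offset + 1) }        # short form
    $count = $first -band 0x7F                                  # long form: number of length bytes
    if ($count -eq 0 -or $count -gt 4) { throw "Unsupported DER length at offset $Offset" }
    $len = 0
    for ($i = 1; $i -le $count; $i++) { $len = ($len -shl 8) -bor [int]$Bytes[$Offset + $i] }
    return $len, ($Offset + 1 + $count)
}

function ConvertFrom-AuthorityKeyIdentifier {
    param([Parameter(Mandatory)][byte[]]$RawData)

    if ($RawData.Length -lt 2 -or $RawData[0] -ne 0x30) {
        throw ('Expected an outer SEQUENCE (0x30), got 0x{0:X2}' -f $RawData[0])
    }
    $seqLen, $pos = Read-DerLength -Bytes $RawData -Offset 1
    $end = $pos + $seqLen
    if ($end -gt $RawData.Length) { throw 'SEQUENCE length runs past the end of RawData' }

    $result = [ordered]@{ KeyIdentifier = $null; IssuerNamesRaw = $null; SerialNumber = $null }

    while ($pos -lt $end) {
        $tag = [int]$RawData[$pos]
        $len, $contentStart = Read-DerLength -Bytes $RawData -Offset ($pos + 1)
        if ($contentStart + $len -gt $end) { throw "Element at offset $pos overruns the SEQUENCE" }
        [byte[]]$content = if ($len -gt 0) { $RawData[$contentStart..($contentStart + $len - 1)] } else { @() }
        $hex = ($content | ForEach-Object { $_.ToString('x2') }) -join ''

        switch ($tag) {
            0x80    { $result.KeyIdentifier  = $hex }       # [0] IMPLICIT OCTET STRING
            0xA1    { $result.IssuerNamesRaw = $content }   # [1] GeneralNames, left undecoded here
            0x82    { $result.SerialNumber   = $hex }       # [2] INTEGER, as big-endian hex
            default { }                                     # unknown element: skip over it
        }
        $pos = $contentStart + $len                         # advance past this element
    }
    [pscustomobject]$result
}

function ConvertFrom-Hex([string]$Hex) {
    # Small helper for building the constructed sample below.
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}

# Constructed sample: SEQUENCE (0x30, length 0x16) holding a [0] key identifier (0x80, length 0x14)
# whose value is the KeyIdentifier from Crypt32's listing above.
$sampleRawData = ConvertFrom-Hex ('3016' + '8014' + '0159abe7dd3a0b59a66463d6cf200757d591e76a')
ConvertFrom-AuthorityKeyIdentifier -RawData $sampleRawData

# Against a real certificate object (for example one from Cert:\LocalMachine\My):
#   $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' }
#   if ($ext) { $aki = ConvertFrom-AuthorityKeyIdentifier -RawData $ext.RawData }
# Chain check: the AKI of a leaf should equal the SubjectKeyIdentifier of its issuer's
# 2.5.29.14 extension (the built-in property returns upper-case hex; -eq ignores case):
#   $issuerSki = ($issuerCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }).SubjectKeyIdentifier
#   $aki.KeyIdentifier -eq $issuerSki
```

The decoder only needs the built-in `X509Extension.RawData` byte array, so it works in both Windows PowerShell 3+ and PowerShell 7 without extra packages. It reads every DER length generically (short and long form) and bounds-checks each element against the enclosing SEQUENCE, so a malformed extension raises an error rather than producing a partial identifier. The `[1] authorityCertIssuer` GeneralNames are returned as raw bytes rather than parsed, since in practice chain builders match on the key identifier, which is exactly the value the question wanted.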