diff --git a/src/headers/tomcrypt_private.h b/src/headers/tomcrypt_private.h
index e536d579e..0d4842e41 100644
--- a/src/headers/tomcrypt_private.h
+++ b/src/headers/tomcrypt_private.h
@@ -330,6 +330,13 @@ int der_teletex_value_decode(int v);
 
 int der_utf8_valid_char(const wchar_t c);
 
+typedef int (*public_key_decode_cb)(const unsigned char *in, unsigned long inlen, void *ctx);
+
+int x509_decode_public_key_from_certificate(const unsigned char *in, unsigned long inlen,
+                                            enum ltc_oid_id algorithm, ltc_asn1_type param_type,
+                                            ltc_asn1_list* parameters, unsigned long *parameters_len,
+                                            public_key_decode_cb callback, void *ctx);
+
 /* SUBJECT PUBLIC KEY INFO */
 int x509_encode_subject_public_key_info(unsigned char *out, unsigned long *outlen,
         unsigned int algorithm, const void* public_key, unsigned long public_key_len,
diff --git a/src/pk/asn1/x509/x509_decode_public_key_from_certificate.c b/src/pk/asn1/x509/x509_decode_public_key_from_certificate.c
new file mode 100644
index 000000000..381f87743
--- /dev/null
+++ b/src/pk/asn1/x509/x509_decode_public_key_from_certificate.c
@@ -0,0 +1,114 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+#include "tomcrypt_private.h"
+
+/**
+  @file x509_decode_public_key_from_certificate.c
+  ASN.1 DER/X.509, decode a certificate
+*/
+
+#ifdef LTC_DER
+
+/* Check if it looks like a SubjectPublicKeyInfo */
+#define LOOKS_LIKE_SPKI(l) (l)->type == LTC_ASN1_SEQUENCE                   \
+&& (l)->child                                       \
+&& (l)->child->type == LTC_ASN1_OBJECT_IDENTIFIER   \
+&& (l)->next                                        \
+&& (l)->next->type == LTC_ASN1_BIT_STRING
+
+/**
+  Try to decode the public key from a X.509 certificate
+   @param in               The input buffer
+   @param inlen            The length of the input buffer
+   @param algorithm        One out of the enum #public_key_algorithms
+   @param param_type       The parameters' type out of the enum ltc_asn1_type
+   @param parameters       The parameters to include
+   @param parameters_len   [in/out] The number of parameters to include
+   @param callback         The callback
+   @param ctx              The context passed to the callback
+   @return CRYPT_OK on success
+*/
+int x509_decode_public_key_from_certificate(const unsigned char *in, unsigned long inlen,
+                                            enum ltc_oid_id algorithm, ltc_asn1_type param_type,
+                                            ltc_asn1_list* parameters, unsigned long *parameters_len,
+                                            public_key_decode_cb callback, void *ctx)
+{
+   int err;
+   unsigned char *tmpbuf;
+   unsigned long tmpbuf_len, tmp_inlen;
+   ltc_asn1_list *decoded_list = NULL, *l;
+
+   LTC_ARGCHK(in    != NULL);
+   LTC_ARGCHK(inlen != 0);
+
+   tmpbuf_len = inlen;
+   tmpbuf = XCALLOC(1, tmpbuf_len);
+   if (tmpbuf == NULL) {
+       err = CRYPT_MEM;
+       goto LBL_OUT;
+   }
+
+   tmp_inlen = inlen;
+   if ((err = der_decode_sequence_flexi(in, &tmp_inlen, &decoded_list)) == CRYPT_OK) {
+      l = decoded_list;
+
+      err = CRYPT_INVALID_ARG;
+
+      /* Move 2 levels up in the tree
+         SEQUENCE
+             SEQUENCE
+                 ...
+       */
+      if (l->type == LTC_ASN1_SEQUENCE && l->child) {
+         l = l->child;
+         if (l->type == LTC_ASN1_SEQUENCE && l->child) {
+            l = l->child;
+
+            /* Move forward in the tree until we find this combination
+                 ...
+                 SEQUENCE
+                     SEQUENCE
+                         OBJECT IDENTIFIER <some PKA OID, e.g. 1.2.840.113549.1.1.1>
+                         NULL
+                     BIT STRING
+             */
+            do {
+               /* The additional check for l->data is there to make sure
+                * we won't try to decode a list that has been 'shrunk'
+                */
+               if (l->type == LTC_ASN1_SEQUENCE
+                     && l->data
+                     && l->child
+                     && LOOKS_LIKE_SPKI(l->child)) {
+                  err = x509_decode_subject_public_key_info(l->data, l->size,
+                                                            algorithm, tmpbuf, &tmpbuf_len,
+                                                            param_type, parameters, parameters_len);
+                  if (err == CRYPT_OK) {
+                     err = callback(tmpbuf, tmpbuf_len, ctx);
+                     goto LBL_OUT;
+                  }
+               }
+               l = l->next;
+            } while(l);
+         }
+      }
+   }
+
+LBL_OUT:
+   if (decoded_list) der_free_sequence_flexi(decoded_list);
+   if (tmpbuf != NULL) XFREE(tmpbuf);
+
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */
diff --git a/src/pk/asn1/x509/x509_decode_subject_public_key_info.c b/src/pk/asn1/x509/x509_decode_subject_public_key_info.c
index bd84e7c7e..2d851b567 100644
--- a/src/pk/asn1/x509/x509_decode_subject_public_key_info.c
+++ b/src/pk/asn1/x509/x509_decode_subject_public_key_info.c
@@ -34,7 +34,7 @@
    @param public_key_len        [in/out] The length of the public key buffer and the written length
    @param parameters_type       The parameters' type out of the enum ltc_asn1_type
    @param parameters            The parameters to include
-   @param parameters_len        [in/out]The number of parameters to include
+   @param parameters_len        [in/out] The number of parameters to include
    @return CRYPT_OK on success
 */
 int x509_decode_subject_public_key_info(const unsigned char *in, unsigned long inlen,
@@ -42,18 +42,25 @@ int x509_decode_subject_public_key_info(const unsigned char *in, unsigned long i
         ltc_asn1_type parameters_type, ltc_asn1_list* parameters, unsigned long *parameters_len)
 {
    int err;
-   unsigned long len, alg_id_num;
+   unsigned long len, alg_id_num, tmplen;
    const char* oid;
    unsigned char *tmpbuf;
    unsigned long  tmpoid[16];
+   unsigned long *_parameters_len;
    ltc_asn1_list alg_id[2];
    ltc_asn1_list subject_pubkey[2];
 
    LTC_ARGCHK(in    != NULL);
    LTC_ARGCHK(inlen != 0);
    LTC_ARGCHK(public_key_len != NULL);
+
    if (parameters_type != LTC_ASN1_EOL) {
-      LTC_ARGCHK(parameters_len != NULL);
+      if ((parameters == NULL) || (parameters_len == NULL)) {
+         tmplen = 0;
+         _parameters_len = &tmplen;
+      } else {
+         _parameters_len = parameters_len;
+      }
    }
 
    err = pk_get_oid(algorithm, &oid);
@@ -72,9 +79,8 @@ int x509_decode_subject_public_key_info(const unsigned char *in, unsigned long i
    LTC_SET_ASN1(alg_id, 0, LTC_ASN1_OBJECT_IDENTIFIER, tmpoid, sizeof(tmpoid)/sizeof(tmpoid[0]));
    if (parameters_type == LTC_ASN1_EOL) {
       alg_id_num = 1;
-   }
-   else {
-      LTC_SET_ASN1(alg_id, 1, parameters_type, parameters, *parameters_len);
+   } else {
+      LTC_SET_ASN1(alg_id, 1, parameters_type, parameters, *_parameters_len);
       alg_id_num = 2;
    }
 
@@ -89,7 +95,7 @@ int x509_decode_subject_public_key_info(const unsigned char *in, unsigned long i
            goto LBL_ERR;
    }
    if (parameters_type != LTC_ASN1_EOL) {
-      *parameters_len = alg_id[1].size;
+      *_parameters_len = alg_id[1].size;
    }
 
    if ((err = pk_oid_cmp_with_asn1(oid, &alg_id[0])) != CRYPT_OK) {