5

I am pinning a public key in my app as part of my security measures; for that I have extracted the public key from my PEM certificate, which looks like:

-----BEGIN PUBLIC KEY-----
MIIBIj....IDAQAB
-----END PUBLIC KEY-----

However, in the OWASP sample code we see code that compares a DER-encoded public key:

// DER encoded public key
private static String PUB_KEY = "30820122300d06092a864886f70d0101"
+ "0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85"
+ "5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc"
+ "ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657"
+ "2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8"
+ "609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50"
+ "c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00"
+ "33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38"
+ "cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b"
+ "e0b7a5bc860966dc84f10d723ce7eed5430203010001";

I know DER is a binary format, however I am not sure how the author converted or extracted the above format. When I convert to DER I get raw bytes, not the format above. Does anyone have a pointer on this?

An alternate approach could be the following sample code:

//Hack ahead: BigInteger and toString(). We know a DER encoded Public Key begins
//with 0x30 (ASN.1 SEQUENCE and CONSTRUCTED), so there is no leading 0x00 to drop.
RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey();
String encoded = new BigInteger(1 /* positive */, pubkey.getEncoded()).toString(16);

How would I convert the "encoded" variable to the base64 PEM public key format in Android?

Any help would be appreciated.

Pankaj
  • Ref. http://stackoverflow.com/questions/11787571/how-to-read-pem-file-to-get-private-and-public-key – tonys Feb 23 '15 at 06:21
  • Hey Tony, I am trying to read the public key of the server at the time of the SSL handshake. The code you referred to shows how to read a public key from a static PEM file (in case I bundled it in the app). I have an X509Certificate instance at the time of the SSL handshake and I want to convert that to the PEM public key base64 format, or I have the PEM base64 public key in my app and want to convert that to ASN.1 DER encoding. – Pankaj Feb 23 '15 at 06:42
  • If you're just trying to implement pinning as a security measure then the way to do it is using a custom TrustManager - there are lots of questions about this already on Stackoverflow (e.g. http://stackoverflow.com/questions/5170279/httpclient-and-custom-trustmanager-on-android). If you actually need to read the server certificate then http://stackoverflow.com/questions/11143360/ssl-certificate-verification-in-java – tonys Feb 23 '15 at 07:51
  • Tony, the first link explains how to validate whether an SSL cert is a trusted one or not. If the server has any CA-signed cert this code will work. The second link, yes, is what I want to do, but as the OWASP link explained, not by including the complete PEM cert and adding it to the truststore. If you read my question, I asked for help with 2 approaches, for which these two links don't help. BTW - I did enough research on Stack Overflow and then raised this question; I did see a lot of related threads, but none answering my requirement. – Pankaj Feb 23 '15 at 08:31
  • @Pankaj I also have the same requirement. I fetched my public key, which looks like 00 01 10 00 00 00 00 E0 I0 00 00 00 00 00 00 00 00 00, so please let me know what I should do for the further process, I mean server communication. Please guide me. I referred to https://github.com/riramar/pubkey-pin-android – Gyan Swaroop Awasthi Oct 18 '19 at 07:48
  • @Gyan check this https://www.raywenderlich.com/1484288-preventing-man-in-the-middle-attacks-in-ios-with-ssl-pinning. – Pankaj Oct 18 '19 at 10:56

1 Answer

10

The line below solved my problem:

// android.util.Base64: the DEFAULT flags insert line breaks into the output,
// which the replaceAll strips so the key is a single base64 line.
String base64Encoded = Base64.encodeToString(pubkey.getEncoded(), Base64.DEFAULT).
    replaceAll("\n", "");
Pankaj
  • Thanks for this solution. I was looking in Google all the day to find out how to decode correctly and this saved my day. As example I have modified the original app found and uploaded it to github. You can find it here: https://github.com/jiahaoliuliu/pubKeyPinningInAndroid/blob/master/app/src/main/java/org/owasp/pubkeypin/PubKeyManager.java – jiahao Aug 12 '15 at 13:13
  • This needs more + votes. It's needed if you use any Android 5.x device. The RSA check code should also check the authType string contains "RSA" instead of it being equal to it... – kenyee Jan 29 '16 at 17:29
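As an added worked example (not from the question, the answer, or the OWASP project), the four representations this thread moves between, computed from the OWASP sample key quoted in the question: DER bytes, the OWASP hex string, the Java BigInteger hex hack, and the one-line base64 the accepted answer produces, plus a PEM round trip. It uses only the Python standard library; `check_roundtrip` confirms they all describe the same key and why the BigInteger trick loses nothing here.

```python
import base64
import textwrap

# DER-encoded SubjectPublicKeyInfo from the OWASP sample quoted in the question (hex).
OWASP_PUB_KEY_HEX = (
    "30820122300d06092a864886f70d0101"
    "0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85"
    "5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc"
    "ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657"
    "2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8"
    "609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50"
    "c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00"
    "33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38"
    "cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b"
    "e0b7a5bc860966dc84f10d723ce7eed5430203010001"
)

def pem_to_der(pem: str) -> bytes:
    """PEM -> DER: drop the BEGIN/END armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

def der_to_pem(der: bytes) -> str:
    """DER -> PEM: base64 the bytes, wrap at 64 columns, add the armour."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")

def der_to_base64_oneline(der: bytes) -> str:
    """What the accepted answer computes: Base64.DEFAULT with line breaks removed."""
    return base64.b64encode(der).decode("ascii")

def biginteger_hex(der: bytes) -> str:
    """Mimic Java's new BigInteger(1, der).toString(16): lowercase hex, leading zero
    nibbles dropped. Safe only because a DER SubjectPublicKeyInfo starts with 0x30."""
    return format(int.from_bytes(der, "big"), "x")

def check_roundtrip(hex_key: str) -> bool:
    """Cross-check all four representations of the same key against each other."""
    der = bytes.fromhex(hex_key)
    return (der[0] == 0x30                                   # ASN.1 SEQUENCE tag
            and pem_to_der(der_to_pem(der)) == der
            and biginteger_hex(der) == der.hex() == hex_key
            and base64.b64decode(der_to_base64_oneline(der)) == der)

if __name__ == "__main__":
    print(der_to_pem(bytes.fromhex(OWASP_PUB_KEY_HEX)), check_roundtrip(OWASP_PUB_KEY_HEX))
```

The PEM printed for the OWASP key begins with `MIIBIj` and ends with `IDAQAB`, the same text the question shows for its own extracted key.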