How to recover RSA from file?

Question

I want to recover a public key from a file. Here is the Java code that works:

PublicKey readPubKeyFromFile(AssetFileDescriptor cle) throws IOException {
    // read RSA public key
    byte[] encodedKey = new byte[(int) cle.getDeclaredLength()];
    cle.createInputStream().read(encodedKey);

    // create public key
    X509EncodedKeySpec publicKeySpec = new X509EncodedKeySpec(encodedKey);
    PublicKey pk = null;
    try {
        KeyFactory kf = KeyFactory.getInstance("RSA");
        pk = kf.generatePublic(publicKeySpec);
    } catch(Exception e) {
        Logger.getInstance().logError("KeyUtils", e.toString());
    }
    return pk;
}

And here is the iOS code that doesn't work:

-(SecKeyRef)readPublicKeyFromFile:(NSString*)filename andExtension:(NSString*)extension {

NSString*   filePath = [[NSBundle mainBundle] pathForResource:filename ofType:extension];
NSData*     encodedKey = [NSData dataWithContentsOfFile:filePath];

CFDataRef myCertData = (CFDataRef)encodedKey;

SecCertificateRef cert = SecCertificateCreateWithData (kCFAllocatorSystemDefault, myCertData);
CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, (const void **) &cert, 1, NULL);
SecPolicyRef policy = SecPolicyCreateBasicX509();

SecTrustRef trust;

OSStatus check =  SecTrustCreateWithCertificates(certs, policy, &trust);

if (check != noErr)
{
    NSLog(@"Problem extracting public key from file: %@", filename);
    return nil;
}

SecTrustResultType trustResult;
SecTrustEvaluate(trust, &trustResult);
SecKeyRef pub_key_leaf = SecTrustCopyPublicKey(trust);

return pub_key_leaf;
}

Any idea of what is wrong in my iOS code?

Answer 1

I've tested your code and there is nothing wrong with it. The problem seems to be related with the format of the certificates that you are trying to get the public key.

The function SecCertificateCreateWithData() assumes that the certificate that you are providing is in DER format. Most certificates that you find are encoded in base64 like the famous .pem format. I've tested your code with a correctly formatted DER certificate (the certificate form developer.apple.com converted to DER with openssl) and the public key is correctly extracted.

To convert a .pem certificate to DER simply use openssl in terminal:

openssl x509 -in developer.apple.com.pem  -outform der -out cert.der

After that the output certificate file should work with no problems with your code.

But you can convert the certificate on the application itself, you only need to grab de x509 base64 encoded certificate (assuming that you are using .pem encoded certificates) and convert it to binary.

There is an example how you can do it:

This code will assume that the certificate is encoded in the following standard:

-----BEGIN CERTIFICATE-----
< your base64 encoded certificate goes here >
-----END CERTIFICATE-----

The code to convert this certificate to binary DER is:

-(NSData *)getBinaryCertificateFromPemEncodedFile:(NSString *)filename andExtension:(NSString *)extension
{
    NSString* filePath = [[NSBundle mainBundle] pathForResource:filename ofType:extension];
    NSString *pemCert = [NSString stringWithContentsOfFile:filePath encoding:NSUTF8StringEncoding error:nil];
    //The header and footer conforms to .pem specificatio
    NSString *header = @"-----BEGIN CERTIFICATE-----";
    NSString *footer = @"-----END CERTIFICATE-----";

    NSString *base64Cert;
    NSScanner *scanner = [NSScanner scannerWithString:pemCert];
    //First we ignore the header part
    [scanner scanString:header intoString:nil];
    //Then we copy the base64 string excluding the footer
    [scanner scanUpToString:footer intoString:&base64Cert];

    //The reason I'm using NSDataBase64DecodingIgnoreUnknownCharacters is to exclude possible line breaks in the encoding
    NSData *binaryCertificate = [[NSData alloc] initWithBase64EncodedString:base64Cert options:NSDataBase64DecodingIgnoreUnknownCharacters];

    return binaryCertificate;
}

Then a small adaptation in your perfectly functional code does the trick:

-(SecKeyRef)readPublicKeyFromCertificate:(NSData *)binaryCertificate {

    NSData *encodedKey = binaryCertificate;

    CFDataRef myCertData = (CFDataRef)CFBridgingRetain(encodedKey);

    SecCertificateRef cert = SecCertificateCreateWithData(kCFAllocatorSystemDefault, myCertData);
    SecPolicyRef policy = SecPolicyCreateBasicX509();

    SecTrustRef trust;
    //If you only have one certificate you don't need to put it inside an array
    OSStatus check =  SecTrustCreateWithCertificates(cert, policy, &trust);

    if (check != noErr)
    {
        NSLog(@"Problem extracting public key from certificate");
        return nil;
    }

    SecTrustResultType trustResult;
    SecTrustEvaluate(trust, &trustResult);
    SecKeyRef pub_key_leaf = SecTrustCopyPublicKey(trust);

    return pub_key_leaf;
}

Then just call it:

NSData *data = [self getBinaryCertificateFromPemEncodedFile:@"developer" andExtension:@"pem"];
SecKeyRef key = [self readPublicKeyFromCertificate:data];
NSLog(@"%@", key);

And if your certificate is "valid" you should see:

2014-09-15 21:52:13.275 cert[15813:60b] <SecKeyRef algorithm id: 1,
key type: RSAPublicKey, version: 2, block size: 2048 bits, exponent: {hex: 10001, decimal: 65537},
modulus: BE19E30F47F2D31F27D576CF007B3E615F986D14AFD0D52B825E01E90BA3E1CBB6F3A472E6AECDC28BC13D0B6E58FC497ACF61D80F274E4799602DA4F819E54ADDE2FBFA89FC4EB2172501DDED8DE0FBDDBC5550CC018C73E1FD8152C905DE850862B8D57596025DE1908D8337E95637AF0F52C4A11DA178FF737DCE09471BC0A49DAD7DB39F1BA1B693D3A12F9CA50EF388B50292C73076BF1EEE412A5CFA940E99D4CF07F17FAC87F0D0E2FC8FA3ACDDEEFCCE8AFEC407B94536FCB1E4ACF34773728D189F85EAE4347E0BF868D25C7CE89F8A29B4E6865C68F4F915DFA540549EE9333007145D367FE2852622AAD776F3E5D505A02E5155CC8646A01C1031,
addr: 0x9a48200>

For testing I've used the certificate from developer.apple.com, you can check the public key in the log and compare it.