I am pinning the public key in my app as part of our security measures. For that I have extracted the public key from my PEM certificate, which looks like:
-----BEGIN PUBLIC KEY-----
MIIBIj....IDAQAB
-----END PUBLIC KEY-----
However, in the OWASP sample code, we see code that compares a DER-encoded public key:
// DER encoded public key
private static String PUB_KEY = "30820122300d06092a864886f70d0101"
+ "0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85"
+ "5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc"
+ "ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657"
+ "2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8"
+ "609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50"
+ "c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00"
+ "33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38"
+ "cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b"
+ "e0b7a5bc860966dc84f10d723ce7eed5430203010001";
I know DER is a binary format; however, I am not sure how the author converted or extracted the above format. When I convert into DER, it has raw bytes, not the above format. Does anyone have a pointer on this?
An alternative approach can be the following sample code:
//Hack ahead: BigInteger and toString(). We know a DER encoded Public Key begins
//with 0x30 (ASN.1 SEQUENCE and CONSTRUCTED), so there is no leading 0x00 to drop.
RSAPublicKey pubkey = (RSAPublicKey) chain[0].getPublicKey();
String encoded = new BigInteger(1 /* positive */, pubkey.getEncoded()).toString(16);
If I want to convert the "encoded" variable into base64 PEM public key format, how do I do it in Android?
Any help would be appreciated.
Pinning is the process of associating a host with its expected X.509 certificate or public key. Once a certificate or public key is known or seen for a host, that certificate or public key is associated, or 'pinned', to the host.
Public key pinning lets the app detect whether the public key in the certificate the server presents has changed. The certificate is accepted only if the hash of its public key (or the key itself) matches the one "pinned" in the application; any other key is rejected, even if the certificate otherwise chains to a trusted CA.
The line below solved my problem:
String base64Encoded = Base64.encodeToString(pubkey.getEncoded(), Base64.DEFAULT).replaceAll("\n", "");
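Worked example added by the editor; it is not part of the question, the answer, or the OWASP sample. It is standard-library Python that converts between the three representations this thread talks about: the PEM armour, the raw DER bytes, and the OWASP hex string. The PUB_KEY hex from the question is embedded verbatim as the sample input; everything else (function names, the pin helper, the tiny DER reader) is the editor's own. Note that the question's PEM body starting with "MIIBIj" is just the base64 spelling of the same 30 82 01 22 bytes that open the OWASP hex: PEM, DER and the hex string are one blob in three encodings. The block also parses the DER far enough to show why the BigInteger hack is safe (the SPKI starts with 0x30, and the modulus carries its own 0x00 sign byte inside the INTEGER), computes the base64(SHA-256(SPKI)) form used by OkHttp's CertificatePinner and Android's network_security_config, and does the comparison in constant time.

```python
import base64
import hashlib
import hmac

# DER-encoded SubjectPublicKeyInfo (SPKI) from the OWASP sample quoted in the
# question, copied verbatim as hex. Used here only as sample input.
OWASP_PUB_KEY_HEX = (
    "30820122300d06092a864886f70d0101"
    "0105000382010f003082010a0282010100b35ea8adaf4cb6db86068a836f3c85"
    "5a545b1f0cc8afb19e38213bac4d55c3f2f19df6dee82ead67f70a990131b6bc"
    "ac1a9116acc883862f00593199df19ce027c8eaaae8e3121f7f329219464e657"
    "2cbf66e8e229eac2992dd795c4f23df0fe72b6ceef457eba0b9029619e0395b8"
    "609851849dd6214589a2ceba4f7a7dcceb7ab2a6b60c27c69317bd7ab2135f50"
    "c6317e5dbfb9d1e55936e4109b7b911450c746fe0d5d07165b6b23ada7700b00"
    "33238c858ad179a82459c4718019c111b4ef7be53e5972e06ca68a112406da38"
    "cf60d2f4fda4d1cd52f1da9fd6104d91a34455cd7b328b02525320a35253147b"
    "e0b7a5bc860966dc84f10d723ce7eed5430203010001"
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem: str) -> bytes:
    """Drop the -----BEGIN/END----- armour and base64-decode the body.

    The OWASP hex string is nothing more than these bytes printed as hex.
    """
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    """Inverse of pem_to_der: base64 in 64-character lines inside the armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_to_owasp_hex(der: bytes) -> str:
    """Hex form used by the OWASP PUB_KEY constant.

    Equivalent to Java's new BigInteger(1, der).toString(16) because a DER SPKI
    starts with 0x30 (SEQUENCE), so BigInteger never strips a leading zero byte.
    """
    return der.hex()


def spki_sha256_pin(der: bytes) -> str:
    """base64(SHA-256(SPKI)): the pin form used by OkHttp CertificatePinner,
    HPKP and Android's network_security_config <pin digest="SHA-256">."""
    return base64.b64encode(hashlib.sha256(der).digest()).decode("ascii")


def verify_pin(server_spki: bytes, pinned_hex: str) -> bool:
    """Compare the server's SPKI against the pinned hex in constant time."""
    return hmac.compare_digest(server_spki.hex(), pinned_hex.lower())


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes) -> dict:
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING(RSAPublicKey)
    and return modulus and exponent, proving the blob really is an RSA key."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must start with SEQUENCE (0x30)")
    _, alg, pos = _read_tlv(spki, 0)        # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)   # subjectPublicKey BIT STRING
    if tag != 0x03 or bitstr[0] != 0x00:
        raise ValueError("unexpected BIT STRING encoding")
    _, rsa_pub, _ = _read_tlv(bitstr, 1)    # RSAPublicKey SEQUENCE
    _, n_bytes, pos = _read_tlv(rsa_pub, 0)
    _, e_bytes, _ = _read_tlv(rsa_pub, pos)
    n = int.from_bytes(n_bytes, "big")      # the 0x00 sign byte drops out here
    e = int.from_bytes(e_bytes, "big")
    return {"modulus": n, "exponent": e, "bits": n.bit_length()}


if __name__ == "__main__":
    der = bytes.fromhex(OWASP_PUB_KEY_HEX)
    print(der_to_pem(der))
    print("hex :", der_to_owasp_hex(der)[:32], "...")
    print("pin :", spki_sha256_pin(der))
    info = parse_rsa_spki(der)
    print("key :", info["bits"], "bit RSA, e =", info["exponent"])
```

On Android, Base64.DEFAULT inserts line breaks, which is why the answer strips "\n"; Base64.NO_WRAP gives the one-line form directly. Whichever representation you store, pin the SubjectPublicKeyInfo rather than the whole certificate so that a renewal with the same key pair keeps working, and ship a second pin for a backup key so that a key rotation does not lock every installed client out.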