Archive for the ‘security’ Category

android: security: keystore, jks, and pkcs12

December 21, 2016

This post discusses keystore.

test environment
OS X El Capitan Version 10.11.4

what is keystore
A file containing private keys and their certificates.

what is jks and pkcs12
Two different types of keystore. The default keystore type in jdk and android is jks.

how to create a keystore

  1. keytool -genkey creates a keystore and a private key within it. The name of the keystore is keystore.jks. The alias of the private key is mykey.
    $ keytool -genkey -keystore keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias mykey
    
  2. keytool -list shows that there is only one entry in this keystore. The entry is a private key with alias mykey.
    $ keytool -list -v -keystore keystore.jks 
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 1 entry
    
    Alias name: mykey
    Creation date: Dec 22, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 26c53310
    Valid from: Thu Dec 22 01:01:58 CST 2016 until: Mon May 09 01:01:58 CST 2044
    Certificate fingerprints:
             MD5:  1F:EF:A8:1B:83:1A:B2:37:0E:AF:92:09:A0:F1:EF:72
             SHA1: B9:52:57:E9:6C:AE:F7:98:42:A9:7E:AD:2D:A6:19:F5:59:2B:E9:B6
             SHA256: CA:22:68:5A:6C:D9:3F:6E:E2:88:BC:62:B1:DE:BA:0A:D2:A9:4A:B5:D8:84:62:FC:00:65:DE:A1:12:2C:88:B3
             Signature algorithm name: SHA256withRSA
             Version: 3
    

how to add an existing private key into a jks keystore
I tried this when I wanted to add the android’s default platform key into my apk. It couldn’t be done directly. But it could be done indirectly as below.

  1. platform.pk8 is a private key in pkcs#8 format with der encoding. Transform it into a private key in pkcs#1 format with pem encoding.
    $ openssl pkcs8 -nocrypt -in platform.pk8 -inform der -out platform.pem -outform pem
    $ cat platform.pem 
    -----BEGIN RSA PRIVATE KEY-----
    -----END RSA PRIVATE KEY-----
    
  2. The private key in pem encoding can be used to create a new keystore. The keystore, platform.pk12, contains the private key from platform.pem.
    $ openssl pkcs12 -export -in platform.x509.pem -inkey platform.pem -out platform.pk12 -name platform
    
  3. Import the private key in platform.pk12 into keystore.jks.
    $ keytool -importkeystore -srckeystore platform.pk12 -destkeystore keystore.jks 
    Entry for alias platform successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    
  4. keytool -list shows that the android default platform key, platform.pk8, has been imported into keystore.jks successfully.
    $ keytool -list -v -keystore keystore.jks
    
    Keystore type: JKS
    Keystore provider: SUN
    
    Your keystore contains 2 entries
    
    Alias name: platform
    Creation date: Dec 22, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
    Issuer: EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US
    Serial number: b3998086d056cffa
    Valid from: Wed Apr 16 06:40:50 CST 2008 until: Sun Sep 02 06:40:50 CST 2035
    Certificate fingerprints:
    	 MD5:  8D:DB:34:2F:2D:A5:40:84:02:D7:56:8A:F2:1E:29:F9
    	 SHA1: 27:19:6E:38:6B:87:5E:76:AD:F7:00:E7:EA:84:E4:C6:EE:E3:3D:FA
    	 SHA256: C8:A2:E9:BC:CF:59:7C:2F:B6:DC:66:BE:E2:93:FC:13:F2:FC:47:EC:77:BC:6B:2B:0D:52:C1:1F:51:19:2A:B8
    	 Signature algorithm name: MD5withRSA
    	 Version: 3
    
    Extensions: 
    
    #1: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 4F E4 A0 B3 DD 9C BA 29   F7 1D 72 87 C4 E7 C3 8F  O......)..r.....
    0010: 20 86 C2 99                                         ...
    ]
    [EMAILADDRESS=android@android.com, CN=Android, OU=Android, O=Android, L=Mountain View, ST=California, C=US]
    SerialNumber: [    b3998086 d056cffa]
    ]
    
    #2: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    
    #3: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 4F E4 A0 B3 DD 9C BA 29   F7 1D 72 87 C4 E7 C3 8F  O......)..r.....
    0010: 20 86 C2 99                                         ...
    ]
    ]
    
    
    
    *******************************************
    *******************************************
    
    
    Alias name: mykey
    Creation date: Dec 22, 2016
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 26c53310
    Valid from: Thu Dec 22 01:01:58 CST 2016 until: Mon May 09 01:01:58 CST 2044
    Certificate fingerprints:
    	 MD5:  1F:EF:A8:1B:83:1A:B2:37:0E:AF:92:09:A0:F1:EF:72
    	 SHA1: B9:52:57:E9:6C:AE:F7:98:42:A9:7E:AD:2D:A6:19:F5:59:2B:E9:B6
    	 SHA256: CA:22:68:5A:6C:D9:3F:6E:E2:88:BC:62:B1:DE:BA:0A:D2:A9:4A:B5:D8:84:62:FC:00:65:DE:A1:12:2C:88:B3
    	 Signature algorithm name: SHA256withRSA
    	 Version: 3
    
    Extensions: 
    
    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 14 2B FA 9F D1 8B D4 7E   CF 4E 00 AF 83 D0 FD 78  .+.......N.....x
    0010: 13 0F 8A 48                                        ...H
    ]
    ]
    
    
    
    *******************************************
    *******************************************
    
    
    
    

conclusion
This post discusses what a keystore is and how to add an existing private key into a keystore.


android: security: sign apk with android default platform key

December 19, 2016

This post discusses how to sign apk with android default platform key.

preliminary

build apk and sign it with android default platform key
Use signapk to sign the apk with the platform key. Both the certificate and the private key of the platform key are needed.

$ ./gradlew assembleRelease
$ java -jar signapk.jar ${ANDROID_SOURCE}/build/target/product/security/platform.x509.pem ${ANDROID_SOURCE}/build/target/product/security/platform.pk8 ./app/build/outputs/apk/app-release.apk ./app/build/outputs/apk/platform-key-release.apk
./app/build/outputs/apk/platform-key-release.apk

conclusion
This post shows how to sign apk with android default platform key.

android: security: private key formats and encodings

December 19, 2016

This post discusses private key formats and encodings.

what is private key
Public key and private key are essential in asymmetric encryption.

  • A pair of public key and private key could be generated efficiently.
  • Given a public key, there exists no efficient algorithm to get its private key.
  • Given a private key, there exist efficient algorithms to get its public key.
  • Private key and public key could verify each other.
  • Private key and public key could verify the signatures created by each other.

private key formats
This post discusses two private key formats.

  • pkcs#1 format
  • pkcs#8 format

android default platform key
We use android default platform key as an example since it’s a pkcs#8 format private key. Below shows how to get android default platform private key in android 5.1.1. The file name of this private key is platform.pk8.

$ git clone https://android.googlesource.com/platform/build
$ cd build
$ git reset --hard android-5.1.1_r1
$ cd target/product/security 
$ ls 
Android.mk              media.pk8               platform.pk8            shared.pk8              testkey.pk8             verity.pk8              verity_key
README                  media.x509.pem          platform.x509.pem       shared.x509.pem         testkey.x509.pem        verity.x509.pem

private key encodings
A private key could be represented in two encodings.

  • pem encoding: Base64 ASCII text.
  • der encoding: binary data

For example, android default platform key, platform.pk8, is a private key in pkcs#8 format with der encoding.

$ openssl pkcs8 -in platform.pk8 -inform der -nocrypt 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

what is pem format
It means pkcs#1 format with pem encoding.

transform a private key between different formats and encodings

  • Transform a private key in pkcs#8 format with der encoding to pem format (pkcs#1 format in pem encoding).
    $ openssl pkcs8 -nocrypt -inform der -outform pem -in platform.pk8 -out platform.pem 
    
  • Transform the private key in pem format back to pkcs#8 format with der encoding
    $ openssl pkcs8 -nocrypt -topk8 -inform pem -outform der -in platform.pem -out platform.pk8.2
    $ md5 platform.pk8 platform.pk8.2
    MD5 (platform.pk8) = 6d1611ff6c2201b5edb8c4906b8adcfa
    MD5 (platform.pk8.2) = 6d1611ff6c2201b5edb8c4906b8adcfa 
    
  • Transform the private key in pem format to pkcs#8 format with pem encoding
    $ openssl pkcs8 -nocrypt -topk8 -inform pem -outform pem -in platform.pem -out platform.pk8.pem
    $ cat platform.pk8.pem 
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    

difference between pkcs#1 and pkcs#8 format

    • A private key in pkcs#1 format with pem encoding begins with -----BEGIN RSA PRIVATE KEY-----
    • A private key in pkcs#8 format with pem encoding begins with -----BEGIN PRIVATE KEY-----
    • pkcs#1 format only includes an RSA private key.
    • pkcs#8 format includes metadata and a private key. The key might not be an RSA private key. The metadata indicates whether it is an RSA private key or not.

how to verify certificate with private key
The certificate’s embedded public key is supposed to be the same as the public key computed from its corresponding private key.

    • Get the public key embedded in a certificate.
      $ openssl x509 -in platform.x509.pem -noout -pubkey
      -----BEGIN PUBLIC KEY-----
      MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAnHgFkqwNXTgc3qpl7Mim
      AG42SAxtcgexIBG+UIY6q+K1XQCa33FG1vIgIoDHzU172yYkO4qAbCazSxN1I6SS
      aCJJBNwBST58Cs8aBch09psDe2AwnZB00kKA4WutKoc0NhlR6vcqSC0JsgSxh14S
      rJjBqnc9aAC56v3lbVi+2OjaFvmjYAmcN6g0pt/tt7a0SgSeB6Jp/M8sVJbyzzbW
      TfkKO42PNKO6q0z1M3GrJ3GbO6WHVK0MU/wU4dtF1R4jT7vpPJuk7fnOVCYTUOxT
      Vge/aaL/SqB9tffqIA0JpsG0niFAL4ntEZCJOqtakYDxUugvhaRXU89fwZBxxe7I
      JwIBAw==
      -----END PUBLIC KEY-----
      
    • Compute the public key from a private key.
      $ openssl pkcs8 -in platform.pk8 -inform der -nocrypt -out platform.pem -outform pem
      $ openssl rsa -in platform.pem -inform pem -pubout
      writing RSA key
      -----BEGIN PUBLIC KEY-----
      MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAnHgFkqwNXTgc3qpl7Mim
      AG42SAxtcgexIBG+UIY6q+K1XQCa33FG1vIgIoDHzU172yYkO4qAbCazSxN1I6SS
      aCJJBNwBST58Cs8aBch09psDe2AwnZB00kKA4WutKoc0NhlR6vcqSC0JsgSxh14S
      rJjBqnc9aAC56v3lbVi+2OjaFvmjYAmcN6g0pt/tt7a0SgSeB6Jp/M8sVJbyzzbW
      TfkKO42PNKO6q0z1M3GrJ3GbO6WHVK0MU/wU4dtF1R4jT7vpPJuk7fnOVCYTUOxT
      Vge/aaL/SqB9tffqIA0JpsG0niFAL4ntEZCJOqtakYDxUugvhaRXU89fwZBxxe7I
      JwIBAw==
      -----END PUBLIC KEY-----
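
The pkcs#1/pkcs#8 difference and the certificate check described above can both be seen at the DER byte level. The Python below is an added example, not code from the original post: it adds and strips the pkcs#8 metadata around a pkcs#1 key and compares a private key's public half with a SubjectPublicKeyInfo blob (the DER behind a BEGIN PUBLIC KEY block). The toy key (p=61, q=53, e=17) and all function names are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def tlv(tag, body):
    """Encode one DER element with a definite length."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def der_int(v):
    # bit_length // 8 + 1 bytes leaves the top bit clear, so the value stays positive
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def read_tlv(buf):
    """Split buf into (tag, body, remaining bytes); reject truncated input."""
    if len(buf) < 2:
        raise ValueError("truncated DER")
    n, pos = buf[1], 2
    if n >= 0x80:                      # long form: low 7 bits count the length bytes
        pos = 2 + (n & 0x7F)
        n = int.from_bytes(buf[2:pos], "big")
    if buf[1] == 0x80 or len(buf) < pos + n:
        raise ValueError("truncated or indefinite-length DER")
    return buf[0], buf[pos:pos + n], buf[pos + n:]

def items(body):
    """Parse the concatenated elements inside a constructed value."""
    out = []
    while body:
        tag, value, body = read_tlv(body)
        out.append((tag, value))
    return out

def seq(der):
    tag, body, rest = read_tlv(der)
    if tag != 0x30 or rest:
        raise ValueError("expected exactly one DER SEQUENCE")
    return items(body)

def classify(der):
    """'pkcs1' for a bare RSAPrivateKey, 'pkcs8' for an unencrypted PrivateKeyInfo."""
    tags = [tag for tag, _ in seq(der)]
    if len(tags) >= 9 and set(tags[:9]) == {0x02}:
        return "pkcs1"      # version, n, e, d, p, q, dP, dQ, qInv: all INTEGERs
    if tags[:3] == [0x02, 0x30, 0x04]:
        return "pkcs8"      # version, AlgorithmIdentifier, OCTET STRING
    raise ValueError("neither PKCS#1 nor unencrypted PKCS#8")

def algorithm_id():
    return tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))  # OID + NULL parameters

def pkcs1_to_pkcs8(pkcs1):
    """Add the PKCS#8 metadata: version 0 and the algorithm OID."""
    return tlv(0x30, der_int(0) + algorithm_id() + tlv(0x04, pkcs1))

def pkcs8_to_pkcs1(pkcs8):
    """Strip the wrapper, refusing keys whose metadata does not say RSA."""
    _, (_, alg), (_, inner) = seq(pkcs8)[:3]
    if items(alg)[:1] != [(0x06, RSA_OID)]:
        raise ValueError("PKCS#8 metadata says this is not an RSA key")
    return inner

def public_from_pkcs1(pkcs1):
    values = [int.from_bytes(v, "big") for _, v in seq(pkcs1)]
    return values[1], values[2]                 # modulus n, public exponent e

def public_from_spki(spki):
    """Read (n, e) from a SubjectPublicKeyInfo structure."""
    (_, alg), (tag, bits) = seq(spki)
    if items(alg)[:1] != [(0x06, RSA_OID)] or tag != 0x03:
        raise ValueError("not an RSA public key")
    (_, n), (_, e) = seq(bits[1:])              # bits[0] is the unused-bits count
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def key_matches(private_der, spki):
    if classify(private_der) == "pkcs8":
        private_der = pkcs8_to_pkcs1(private_der)
    return public_from_pkcs1(private_der) == public_from_spki(spki)

# Constructed sample: a textbook-sized RSA key, unusable for real signing.
def toy_pkcs1(p, q, e):
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return tlv(0x30, b"".join(der_int(v) for v in fields))

def toy_spki(n, e):
    rsa_public = tlv(0x30, der_int(n) + der_int(e))
    return tlv(0x30, algorithm_id() + tlv(0x03, b"\x00" + rsa_public))

PKCS1 = toy_pkcs1(61, 53, 17)
PKCS8 = pkcs1_to_pkcs8(PKCS1)
SPKI = toy_spki(61 * 53, 17)
OTHER_SPKI = toy_spki(59 * 53, 17)              # public key of a different key pair

if __name__ == "__main__":
    print(classify(PKCS1), classify(PKCS8))
    print(key_matches(PKCS8, SPKI), key_matches(PKCS8, OTHER_SPKI))
```

Comparing the parsed (n, e) pair avoids comparing two base64 dumps by eye, and the OID check shows where pkcs#8 records the key type that pkcs#1 leaves implicit.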
      

conclusion
This post discusses private key formats and encodings. It also shows how to verify a certificate with its corresponding private key.

android: security: x509 certificate and encodings

December 19, 2016

This post discusses x509 certificate, its encodings, and android default platform key’s certificate.

what is certificate
A certificate includes a public key and information related to this key, such as the issuer and the encryption algorithm.

what is x509 certificate
A certificate format.

android default platform key’s certificate
Android default platform key is only used during development stage. Below shows how to get android default platform key’s certificate in android 5.1.1. The file name of this certificate is platform.x509.pem.

$ git clone https://android.googlesource.com/platform/build
$ cd build
$ git reset --hard android-5.1.1_r1
$ cd target/product/security 
$ ls 
Android.mk              media.pk8               platform.pk8            shared.pk8              testkey.pk8             verity.pk8              verity_key
README                  media.x509.pem          platform.x509.pem       shared.x509.pem         testkey.x509.pem        verity.x509.pem

x509 and encodings
X509 format could be represented in two encodings.

  • pem encoding: Base64 in ASCII text. It begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----
  • der encoding: binary data

    $ file platform.x509.pem
    platform.x509.pem: ASCII text
    $ cat platform.x509.pem
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    

transform x509 format between different encodings

  • Transform an x509 format certificate from pem encoding into der encoding
    $ openssl x509 -in platform.x509.pem -inform pem -out platform.x509.der -outform der
    
  • Transform an x509 format certificate from der encoding into pem encoding
    $ openssl x509 -in platform.x509.der -inform der -out platform.x509.pem.2 -outform pem
    
  • Verify that this x509 certificate is the same in both encodings.
    bash-3.2$ openssl x509 -in platform.x509.pem -inform pem
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    bash-3.2$ openssl x509 -in platform.x509.der -inform der
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
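
The same check can be done without reading base64 by eye: decode both files to DER and compare a digest. The Python below is an added example, not code from the original post; the function names are assumptions, and SAMPLE_DER is a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM block found")
    body = "".join(match.group(2).split())
    # validate=True rejects stray characters instead of silently skipping them
    return match.group(1), base64.b64decode(body, validate=True)

def der_to_pem(der, label="CERTIFICATE"):
    """Base64-encode der in 64-column lines between BEGIN/END markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def fingerprint(der):
    """SHA-256 over the DER bytes, formatted like keytool's SHA256 line."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def same_object(a, b):
    """True if two file contents (PEM text or raw DER, as bytes) hold the same DER."""
    def to_der(blob):
        if blob.lstrip().startswith(b"-----BEGIN"):
            return pem_to_der(blob.decode("ascii"))[1]
        return blob
    return fingerprint(to_der(a)) == fingerprint(to_der(b))

# Constructed stand-in for a certificate's DER bytes (not a real certificate)
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_DER))
    print(same_object(SAMPLE_PEM.encode("ascii"), SAMPLE_DER))
```

Because the digest is taken over the DER bytes, the result does not depend on line wrapping or trailing whitespace in the pem file.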
    

get issuer information from a x509 certificate
Below shows how to use openssl x509 command to get issuer information from android default platform key’s certificate.

    $ openssl x509 -in  platform.x509.pem -noout -issuer 
    issuer= /C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com
    

get public key from a x509 certificate
Below shows how to use openssl x509 command to get public key from android default platform key’s certificate.

    $ openssl x509 -in  platform.x509.pem -noout -pubkey
    -----BEGIN PUBLIC KEY-----
    MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKCAQEAnHgFkqwNXTgc3qpl7Mim
    AG42SAxtcgexIBG+UIY6q+K1XQCa33FG1vIgIoDHzU172yYkO4qAbCazSxN1I6SS
    aCJJBNwBST58Cs8aBch09psDe2AwnZB00kKA4WutKoc0NhlR6vcqSC0JsgSxh14S
    rJjBqnc9aAC56v3lbVi+2OjaFvmjYAmcN6g0pt/tt7a0SgSeB6Jp/M8sVJbyzzbW
    TfkKO42PNKO6q0z1M3GrJ3GbO6WHVK0MU/wU4dtF1R4jT7vpPJuk7fnOVCYTUOxT
    Vge/aaL/SqB9tffqIA0JpsG0niFAL4ntEZCJOqtakYDxUugvhaRXU89fwZBxxe7I
    JwIBAw==
    -----END PUBLIC KEY-----
    

get all information from a x509 certificate
Below shows how to use openssl x509 command to get all information from android default platform key’s certificate.

    $ openssl x509 -in  platform.x509.pem -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                b3:99:80:86:d0:56:cf:fa
            Signature Algorithm: md5WithRSAEncryption
            Issuer: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/emailAddress=android@android.com
            Validity
                Not Before: Apr 15 22:40:50 2008 GMT
                Not After : Sep  1 22:40:50 2035 GMT
            Subject: C=US, ST=California, L=Mountain View, O=Android, OU=Android, CN=Android/emailAddress=android@android.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                    Exponent: 3 (0x3)
            X509v3 extensions:
                X509v3 Subject Key Identifier: 
                    4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
                X509v3 Authority Key Identifier: 
                    keyid:4F:E4:A0:B3:DD:9C:BA:29:F7:1D:72:87:C4:E7:C3:8F:20:86:C2:99
                    DirName:/C=US/ST=California/L=Mountain View/O=Android/OU=Android/CN=Android/emailAddress=android@android.com
                    serial:B3:99:80:86:D0:56:CF:FA
    
                X509v3 Basic Constraints: 
                    CA:TRUE
        Signature Algorithm: md5WithRSAEncryption
    

conclusion
This post discusses x509 format certificate. It demonstrates how to use openssl x509 command to manipulate and get information from android default platform key’s certificate.

