Extract raw X.509 Certificate from a signed APK or JAR

Jeff DQ · Dec 3, 2012 · Viewed 16.6k times

I have a library of MD5 hashes of public keys used to sign various jars, and a mapping to their respective keystores which we use to sign different APKs. What I'd like to be able to do is identify which keystore was used to sign an APK, but without using trial and error. (Also, sadly, many of our keys share similar or identical DNs.)

My solution, because I know the META-INF/FOO.RSA (or FOO.DSA) contains the certificate, was to extract the certificate from the APK's RSA file and directly calculate the MD5 hash. (I know the certificate is there because it is accessible to a running android application, and the jarsigner documentation tells me it is there.)

But I can't find any tool that gives me the actual bytes of the certificate. I can get the DN and the certificate metadata when I use jarsigner -verbose -verify -certs my.apk, but that doesn't give me the bytes.

Answer

frederikdebacker · Mar 22, 2013

Extract the JAR, then use 'openssl' to output the certificate:

So assuming 'foo.jar' is in your current directory, do something like:

mkdir temp
cd temp
jar -xvf ../foo.jar
cd META-INF
openssl pkcs7 -in FOO.RSA -print_certs -inform DER -out foo.cer
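The answer's openssl step works because the META-INF/FOO.RSA entry is a DER-encoded PKCS#7 SignedData blob whose `certificates [0]` field carries the signer's X.509 certificate verbatim. The script below, added here as an illustration and not part of the answer or of any tool the answer mentions, does the same walk in pure Python so the raw certificate bytes can be hashed directly, which is what the question asks for: it opens the APK/JAR as a zip, finds every signature block (`.RSA`, `.DSA` or `.EC`), pulls each certificate's DER bytes out of the SignedData structure and reports MD5 (the questioner's existing lookup key) alongside SHA-256. The DER parser, the hypothetical function names and the constructed sample archive (placeholder SEQUENCEs standing in for real certificates) are assumptions of this example. It covers only JAR (v1) signatures; APK v2/v3 signatures live in the APK Signing Block, not in META-INF, and are not handled here.

```python
import hashlib
import io
import re
import zipfile

# OID 1.2.840.113549.1.7.2 (pkcs7-signedData), value bytes only (no tag/length).
SIGNED_DATA_OID_VALUE = bytes.fromhex("2a864886f70d010702")
# JAR signature block entries are META-INF/<name>.RSA, .DSA or .EC
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.IGNORECASE)


def der_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("unexpected end of data")
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in PKCS#7 SignedData")
    i = pos + 1
    first = buf[i]
    i += 1
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    if i + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, i, i + length


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, element_start) for each TLV in a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = der_tlv(buf, pos)
        yield tag, vstart, vend, pos
        pos = vend
    if pos != end:
        raise ValueError("element overruns its enclosing value")


def certificates_from_pkcs7(der):
    """Return the raw DER bytes of every X.509 certificate in a PKCS#7 SignedData blob.

    Walk: ContentInfo ::= SEQUENCE { contentType OID, content [0] EXPLICIT SignedData }
          SignedData  ::= SEQUENCE { version, digestAlgorithms, encapContentInfo,
                                     certificates [0] IMPLICIT SET OF Certificate OPTIONAL, ... }
    """
    tag, vstart, vend = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    fields = list(der_children(der, vstart, vend))
    if len(fields) != 2 or fields[0][0] != 0x06 or fields[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 ContentInfo")
    if der[fields[0][1]:fields[0][2]] != SIGNED_DATA_OID_VALUE:
        raise ValueError("contentType is not signedData")
    tag, sstart, send = der_tlv(der, fields[1][1])
    if tag != 0x30:
        raise ValueError("SignedData must be a SEQUENCE")
    certs = []
    for tag, vs, ve, _ in der_children(der, sstart, send):
        if tag == 0xA0:  # first [0] inside SignedData is the certificates set
            for ctag, _, cve, cstart in der_children(der, vs, ve):
                if ctag == 0x30:  # Certificate ::= SEQUENCE; other CertificateChoices are skipped
                    certs.append(bytes(der[cstart:cve]))
            break
    return certs


def cert_fingerprint(cert_der, algo="md5"):
    """Digest of the raw certificate bytes as lowercase hex (same digits openssl prints, no colons)."""
    return hashlib.new(algo, cert_der).hexdigest()


def fingerprints_from_archive(archive_bytes):
    """Map each JAR-signature block in an APK/JAR to the fingerprints of its certificates."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if SIG_BLOCK.match(name):
                result[name] = [
                    {"md5": cert_fingerprint(c, "md5"), "sha256": cert_fingerprint(c, "sha256")}
                    for c in certificates_from_pkcs7(zf.read(name))
                ]
    return result


def _der(tag, value):
    """Minimal DER encoder, used only to build the constructed sample input below."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (lambda lb: bytes([0x80 | len(lb)]) + lb)(
        n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + length + value


def build_sample_pkcs7(cert_bodies):
    """Constructed sample: a SignedData wrapper around placeholder certificates (each body is
    wrapped in a SEQUENCE to stand in for a real X.509 Certificate; other sets are left empty)."""
    certs = b"".join(_der(0x30, body) for body in cert_bodies)
    signed_data = _der(0x30, _der(0x02, b"\x01")                                     # version
                       + _der(0x31, b"")                                              # digestAlgorithms
                       + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010701")))  # encap: id-data
                       + _der(0xA0, certs)                                            # certificates [0]
                       + _der(0x31, b""))                                             # signerInfos
    return _der(0x30, _der(0x06, SIGNED_DATA_OID_VALUE) + _der(0xA0, signed_data))


def build_sample_apk(pkcs7):
    """Constructed sample: a minimal JAR-signed archive carrying one signature block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/FOO.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/FOO.RSA", pkcs7)
        zf.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_apk(build_sample_pkcs7([b"\x02\x01\x01"])))
    for entry, fps in fingerprints_from_archive(data).items():
        for fp in fps:
            print(entry, "md5:", fp["md5"], "sha256:", fp["sha256"])
```

Run it as `python extract_cert.py my.apk` (the script name is an assumption) to print one line per certificate; with no argument it runs against the constructed sample. The MD5 values match what `openssl x509 -in foo.cer -noout -fingerprint -md5` prints for the certificate the answer's command writes out, so they can be looked up directly in the questioner's existing hash library; SHA-256 is reported as well because MD5 is only safe as a lookup key over certificates you already trust, not as a collision-resistant identifier of an unknown signer.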