2

SafetyNet documentation (https://developer.android.com/training/safetynet/attestation) states that field returned in attestation token called apkCertificateDigestSha256 is Base-64 encoded representation(s) of the SHA-256 hash of the calling app's signing certificate(s).

I might be misunderstanding what it means, since my data doesn't match. If I investigate my certificate fingerprints I have field SHA256, which has 32 bytes of length. When I try to encode it in base64 I get even longer string. This is sample result made with string hello world sha256 hashed and then encoded to base64: Yjk0ZDI3Yjk5MzRkM2UwOGE1MmU1MmQ3ZGE3ZGFiZmFjNDg0ZWZlMzdhNTM4MGVlOTA4OGY3YWNlMmVmY2RlOQ==

Meanwhile google attestation token returns much shorter hashes that decoded from base64 show seemingly random values. For example this: EmGH9u67SiSyLuvZCoAN+R+NU/yHP29gSmoUgvNtehk= Which is nothing sensible after decoding.

How do I get to the same results as google gets based on my certificate? Why is their sha256 hash not 32 bytes long?

Areinu
  • 172
  • 1
  • 13

2 Answers2

2

As by Michael's suggestion in the comments the problem was I was using text representation of the fingerprint instead of binary data. By changing this one detail I managed to get the same results as Google returns.

Areinu
  • 172
  • 1
  • 13
0

You can use this command to easily generate it
OSX:
keytool -printcert -jarfile ~/PATH_TO/YOURAPKFILE.apk | grep "SHA256: " | cut -d " " -f 3 | xxd -r -p | openssl base64

or if you already have a text representation of SHA256 signature the use this command
echo "SHA256_TEXT_REPRESENTATION" | xxd -r -p | openssl base64

xxd does a hex dump of input, basically text to binary

Build3r
  • 1,748
  • 16
  • 22