Skip to content

Instantly share code, notes, and snippets.

Created June 20, 2019 15:21
Show Gist options
  • Save akhtarraza/bacf7c1783a228f83092288341496164 to your computer and use it in GitHub Desktop.
Save akhtarraza/bacf7c1783a228f83092288341496164 to your computer and use it in GitHub Desktop.
Convert RSA Public Key to DER Format
// Sources:
import Foundation
class RSAKeyEncoding: NSObject {
// ASN.1 identifiers
private let kASNBitStringIdentifier: UInt8 = 0x03
private let kASNSequenceIdentifier: UInt8 = 0x30
// ASN.1 AlgorithmIdentfier for RSA encryption containing OID 1 2 840 113549 1 1 1; NULL
private let kASNAlgorithmIdentifierForRSAEncryption: [UInt8] = [0x30, 0x0d, 0x06, 0x09,
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00]
* Converts the DER encoding of an RSA public key fetched from the keychain (e.g. by
* using SecItemCopyMatching) to a format typically used by tools and programming
* languages outside the iOS ecosystem (e.g. OpenSSL, Java, PHP and Perl). The DER
* encoding of an RSA public key created by iOS is represented with the ASN.1
* RSAPublicKey type as defined by PKCS#1. However, many systems outside the Apple
* ecosystem expect the DER encoding of a key to be represented with the ASN.1
* SubjectPublicKeyInfo type as defined by X.509. The two types are related in a way
* that if the SubjectPublicKeyInfo’s algorithm field contains the rsaEncryption object
* identifier as defined by PKCS#1, the subjectPublicKey field must contain the DER
* encoding of an RSA public key that is represented with the RSAPublicKey type.
* Returns the converted DER encoding of provided key.
func convertToX509EncodedKey(_ rsaPublicKeyData: Data) -> Data {
// Initialize an array that will be filled with bytes of the X509 encoded key
var derEncodedKeyBytes: [UInt8] = [UInt8](rsaPublicKeyData)
// Insert ASN.1 BIT STRING bytes at the beginning of the array
derEncodedKeyBytes.insert(0x00, at: 0)
derEncodedKeyBytes.insert(contentsOf: lengthField(of: derEncodedKeyBytes), at: 0)
derEncodedKeyBytes.insert(kASNBitStringIdentifier, at: 0)
// Insert ASN.1 AlgorithmIdentifier bytes at the beginning of the array
derEncodedKeyBytes.insert(contentsOf: kASNAlgorithmIdentifierForRSAEncryption, at: 0)
// Insert ASN.1 SEQUENCE bytes at the beginning of the array
derEncodedKeyBytes.insert(contentsOf: lengthField(of: derEncodedKeyBytes), at: 0)
derEncodedKeyBytes.insert(kASNSequenceIdentifier, at: 0)
return Data(bytes: derEncodedKeyBytes)
private func lengthField(of valueField: [UInt8]) -> [UInt8] {
var length = valueField.count
if length < 128 {
return [ UInt8(length) ]
// Number of bytes needed to encode the length
let lengthBytesCount = Int((log2(Double(length)) / 8) + 1)
// First byte in length field encoding the number of remaining bytes in this field
let firstLengthFieldByte = UInt8(128 + lengthBytesCount)
var lengthField: [UInt8] = []
for _ in 0..<lengthBytesCount {
// Take the last 8 bits of length
let lengthByte = UInt8(length & 0xff)
// Insert them at the beginning of the array
lengthField.insert(lengthByte, at: 0)
// Delete the last 8 bits of length
length = length >> 8
// Insert firstLengthFieldByte at the beginning of the array
lengthField.insert(firstLengthFieldByte, at: 0)
return lengthField
extension SecKey {
public func derFormat() -> String? {
var pbError:Unmanaged<CFError>?
if #available(iOS 10, *) {
guard let pbData = SecKeyCopyExternalRepresentation(self, &pbError) as Data? else {
print("error: ", pbError!.takeRetainedValue() as Error)
return nil
let publicKeyPemFormat = RSAKeyEncoding().convertToX509EncodedKey(pbData).base64EncodedString()
print("DER format key: \n",publicKeyPemFormat)
return publicKeyPemFormat
} else {
// On iOS 8/9, we need to add the key again to the keychain with a temporary tag, grab the data,
// and delete the key again.
let temporaryTag = UUID().uuidString
let addParams: [CFString: Any] = [
kSecValueRef: self as Any,
kSecReturnData: true,
kSecClass: kSecClassKey,
kSecAttrApplicationTag: temporaryTag
var data: AnyObject?
let addStatus = SecItemAdd(addParams as CFDictionary, &data)
guard let unwrappedData = data as? Data else {
return nil
let deleteParams: [CFString: Any] = [
kSecClass: kSecClassKey,
kSecAttrApplicationTag: temporaryTag
if addStatus == errSecSuccess {
_ = SecItemDelete(deleteParams as CFDictionary)
let keyDerFormat = RSAKeyEncoding().convertToX509EncodedKey(unwrappedData).base64EncodedString()
print("public key: \n", keyDerFormat)
return keyDerFormat
public func pemFormat() -> String? {
var pbError:Unmanaged<CFError>?
if #available(iOS 10, *) {
guard let pbData = SecKeyCopyExternalRepresentation(self, &pbError) as Data? else {
print("error: ", pbError!.takeRetainedValue() as Error)
return nil
let publicKeyPemFormat = pbData.base64EncodedString()
print("public key: \n", publicKeyPemFormat)
return publicKeyPemFormat
} else {
// On iOS 8/9, we need to add the key again to the keychain with a temporary tag, grab the data,
// and delete the key again.
let temporaryTag = UUID().uuidString
let addParams: [CFString: Any] = [
kSecValueRef: self as Any,
kSecReturnData: true,
kSecClass: kSecClassKey,
kSecAttrApplicationTag: temporaryTag
var data: AnyObject?
let addStatus = SecItemAdd(addParams as CFDictionary, &data)
guard let unwrappedData = data as? Data else {
return nil
let deleteParams: [CFString: Any] = [
kSecClass: kSecClassKey,
kSecAttrApplicationTag: temporaryTag
if addStatus == errSecSuccess {
_ = SecItemDelete(deleteParams as CFDictionary)
let publicKeyPemFormat = unwrappedData.base64EncodedString()
print("public key: \n", publicKeyPemFormat)
return publicKeyPemFormat
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment