From: Simon M. <sim...@in...> - 2010-05-20 14:40:50
Hi,

thank you for your reply. The asn1parse works fine also on my part. But I would like to verify the issued EKCertificate through openssl:

I first run:

    sh client.sh ekcert_create --ekfile EKTest.der -o owner --host privacyca.iaik.tugraz.at --port 10011

then I download the EK issuing certificate http://opentc.iaik.tugraz.at/certs/caek.cert

convert them to PEM:

    openssl x509 -inform der -in caek.cert -outform pem -out CAEK.pem
    openssl x509 -inform der -in EKTest.der -outform pem -out EKTest.pem

and then I try to display the public key of EKTest.der:

    openssl x509 -inform pem -in EKTest.pem -noout -pubkey

error:

    Error getting public key
    13852:error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:125:
    13852:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:

or to verify the certificate chain:

    openssl verify -CAfile CAEK.pem EKTest.pem

error:

    EKTest.pem: error 20 at 0 depth lookup:unable to get local issuer certificate
    13850:error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:125:
    13850:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
    13850:error:0B06E06C:x509 certificate routines:X509_get_pubkey_parameters:unable to get certs public key:x509_vfy.c:1152:

Martin, unfortunately the verify command of openssl only accepts PEM encoded certificates. But the error in the x509 command also happens with DER encoded certificates.

Maybe I am doing that the wrong way. Is there another possibility to verify this chain with openssl? I also tried to verify the same certificates through a small Java program, using the JCE library, which works fine. So it is just a matter of formatting the public key, when it is written to the file?

Thank you in advance!

Kind regards,
Simon

Martin Pirker wrote:
> Hi...
>
> Simon Mittelberger wrote:
> [...]
>
>> When I execute the following openssl command I get an error:
>> openssl -inform PEM -in cert.pem -noout -modulus
>>
>
> The actual openssl command is missing in this example?
>
> [...]
>
>> It looks like the public key isn't encoded in the right manner.
>>
>> Has anyone a suggestion?
>>
>
> Is this only happening with PEM encoding?
>
> I tried decoding a DER encoded EK certificate with the standalone dumpasn1
> utility and via "openssl asn1parse -inform DER -in ek.cert"
> This works fine.
>
> HTH,
> Martin
>
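
The `unknown public key type` error from `d2i_PublicKey` in the message above is raised when the algorithm identifier in the certificate's SubjectPublicKeyInfo is not one the OpenSSL build maps to a key type. This added example (not part of the thread) reads that OID directly from the DER; the two sample certificates are constructed skeletons, and the OIDs in them are illustrative assumptions, not values taken from EKTest.der.

```python
# Added example: report the algorithm OID a DER certificate declares in its SubjectPublicKeyInfo.
RSA_ENCRYPTION = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
RSAES_OAEP = bytes.fromhex("2a864886f70d010107")      # 1.2.840.113549.1.1.7

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):                       # OID content bytes -> dotted-decimal text
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends one arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm_oid(cert):
    """Walk Certificate -> tbsCertificate -> SubjectPublicKeyInfo -> algorithm OID."""
    _, pos, _ = read_tlv(cert, 0)           # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, pos, _ = read_tlv(cert, pos)         # SubjectPublicKeyInfo
    _, pos, _ = read_tlv(cert, pos)         # AlgorithmIdentifier
    tag, start, end = read_tlv(cert, pos)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert[start:end])

def der(tag, *parts):                       # short-form DER encoder, constructed samples only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample_cert(oid):
    """Constructed, unsigned certificate skeleton; not a real EK certificate."""
    spki = der(0x30, der(0x30, der(0x06, oid), der(0x05)), der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
              der(0x30), der(0x30), der(0x30), der(0x30), spki)
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00\x00"))
```

For a real file, pass `open("EKTest.der", "rb").read()` to `spki_algorithm_oid` and compare the result with the key types the verifying tool supports.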