Hi,
thank you for your reply.
The asn1parse works fine also on my part.
But I would like to verify the issued EKCertificate through openssl:
I first run:
sh client.sh ekcert_create --ekfile EKTest.der -o owner --host privacyca.iaik.tugraz.at --port 10011
then I download the EK issuing certificate
http://opentc.iaik.tugraz.at/certs/caek.cert
convert them to pem:
openssl x509 -inform der -in caek.cert -outform pem -out CAEK.pem
openssl x509 -inform der -in EKTest.der -outform pem -out EKTest.pem
and then I try to display the public key of EKTest.der:
openssl x509 -inform pem -in EKTest.pem -noout -pubkey
error:
Error getting public key
13852:error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:125:
13852:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
or to verify the certificate chain:
openssl verify -CAfile CAEK.pem EKTest.pem
error:
EKTest.pem:
error 20 at 0 depth lookup:unable to get local issuer certificate
13850:error:0D09B0A3:asn1 encoding routines:d2i_PublicKey:unknown public key type:d2i_pu.c:125:
13850:error:0B077066:x509 certificate routines:X509_PUBKEY_get:err asn1 lib:x_pubkey.c:366:
13850:error:0B06E06C:x509 certificate routines:X509_get_pubkey_parameters:unable to get certs public key:x509_vfy.c:1152:
Martin, unfortunately the verify command of openssl does only accept PEM
encoded certificates. But the error in the x509 command happens also
with der encoded certificates.
Maybe I am doing that the wrong way. Is there another possibility to
verify this chain with openssl?
I tried also to verify the same certificates through a small JAVA
program, using the JCE library, which works fine. So it is just a matter
of formatting the public key, when it is written to the file?
Thank you in advance!
Kind regards,
Simon
Martin Pirker wrote:
> Hi...
>
> Simon Mittelberger wrote:
> [...]
>
>> When I execute the following openssl command I get an error:
>> openssl -inform PEM -in cert.pem -noout -modulus
>>
>
> The actual openssl command is missing in this example?
>
> [...]
>
>> It looks like the public key isn't encoded in the right manner.
>>
>> Has anyone a suggestion?
>>
>
> Is this only happening with PEM encoding?
>
> I tried decoding a DER encoded EK certificate with the standalone dumpasn1
> utility and via "openssl asn1parse -inform DER -in ek.cert"
> This works fine.
>
> HTH,
> Martin
>
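Added example, not part of the original thread: OpenSSL raises "unknown public key type" when it does not recognise the algorithm OID declared in the certificate's SubjectPublicKeyInfo, so this Python script reads that OID straight from the DER for comparison with rsaEncryption. The sample certificate skeleton, the helper names, and the use of id-RSAES-OAEP as the second test OID are assumptions; the thread does not say which OID EKTest.der carries.

```python
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"   # rsaEncryption
RSAES_OAEP = "1.2.840.113549.1.1.7"       # id-RSAES-OAEP (assumed candidate)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:                         # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def spki_algorithm_oid(cert_der):
    _, pos, _ = read_tlv(cert_der, 0)              # Certificate
    _, pos, tbs_end = read_tlv(cert_der, pos)      # TBSCertificate
    fields = []
    while pos < tbs_end:
        tag, start, pos = read_tlv(cert_der, pos)
        fields.append((tag, start))
    if fields[0][0] == 0xA0:                       # optional [0] version
        fields.pop(0)
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, alg_start, _ = read_tlv(cert_der, fields[5][1])   # AlgorithmIdentifier
    tag, start, end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert_der[start:end])

def tlv(tag, body=b""):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(oid_body):
    """Constructed skeleton (empty names, zeroed key); not a real certificate."""
    spki = tlv(0x30, tlv(0x30, tlv(0x06, oid_body)) + tlv(0x03, bytes(257)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))
```

To inspect the real file, call spki_algorithm_oid(open("EKTest.der", "rb").read()); a result other than RSA_ENCRYPTION would explain why a parser that only knows rsaEncryption rejects the key while asn1parse still decodes the structure.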