[openssl-users] Verifying Android hardware attestation certificates with OpenSSL
Philip Prindeville
philipp_subx at redfish-solutions.com
Fri Jul 23 00:55:16 UTC 2021
Did you ever get to the root of this?
-Philip
> On Oct 30, 2018, at 5:52 PM, Pietu Pohjalainen <ppohja at gmail.com> wrote:
>
> Dear all,
>
> I have been trying to verify hardware attestation certificates originating from different Android phones with the OpenSSL tool. There seems to be not too much information about how are these supposed to work. With OpenSSL I'm getting mixed results.
>
> Android developer spec for certificate extension data schema is available at
> https://developer.android.com/training/articles/security-key-attestation <https://developer.android.com/training/articles/security-key-attestation> and is linking to a few years old Java code example at https://github.com/googlesamples/android-key-attestation <https://github.com/googlesamples/android-key-attestation> . Unfortunately this Java code has not been updated to match later versions of key attestation, and it fails with many of my real world use cases.
>
> The OpenSSL command shipping with Mac OS 10.13 (LibreSSL 2.2.7) fails even to parse these certificates.
>
> OpenSSL 1.1.0g shipping with Ubuntu parses all of my example certificates just fine. However, trying to verify certificate chains sometime succeeds, sometime fails. ver 1.1.2-dev follows the same pattern.
>
> So far, I have figured out the following patterns:
> - Certificate chain extracted from a real world device is either 3 or 4 certificates.
> - When the chain is 4 certificates, the last one is equal to Google's root certificate found in the Java code example https://github.com/googlesamples/android-key-attestation/blob/master/server/src/main/java/com/android/example/KeyAttestationExample.java <https://github.com/googlesamples/android-key-attestation/blob/master/server/src/main/java/com/android/example/KeyAttestationExample.java>
> - When the chain is 3 certificates, the middle and last certificates are always the same.
>
> - Out of these 8 real world chains, I'm having
> * 3 cases where OpenSSL verifies the chain just nice - branches a, g and h in the upcoming transcript.
> * 1 case where OpenSSL gives error
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error f1.pem: verification failed
> 139747492622784:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:101:
> 139747492622784:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1118:
> 139747492622784:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:553:
> * 4 cases where OpenSSL gives error
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error e1.pem: verification failed
>
> The hardware devices are in somewhat random order, as follows:
> a: Nokia 8 running Android 8.1
> b: Motorola Moto Z running Android 7.1.1
> c: Nokia 1 running Android 8.1
> d: Nokia 2 running Android 7.1.1
> e: Sony Oneplus A5000 running Android 7.1.1
> f: Huawei Honor 8 running Android 7.0
> g: Nokia 5.1 running Android 8.0
> h: OnePlus 3T running Android 8.0
>
>
> Due to other OpenSSL implementations failing to even parse these certificates, I'm now in doubt is it my wrong usage pattern, certificates that are really faulty, or is this a bug with OpenSSL.
>
>
> br,
> Pietu
>
> --- clip ---
>
> Here's my full set of files and commands tried:
> $ /usr/local/bin/openssl version
> OpenSSL 1.1.2-dev xx XXX xxxx
>
> $ md5sum a2.pem b2.pem d2.pem e2.pem f2.pem h2.pem
> 2575f8bb229a2c5bc02260dbc8af5575 a2.pem
> 2575f8bb229a2c5bc02260dbc8af5575 b2.pem
> 2575f8bb229a2c5bc02260dbc8af5575 d2.pem
> 2575f8bb229a2c5bc02260dbc8af5575 e2.pem
> 2575f8bb229a2c5bc02260dbc8af5575 f2.pem
> 2575f8bb229a2c5bc02260dbc8af5575 h2.pem
>
> $ md5sum a3.pem b3.pem d3.pem e3.pem f3.pem h3.pem
> 0ec1822cb22ea66f96fc459633dfee78 a3.pem
> 0ec1822cb22ea66f96fc459633dfee78 b3.pem
> 0ec1822cb22ea66f96fc459633dfee78 d3.pem
> 0ec1822cb22ea66f96fc459633dfee78 e3.pem
> 0ec1822cb22ea66f96fc459633dfee78 f3.pem
> 0ec1822cb22ea66f96fc459633dfee78 h3.pem
>
> $ # Test out chains with 3 certificates - a and h verify fine.
> $ for branch in a; do echo; echo "Checking $branch"; cat "$branch"1.pem "$branch"2.pem "$branch"3.pem; /usr/local/bin/openssl verify -CAfile <(cat "$branch"2.pem "$branch"3.pem) "$branch"1.pem; echo; done
>
> Checking a
> -----BEGIN CERTIFICATE-----
> MIICgDCCAiagAwIBAgIBATAKBggqhkjOPQQDAjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDEdvb2dsZSwgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDE7MDkGA1UEAwwyQW5kcm9pZCBLZXlzdG9yZSBTb2Z0d2FyZSBBdHRlc3RhdGlvbiBJbnRlcm1lZGlhdGUwIBcNNzAwMTAxMDAwMDAwWhgPMjEwNjAyMDcwNjI4MTVaMB8xHTAbBgNVBAMMFEFuZHJvaWQgS2V5c3RvcmUgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEDRgbsaYD1OPI5P78IVIJsgQlAIDKIoGl7BAbuV4tkx0Km3tfcoMAwfWL1exnBoAxuw2ZHUhlNUhWE8kyAW7bsaOB5jCB4zALBgNVHQ8EBAMCB4AwgbIGCisGAQQB1nkCAREEgaMwgaACAQIKAQACAQEKAQEEC2hlbGxvIHdvcmxkBAAwSr+FPQgCBgFmrBioCL+FRToEODA2MRAwDgQJY29tLnB5eXBsAgEMMSIEIIMi9g2//U87C53x3twp61y6K1+22oaTkEjGgyTgXw37MDehBTEDAgECogMCAQOjBAICAQClCzEJAgEEAgEFAgEGqgMCAQG/g3cCBQC/hT4DAgEAv4U/AgUAMB8GA1UdIwQYMBaAFD/8rNYasTqegSC41SUcxWW7HpGpMAoGCCqGSM49BAMCA0gAMEUCIQC+ty2c6G69zydlw3mhdTV0C+IMN45WIxC4K4kpvQIT2wIgBE48WjBNlRTH3RWURiL1oIriLcfTlN7sKeMVkeH1PCU=
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIICeDCCAh6gAwIBAgICEAEwCgYIKoZIzj0EAwIwgZgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRUwEwYDVQQKDAxHb29nbGUsIEluYy4xEDAOBgNVBAsMB0FuZHJvaWQxMzAxBgNVBAMMKkFuZHJvaWQgS2V5c3RvcmUgU29mdHdhcmUgQXR0ZXN0YXRpb24gUm9vdDAeFw0xNjAxMTEwMDQ2MDlaFw0yNjAxMDgwMDQ2MDlaMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMR29vZ2xlLCBJbmMuMRAwDgYDVQQLDAdBbmRyb2lkMTswOQYDVQQDDDJBbmRyb2lkIEtleXN0b3JlIFNvZnR3YXJlIEF0dGVzdGF0aW9uIEludGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABOueefhCY1msyyqRTImGzHCtkGaTgqlzJhP+rMv4ISdMIXSXSir+pblNf2bU4GUQZjW8U7ego6ZxWD7bPhGuEBSjZjBkMB0GA1UdDgQWBBQ//KzWGrE6noEguNUlHMVlux6RqTAfBgNVHSMEGDAWgBTIrel3TEXDo88NFhDkeUM6IVowzzASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIChDAKBggqhkjOPQQDAgNIADBFAiBLipt77oK8wDOHri/AiZi03cONqycqRZ9pDMfDktQPjgIhAO7aAV229DLp1IQ7YkyUBO86fMy9Xvsiu+f+uXc/WT/7
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIICizCCAjKgAwIBAgIJAKIFntEOQ1tXMAoGCCqGSM49BAMCMIGYMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzEVMBMGA1UECgwMR29vZ2xlLCBJbmMuMRAwDgYDVQQLDAdBbmRyb2lkMTMwMQYDVQQDDCpBbmRyb2lkIEtleXN0b3JlIFNvZnR3YXJlIEF0dGVzdGF0aW9uIFJvb3QwHhcNMTYwMTExMDA0MzUwWhcNMzYwMTA2MDA0MzUwWjCBmDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFTATBgNVBAoMDEdvb2dsZSwgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEzMDEGA1UEAwwqQW5kcm9pZCBLZXlzdG9yZSBTb2Z0d2FyZSBBdHRlc3RhdGlvbiBSb290MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7l1ex+HA220Dpn7mthvsTWpdamguD/9/SQ59dx9EIm29sa/6FsvHrcV30lacqrewLVQBXT5DKyqO107sSHVBpKNjMGEwHQYDVR0OBBYEFMit6XdMRcOjzw0WEOR5QzohWjDPMB8GA1UdIwQYMBaAFMit6XdMRcOjzw0WEOR5QzohWjDPMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgKEMAoGCCqGSM49BAMCA0cAMEQCIDUho++LNEYenNVg8x1YiSBq3KNlQfYNns6KGYxmSGB7AiBNC/NR2TB8fVvaNTQdqEcbY6WFZTytTySn502vQX3xvw==
> -----END CERTIFICATE-----
>
> a1.pem: OK
>
>
> $ #for keeping msg length in moderation, not duplicating root and intermediate certificates
> $ for branch in b d e f h; do echo; echo "Checking $branch"1.pem; cat "$branch"1.pem; /usr/local/bin/openssl verify -CAfile <(cat "$branch"2.pem "$branch"3.pem) "$branch"1.pem; echo; done
>
> Checking b1.pem
> -----BEGIN CERTIFICATE-----
> MIIBzTCCAXOgAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDDBFBbmRyb2lkIEtleW1hc3RlcjAgFw03MDAxMDEwMDAwMDBaGA8yMTA2MDIwNzA2MjgxNVowGjEYMBYGA1UEAwwPQSBLZXltYXN0ZXIgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuvoG6Aobkj6eP+Q4bCf7vIY2hLvsQ9rRKG0mdD1YDPoE7lnth4ekSa+lhlMnieHrsH2pnGLZxP4jZoSk3GQdJaOBpTCBojALBgNVHQ8EBAMCB4AwcgYKKwYBBAHWeQIBEQRkMGICAQEKAQACAQEKAQEEC2hlbGxvIHdvcmxkBAAwDL+FPQgCBgFmrHjFgDA3oQUxAwIBAqIDAgEDowQCAgEApQsxCQIBBAIBBQIBBqoDAgEBv4N3AgUAv4U+AwIBAL+FPwIFADAfBgNVHSMEGDAWgBQ//KzWGrE6noEguNUlHMVlux6RqTAKBggqhkjOPQQDAgNIADBFAiEA+atKJFXAli8iI4u42gP+dRCarhtXYTPvSx4gBUoGWEsCIGdA9chHpZmRaNYr+oODruhF+Q1xIyLJYX+pq2q6wHvl
> -----END CERTIFICATE-----
>
> CN = A Keymaster Key
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error b1.pem: verification failed
>
>
> Checking d1.pem
> -----BEGIN CERTIFICATE-----
> MIIB1zCCAX2gAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDDBFBbmRyb2lkIEtleW1hc3RlcjAeFw03MDAxMDEwMDAwMDBaFw02OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0EgS2V5bWFzdGVyIEtleTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD2A/WLrFMSEGX3XdgKDlxcTAstZnlXgJRZsLC+Z55JR80UYfNgV7EfN3arpKMuJ3fFJ/cYEoACTLHjinhmXVFijgbEwga4wCwYDVR0PBAQDAgeAMH4GCisGAQQB1nkCAREEcDBuAgEBCgEAAgECCgEABAtoZWxsbyB3b3JsZAQAME+hBTEDAgECogMCAQOjBAICAQClCzEJAgEEAgEFAgEGqgMCAQG/g3cCBQC/hT0IAgYBZq9Wdbi/hT4DAgEAv4VBBQIDARHVv4VCBQIDAxRPMAAwHwYDVR0jBBgwFoAUP/ys1hqxOp6BILjVJRzFZbsekakwCgYIKoZIzj0EAwIDSAAwRQIhAObHcoPKw6ntrXr+EC7HmGJO9heDbSuFMjO9sbcOw6rYAiBXtqcI6p0VCDN+jPtztLYtxeqkCnZYDve8MTkrReNSJQ==
> -----END CERTIFICATE-----
>
> CN = A Keymaster Key
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error d1.pem: verification failed
>
>
> Checking e1.pem
> -----BEGIN CERTIFICATE-----
> MIIBzTCCAXOgAwIBAgIBATAKBggqhkjOPQQDAjAcMRowGAYDVQQDDBFBbmRyb2lkIEtleW1hc3RlcjAgFw03MDAxMDEwMDAwMDBaGA8yMTA2MDIwNzA2MjgxNVowGjEYMBYGA1UEAwwPQSBLZXltYXN0ZXIgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE+KjC/Y5eImDnRgreH+fZeXj9r4725cHz3T8p7wCyWJKajku2c8khAJepG4fUEqHwiggPj7V5IWhaxzi29g7U1aOBpTCBojALBgNVHQ8EBAMCB4AwcgYKKwYBBAHWeQIBEQRkMGICAQEKAQACAQEKAQEEC2hlbGxvIHdvcmxkBAAwDL+FPQgCBgFmr+53yDA3oQUxAwIBAqIDAgEDowQCAgEApQsxCQIBBAIBBQIBBqoDAgEBv4N3AgUAv4U+AwIBAL+FPwIFADAfBgNVHSMEGDAWgBQ//KzWGrE6noEguNUlHMVlux6RqTAKBggqhkjOPQQDAgNIADBFAiEAmm+LNCeZRpBBHUxXGVU9VC/fxEwoLfbC3x7UNCd3ra4CIAW9JO5u6msXwvix4QD0OSBrdrzUCzuS9ItwfjZv+mB3
> -----END CERTIFICATE-----
>
> CN = A Keymaster Key
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error e1.pem: verification failed
>
>
> Checking f1.pem
> -----BEGIN CERTIFICATE-----
> MIIB/TCCAaSgAwIBAgIBATAKBggqhkjOPQQDAjAdMRswGQYDVQQDExJBbmRyb2lkIEtleW1hc3RlcjIwHhcNNzAwMTAxMDAwMDAwWhcNMDYwMjA3MDYyODE1WjAaMRgwFgYDVQQDEw9BIEtleW1hc3RlciBLZXkwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASiqHWB8dQg1/Fw67gZvYqIq2WZvbWFll4W5y2uz0UymS34g0FMGkwsJqAlnCquVFraoiaJH35x+jPrGqmdXy6Mo4HXMIHUMAsGA1UdDwQEAwIHgDAIBgNVHR8EAQAwgboGCisGAQQB1nkCAREEgaswgagCAQEKAQECAQIKAQEEC2hlbGxvIHdvcmxkBAAwJL+DdwIFAL+FPQgCBgFmxPuCBb+FQQUCAwERcL+FQgUCAwMUUDBloQUxAwIBAqIDAgEDowQCAgEApQUxAwIBBKoDAgEBv4U+AwIBAL+FQCowKAQgU0HmsmRpeacOV2UwB6HzEBaUIeyb3Z8aVkj3Wt4AWvEBAf8KAQC/hUEFAgMBEXC/hUIFAgMDFFAwCgYIKoZIzj0EAwIDRwAwRAIgEH9o6neMfv7o6ixwUkL4t7r5uS9FbMGAS9Pt9St9qecCICKhqBjZBisaGDSqE3Qo2vFUpvtB03tDHqlzScWXbry1
> -----END CERTIFICATE-----
>
>
> CN = A Keymaster Key
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error f1.pem: verification failed
> 140121898299840:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:101:
> 140121898299840:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1118:
> 140121898299840:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:553:
>
>
> Checking h1.pem
> -----BEGIN CERTIFICATE-----
> MIICgDCCAiagAwIBAgIBATAKBggqhkjOPQQDAjCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAoMDEdvb2dsZSwgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDE7MDkGA1UEAwwyQW5kcm9pZCBLZXlzdG9yZSBTb2Z0d2FyZSBBdHRlc3RhdGlvbiBJbnRlcm1lZGlhdGUwIBcNNzAwMTAxMDAwMDAwWhgPMjEwNjAyMDcwNjI4MTVaMB8xHTAbBgNVBAMMFEFuZHJvaWQgS2V5c3RvcmUgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE99dbLWDWw+j/h1MO8Sap27sC+wnjS3w4I2FIea+Tw8AzjCnG3F9tqNwPEDP1Y/NILB0TqgLQ8sKwxXrxXR7yW6OB5jCB4zALBgNVHQ8EBAMCB4AwgbIGCisGAQQB1nkCAREEgaMwgaACAQIKAQACAQEKAQEEC2hlbGxvIHdvcmxkBAAwSr+FPQgCBgFmxQWrGL+FRToEODA2MRAwDgQJY29tLnB5eXBsAgEMMSIEIIMi9g2//U87C53x3twp61y6K1+22oaTkEjGgyTgXw37MDehBTEDAgECogMCAQOjBAICAQClCzEJAgEEAgEFAgEGqgMCAQG/g3cCBQC/hT4DAgEAv4U/AgUAMB8GA1UdIwQYMBaAFD/8rNYasTqegSC41SUcxWW7HpGpMAoGCCqGSM49BAMCA0gAMEUCIDyO1O3bN1RqAPlmEku6Bm64EZVsnXP2AUqABbh5uZQmAiEApb4XgXemFO2By1Uk/2YSTmZY8wKUAf4ZsWCc6+fxiio=
> -----END CERTIFICATE-----
>
> h1.pem: OK
>
>
> # Test out chains with 4 certificates - g verifies fine.
> $ for branch in c g; do echo; echo "Checking $branch"; cat "$branch"1.pem "$branch"2.pem "$branch"3.pem "$branch"4.pem; /usr/local/bin/openssl verify -CAfile <(cat "$branch"2.pem "$branch"3.pem "$branch"4.pem) "$branch"1.pem; echo; done
>
> Checking c
> -----BEGIN CERTIFICATE-----
> MIICUTCCAfagAwIBAgIBATAKBggqhkjOPQQDAjAbMRkwFwYDVQQFExA5NWU3MzI4NzZiNjUxNjhkMCIYDzE5MDAwMTAwMDAwMDAwWhgPMTkwMDAxMDAwMDAwMDBaMB8xHTAbBgNVBAMMFEFuZHJvaWQgS2V5c3RvcmUgS2V5MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7Sd6FaAz8BONTGJvtGw5AIaiLhGH4ILfaD9OKzLYjfjB/nTcW6ti+CjSMtaROpXzbuYh6IgCGlD089gPnP5+BaOCASEwggEdMAsGA1UdDwQEAwIHgDCB7AYKKwYBBAHWeQIBEQSB3TCB2gIBAgoBAQIBAwoBAQQLaGVsbG8gd29ybGQEADBKv4U9CAIGAWasjANIv4VFOgQ4MDYxEDAOBAljb20ucHl5cGwCAQwxIgQggyL2Db/9TzsLnfHe3CnrXLorX7bahpOQSMaDJOBfDfswcaEFMQMCAQKiAwIBA6MEAgIBAKULMQkCAQQCAQUCAQaqAwIBAb+DdwIFAL+FPgMCAQC/hUAqMCgEIE15D6Cl/oHWs1K5Cv5DBoTZvIF1GM0kxQ5jQzlffFHyAQEBCgEAv4VBBQIDATjkv4VCBQIDAxRQMB8GA1UdIwQYMBaAFBuQe659NNU7MawBkucw39T1flt2MAoGCCqGSM49BAMCA0kAMEYCIQC14bLPGSNXwYUrFzO3Xno7WLHCy1wFtcP+mXCnVlvCngIhAMX60lRiVTvfl2Bq09opnfb3Y7QgE0DViuhheQyNSvL4
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIICKzCCAbKgAwIBAgIKFhlXZkYXJGEUNDAKBggqhkjOPQQDAjAbMRkwFwYDVQQFExA1YjAzNTljY2E4ODc5Y2I1MB4XDTE2MDUyNjE2NTQxNloXDTI2MDUyNDE2NTQxNlowGzEZMBcGA1UEBRMQOTVlNzMyODc2YjY1MTY4ZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJoEzxn1L0hLklubtqi8kvk9KEJf4nu8UB7EfcHn5zGbONW9HGgwBlq5X5llRvmNUToPcgbI3sHOvFoHky5nrgyjgd0wgdowHQYDVR0OBBYEFBuQe659NNU7MawBkucw39T1flt2MB8GA1UdIwQYMBaAFAbd7gqSHZtx4caJQUTvOTlwJgA1MAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgeAMCQGA1UdHgQdMBugGTAXghVpbnZhbGlkO2VtYWlsOmludmFsaWQwVAYDVR0fBE0wSzBJoEegRYZDaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8xNjE5NTc2NjQ2MTcyNDYxMTQzNDAKBggqhkjOPQQDAgNnADBkAjAMeVZ84Z55FM2+nOrljCQlb7xpdiYDTc96LQyh8OE6EZj8jkQQL9Lh3MT5p5lZ+QsCMGLwHkdPAeD1M8PYEJRyurfC4EYV1k3zJowZbRmYu3N8ztCb3FBgE+1oJpxEPNXIGQ==
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIIDwzCCAaugAwIBAgIKA4gmZ2BliZaFczANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MB4XDTE2MDUyNjE2NDEyOVoXDTI2MDUyNDE2NDEyOVowGzEZMBcGA1UEBRMQNWIwMzU5Y2NhODg3OWNiNTB2MBAGByqGSM49AgEGBSuBBAAiA2IABHf4FUKTZivDuwdyVbXyPF12IRuDzZKq61MbqooE3/gx9gIS9pFS4NZgGTnjSMm6ltYrCv3sDzuPQls+V+BLPQgNfRHavmP9eulc1uR3GNgCnKqxB2o0QcTQGPAxJA81c6OBtjCBszAdBgNVHQ4EFgQUBt3uCpIdm3HhxolBRO85OXAmADUwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC9FOEZBMTk2MzE0RDJGQTE4MA0GCSqGSIb3DQEBCwUAA4ICAQAsPFNbAeVGRXKg0H1Ixy31n+vc1GAtLTtdruQGZ3rk6Dq3G5OiNfwLI4vRowDERgTr5RoVRMLs9HzTTCvvdEBhcILKOnaPAd6Jg4HvBi8hsfbXEvRi2kmIfiYAabC71ErJLFEMprTJMSDEOe3lXCJG409z99ofsf/s1M1i77NFVCwstAvRLMjc9TjxRXrGrGD0rMdG2RkionXa3H+4cYqSUf7JCIW6dMB2p+4R3n463DqxxSJNGbchGGUbL6b0qIWdaVcwG2ro+WyItfyw5C4h9XSosauyC9ajjZLt8RAK2ouZHN/kyIXcD1U7IFbSy0SZfaRDLNCzse4iL6IOnuyITEFLnvLfcDSwNX1/ptBRAeeme7G1nwpeohJjiddmf20e421+n3tWUyUhLk9s83MJQQp+mhfApA1Qvz+a7M3OqPvHhBoeu6C4NOlYkb8mrjtuZ/RU5WIRXfyXZqA05Qnu8usuxxNFozU5hWbXIZQx7at2x/7t8/kgHSJhKs4hWIdbVgIDyWIhgoDD+gqTIRlzTwrS876dgy0MTZm1riMEBB5jvAhaeciDBf8u6AFWnMsS0UVtOinr5lTRkHSwie2n90kazqpkeMUdnbBSG7HSMhyg5lvem9G82NakH4S1EPgRBLN1eF8Q51ZmzeNl3DnIGGjNI+LAXw10KVuEkzgd8A==
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk
> -----END CERTIFICATE-----
>
> CN = Android Keystore Key
> error 20 at 0 depth lookup: unable to get local issuer certificate
> error c1.pem: verification failed
>
>
> Checking g
> -----BEGIN CERTIFICATE-----
> MIICMzCCAdmgAwIBAgIBATAKBggqhkjOPQQDAjApMRkwFwYDVQQFExBhMTk1Mzk2NGJhMmEyODlkMQwwCgYDVQQMDANURUUwHhcNNzAwMTAxMDAwMDAwWhcNNDkxMjMxMjM1OTU5WjAfMR0wGwYDVQQDDBRBbmRyb2lkIEtleXN0b3JlIEtleTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABP8c/Ldx44Ms4bM37CyNoE6Us5uS8dAERkRV8kyxCY7bD3P9rds93fflXJS8Pccyb/fXXJgSS3T2SVdbbPrc5oqjgfswgfgwDAYDVR0PBAUDAweAADCB5wYKKwYBBAHWeQIBEQSB2DCB1QIBAgoBAQIBAwoBAQQLaGVsbG8gd29ybGQEADBLv4U9CQIHBXlxm+8jSL+FRToEODA2MRAwDgQJY29tLnB5eXBsAgEPMSIEIIMi9g2//U87C53x3twp61y6K1+22oaTkEjGgyTgXw37MGuhBTEDAgECogMCAQOjBAICAQClBTEDAgEEqgMCAQG/g3cCBQC/hT4DAgEAv4VAKjAoBCBNeQ+gpf6B1rNSuQr+QwaE2byBdRjNJMUOY0M5X3xR8gEB/woBAL+FQQUCAwE4gL+FQgUCAwMUUDAKBggqhkjOPQQDAgNIADBFAiEA7cObHYk5pcrMI+ZGd5KmVMlr83SbHzDJe6z3rNLqtlwCIAM/9o4YhpHmujecGzSX9sMk/xEaNHXdytqmxwh2wFBM
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIICJjCCAaugAwIBAgIKEyY3BBKHSRYpeTAKBggqhkjOPQQDAjApMRkwFwYDVQQFExAyOTYwY2I5YWViZDUwNWY0MQwwCgYDVQQMDANURUUwHhcNMTgwMzIxMjA1ODE1WhcNMjgwMzE4MjA1ODE1WjApMRkwFwYDVQQFExBhMTk1Mzk2NGJhMmEyODlkMQwwCgYDVQQMDANURUUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATHJiYgEb7N5f8ZnbKTZkDSvp2VugEEvz4Mm7wxVmcizwSPMPiTjv6gm2n1CoNBSHLVnTZ84ywfEk7HiftX1K6Co4G6MIG3MB0GA1UdDgQWBBQkYNkasG1v9aQK31IvheOpubhN5jAfBgNVHSMEGDAWgBTZCjmyzP+wdzrAqIzS/zURX5DNxjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDBUBgNVHR8ETTBLMEmgR6BFhkNodHRwczovL2FuZHJvaWQuZ29vZ2xlYXBpcy5jb20vYXR0ZXN0YXRpb24vY3JsLzEzMjYzNzA0MTI4NzQ5MTYyOTc5MAoGCCqGSM49BAMCA2kAMGYCMQCsCvSIoT/6E+cbiD+v4e+Y6PUYX3ZcatDAAM1eWTAWZmnabkTW9u3/BWhzYYYm4fYCMQCdsRDgh8XG4ZWJhuvFtHy/C3vi1Hf1wD93YoHOLLJaIPvuv/hWR+1UpKO2lgHo9+4=
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIID0TCCAbmgAwIBAgIKA4gmZ2BliZaFfTANBgkqhkiG9w0BAQsFADAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MB4XDTE4MDMyMTIwNTM1M1oXDTI4MDMxODIwNTM1M1owKTEZMBcGA1UEBRMQMjk2MGNiOWFlYmQ1MDVmNDEMMAoGA1UEDAwDVEVFMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEjXELw7zFszCPjAS+Qn6zEFajdp6hD+53zSpN7egUzWfkFEh+wcLa4k67Fv2tKuekmLIhr4xidPllElgiwAyeB33abMJ5BckSX1ayj4lnpMVvYRovl/5ZHIKNIJMN/hC6o4G2MIGzMB0GA1UdDgQWBBTZCjmyzP+wdzrAqIzS/zURX5DNxjAfBgNVHSMEGDAWgBQ2YeEAfIgFCVGLRGxH/xpMyepPEjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDBQBgNVHR8ESTBHMEWgQ6BBhj9odHRwczovL2FuZHJvaWQuZ29vZ2xlYXBpcy5jb20vYXR0ZXN0YXRpb24vY3JsL0U4RkExOTYzMTREMkZBMTgwDQYJKoZIhvcNAQELBQADggIBAJKrsCoJam9qc1ZaHeQWf2TAjHDDVylLuUvczTSuu8VhZJiU0+yKGbTNnA13n/dvn7rmMj8W6ObWL582Se9MBBdKtAVeCG7qYFq+m6kYFIfL8sOuutKXG5eW+8VY4he0hu+5eZiS2e3mAZGYF9JwQTAv0H//6+9eLm/+j+L5tr2X4b7H6k2h4YW5HTIzIbVMvp/ic/zmv+RvrmYyXliaz1xglRqrJ6EiFI9/KsYYsSSVgorlrXPyKOBeXGc2SFIVQmLwfW4gc9BC8V4qBDcpFK1kxOfnkyXloVZeat4yuYFSIdtJq9FErMFHfp+pDjIKRGeeWWrPzkbELqtHUSeSktbqN229c+86YRfScxpx5iJ0Jp2YsHkiYDFs+0LOex2RNdOKErGKZ+8QbMtVxUIQARTlhZkeLTLAWufFcclEbZkpoe6jo131VjAlUrkQfK6dVVMx+gLhOffLjH9EmUOD8Y1an9DQCsZl1tpBN4WgInbRMlzBsKF17Z9BEW1f2A+Gn0mnznZoq6t0OxsvRJTEHEgswQh4Vkr77UYSdcwQ0flrpD9Oe6ObnB0VSSCVo1yhPC39R35Z5KDhiNS8BkuPaJoUK8RBbkl5ay4O86LFfY9tdAoHT0A/2hmq/NZhz48K1C9AJGtS+0+zHwSatjWJ7rM/KXAhJ0Nln/nMaeteQy2f
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk
> -----END CERTIFICATE-----
>
>
> g1.pem: OK
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210722/7f656f5d/attachment-0001.html>
More information about the openssl-users
mailing list