signer_cert_thumbprint_bin
elmarikon opened this issue · 4 comments
Hi again!
I figured there might be a bug in line 985 (AppVersion = "v0.2011.06.20")...
I tried on Win and Linux and found out that occasionally the signer_cert_thumbprint_bin is changed between encrypt and decrypt, or rather when being converted to 'bin'.
Example:
In the KDM the CertificateThumbprint appears as:
d+2S5swln2uPMzvt7pVIdPATCtQ=
When I decrypt the cipher value and extract the thumbprint with
openssl base64 -d -in (cipher) | openssl rsautl -decrypt -oaep -inkey (key) | dd bs=4 skip=4 count=5 status=noxfer | openssl base64
it comes out as:
d+2S5swln2uPMzvt7pVIdPATDQo=
Seems to be a problem about interpretation of linefeed / carriage return...
Might be better to write the signer_cert_thumbprint_bin to a file and then copy it directly into the cipher data...
PS. The command line is just an example, I tried several ways. Same result...
Best regards from Berlin!
SwK
Turns out I can't reproduce. Using CTP reference code and openssl I get:
$ dc-thumbprint ~/CERTS/dct-issue-3-test/leaf.pem
nSl67VU+/FFVKLJ1XnMfKi7f1ss=
$ grep CertificateThumbprint k_DCT-ISSUE-3-TEST_dcstore.smpte-430-2.LEAF_20110715_20110716_WOL_OV_ae3f6ed1.xml
<CertificateThumbprint>nSl67VU+/FFVKLJ1XnMfKi7f1ss=</CertificateThumbprint>
$ kdm-decrypt k_DCT-ISSUE-3-TEST_dcstore.smpte-430-2.LEAF_20110715_20110716_WOL_OV_ae3f6ed1.xml
SignerThumbprint: nSl67VU+/FFVKLJ1XnMfKi7f1ss=
# Extract cipher value from k_DCT-ISSUE3-TEST... to cipher.b64, decrypt, skip 16 bytes, print 20 bytes signer thumbprint
$ openssl base64 -d -in cipher.b64 | openssl rsautl -decrypt -oaep -inkey ~/CERTS/dct-issue-3-test/leaf.key | dd bs=4 skip=4 count=5 | openssl base64
nSl67VU+/FFVKLJ1XnMfKi7f1ss=
Hm, everything sane and healthy. I wonder what's going on at your end ... ?
Hi again!
It looks like it works depending on the bin value of the thumbprint...
I tried with several leaf.signed.pem, some seem to work, some don't.
Maybe I can send you mine, so you can try...
atb!
elmarikon, if you can set up a GitHub repo with a problem pair (key and certificate) so we can tackle this transparently.
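Added example, not part of the original thread: it decodes the Base64 thumbprints quoted in the posts above, locates the differing bytes, and checks whether the mismatch is consistent with each LF (0x0A) being expanded to CR LF before the fixed 20-byte read. The function names are illustrative; the three constants are copied from the posts.

```python
import base64

# Values copied from the posts above.
KDM_THUMBPRINT = "d+2S5swln2uPMzvt7pVIdPATCtQ="   # <CertificateThumbprint> in the KDM
PIPELINE_OUTPUT = "d+2S5swln2uPMzvt7pVIdPATDQo="  # result of the openssl | dd pipeline
REPLY_THUMBPRINT = "nSl67VU+/FFVKLJ1XnMfKi7f1ss=" # thumbprint from the reply's test run


def lf_to_crlf_truncated(data: bytes) -> bytes:
    """Model a text-mode stream: expand every LF to CR LF, then keep only
    len(data) bytes, as a fixed-size read (dd bs=4 count=5) would."""
    return data.replace(b"\n", b"\r\n")[:len(data)]


def diagnose(expected_b64: str, observed_b64: str) -> dict:
    """Compare two Base64 thumbprints byte by byte."""
    expected = base64.b64decode(expected_b64, validate=True)
    observed = base64.b64decode(observed_b64, validate=True)
    diff = [i for i, (a, b) in enumerate(zip(expected, observed)) if a != b]
    first = diff[0] if diff else None
    return {
        "lengths": (len(expected), len(observed)),
        "first_diff": first,
        "expected_tail": expected[first:].hex() if diff else "",
        "observed_tail": observed[first:].hex() if diff else "",
        "explained_by_crlf": bool(diff) and lf_to_crlf_truncated(expected) == observed,
    }


def survives_text_mode(thumbprint_b64: str) -> bool:
    """True if LF-to-CRLF expansion would leave this thumbprint unchanged."""
    raw = base64.b64decode(thumbprint_b64, validate=True)
    return lf_to_crlf_truncated(raw) == raw


if __name__ == "__main__":
    for key, value in diagnose(KDM_THUMBPRINT, PIPELINE_OUTPUT).items():
        print(f"{key}: {value}")
    print("KDM thumbprint survives text mode:  ", survives_text_mode(KDM_THUMBPRINT))
    print("reply thumbprint survives text mode:", survives_text_mode(REPLY_THUMBPRINT))
```

The reply's thumbprint contains no 0x0A byte, so this kind of translation would not alter it, which fits the observation that the result depends on the binary value of the thumbprint.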