Verifying Android hardware attestation certificates with OpenSSL
I have been trying to verify hardware attestation certificates originating from different Android phones with the OpenSSL tool. There doesn't seem to be much information about how these are supposed to work. With OpenSSL I'm getting mixed results.
The Android developer spec for the certificate extension data schema is available at
The OpenSSL command shipping with Mac OS 10.13 (LibreSSL 2.2.7) even fails to parse these certificates.
OpenSSL 1.1.0g shipping with Ubuntu parses all of my example certificates just fine. However, trying to verify certificate chains sometimes succeeds, sometimes fails. Version 1.1.2-dev follows the same pattern.
So far, I have figured out the following patterns:
- Certificate chain extracted from a real world device is either 3 or 4 certificates.
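One check worth running before blaming the certificates themselves is how the chain is handed to `openssl verify`: the root must come from a trust store (`-CAfile`), and every certificate between root and leaf has to be supplied as `-untrusted`, otherwise a 3- or 4-certificate chain fails even though nothing is wrong with it. The script below is an added example, not code from the question or from Android; it builds constructed 3- and 4-certificate chains with OpenSSL (all keys, names and files are made up on the fly and carry no Android attestation extension) and verifies each one both the right way and the common wrong way.

```shell
#!/bin/sh
# Added example (not from the original post): construct 3- and 4-certificate
# chains and verify them the way a device attestation chain must be verified.
# Every key, subject name and file here is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF

# new_key NAME: P-256 private key in NAME.key
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"; }

# sign NAME SUBJECT ISSUER EXTFILE: certificate NAME.pem for NAME.key,
# self-signed when ISSUER is "self", otherwise signed by ISSUER.key.
sign() {
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"
  if [ "$3" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$4" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
      -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
  fi
}

for n in root inter attest leaf4 leaf3; do new_key "$n"; done
sign root   "Constructed Root"               self   ca.ext
sign inter  "Constructed Intermediate"       root   ca.ext
sign attest "Constructed Attestation CA"     inter  ca.ext
sign leaf4  "Constructed Key (4-cert chain)" attest leaf.ext  # root > inter > attest > leaf
sign leaf3  "Constructed Key (3-cert chain)" inter  leaf.ext  # root > inter > leaf

# Chains in the order a device hands them over: leaf first, root last.
cat leaf4.pem attest.pem inter.pem root.pem > chain4.pem
cat leaf3.pem inter.pem root.pem > chain3.pem

# chain_length FILE: number of PEM certificates in the file
chain_length() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_chain CHAIN ROOT: leaf is the first cert of CHAIN, the rest of CHAIN
# is offered as untrusted intermediates, ROOT is the separately trusted anchor.
# Succeeds (exit 0) only when openssl reports "OK".
verify_chain() {
  openssl x509 -in "$1" -out leaf_only.pem     # openssl x509 reads the first cert only
  openssl verify -CAfile "$2" -untrusted "$1" leaf_only.pem 2>/dev/null | grep -q ': OK$'
}

# verify_without_intermediates CHAIN ROOT: the common mistake, root + leaf only.
verify_without_intermediates() {
  openssl x509 -in "$1" -out leaf_only.pem
  openssl verify -CAfile "$2" leaf_only.pem 2>/dev/null | grep -q ': OK$'
}

for c in chain3.pem chain4.pem; do
  printf '%s: %s certs, with intermediates: %s, leaf only: %s\n' "$c" "$(chain_length "$c")" \
    "$(verify_chain "$c" root.pem && echo OK || echo FAIL)" \
    "$(verify_without_intermediates "$c" root.pem && echo OK || echo FAIL)"
done
```

Both constructed chains verify when the intermediates are passed with `-untrusted` and fail when only the root and the leaf are given, whichever chain length is used. The trust anchor is deliberately taken from a separate file rather than from the last certificate in the chain, because a chain that carries its own root proves nothing on its own.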