Hi,
Recently I start to evaluate the payment cryptography API. So far by using the cli command I can:
- Create the top KEK
- Using get-parameters-for-export command to get the export token
- Import my testing KRD CA cert
- Export the KEK in TR34 format by using my KRD's host public cert (signed by my KRD's CA)
However, when I try to use my KRD's private cert to decrypt the CMS's Ephemeral symmetric key I failed. Without that I cannot further decode the Keyblock and hence the KEK.
I've tried to using openssl command or using JAVA's crypto library and it's always failed.
The command is look like this:
*#openssl pkeyutl -in aws_kdh_ephemeral_key.bin -inkey certs/server.key -pkeyopt rsa_padding_mode:oaep -decrypt
Public Key operation error
140139261809088:error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error:../crypto/rsa/rsa_oaep.c:245:
*
(The above aws_kdh_ephemeral_key.bin is extracted from the CMS OCTECT STRING inside the OID 1.2.840.113549.1.7.3 envelopedData)
Any comments are welcome
BR,
Tim