Hello,
we are implementing our own SAP Content Server with the HTTP interface. With a putCert command we received the public key and converted it to X.509 in order to use it with OpenSSL in PHP or natively with OpenSSL on the console:
Now with the create command we are getting the message (which consists of the s-mandatory values and the signed values as described in the specification); for example, it looks like:
W1005056A57D331ED49CF644B265BC8C33datarcudcCN%3DSE2,OU%3DI0020184890,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE20141124101613
And we are getting the secKey, which we converted to binary with urldecode() and base64_decode() in PHP. The secKey is now in DER format.
On console with OpenSSL I can view the content of the secKey container:
openssl asn1parse -in seckey2.bin -inform der
0:d=0 hl=4 l= 338 cons: SEQUENCE
4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-signedData
15:d=1 hl=4 l= 323 cons: cont [ 0 ]
19:d=2 hl=4 l= 319 cons: SEQUENCE
23:d=3 hl=2 l= 1 prim: INTEGER :01
26:d=3 hl=2 l= 11 cons: SET
28:d=4 hl=2 l= 9 cons: SEQUENCE
30:d=5 hl=2 l= 5 prim: OBJECT :sha1
37:d=5 hl=2 l= 0 prim: NULL
39:d=3 hl=2 l= 11 cons: SEQUENCE
41:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data
52:d=3 hl=4 l= 286 cons: SET
56:d=4 hl=4 l= 282 cons: SEQUENCE
60:d=5 hl=2 l= 1 prim: INTEGER :01
63:d=5 hl=2 l= 111 cons: SEQUENCE
65:d=6 hl=2 l= 100 cons: SEQUENCE
67:d=7 hl=2 l= 11 cons: SET
69:d=8 hl=2 l= 9 cons: SEQUENCE
71:d=9 hl=2 l= 3 prim: OBJECT :countryName
76:d=9 hl=2 l= 2 prim: PRINTABLESTRING :DE
80:d=7 hl=2 l= 28 cons: SET
82:d=8 hl=2 l= 26 cons: SEQUENCE
84:d=9 hl=2 l= 3 prim: OBJECT :organizationName
89:d=9 hl=2 l= 19 prim: PRINTABLESTRING :SAP Trust Community
110:d=7 hl=2 l= 19 cons: SET
112:d=8 hl=2 l= 17 cons: SEQUENCE
114:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
119:d=9 hl=2 l= 10 prim: PRINTABLESTRING :SAP Web AS
131:d=7 hl=2 l= 20 cons: SET
133:d=8 hl=2 l= 18 cons: SEQUENCE
135:d=9 hl=2 l= 3 prim: OBJECT :organizationalUnitName
140:d=9 hl=2 l= 11 prim: PRINTABLESTRING :I0020184890
153:d=7 hl=2 l= 12 cons: SET
155:d=8 hl=2 l= 10 cons: SEQUENCE
157:d=9 hl=2 l= 3 prim: OBJECT :commonName
162:d=9 hl=2 l= 3 prim: PRINTABLESTRING :SE2
167:d=6 hl=2 l= 7 prim: INTEGER :20140407064210
176:d=5 hl=2 l= 9 cons: SEQUENCE
178:d=6 hl=2 l= 5 prim: OBJECT :sha1
185:d=6 hl=2 l= 0 prim: NULL
187:d=5 hl=2 l= 93 cons: cont [ 0 ]
189:d=6 hl=2 l= 24 cons: SEQUENCE
191:d=7 hl=2 l= 9 prim: OBJECT :contentType
202:d=7 hl=2 l= 11 cons: SET
204:d=8 hl=2 l= 9 prim: OBJECT :pkcs7-data
215:d=6 hl=2 l= 28 cons: SEQUENCE
217:d=7 hl=2 l= 9 prim: OBJECT :signingTime
228:d=7 hl=2 l= 15 cons: SET
230:d=8 hl=2 l= 13 prim: UTCTIME :141124081613Z
245:d=6 hl=2 l= 35 cons: SEQUENCE
247:d=7 hl=2 l= 9 prim: OBJECT :messageDigest
258:d=7 hl=2 l= 22 cons: SET
260:d=8 hl=2 l= 20 prim: OCTET STRING [HEX DUMP]:221DF0EEC7FB07752C2360E9988D354E9366D26A
282:d=5 hl=2 l= 9 cons: SEQUENCE
284:d=6 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
293:d=5 hl=2 l= 47 prim: OCTET STRING [HEX DUMP]:302D02147A10B413FBCB9E9253668B30AB4A3BC6F2F5530302150090A2E63B96104049787D86507E0AB40F2C46B20A
This shows me that the conversion of the secKey is valid.
Now I am trying to verify the message through the openssl_verify() function:
openssl_verify($originalMessage, $secKeyDer, $pubKey, 'sha1');
and getting these errors:
error:0906D06C:PEM routines:PEM_read_bio:no start line
error:0606C06E:digital envelope routines:EVP_VerifyFinal:wrong public key type
Now I am stuck; I have no clue why there is a wrong public key type. According to the documentation of the function, the public key must be in PEM format.
Does anyone have an idea how to verify the message in PHP or alternatively in OpenSSL?
Regards,
Chris.
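Added example, not code from the post, from SAP or from PHP: the asn1parse dump above shows that the secKey is a PKCS#7 SignedData container, and when signed attributes are present the DSA signature covers the DER of those attributes (re-tagged as SET OF, RFC 5652 section 5.4), which bind the message only through the messageDigest attribute, so openssl_verify() over the raw message with the whole container as "signature" cannot succeed. The helpers below parse such a container, check messageDigest against SHA-1 of the message, and return the bytes a DSA verify would actually cover. All function names are my own, and because the real secKey bytes are not on the page the container is a constructed stand-in with placeholder signature integers, built around the message string quoted in the post.

```python
import hashlib

# DER contents of the OIDs used below: 1.2.840.113549.1.9.3 / .1.9.4 (attributes) and .1.7.1 / .1.7.2 (PKCS#7)
OID_CONTENT_TYPE, OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010903"), bytes.fromhex("2a864886f70d010904")
OID_PKCS7_DATA, OID_PKCS7_SIGNED = bytes.fromhex("2a864886f70d010701"), bytes.fromhex("2a864886f70d010702")

def der_tlv(buf, pos=0):  # decode one DER element -> (tag, value, end); long-form lengths as in the 338-byte secKey
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tlv(tag, payload):  # encode one DER element (short or long length form)
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def find_signed_attrs(buf):  # innermost [0] IMPLICIT element holding messageDigest == SignerInfo.signedAttrs
    pos, found = 0, None
    while pos < len(buf) and found is None:
        tag, value, pos = der_tlv(buf, pos)
        if tag & 0x20:  # constructed: descend first, so the outer [0] of SignedData (which also contains it) is passed over
            found = find_signed_attrs(value) or (value if tag == 0xA0 and OID_MESSAGE_DIGEST in value else None)
    return found

def message_digest_from_attrs(attrs):  # Attribute ::= SEQUENCE { type OID, values SET OF AttributeValue }
    pos = 0
    while pos < len(attrs):
        _, attr, pos = der_tlv(attrs, pos)
        _, oid, end = der_tlv(attr, 0)
        if oid == OID_MESSAGE_DIGEST:
            return der_tlv(der_tlv(attr, end)[1], 0)[1]  # the single OCTET STRING inside the SET
    return None

def check_message_digest(seckey_der, message, hash_name="sha1"):  # does the container bind exactly this message?
    attrs = find_signed_attrs(seckey_der)
    return attrs is not None and message_digest_from_attrs(attrs) == hashlib.new(hash_name, message).digest()
def bytes_to_verify(seckey_der):  # what the DSA signature covers: signedAttrs re-tagged as SET OF (RFC 5652 5.4)
    attrs = find_signed_attrs(seckey_der)
    return None if attrs is None else tlv(0x31, attrs)

def build_sample(message):  # constructed PKCS#7-shaped SignedData; r and s are placeholders, not a real signature
    attr = lambda oid, val: tlv(0x30, tlv(0x06, oid) + tlv(0x31, val))
    attrs = attr(OID_CONTENT_TYPE, tlv(0x06, OID_PKCS7_DATA)) + attr(OID_MESSAGE_DIGEST, tlv(0x04, hashlib.sha1(message).digest()))
    signer = tlv(0x30, tlv(0x02, b"\x01") + tlv(0xA0, attrs) + tlv(0x04, tlv(0x30, tlv(0x02, b"\x01") * 2)))
    signed = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x31, signer))
    return tlv(0x30, tlv(0x06, OID_PKCS7_SIGNED) + tlv(0xA0, signed))
SAMPLE_MESSAGE = b"W1005056A57D331ED49CF644B265BC8C33datarcudcCN%3DSE2,OU%3DI0020184890,OU%3DSAPWebAS,O%3DSAPTrustCommunity,C%3DDE20141124101613"
SAMPLE_DER = build_sample(SAMPLE_MESSAGE)  # the message string quoted in the post, bound into a constructed container
```

To finish verification with OpenSSL on the console, the whole container is handled by `openssl smime -verify -inform DER` with the putCert certificate as `-certfile` and the message as `-content`, rather than by a raw signature check.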