These steps validate that the TPM controls the private counterpart of the public key present in the platform certificate and can be used for signatures.
# Extract the public key from the platform certificate
openssl x509 -pubkey -noout -in device-platform-certificate.crt > ak-public-key.pem
# Nonce signed by AK was already replied in previous HTTP POST (EK/TPM challenge)
# ak_signature is replied in base64 format. Let's decode it
jq -r .data.ak_signature response.json | base64 -d > signed_ak_nonce.sig
# Verify the signature with AK public key
openssl dgst -sha256 -verify ak-public-key.pem -signature signed_ak_nonce.sig nonce.txt
#Verified OK
# Destroy NG API ticket
curl -s -X DELETE \
https://nodegrid/api/v1/Session \
--insecure \
-H 'Content-Type: application/json' \
-H 'accept: application/json' \
-H "ticket: ${ticket}"