cloud-security-research / sgx-ra-tls


In SGX enclave, can we verify the certificate signature and verify the certificate chain? #17

Open zhq0918 opened 5 years ago

zhq0918 commented 5 years ago

In SGX enclave, can we verify the certificate signature and verify the certificate chain? I tried, but failed. I want to know whether or not wolfSSL supports verifying the certificate chain and signature?

dimakuv commented 5 years ago

The certificate generated by RA-TLS is a self-signed certificate. There is no "certificate chain". It's just a single certificate which is also the root certificate.

In other words, the usual PKI notion of "chain of trust" doesn't apply to RA-TLS.

From where does the user gain trust then? The RA-TLS certificate incorporates the "SGX proof-of-validity" in custom X.509 fields of the certificate. In particular, the reply from IAS is embedded in these fields: the Attestation Verification Report, its signature, and its Signing Certificates (all from Intel). The client (the challenger) must somehow obtain the Root Attestation Report Signing Certificate from Intel via an out-of-band process. The client then verifies the chain of Signing Certificates, and then the Attestation Verification Report itself (including SGX fields like MRENCLAVE and MRSIGNER).

Please check Section 3 of the RA-TLS whitepaper: https://github.com/cloud-security-research/sgx-ra-tls/blob/master/whitepaper.pdf

dimakuv commented 5 years ago

Back to your question. The client (the challenger) must modify its certificate verification process as described in the RA-TLS whitepaper, Section 4.2 (and Figure 5). The special function verify_sgx_cert_extensions() does all the verification of the Attestation Report Signing Certificates' chain (rooting at Intel). I guess this is what you're asking about?

After this function succeeds, the challenger can proceed to check SGX-specific fields like MRENCLAVE/MRSIGNER by calling get_quote_from_cert().
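An added example, not part of the thread and not code from sgx-ra-tls: one way a challenger could pin MRENCLAVE/MRSIGNER once the attestation evidence has verified and the raw quote bytes are in hand. The type and function names are hypothetical; the offsets assume the `sgx_quote_t` layout from the Intel SGX SDK headers, and the sample quote is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Offsets in the 432-byte quote body, per sgx_quote_t in the Intel SGX SDK. */
#define QUOTE_BODY_LEN   432
#define MRENCLAVE_OFFSET 112
#define MRSIGNER_OFFSET  176
#define MEASUREMENT_LEN  32

/* Hypothetical policy type: a NULL pointer means "do not pin this value". */
struct enclave_policy { const uint8_t *mrenclave, *mrsigner; };

/* No early exit, so timing does not reveal where the first mismatch is. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 0 if the quote satisfies the policy, -1 otherwise (fail closed). */
int check_enclave_identity(const uint8_t *quote, size_t quote_len,
                           const struct enclave_policy *policy)
{
    if (!quote || !policy || quote_len < QUOTE_BODY_LEN)
        return -1;
    /* A policy that pins nothing would accept any enclave. */
    if (!policy->mrenclave && !policy->mrsigner)
        return -1;
    if (policy->mrenclave &&
        !ct_equal(quote + MRENCLAVE_OFFSET, policy->mrenclave, MEASUREMENT_LEN))
        return -1;
    if (policy->mrsigner &&
        !ct_equal(quote + MRSIGNER_OFFSET, policy->mrsigner, MEASUREMENT_LEN))
        return -1;
    return 0;
}

/* Constructed sample quote body: MRENCLAVE bytes 0xAA, MRSIGNER bytes 0xBB. */
const uint8_t *sample_quote(void)
{
    static uint8_t q[QUOTE_BODY_LEN];
    memset(q + MRENCLAVE_OFFSET, 0xAA, MEASUREMENT_LEN);
    memset(q + MRSIGNER_OFFSET, 0xBB, MEASUREMENT_LEN);
    return q;
}
```

This check only means something after the Intel-rooted verification has succeeded; on its own, a matching MRENCLAVE in an unverified quote proves nothing.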

zhq0918 commented 5 years ago

Hi @dimakuv, thank you for your response. My current problem is that I want to verify the client certificate in the enclave. I have tried changing the app to "mutual authentication", but I found that functions such as wolfSSL_X509_verify_cert, wolfSSL_get_verify_result, etc. can't be used. I checked the code in ssl.c and found that this requires adding the parameter "-DOPENSSL_EXTRA" to the makefile when generating the lib named "libwolfssl.sgx.static.lib.a". I regenerated the lib, but when I make the app, it reports the following:

```
/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a(ssl.o): In function `wolfSSL_BIO_free':
ssl.c:(.text+0x435b): undefined reference to `close'
```

I want to know how I can resolve this problem.

Regards,
zhq0918

dimakuv commented 5 years ago

This particular error says that your WolfSSL cannot find a libc library. This is pretty weird and doesn't seem to be the problem of WolfSSL. What is the command line used to build your app? It seems that whatever you use, it circumvents the standard C library.

zhq0918 commented 5 years ago

@dimakuv, in this project, first I changed build.sh to generate the lib named libwolfssl.sgx.static.lib.a; I added some macro definition parameters such as: -DWOLFSSL_CERT_EXT, -DKEEP_PEER_CERT, -DSESSION_CERTS, -DSHOW_CERTS, -DKEEP_OUR_CERT, -DOPENSSL_EXTRA, etc. Second, I changed the sgx_t_static.mk file in the directory "/opt/sgx_main/sgx-ra-tls/deps/wolfssl/IDE/LINUX-SGX"; I modified the variable Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX -DSHOW_CERTS -DKEEP_OUR_CERT -DOPENSSL_EXTRA. Third, I changed the file sgx_t.mk in "sgx-ra-tls/deps/wolfssl-examples/SGX_Linux"; I modified the variable Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT -DKEEP_PEER_CERT -DSESSION_CERTS -DSHOW_CERTS -DOPENSSL_EXTRA -DKEEP_OUR_CERT. Those are the main modifications. My main purpose is to get functions such as wolfSSL_X509_verify_cert, wolfSSL_get_verify_result, etc. into the lib named libwolfssl.sgx.static.lib.a, but it seems to have failed.

Regards,
zhq0918

dimakuv commented 5 years ago

Can you run make with verbose output and see which exact command fails? Also, please format your messages on GitHub with Markdown; they are hard to read. Sorry, I don't have cycles to reproduce your build.

zhq0918 commented 5 years ago

@dimakuv, sorry, my main modification is in the wolfssl-example/SGX-Linux project. I feel I would be better off consulting on wolfssl-example. In conclusion, thank you very much for your guidance.