cloud-security-research / sgx-ra-tls


ERROR: failed to connect to wolfSSL, return value = -188 #28

Open srieyulianti opened 3 years ago

srieyulianti commented 3 years ago

Hello,

I am running sgx-ra-tls with wolfSSL, but I got the following error raised on the client side:

```
[+] Client Test:
[+] Connection with server has been established
wolfSSL Entering wolfSSL_Init
wolfSSL Entering wolfCrypt_Init
wolfSSL Entering TLSv1_2_client_method_ex
wolfSSL Entering wolfSSL_CTX_new_ex
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering wolfSSL_CTX_set_verify
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Entering SSL_set_read_fd
wolfSSL Leaving SSL_set_read_fd, return 1
wolfSSL Entering SSL_set_write_fd
wolfSSL Leaving SSL_set_write_fd, return 1
wolfSSL Entering SSL_connect()
wolfSSL Entering SendClientHello
Adding signature algorithms extension
growing output buffer

Signature Algorithms extension to write
Point Formats extension to write
Supported Groups extension to write
Encrypt-Then-Mac extension to write
EMS extension to write
Shrinking output buffer

wolfSSL Leaving SendClientHello, return 0
connect state: CLIENT_HELLO_SENT
growing input buffer

received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Entering DoServerHello
wolfSSL Entering VerifyClientSuite
wolfSSL Leaving DoServerHello, return 0
Shrinking input buffer

wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
got HANDSHAKE
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
wolfSSL Entering DoCertificate
wolfSSL Entering ProcessPeerCerts
Loading peer's cert chain
Put another cert into chain
Verifying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
No CA signer to verify with
Failed to verify Peer's cert
Callback override available, will continue
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetSerialNumber
Got Cert Header
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Algo ID
Getting Cert Name
Getting Cert Name
Got Subject Name
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
Got Key
Parsed Past Key
wolfSSL Entering DecodeCertExtensions
wolfSSL Entering GetObjectId()
wolfSSL Entering GetAlgoId
wolfSSL Entering GetObjectId()
quote size is 4594; quote signature_data_len is 4158.
[load_qve ../sgx_dcap_quoteverify.cpp:199] Call sgx_create_enclave for QvE. /usr/lib/x86_64-linux-gnu/libsgx_qve.signed.so
[sgx_qv_get_quote_supplemental_data_size ../sgx_dcap_quoteverify.cpp:541] Info: sgx_qve_get_quote_supplemental_data_version successfully returned.
[sgx_qv_get_quote_supplemental_data_size ../sgx_dcap_quoteverify.cpp:551] Info: sgx_qve_get_quote_supplemental_data_size successfully returned.
[unload_qve ../sgx_dcap_quoteverify.cpp:267] unload qve enclave 0X3
sgx_qv_get_quote_supplemental_data_size successfully returned.
[load_qve ../sgx_dcap_quoteverify.cpp:199] Call sgx_create_enclave for QvE. /usr/lib/x86_64-linux-gnu/libsgx_qve.signed.so
[sgx_qv_get_quote_supplemental_data_size ../sgx_dcap_quoteverify.cpp:541] Info: sgx_qve_get_quote_supplemental_data_version successfully returned.
[sgx_qv_get_quote_supplemental_data_size ../sgx_dcap_quoteverify.cpp:551] Info: sgx_qve_get_quote_supplemental_data_size successfully returned.
[unload_qve ../sgx_dcap_quoteverify.cpp:267] unload qve enclave 0X4
[sgx_qv_verify_quote ../sgx_dcap_quoteverify.cpp:450] Info: get_fmspc_ca_from_quote successfully returned.
[sgx_qv_verify_quote ../sgx_dcap_quoteverify.cpp:465] Info: sgx_dcap_retrieve_verification_collateral successfully returned.
[sgx_qv_verify_quote ../sgx_dcap_quoteverify.cpp:484] Info: QVL: sgx_qve_verify_quote successfully returned.
App: sgx_qv_verify_quote successfully returned.
Warning: App: Verification completed with Non-terminal result: a007
Verifying SGX certificate extensions ... Success
wolfSSL Entering SendAlert
growing output buffer

Shrinking output buffer

wolfSSL Leaving SendAlert, return 0
wolfSSL Leaving ProcessPeerCerts, return -188
wolfSSL Leaving DoCertificate, return -188
wolfSSL Leaving DoHandShakeMsgType(), return -188
wolfSSL Leaving DoHandShakeMsg(), return -188
wolfSSL error occurred, error = -188
wolfSSL error occurred, error = -188
ERROR: failed to connect to wolfSSL
wolfSSL Entering SSL_free
CTX ref count not 0 yet, no free
Shrinking input buffer
```

When I track this error, it mentions "ASN sig error, no CA signer to verify certificate". Does it mean that, after calling a `verify_certificate_callback`, it still needs a trusted CA to verify the server's certificate?

Here is a part of the code I implemented on the client side:

....

```c
/* Require a peer certificate and route wolfSSL's chain-verification verdict
 * through cert_verify_callback, which performs the RA-TLS extension check. */
wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, cert_verify_callback);

WOLFSSL *ssl = wolfSSL_new(ctx);
if (!ssl) {
    fprintf(stderr, "ERROR: failed to create WOLFSSL object\n");
    goto err_ctx;
}

/* Attach wolfSSL to the socket */
wolfSSL_set_fd(ssl, sockfd);

/* Runs the handshake; a 0 return from the verify callback makes this fail. */
if (wolfSSL_connect(ssl) != SSL_SUCCESS) {
    fprintf(stderr, "ERROR: failed to connect to wolfSSL\n");
    goto err_ssl;
}

/* The peer certificate is only available after a successful handshake. */
WOLFSSL_X509 *srvcrt = wolfSSL_get_peer_certificate(ssl);
if (!srvcrt) {
    fprintf(stderr, "ERROR: no peer certificate received\n");
    goto err_ssl;
}

/* DER encoding of the server certificate, needed to extract the SGX report. */
int derSz;
const unsigned char *der = wolfSSL_X509_get_der(srvcrt, &derSz);
sgx_report_body_t *body = NULL;
```

...

Thank you in advance,

Best Regards, Sri Yulianti
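The question above turns on what a wolfSSL verify callback is allowed to decide. wolfSSL hands the callback its own chain verdict (`preverify`, 0 when the chain could not be built, with the reason in `store->error`) and treats the callback's return value as final: 1 accepts the peer despite the chain error, 0 rejects it and the handshake fails with an alert, as in the log. For a self-signed RA-TLS certificate the only chain error that is legitimate to override is "no CA signer" (wolfSSL's `ASN_NO_SIGNER_E`, -188), and only when the SGX evidence in the certificate checks out. The following is an added example (not code from sgx-ra-tls or wolfSSL) that models that decision as a fail-closed policy, including how to treat a DCAP "non-terminal" quote result such as the `a007` (`SGX_QL_QV_RESULT_SW_HARDENING_NEEDED`) seen in the log. The constants are mirrored from wolfSSL's `error-crypt.h` and DCAP's `sgx_qve_header.h` so the file compiles without either library; `ratls_policy_t`, the function names and the sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrored from the real headers so this file builds without wolfSSL or the
 * DCAP SDK installed (values as published by those projects):
 *   ASN_NO_SIGNER_E, ASN_SIG_CONFIRM_E : wolfssl/wolfcrypt/error-crypt.h
 *   SGX_QL_QV_RESULT_*                 : sgx_qve_header.h                  */
#define ASN_NO_SIGNER_E   (-188)  /* "ASN sig error, no CA signer to verify certificate" */
#define ASN_SIG_CONFIRM_E (-155)  /* "ASN sig error, confirm failure" (signature mismatch) */

#define SGX_QL_QV_RESULT_OK                  0x0000u
#define SGX_QL_QV_RESULT_CONFIG_NEEDED       0xA001u
#define SGX_QL_QV_RESULT_OUT_OF_DATE         0xA002u
#define SGX_QL_QV_RESULT_INVALID_SIGNATURE   0xA004u
#define SGX_QL_QV_RESULT_REVOKED             0xA005u
#define SGX_QL_QV_RESULT_SW_HARDENING_NEEDED 0xA007u

/* Deployment policy, constructed for this example: which non-OK DCAP results
 * a relying party is willing to tolerate. */
typedef struct {
    int accept_sw_hardening_needed; /* tolerate 0xA007 (platform lacks SW mitigations)? */
    int accept_config_needed;       /* tolerate 0xA001 (platform/BIOS configuration needed)? */
} ratls_policy_t;

static const ratls_policy_t RATLS_POLICY_STRICT  = {0, 0};
static const ratls_policy_t RATLS_POLICY_LENIENT = {1, 0};

/* Is the DCAP quote-verification outcome acceptable under the policy?
 * Everything not explicitly allowed is rejected (fail closed). */
int qv_result_acceptable(uint32_t qv_result, const ratls_policy_t *p)
{
    switch (qv_result) {
    case SGX_QL_QV_RESULT_OK:                  return 1;
    case SGX_QL_QV_RESULT_SW_HARDENING_NEEDED: return p->accept_sw_hardening_needed;
    case SGX_QL_QV_RESULT_CONFIG_NEEDED:       return p->accept_config_needed;
    default:                                   return 0; /* OUT_OF_DATE, REVOKED, INVALID_SIGNATURE, ... */
    }
}

/* The verdict a RA-TLS verify callback should hand back to wolfSSL.
 *   preverify   : wolfSSL's chain verdict (1 = chain verified, 0 = failed)
 *   store_error : wolfSSL error behind a failed verdict (store->error)
 *   sgx_ext_ok  : 1 if the quote in the certificate extension was parsed,
 *                 bound to the certificate's key and verified by DCAP
 *   qv_result   : the sgx_ql_qv_result_t DCAP reported for that quote
 * Returns 1 to accept the peer (overriding the chain error) or 0 to reject,
 * which makes wolfSSL send an alert and fail wolfSSL_connect(). */
int ratls_verify_decision(int preverify, int store_error, int sgx_ext_ok,
                          uint32_t qv_result, const ratls_policy_t *p)
{
    /* Without a CA for the self-signed RA-TLS certificate, the only chain
     * error wolfSSL can legitimately report is "no signer". Any other error
     * (bad signature, expiry, ...) is real and must never be overridden. */
    if (!preverify && store_error != ASN_NO_SIGNER_E)
        return 0;
    /* The attestation evidence is the trust anchor here, so it must hold
     * even if wolfSSL happened to find a configured CA for the chain. */
    if (!sgx_ext_ok)
        return 0;
    return qv_result_acceptable(qv_result, p);
}

/* Stand-alone run: the situation from the log above (no CA signer, SGX
 * extension verified, DCAP reported 0xA007) under both policies. */
int main(void)
{
    int strict  = ratls_verify_decision(0, ASN_NO_SIGNER_E, 1,
                                        SGX_QL_QV_RESULT_SW_HARDENING_NEEDED,
                                        &RATLS_POLICY_STRICT);
    int lenient = ratls_verify_decision(0, ASN_NO_SIGNER_E, 1,
                                        SGX_QL_QV_RESULT_SW_HARDENING_NEEDED,
                                        &RATLS_POLICY_LENIENT);
    printf("no CA signer, ext ok, qv=0xA007: strict -> %d, lenient -> %d\n",
           strict, lenient);
    return 0;
}
```

In a real client the wolfSSL callback `int cb(int preverify, WOLFSSL_X509_STORE_CTX *store)` would pass `preverify` and `store->error` straight through as the first two arguments, while `sgx_ext_ok` and `qv_result` come from the RA-TLS quote verifier; the point of keeping the decision in its own function is that the override is tied to one specific, expected error and to a successful attestation, rather than to "the callback was called".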

dimakuv commented 3 years ago

I'm not a maintainer of this repository (but participated in this), so I'll just quickly note that this repo is outdated and is not recommended for use with RA-TLS. The officially supported way to use RA-TLS is to use it in conjunction with Graphene-SGX: https://github.com/oscarlab/graphene.

You can find more info on RA-TLS plus Graphene here: https://graphene.readthedocs.io/en/latest/attestation.html.

The examples can be found here: https://github.com/oscarlab/graphene/tree/master/Examples/ra-tls-secret-prov and https://github.com/oscarlab/graphene/tree/master/Examples/ra-tls-mbedtls.