Running sample code returns 400 when interacting with IAS

kss-espeo commented 5 years ago

Steps to reproduce:

Setup sgx-ra-sample as per project description
Execute ./run-server script
Execute ./run-client script
Expected: full attestation process is completed
Actual: attestation process fails while processing msg3. A following error is displayed:

---- IAS report HTTP Response ---------------------------------------------- HTTP/1.1 400 Bad Request Content-Length: 0 Request-ID: 8a3460c513e0429f810d4646c6138081 Date: Tue, 30 Jul 2019 15:13:37 GMT Connection: close

attestation query returned 400: Invalid payload Attestation failed error processing msg3 Waiting for a client to connect...

It seems that interface of IAS report method has changed since this code was written. API documentation (https://api.trustedservices.intel.com/documents/sgx-attestation-api-spec.pdf , section 4.2) sems to confirm that - it requires multiple fields but in the sample code only isvEnclaveQuote is set: payload.insert(make_pair("isvEnclaveQuote", b64quote));

I have tried to fix it on my own like this:

    payload.insert(make_pair("id", "123"));
    payload.insert(make_pair("timestamp", "2019-07-15"));
    payload.insert(make_pair("version", "3"));
    payload.insert(make_pair("isvEnclaveQuoteStatus", "OK"));
    payload.insert(make_pair("isvEnclaveQuoteBody", b64quote));

... but my request failed with same error.

Can I get some assistance with that please? What I'm after is not necessary fixed code of sgx-ra-sample , but just being able to successfully finish attestation process manually.

Also I suggest enhancing error handling on IAS side - just returning 400 with no error message is not very descriptive.

jmechalas commented 5 years ago

Are you running the latest version of the code? Make sure you are either on master or the v3.0 tag. The v2.x source does not set the content-type header to application/json when communicating with IAS. Originally, IAS was not enforcing that requirement, so this code sample worked even though it was not compliant. I can't say for sure this is your issue, but it manifests in exactly the way you describe.

kss-espeo commented 5 years ago

Yes, I'm running an up-to-date version of master. @jmechalas

jmechalas commented 5 years ago

Can you provide the excerpt from the server logs where IAS is contacted while processing msg3, with the DEBUG and VERBOSE options turned on? This should dump the exact request sent to IAS, with headers. (Please be sure to scrub any sensitive information in the content body.)

AnandakumarNatarajan commented 5 years ago

i am also facing the similar issue! @kss-espeo for IAS report request you need not to add extra params like id , timestamp etc, those are response json fields.

required params are :

"isvEnclaveQuote" "pseManifest" "nonce"

but with above params set, im getting 400 Invalid payload error!

AnandakumarNatarajan commented 5 years ago

another issue may be related to this thread!

IAS Signing Cert CA is required while starting run-server! but in the v3 api registeration we are not using any CA cert to registered with IAS!

@kss-espeo may i know which IAS Signing Cert CA you were using while starting run-server

can anyone please explain about this!

thanks!

kss-espeo commented 5 years ago

@jmechalas There is some of it in my first post, here's the rest:

---- Msg3 Details (from Client) --------------------------------------------
msg3.mac                 = 2390677621973710ace9f1514d16fdd7
msg3.g_a.gx              = 3cab77a66846cb6e7644ad316830506d9ec34def0fb3ebd5bdbd6df3c170c96f
msg3.g_a.gy              = 36ceda7a2029189bee3d96b271c2e724b48cb7b2d1ace88021164550d45ecfe8
msg3.ps_sec_prop         = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
msg3.quote.version       = 0200
msg3.quote.sign_type     = 0100
msg3.quote.epid_group_id = e30a0000
msg3.quote.qe_svn        = 0800
msg3.quote.pce_svn       = 0700
msg3.quote.xeid          = 00000000
msg3.quote.basename      = 911dbf50f2eb6dbe27784f60fffba85600000000000000000000000000000000
msg3.quote.report_body   = 0409ffff010200000000000000000000000000000000000000000000000000000000000000000000000000000000000007000000000000000700000000000000fee4bae07e1f1fdc85667f27afe0fad65e98c3ada8ec12f504e1123b051945960000000000000000000000000000000000000000000000000000000000000000bd71c6380ef77c5417e8b2d1ce2d4b6504b9f418e5049342440cfff2443d95bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003dad73fb49000312611898731965c2115b643a10299f71e09ad2439180ca2d200000000000000000000000000000000000000000000000000000000000000000
msg3.quote.signature_len = a8020000
msg3.quote.signature     = 27e74e235cc80a5ca1634117db7386f348ef93fbc1e19f24d259951eb6ca94e1a581015a52ff540c7767c1d006518abb59ef10b5e7aedc8a178a3ee290c576edd0bee07fe21250af48622d49818e90e6fb25b0414dc94c5eb69bd6c847433539de4373c46bf9d825abb74fe5551ce6adc5b7cf21f756aee61b5a8dcc971aaa1c90c18fe2c11feb1e22e29b76cead5f75f40d8388e02a5df6a1d80a127f17099652bb3129336e0c7fd2eef43f6d5c53c31ad5ef3c400e16e55b8044de4274aa4bb06bf0120a562e379a3937c9e6a002ff43cfab795eb5422852a57aa683d774002c6a9cbb4e372bc84b67fd61ead4dc8434a66cb2ff8ebc59eb99ec2fd2a1714ab8cd0e780f337be2a724c6a97daa96421edc71e395d3d77ac5bad4618e92e0bc2439b85895b5aa7a389ee8a968010000962933663725bc502ec45777c1dcd6c99b36f1754044456f04531ac8c5235ccdd1d31411e46065cb1dd6b007a3f6e0f8947cf67d4a807fef8c587e662af08dc4518011febf87ca4675bb0b2206174317b9117c2374a10456ff7e186c3e4ba857db1fc005fcb9c5dcf1cffa69999e71971e5b4e8bf918ad42256715bd44f81988e1db884fd138704eace7cf9522fd14bf0a1ddac079d761a92179b9bfb9b48b796d9778795fb59f02bdf35547c281094ac200c0349427057fc763a85c134ed2567bb02d36f17d857ac1e46215ef790d3f025d4b027091cc18f5b176570274bea4f12925149e4d47d8aa4ef8c36049291e92ae55dfc2716e739e532a69b3fa039b6c656e89e36b00c8c78752f193e4113c9d1c9ee456bb2d453e0591191dd6ae2317ecdd07700a2e2481fb5b5721a21ecf7f7b6addbcfdd024726d2f25d23e6211cd45d1344f8bc7dabae6d425f327ecc44ce057313691be89c21fb74a5fcf8582311e664a57a5fd6430e17b4b1c58281a363c315c541d8a31

---- Enclave Quote (base64) ==> Send to IAS --------------------------------
AgABAOMKAAAIAAcAAAAAAJEdv1Dy622+J3hPYP/7qFYAAAAAAAAAAAAAAAAAAAAABAn//wECAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAHAAAAAAAAAP7kuuB+Hx/chWZ/J6/g+tZemMOtqOwS9QThEjsFGUWWAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC9ccY4Dvd8VBfostHOLUtlBLn0GOUEk0JEDP/yRD2VvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA9rXP7SQADEmEYmHMZZcIRW2Q6ECmfceCa0kORgMotIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqAIAACfnTiNcyApcoWNBF9tzhvNI75P7weGfJNJZlR62ypThpYEBWlL/VAx3Z8HQBlGKu1nvELXnrtyKF4o+4pDFdu3QvuB/4hJQr0hiLUmBjpDm+yWwQU3JTF62m9bIR0M1Od5Dc8Rr+dglq7dP5VUc5q3Ft88h91au5htajcyXGqockMGP4sEf6x4i4pt2zq1fdfQNg4jgKl32odgKEn8XCZZSuzEpM24Mf9Lu9D9tXFPDGtXvPEAOFuVbgETeQnSqS7Br8BIKVi43mjk3yeagAv9Dz6t5XrVCKFKleqaD13QALGqcu043K8hLZ/1h6tTchDSmbLL/jrxZ65nsL9KhcUq4zQ54DzN74qckxql9qpZCHtxx45XT13rFutRhjpLgvCQ5uFiVtap6OJ7oqWgBAACWKTNmNyW8UC7EV3fB3NbJmzbxdUBERW8EUxrIxSNczdHTFBHkYGXLHdawB6P24PiUfPZ9SoB/74xYfmYq8I3EUYAR/r+HykZ1uwsiBhdDF7kRfCN0oQRW/34YbD5LqFfbH8AF/LnF3PHP+mmZnnGXHltOi/kYrUIlZxW9RPgZiOHbiE/ROHBOrOfPlSL9FL8KHdrAeddhqSF5ub+5tIt5bZd4eV+1nwK981VHwoEJSsIAwDSUJwV/x2OoXBNO0lZ7sC028X2FesHkYhXveQ0/Al1LAnCRzBj1sXZXAnS+pPEpJRSeTUfYqk74w2BJKR6SrlXfwnFuc55TKmmz+gObbGVuieNrAMjHh1Lxk+QRPJ0cnuRWuy1FPgWRGR3WriMX7N0HcAouJIH7W1choh7Pf3tq3bz90CRybS8l0j5iEc1F0TRPi8fauubUJfMn7MRM4FcxNpG+icIft0pfz4WCMR5mSlel/WQw4XtLHFgoGjY8MVxUHYox
----------------------------------------------------------------------------
+++ Validating quote's epid_group_id against msg1
msg1.egid = e30a0000
msg3.quote.epid_group_id = e30a0000
+++ Trying agent_wget

---- IAS report HTTP Request -----------------------------------------------
HTTP POST https://api.trustedservices.intel.com/sgx/dev/attestation/v3/report
----------------------------------------------------------------------------
+++ POST data written to /tmp/wgetpostgCvbZ2

+++ Reconstructed Subscription Key:     '<sub key>'
+++ IAS Subscription Key (Hex):         <IAS key>
+++ One-time pad:                       db0217eb1b9fdf3f0153f2394b3c6ccc3fa9370fd80eaa4030ed6bf0a9c7d103
+++ Encrypted SubscriptionKey:          <sub key>

+++ Exec: wget --output-document=- --save-headers --content-on-error --no-http-keep-alive --header=Ocp-Apim-Subscription-Key: c4e96b986c714d00b6b8e656764a5b79 --header=Content-Type: application/json --post-file=/tmp/wgetpostgCvbZ2 https://api.trustedservices.intel.com/sgx/dev/attestation/v3/report
--2019-08-07 12:27:56--  https://api.trustedservices.intel.com/sgx/dev/attestation/v3/report
Translacja api.trustedservices.intel.com (api.trustedservices.intel.com)... 40.87.90.88
Łączenie się z api.trustedservices.intel.com (api.trustedservices.intel.com)|40.87.90.88|:443... połączono.
Żądanie HTTP wysłano, oczekiwanie na odpowiedź... 400 Bad Request
Zapis do: `STDOUT'

-                                                                   [ <=>                                                                                                                                                   ]       0  --.-KB/s    w 0s       

2019-08-07 12:27:57 BŁĄD 400: Bad Request.

---- IAS report HTTP Response ----------------------------------------------
HTTP/1.1 400 Bad Request
Content-Length: 0
Request-ID: e70d5d81ed4a4b50b0dfcfbd226b7e54
Date: Wed, 07 Aug 2019 10:27:56 GMT
Connection: close

----------------------------------------------------------------------------
attestation query returned 400: 
Invalid payload
Attestation failed
error processing msg3
Waiting for a client to connect...

AnandakumarNatarajan commented 5 years ago

in my case issue solved by setting LINKABLE=1, since i created spid in linkable method.

now getting 200 response from IAS, but facing cert_stack_build: certificate verification failure

i am using below cert as IAS signing cert, which i got in successfull report api response header,

AnandakumarNatarajan commented 5 years ago

reference from intel sgx forum!

https://software.intel.com/en-us/forums/intel-software-guard-extensions-intel-sgx/topic/814779

it seems there is no option to download IAS signing CA cert from

https://api.portal.trustedservices.intel.com/

which is expected to be fixed soon. until we can't validate cert and sign returned from IAS report request.

jmechalas commented 5 years ago

@kss-espeo I see you are using the wget agent. I'll make another pass through the code and see if anything obvious jumps out. Do you get the same result if you use the curl agent?

Some additional items to check on your end:

Ensure the SPID you are using corresponds to your API key. If you started with the earlier versions of the sample that used the v2 API's (user certificates), be aware that you are issued new SPIDs for use with v3/API authentication.
Ensure you are using the correct key and SPID for the quote type (linkable vs. unlinkable)

jmechalas commented 5 years ago

@anand10717

it seems there is no option to download IAS signing CA cert

I believe this has been addressed. We'll get links to the cert on the IAS portal page shortly, but for now you can download it directly from https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem

kss-espeo commented 5 years ago

Ensure the SPID you are using corresponds to your API key. If you started with the earlier versions of the sample that used the v2 API's (user certificates), be aware that you are issued new SPIDs for use with v3/API authentication.

Ensure you are using the correct key and SPID for the quote type (linkable vs. unlinkable)

@jmechalas I am using v3 linkable keys (generated very recently, double checked) and that's how I configured it in my settings file. I have also tried the same for unlinkable keys, with appropiate config change.

@kss-espeo I see you are using the wget agent. I'll make another pass through the code and see if anything obvious jumps out. Do you get the same result if you use the curl agent?

Is there currently an easy way to change that? I don't believe so, since ./run-server -G returns that:

root@espeo-kspisacki:/home/kspisacki/coding/sgx-ra-sample# ./run-server -G
Available user agents:
wget

Agent_curl implementation exists but it doesn't seem it is hooked anywhere.

jmechalas commented 5 years ago

You need to install the libcurl package on your system. It's detected by 'configure' and enabled in the software at build if the package is found. The README indicates which package is required.

kss-espeo commented 5 years ago

I have installed everything as per README and indeed, libcurl4-openssl-dev is installed on my system:

root@espeo-kspisacki:/home/kspisacki/coding/gardener-server# apt-get install libcurl4-openssl-dev
Czytanie list pakietów... Gotowe
Budowanie drzewa zależności       
Odczyt informacji o stanie... Gotowe
libcurl4-openssl-dev is already the newest version (7.61.0-1ubuntu2.4).

And still, ./run-server -G returns

root@espeo-kspisacki:/home/kspisacki/coding/sgx-ra-sample# ./run-server -G
Available user agents:
wget

I am using Ubuntu 18.10. Is this relevant, @jmechalas ? I can see docs only mentioning Ubuntu 16.04 and Ubuntu 18.04.

jmechalas commented 5 years ago

Something is amiss with 'configure' if it's not picking up the libcurl libraries. Can you post the output from configure (including what options, if any, you are sending to it)?

kss-espeo commented 5 years ago

There you go, @jmechalas !

root@espeo-kspisacki:/home/kspisacki/coding/sgx-ra-sample# ./configure --with-openssldir=/opt/openssl/1.1.0i
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... no
checking for mawk... mawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for g++... g++
checking whether the C++ compiler works... yes
checking for C++ compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C++ compiler... yes
checking whether g++ accepts -g... yes
checking whether make supports the include directive... yes (GNU style)
checking dependency style of g++... gcc3
checking for gcc... gcc
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking whether gcc understands -c and -o together... yes
checking dependency style of gcc... gcc3
checking how to run the C preprocessor... gcc -E
checking for ranlib... ranlib
configure: Found your Intel SGX SDK in /opt/intel/sgxsdk
configure: enabling SGX... yes
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for xxd... /usr/bin/xxd
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking openssl/evp.h usability... yes
checking openssl/evp.h presence... yes
checking for openssl/evp.h... yes
checking openssl/x509.h usability... yes
checking openssl/x509.h presence... yes
checking for openssl/x509.h... yes
checking openssl/pem.h usability... yes
checking openssl/pem.h presence... yes
checking for openssl/pem.h... yes
checking for library containing ECDSA_SIG_set0... -lcrypto
checking curl/curl.h usability... yes
checking curl/curl.h presence... yes
checking for curl/curl.h... yes
checking for library containing curl_easy_init... -lcurl
checking CA bundle file... /etc/ssl/certs/ca-certificates.crt
checking that generated files are newer than configure... done
configure: creating ./config.status
config.status: creating mrsigner.sh
config.status: creating run-server
config.status: creating run-client
config.status: creating Makefile
config.status: creating Enclave/Makefile
config.status: creating config.h
config.status: config.h is unchanged
config.status: executing depfiles commands

jmechalas commented 5 years ago

checking curl/curl.h usability... yes
checking curl/curl.h presence... yes
checking for curl/curl.h... yes
checking for library containing curl_easy_init... -lcurl

Based on this, it should be adding curl as a user agent. These are the only requirements. I think a make clean followed by a remake might be a good idea here, just to ensure we are working from a known, clean build.

kss-espeo commented 5 years ago

It worked now!

---- IAS report HTTP Response ----------------------------------------------
HTTP/1.1 200 OK
Content-Length: 1169
Content-Type: application/json
Request-ID: dea8014fdd084c1b9b1211fc4001edb6

It is myserious to me why, though. I have done make clean in the past with no luck. I would imagine that either combination of including https://certificates.trustedservices.intel.com/Intel_SGX_Attestation_RootCA.pem and running make clean did the trick or something was changed in IAS API (unlikely)!

Anyway, thanks for your help @jmechalas .

intel / sgx-ra-sample

Running sample code returns 400 when interacting with IAS #28