intel / sgx-ra-sample

wget HTTP Request Fails with 400 Bad Request #75

Closed xanderdunn closed 2 years ago

xanderdunn commented 2 years ago

I'm using sgx-ra-sample on latest master:

$ git log
commit 53445084bd4a5709ec3cd8d168f37e46b6ae9f14 (HEAD -> master, origin/master, origin/HEAD)
Merge: 876dde7 6b95b36
Author: John Mechalas <john.p.mechalas@intel.com>
Date:   Mon Apr 26 08:35:24 2021 -0700

    Merge pull request #67 from ScottR-Intel/SigRL-Fix

    Added required BASE64 decoding of SigRL.

I'm on Ubuntu 18.04:

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:    18.04
Codename:   bionic

I have curl installed:

$ sudo apt install libcurl4-openssl-dev
Reading package lists... Done
Building dependency tree
Reading state information... Done
libcurl4-openssl-dev is already the newest version (7.58.0-2ubuntu3.16).
The following package was automatically installed and is no longer required:
  googletest
Use 'sudo apt autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 1 not upgraded.

I have OpenSSL 1.1.1:

$ openssl version
OpenSSL 1.1.1  11 Sep 2018

Configure finds curl:

$ ./bootstrap
$ ./configure
...
checking curl/curl.h usability... yes
checking curl/curl.h presence... yes
checking for curl/curl.h... yes
checking for library containing curl_easy_init... -lcurl
...
$ make
...

I signed up and got a dev linkable subscription SPID, primary, and secondary key and put them in the settings file.

I start the server and the client:

$ ./run-server --verbose --debug
$ ./run-client --linkable --verbose --debug

The wget command is failing on the server side on msg3:

+++ Validating quote's epid_group_id against msg1
msg1.egid = 130c0000
msg3.quote.epid_group_id = 130c0000
+++ Trying agent_wget

---- IAS report HTTP Request -----------------------------------------------
HTTP POST https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
----------------------------------------------------------------------------
+++ POST data written to /tmp/wgetpost7OLukj

+++ Reconstructed Subscription Key: 'f46c28c6228841df9e4cb6b7190cc16c'
+++ IAS Subscription Key (Hex):     6634366332386336323238383431646639653463623662373139306363313663
+++ One-time pad:           242f74148a70a9125addc8d90252616420c8930d5663ab1dd7d244474174a65f
+++ Encrypted SubscriptionKey:      421b4277b848ca2468eff0e13663050219ada76e3455c92ae6eb74242245903c

+++ Exec: wget --output-document=- --save-headers --content-on-error --no-http-keep-alive --header=Ocp-Apim-Subscription-Key: f46c28c6228841df9e4cb6b7190cc16c --header=Content-Type: application/json --post-file=/tmp/wgetpost7OLukj https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
--2021-12-19 22:11:46--  https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
Resolving api.trustedservices.intel.com (api.trustedservices.intel.com)... 40.87.90.88
Connecting to api.trustedservices.intel.com (api.trustedservices.intel.com)|40.87.90.88|:443... connected.
HTTP request sent, awaiting response... 400 Bad Request
Saving to: ‘STDOUT’

-                                     [ <=>                                                          ]       0  --.-KB/s    in 0s

2021-12-19 22:11:46 ERROR 400: Bad Request.

---- IAS report HTTP Response ----------------------------------------------
HTTP/1.1 400 Bad Request
Content-Length: 0
Request-ID: 31c81f723245491098c67144b7798b64
Date: Mon, 20 Dec 2021 03:11:45 GMT
Connection: close

----------------------------------------------------------------------------
attestation query returned 400:
Invalid payload
Attestation failed
error processing msg3

Furthermore, run-server doesn't find curl:

$ ./run-server -G
Available user agents:
wget

When I try to manually run the wget command it shows:

$ wget --output-document=- --save-headers --content-on-error --no-http-keep-alive --header=Ocp-Apim-Subscription-Key: f46c28c6228841df9e4cb6b7190cc16c --header=Content-Type: application/json --post-file=/tmp/wgetpostbCbf3H https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
-2021-12-19 22:27:55--  http://f46c28c6228841df9e4cb6b7190cc16c/
BODY data file ‘/tmp/wgetpostbCbf3H’ missing: No such file or directory
--2021-12-19 22:27:55--  http://application/json
BODY data file ‘/tmp/wgetpostbCbf3H’ missing: No such file or directory
--2021-12-19 22:27:55--  https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
BODY data file ‘/tmp/wgetpostbCbf3H’ missing: No such file or directory
$ touch /tmp/wgetpostbCbf3H
# There's also an extra space in the header, trying again:
$ wget --output-document=- --save-headers --content-on-error --no-http-keep-alive --header=Ocp-Apim-Subscription-Key:f46c28c6228841df9e4cb6b7190cc16c --header=Content-Type: application/json --post-file=/tmp/wgetpostbCbf3H https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
-2021-12-19 22:30:21--  http://application/json
Resolving application (application)... failed: Temporary failure in name resolution.
wget: unable to resolve host address ‘application’
--2021-12-19 22:30:21--  https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report
Resolving api.trustedservices.intel.com (api.trustedservices.intel.com)... 40.87.90.88
Connecting to api.trustedservices.intel.com (api.trustedservices.intel.com)|40.87.90.88|:443... connected.
HTTP request sent, awaiting response... 415 Unsupported Media Type
Saving to: ‘STDOUT’
HTTP/1.1 415 Unsupported Media Type
Content-Length: 0
Request-ID: 8f2e45a01b274cad90b5d85b9d38f8b9
Date: Mon, 20 Dec 2021 03:30:21 GMT
Connection: close

-                                     [ <=>                                                          ]       0  --.-KB/s    in 0s

2021-12-19 22:30:21 ERROR 415: Unsupported Media Type.

I can't find a way to make this wget request work manually.

Note that the key in the above snippets has been revoked.
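
Added example (not part of the original issue and not code from sgx-ra-sample): the `+++ Exec:` line in the log above is printed without shell quoting, so pasting it into a shell splits each `--header=` value at its space and wget treats the leftover pieces as URLs, as the manual runs show. The sketch below reproduces that split with `shlex` and rebuilds a paste-safe command; the key and the `/tmp` file name are constructed placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed stand-in for the logged "+++ Exec:" line. The subscription key
# and the /tmp path are placeholders, not values taken from the issue.
LOGGED = (
    "wget --output-document=- --save-headers --content-on-error "
    "--no-http-keep-alive "
    "--header=Ocp-Apim-Subscription-Key: 00000000000000000000000000000000 "
    "--header=Content-Type: application/json "
    "--post-file=/tmp/wgetpostEXAMPLE "
    "https://api.trustedservices.intel.com/sgx/dev/attestation/v4/report"
)


def stray_arguments(command_line):
    """Return the bare operands wget receives, which it treats as URLs."""
    argv = shlex.split(command_line)  # same word splitting a POSIX shell does
    return [arg for arg in argv[1:] if not arg.startswith("-")]


def repair_argv(command_line):
    """Re-attach a header value that word splitting cut off from its option."""
    fixed = []
    for tok in shlex.split(command_line):
        prev = fixed[-1] if fixed else ""
        # A "--header=Name:" token ending in ':' lost its value to the next
        # token, unless that next token is itself another option.
        if (prev.startswith("--header=") and prev.endswith(":")
                and not tok.startswith("-")):
            fixed[-1] = prev + " " + tok
        else:
            fixed.append(tok)
    return fixed


def paste_safe(command_line):
    """Shell-quoted form of the repaired argv, safe to paste into sh or bash."""
    return shlex.join(repair_argv(command_line))


if __name__ == "__main__":
    print("operands wget would try to fetch:", stray_arguments(LOGGED))
    print("paste-safe command:")
    print(paste_safe(LOGGED))
```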

xanderdunn commented 2 years ago

Still haven't figured out why curl isn't found, but I did get past the 400 Bad Request error. I realized passing --linkable to the client isn't enough; I also need to set LINKABLE=1 in the settings file for the server. However, I'm currently not getting a TRUSTED response:

---- ISV Enclave Trust Status ----------------------------------------------
Enclave NOT TRUSTED - Reason: SW_HARDENING_NEEDED
A Platform Info Blob (PIB) was NOT provided by the IAS

I'm using SDK version 2.15:

wget https://download.01.org/intel-sgx/latest/linux-latest/distro/ubuntu18.04-server/sgx_linux_x64_sdk_2.15.101.1.bin

xanderdunn commented 2 years ago

I'm running on an SGX machine in Azure. Based on the post here it looks like this is the highest level of trust I will be able to receive from the Intel attestation process given the processor in use.