microsoft / CCF

Confidential Consortium Framework
https://microsoft.github.io/CCF/
Apache License 2.0

SGX enclaves fail to load as oe_verify_report fails with OE_VERIFY_CRL_EXPIRED #103

Closed jumaffre closed 5 years ago

jumaffre commented 5 years ago

Our CI and local build on machines supporting SGX currently fail, e.g.:

 ./cchost --enclave-file=./libsmallbankenc.so.signed --raft-election-timeout-ms=100000 --raft-host=127.37.17.198 --raft-port=59176 --tls-host=127.37.17.198 --tls-pubhost=127.37.17.198 --tls-port=57458 --ledger-file=0.ledger --node-cert-file=0.pem --enclave-type=debug --log-level=info --quote-file=quote0.bin
[info]../src/host/main.cpp:245 -  - Starting new node.
[info]../src/host/main.cpp:263 -  - Created new node.
15:08:16:190698 tid(0x7fc841795740) (H)[ERROR]:OE_BUFFER_TOO_SMALL[../host/crypto/openssl/cert.c oe_cert_find_extension:991]
15:08:16:190715 tid(0x7fc841795740) (H)[ERROR]:OE_BUFFER_TOO_SMALL[../host/crypto/openssl/cert.c oe_cert_find_extension:991]
15:08:17:376146 tid(0x7fc841795740) (H)[ERROR]X509_verify_cert failed!
 error: (12) CRL has expired
 (oe_result_t=OE_VERIFY_CRL_EXPIRED)[../host/crypto/openssl/cert.c oe_cert_verify:721]
15:08:17:376170 tid(0x7fc841795740) (H)[ERROR]oe_cer_verify failed with error = CRL has expired
 (oe_result_t=OE_VERIFY_CRL_EXPIRED)[../common/sgx/revocation.c oe_enforce_revocation:248]
15:08:17:376174 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376176 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376177 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376179 tid(0x7fc841795740) (H)[ERROR]enforcing CRL (oe_result_t=(null))[OE_VERIFY_CRL_EXPIRED ../common/sgx/quote.c:5139712]
15:08:17:376183 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/key.c oe_public_key_free:314]
15:08:17:376185 tid(0x7fc841795740) (H)[ERROR]:OE_INVALID_PARAMETER[../host/crypto/openssl/cert.c oe_cert_chain_free:595]
15:08:17:376187 tid(0x7fc841795740) (H)[ERROR]:OE_VERIFY_CRL_EXPIRED[../host/sgx/report.c oe_verify_report:315]
[fail]../src/host/enclave.h:154 -  - Quote could not be verified: OE_VERIFY_CRL_EXPIRED
[fatal]../src/host/main.cpp:289 -  - Verification of local node quote failed
terminate called after throwing an instance of 'std::logic_error'
  what():  Fatal: [fatal]../src/host/main.cpp:289 -  - Verification of local node quote failed

See https://github.com/microsoft/openenclave/issues/1842 for further details.

achamayou commented 5 years ago

The issue seems to have been in the az-dcap-client or further upstream caching the CA CRL for an incorrect amount of time.
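An added check, not code from CCF, Open Enclave or az-dcap-client, that a defender can run against a cached CRL file to see whether its nextUpdate has already passed, which is the condition oe_verify_report reports above as OE_VERIFY_CRL_EXPIRED. It uses only the Python standard library, walks just enough DER to reach the validity fields, does not verify the CRL signature, and build_demo_crl constructs an unsigned sample CRL purely so the check can be exercised offline.

```python
from datetime import datetime, timezone

def _tlv(data, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    while start < end:                     # yield (tag, value) of each child element
        tag, vs, ve = _tlv(data, start)
        yield tag, data[vs:ve]
        start = ve

def _time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware UTC datetime."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, s, _ = _tlv(der, 0)                 # CertificateList ::= SEQUENCE
    _, ts, te = _tlv(der, s)               # tbsCertList ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0x02:               # optional version INTEGER
        fields.pop(0)                      # then: signature, issuer, thisUpdate, [nextUpdate]
    has_next = len(fields) > 3 and fields[3][0] in (0x17, 0x18)
    return _time(*fields[2]), (_time(*fields[3]) if has_next else None)

def crl_is_expired(der, now_iso=None):
    """True when nextUpdate lies in the past; 'now' can be pinned as an ISO string for tests."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc) if now_iso else datetime.now(timezone.utc)
    _, next_update = crl_validity(der)
    return next_update is not None and next_update < now

def _der(tag, body):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n, size = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + body

def build_demo_crl(this_update, next_update):
    """Constructed, UNSIGNED CRL skeleton from UTCTime strings such as '190601000000Z'; demo only."""
    ecdsa_sha256 = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    tbs = _der(0x30, _der(0x02, b"\x01") + ecdsa_sha256 + _der(0x30, b"")
               + _der(0x17, this_update.encode()) + _der(0x17, next_update.encode()))
    return _der(0x30, tbs + ecdsa_sha256 + _der(0x03, b"\x00"))
```

Run crl_is_expired over the CRL files a DCAP client has cached: a True result for a file that is still being served from cache is the stale-cache condition this issue describes.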