1 Reply by andrade

(8 replies, posted in wolfSSL)

Hello Jacob,

What a silly mistake, thank you! That fixed that issue.

I have a few more questions regarding certificates. My certificate chain is Root -> Intermediate -> Leaf.

1. Do I have to explicitly check the intermediate certificate, or is it enough to check the leaf certificate (and intermediate certificates in the chain are checked implicitly forming a root to leaf complete chain verification)?

2. I'm loading the intermediate certificate using wolfSSL_CertManagerLoadCABuffer(). Are there functions to load intermediate certificates or is this the correct function?

I'm asking because in the API there are functions to unload both CAs and intermediates – wolfSSL_CertManagerUnloadCAs() and wolfSSL_CertManagerUnloadIntermediateCerts() – but I see nothing to load intermediate certs.

https://www.wolfssl.com/doxygen/group__CertManager.html

3. In my code I'm doing:

wolfSSL_CertManagerLoadCABuffer( Root )
wolfSSL_CertManagerLoadCABuffer( Intermediate )
wolfSSL_CertManagerVerifyBuffer( Intermediate ) // Root checks Intermediate
wolfSSL_CertManagerVerifyBuffer( Leaf ) // Intermediate checks Leaf

Is this the correct way to go about it?

I'm currently getting an error: "wolfSSL_CertManagerLoadCABuffer() failed (-155): ASN sig error, confirm failure" in the wolfSSL_CertManagerVerifyBuffer( Intermediate )". According to the API, the error indicates the signature could not be verified. But I've checked my certificate chain using OpenSSL and it gets verified successfully.

Go to forum: wolfSSL

2 Reply by andrade

(8 replies, posted in wolfSSL)

Hello,

I'm trying to redo my certificates chain validation without resorting to the OpenSSL compatibility layer, and using only wolfSSL functions.

The SGX enclave does not have access to the filesystem. Only one of the examples you mentioned seems to load the certificates from a buffer (and not through a file path):
https://github.com/wolfSSL/wolfssl-exam … fybuffer.c

I managed to get this example running inside an enclave. However, when I replace the original certificates of the example with my own certificates it fails on the first wolfSSL_CertManagerLoadCABuffer with error -162 (Couldn't find PEM header). But my certificates do have the PEM headers and the chain verifies correctly using the OpenSSL command line.

My certificates are as follows:

static const byte authCert[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv+xzXnVd95RmxYLMNdXt\n"
"6PNF1kJIHyWbpNFaEP7SNrrgFCrGTYAbhWua8iNcdgaLNw6a410JHpnQJzgT612n\n"
"Brut86YWQnqX4X7eB3y3uvl1+EomujQSxLen+0kybnFgdbYJXzXao6JeEtEOY8PT\n"
"tg0T8msgsnY19qX066v9KixPytWiA7obu44zr1uWSgUttN5lDzZYmpo9sPZTb0JM\n"
"dZIByykRfZtWXcxVMe8xxzcVjrs+KTv/mjp+f4va92nO/76uSnRLO5JtX63xDhDY\n"
"QLwlJ69ASqUS7AuAeeiYDAqhMjodKmsq7pH458frAgoaVxHeK3+xIWBVgQ3yLtmo\n"
"Kpa5UjDdNTAR/sFlhWDVJdzQQq8rUwXlgPxIwrs9rDzK8v9ZOhQFN3eF9J8RDKe2\n"
"lUHergl6sQ/1By1PmktoCGm3u++4QwTZHBoncyZmVnBsQVWfQbSRKP9QcIFenCLE\n"
"Hi5E0BH0RMt8dTeA0PnvR/7Q15P3UCU/IigWmytPjpIGa2Xn8zrz1WVJLp7qL01v\n"
"/NMphmcmHlaBIqcfgS76N1USub9B4VwW1c5GFtocv/gzOg3xXxVSmjuzOP4KO2Wz\n"
"wM0XiUjMQ1X+9sMxHXT3kuR20A3zWf36XyzOONSYK3cVwjnT+gnYi3Tj/CEtJ74/\n"
"MWvAvtk7jAIp/DvSIVYS3/UCAwEAAQ==\n"
"-----END PUBLIC KEY-----\n";

static const byte testCert1[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvWeVHAwMQ/hj+9uYkhKy\n"
"CLxkFD79ShgXSCbWr/4po3KUvrKDG8bmrTeRXFSyooj18jI9xnLpc4tJWkWtlFAo\n"
"kwulWbEshmfN/QRxH1B9Tz6TDclIf+Ukh8oFI0T3shBehGkhrpkaolPDJD7e9SdT\n"
"GOj0NA/yBUynpkD6qZ5JRmZhmhUr6i3sq80A4Y5bwrBHdRTAzgL9Ho3hezbLwsXb\n"
"qLOApLfb0sZ8LRiVuHRjwwqCCmysE8dQLsnYZ2xDtkrC++eylMAek84wUbU9QPBd\n"
"pPv5QE3yD+wJ8A5hq2wSjM/xJneo7BNspZFEBcODF5uTkUmn32HQWveaFvNXceMR\n"
"qFlKSXPTTBQ6TCuf0FnGmnTREDpdnd0oBYR5370oUL5KtDUtJ7Fhs4oAYtUwnEIL\n"
"Yk2Oj6b5UXPQyf6bFFusn5vi1XTCyF2ZZINvP8Qef/EfP5rZWIDaYX5S3W4WMDI2\n"
"9aBKOOXfrntwCAN4Zgsix1PsYcVvadvIvIpzkQAu1ScEP30oAQP4NmceCTyERtZo\n"
"662l/gwWwy99jzVo6FmOTWdS+U4yb7hOfVPHw5Plg4djraN6t0J97ux2kNmDROel\n"
"8j5nenfqaQlNmbON6fCIB1xAJN/SDHhv0cFSYhNVnuYrJFfZS7AB4akwpnEzhXYT\n"
"bNdZ6EZPzSv86FMmZrQ0f1MCAwEAAQ==\n"
"-----END PUBLIC KEY-----\n";

static const byte testCert2[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx+DhUGmKmbfEoNyDXHjh\n"
"GO9nrXVcuVNxRRN+D3DFR6JmeUl6VBcO3asOYr9bS0on53yW1ivpb4ZYY5iP3AIG\n"
"iTKVMICvkGBxUYQZxobkeiVntt9AklUHloLc7irNrjp9bLKAmytdK2f/aAsB5+zK\n"
"mMQoXZWOoE+k1iN38r4qjmShCmwKeSG1wIx0YkeQkNZpF/nsQgpWN23MdPqyCPhT\n"
"434OMQA1OAK4DXTm9fB9DysQQFPuSxLhKIzH6ZgNLc3rEZkM+Km2XBkpRJZqJZqx\n"
"SUyo83+Ux6l1yaAm3fUQxtf9y+yiKZN84KWtsXczrBjGPFY7YUpaE2276cc1ilO+\n"
"ECRTTk59mxXtvFKBdX0pTOjR5dgHPayqfeZrtptJTDuCECfcXV5j/gDJmu190ftu\n"
"qCt4u0fOMqRI08XOMO88ha42J081dNJc555+4aTM4N3qOf2hfxuLwSY+vWe1W7s6\n"
"e5WFQz6ruAC8Va9mR9ieXBXTv6M2sU4PiBa2HicAsjm5EL0LkBMsTffQzT2Zfidx\n"
"WzCyB/xFSamuErbq/9kW5SU5sd7XDuBqKP1ogDT2HWRwIRyU9hp0CSVZx4IeXGh+\n"
"1d9RpldUCGKwNJC8JMcU28eCC2yF0LsopGsecJB4jWJWyW7aWrfOCi1nokiCFpXn\n"
"d3RadQtwd1fOgFoaLRLHqK8CAwEAAQ==\n"
"-----END PUBLIC KEY-----\n";

Why am I getting this PEM header error?

Go to forum: wolfSSL

3 Reply by andrade

(8 replies, posted in wolfSSL)

Hello Jacob,

I've already built the library and run the official example successfully. But there are functions that are defined in libwolfssl.a/so but are undefined in libwolfssl.sgx.static.lib.a.

Below I've added the steps I've done compiling the official library and running the official SGX example to show more clearly what is the problem. (This is for branch v5.8.2-stable but I've tried branch master and the results are the same.)

---

1. First cloned and compiled wolfSSL (OK):

$ git clone git@github.com:wolfSSL/wolfssl.git
$ cd wolfssl
$ git checkout v5.8.2-stable
$ ./autogen.sh
$ ./configure --enable-static --enable-all --enable-debug
$ make

$ cd IDE/LINUX-SGX/
$ ls -l ../../wolfssl/options.h   (check file is there)
-rw-rw---- 1 daniel daniel 16129 set 29 16:55 ../../wolfssl/options.h
$ make -f sgx_t_static.mk all
(...)
LINK =>  libwolfssl.sgx.static.lib.a

2.1. Then cloned and compiled the official example (Fails out of the box):

$ git clone git@github.com:wolfSSL/wolfssl-examples.git
$ cd wolfssl-examples/SGX_Linux/
$ export WOLFSSL_ROOT=../../wolfssl
$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=../../wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=0 HAVE_WOLFSSL_BENCHMARK=0 all
(...)
/usr/bin/ld: cannot find -lsgx_tstdcxx: No such file or directory
collect2: error: ld returned 1 exit status
(...)

2.2 The error is because of `-lsgx_tstdcxx`, there's an open bug report on this (https://github.com/wolfSSL/wolfssl-examples/issues/284). I replaced it, in `sgx_t.mk`, with `-lsgx_tcxx` and compiled the official example again (OK):

$ make clean
$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=../../wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=0 HAVE_WOLFSSL_BENCHMARK=0 all
(...)
Succeed.
SIGN =>  Wolfssl_Enclave.signed.so

2.3. I run the server-client example successfully (OK).

3. To check whether the missing definitions is a problem with my code or with the wolfSSL official library, I've added a function needed to load a certificate to the official example. The line isn't meant to do anything, only check whether the definition is in the wolfSSL library `libwolfssl.sgx.static.lib.a` (it isn't). (I've added a screenshot with `$ git diff` to show the changes.)

I've added the line wolfSSL_X509_load_certificate_buffer(NULL, 0, 1); (Line 164) to the function enc_wolfSSL_Init in enclave file trusted/Wolfssl_Enclave.c. Then compile (Fails):

$ make clean
$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=../../wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=0 HAVE_WOLFSSL_BENCHMARK=0 all
(...)
/usr/bin/ld: trusted/Wolfssl_Enclave.o: in function `enc_wolfSSL_Init':
Wolfssl_Enclave.c:(.text+0x54): undefined reference to `wolfSSL_X509_load_certificate_buffer'
collect2: error: ld returned 1 exit status
make[1]: *** [sgx_t.mk:147: Wolfssl_Enclave.so] Error 1

As seen from the error, wolfSSL_X509_load_certificate_buffer is missing from the official wolfSSL SGX library itself. This undefined reference isn't an issue with my code. (My previous post has nm output.)

---

This (wolfSSL_X509_load_certificate_buffer) is one of several functions (that I'm using in my code) missing from libwolfssl.sgx.static.lib.a. But these functions do appear in libwolfssl.a and libwolfssl.so.

Question: How can I compile wolfSSL SGX in such a way wolfSSL_X509_load_certificate_buffer is defined in libwolfssl.sgx.static.lib.a so that I can use it in an enclave?

---

The list of wolfSSL functions I'm using in my code but are undefined in libwolfssl.sgx.static.lib.a is:

```
undefined reference to `wolfSSL_X509_load_certificate_buffer'
undefined reference to `wolfSSL_X509_STORE_new'
undefined reference to `wolfSSL_X509_STORE_add_cert'
undefined reference to `wolfSSL_X509_load_certificate_buffer'
undefined reference to `wolfSSL_sk_X509_new_null'
undefined reference to `wolfSSL_sk_X509_push'
undefined reference to `wolfSSL_X509_load_certificate_buffer'
undefined reference to `wolfSSL_X509_STORE_CTX_new'
undefined reference to `wolfSSL_X509_STORE_CTX_init'
undefined reference to `wolfSSL_X509_verify_cert'
undefined reference to `wolfSSL_X509_STORE_free'
undefined reference to `wolfSSL_X509_free'
undefined reference to `wolfSSL_X509_free'
undefined reference to `wolfSSL_X509_free'
undefined reference to `wolfSSL_sk_X509_free'
```

Go to forum: wolfSSL

4 Reply by andrade

(8 replies, posted in wolfSSL)

Hello,

I'm working on an academic research project with trusted execution environments, one of which is Intel SGX. This bit of code I'm working on is part of the attestation process. A client receives an attestation report as part of our protocol, and the client needs to validate the attestation report. This includes: 1) ensuring the certificate chain is valid, 2) ensuring the root key is known to the client, and 3) verifying the sender's signature over the attestation report (compute hash of report and then check signature).

The code I'm having trouble with validates de chain (1) and verifies the signature over the attestation report (3). Since it's working outside the enclave, in TEE terminology in the untrusted domain (i.e., the normal code), I suspect this could be related to how I'm compiling my code and how I'm compiling the wolfSSL library for use in SGX enclaves.

In addition to the unknown types errors in my previous post, several of the wolfSSL functions don't seem to be available in the SGX version of the library (below only the function wc_CertPemToDer is defined, the other functions that I use in my code are missing):

$ nm src/.libs/libwolfssl.a | grep -P "wc_CertPemToDer|wolfSSL_X509_load_certificate_buffer|wolfSSL_X509_STORE_new|wolfSSL_sk_X509_new_null"
000000000001ce7f T wc_CertPemToDer
000000000008dca4 T wolfSSL_sk_X509_new_null
000000000007d4c7 T wolfSSL_X509_load_certificate_buffer
0000000000095e3c T wolfSSL_X509_STORE_new

$ nm src/.libs/libwolfssl.so | grep -P "wc_CertPemToDer|wolfSSL_X509_load_certificate_buffer|wolfSSL_X509_STORE_new|wolfSSL_sk_X509_new_null"
0000000000181f81 T wc_CertPemToDer
0000000000318bc1 T wolfSSL_sk_X509_new_null
00000000003083db T wolfSSL_X509_load_certificate_buffer
0000000000320d59 T wolfSSL_X509_STORE_new

$ nm IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a | grep -P "wc_CertPemToDer|wolfSSL_X509_load_certificate_buffer|wolfSSL_X509_STORE_new|wolfSSL_sk_X509_new_null"
000000000000a620 T wc_CertPemToDer

I don't know whether I need to include options.h or user_settings.h. (I'm new to wolfSSL so I'm not sure I need it.) This is for a proof-of-concept on a desktop machine, I don't have any constraints in terms of library size, for example, so I don't mind having a larger library. I compiled it with `--enable-static --enable-all --enable-debug`.

Regards,
Daniel

Go to forum: wolfSSL

5 Topic by andrade

(8 replies, posted in wolfSSL)

Hello,

My code to validate a certificate chain and a signature does not compile when inside an enclave. I'm using v5.8.2-stable. Compilation throws errors:

/home/daniel/res/gitsaves/wolfssl/wolfssl/wolfcrypt/random.h:197:5: error: unknown type name ‘pid_t’
  197 |     pid_t pid;
      |     ^~~~~
In file included from /home/daniel/res/gitsaves/wolfssl/wolfssl/ssl.h:262:
/home/daniel/res/gitsaves/wolfssl/wolfssl/wolfio.h:529:5: error: unknown type name ‘SOCKADDR’
  529 |     SOCKADDR sa;
      |     ^~~~~~~~
/home/daniel/res/gitsaves/wolfssl/wolfssl/wolfio.h:530:5: error: unknown type name ‘SOCKADDR_IN’
  530 |     SOCKADDR_IN sa_in;
      |     ^~~~~~~~~~~

(The code works outside the enclave, though, with normal wolfSSL.)

I've placed the code in a github repository:
https://github.com/andrade/iamstuck/tre … verify-sgx

Could I get some pointers on how to fix this?

Regards,
Daniel

Go to forum: wolfSSL

6 Reply by andrade

(2 replies, posted in wolfCrypt)

Hello,

Thank you for the workaround, Kareem, that works.

I've also tried creating a new set of certificates with positive serial numbers and can now run the code successfully without the 

CFLAGS='-DWOLFSSL_ASN_ALLOW_0_SERIAL'

.

Thank you,
Daniel

Go to forum: wolfCrypt

7 Topic by andrade

(2 replies, posted in wolfCrypt)

Hello,

I'm working on wolfSSL in an academic setting. This is part of a larger code base that is using wolfSSL + SGX.

Context: My main code base (currently private) was throwing errors on the SGX part when I added code to validate a certificate chain and a signature. For example, `error: unknown type name ‘time_t’`. In order to track down the issue, to see if this is a problem with my code or with wolfSSL, I was trying to create a separate MWE with only this block of code (to run outside SGX, i.e. with normal wolfSSL).

Current problem: This smaller chunk of code is not throwing errors when compiling, but the output is different depending on the wolfSSL version in use:
- With v5.6.6-stable it works as expected (the output is all zeros).
- With v5.8.2-stable, however, the code errors out when trying to load the first certificate.

The code fails in function 

wolfSSL_X509_load_certificate_buffer

(L162) with the error ASN_PARSE_E.

I've placed the code in a git repo:
https://github.com/andrade/iamstuck/tre … ain-verify

In addition, the README has the output of the code when run with 5.6.6 (same version as in Ubuntu repositories) and with 5.8.2, which is the latest stable version.

Any idea on what is wrong?

Regards,
Daniel

Go to forum: wolfCrypt