Topic: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

I want to verify the certificate chain in an SGX enclave. The client sets the certificate chain with the function , but when I call the function wolfSSL_X509_verify_cert to verify the certificate chain, it reports "undefined reference to `wolfSSL_X509_verify_cert'". I checked the source code and found that the function named wolfSSL_X509_verify_cert needs the macro "NO_CERTS". I added the option "NO_CERTS" and built libwolfssl.sgx.static.lib.a again, but it reported errors such as internal.c:20620:41: error: ‘Buffers {aka struct Buffers}’ has no member named ‘key’, etc.


Does wolfSSL not support verifying a certificate chain in an SGX enclave?


Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

@zhq0918,

Are you working on Linux or Windows?

You will need to set either OPENSSL_EXTRA or OPENSSL_ALL in your settings. If working on Linux, you would do this in the SGX makefile wolfssl/IDE/LINUX-SGX/sgx_t_static.mk

Look for the line: Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX and add this below that line to gain access to the X509 APIs:

Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -DOPENSSL_EXTRA

If working on Windows, add it in the custom user_settings.h for SGX.

Regards,

K

3 (edited by zhq0918 2019-05-16 19:07:03)

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

Thank you @Kaleb, I tried it, but when I make my file I get this problem, as follows:
/wolfssl/IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a(ssl.o): In function `wolfSSL_BIO_free':
ssl.c:(.text+0x435b): undefined reference to `close'
collect2: error: ld returned 1 exit status
Makefile:287: recipe for target 'Wolfssl_Enclave.so' failed.
Apart from the parameter "-DOPENSSL_EXTRA", do I have anything else to do?

Regards
zhang


Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

I tried adding "-DOPENSSL_ALL" and ran make. It reported the message: undefined reference to `wolfSSL_X509_verify_cert'


5 (edited by Kaleb J. Himes 2019-05-23 07:52:36)

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

zhq0918,

close is a file system API. Like printf or scanf, it is a system-level API that the enclave knows nothing about. You will need to adjust the library includes in the makefile to compensate. Libraries are pulled in with the -l<libname> specifier. I highly recommend reading some of the Intel forums on these questions, as many have been asked and answered there.

The Intel documentation is also very helpful: https://software.intel.com/en-us/downlo … oper-guide

[EDIT 23 May 2019, see https://github.com/wolfSSL/wolfssl-examples/issues/152]

For calls to things like close and open you will need to write untrusted out calls to the system for the enclave to be able to utilize them, i.e.:

Step 1: Check out https://github.com/wolfSSL/wolfssl-exam … _Enclave.c and see how we made functions for printf, recv, send, current_time, etc. The enclave can't even call "printf" because it doesn't have access to the system. It doesn't know what the stdout stream is, so we have to give the enclave access to those system-level functions via untrusted out calls. Write a close function in https://github.com/wolfSSL/wolfssl-exam … _Enclave.c and have it call ocall_close, passing along the item to be closed.

Step 2: Prototype ocall_close so the enclave can call out to the untrusted execution space. Prototype this ocall in https://github.com/wolfSSL/wolfssl-exam … nclave.edl in the untrusted { } section.

Step 3: Write the ocall_close in the untrusted application https://github.com/wolfSSL/wolfssl-exam … ted/App.c. Have it call the system function "close" on the item to be closed.


Warm Regards,

K
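
The three steps above, written out as an added example (not code from the wolfssl-examples repository): the EDL declaration, the untrusted ocall_close in App.c, and the trusted close shim that wolfSSL_BIO_free will link against. The sgx_status_t type and the proxy function that sgx_edger8r normally generates from the EDL are replaced by stand-ins so the file compiles and runs outside the SGX SDK; the shim is named enclave_close here only so it does not collide with libc's close(2) in this stand-alone build. Everything not named close or ocall_close is an assumption of this example.

```c
/* Added example of the OCALL pattern for close(2).
 *
 * 1) Wolfssl_Enclave.edl, untrusted section (not compiled here):
 *        untrusted {
 *            int ocall_close(int fd);
 *        };
 *    sgx_edger8r turns this into a proxy in Wolfssl_Enclave_t.h:
 *        sgx_status_t ocall_close(int* retval, int fd);
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Stand-in for sgx_status_t from sgx_error.h (assumption: only two values needed). */
typedef enum { SGX_SUCCESS = 0, SGX_ERROR_UNEXPECTED = 1 } sgx_status_t;

/* 3) Untrusted side, App.c: the real close(2) runs here, outside the enclave. */
int ocall_close(int fd)
{
    return close(fd);
}

/* Stand-in for the generated proxy. In a real build sgx_edger8r emits this and
 * it performs the enclave exit/re-entry; here it just calls the app function. */
static sgx_status_t ocall_close_proxy(int *retval, int fd)
{
    *retval = ocall_close(fd);
    return SGX_SUCCESS;
}

/* 2) Trusted side, Wolfssl_Enclave.c. In the enclave this function is named
 * close so the linker resolves wolfSSL_BIO_free's reference; it is renamed
 * here only to avoid clashing with libc's close(2) in this stand-alone build. */
int enclave_close(int fd)
{
    int ret = -1;
    sgx_status_t st;

    /* Reject obviously bad descriptors before leaving the enclave at all. */
    if (fd < 0)
        return -1;

    st = ocall_close_proxy(&ret, fd);

    /* Everything that comes back across the OCALL boundary is untrusted: the
     * app can return any integer. Normalise to the close(2) contract (0 or -1)
     * and never make a security decision inside the enclave based on it. */
    if (st != SGX_SUCCESS || (ret != 0 && ret != -1))
        return -1;
    return ret;
}

/* Self-check: open a descriptor, close it through the trusted shim and
 * confirm the kernel really released it. Returns 1 on success, 0 otherwise. */
int close_roundtrip_ok(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    if (enclave_close(fd) != 0)
        return 0;
    if (fcntl(fd, F_GETFD) != -1 || errno != EBADF)
        return 0;                      /* still open: the ocall did not run */
    if (enclave_close(fd) != -1)
        return 0;                      /* double close must report failure */
    return 1;
}

int main(void)
{
    printf("close round trip through the shim: %s\n",
           close_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The same pattern applies to open, read, write or any other libc call the linker reports as undefined: the enclave side only validates arguments and forwards, the untrusted side does the I/O, and the return value is sanity-checked on the way back in.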

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

@zhq0918,

Can you tell us what the product you are working on will do and what or who is driving the project?

Regards,

K

7 (edited by zhq0918 2019-05-19 20:34:14)

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

@Kaleb, now that I'm working on wolfSSL and SGX, I want to try to verify the client-side certificate in the enclave. But when I execute functions such as wolfSSL_X509_verify_cert, wolfSSL_X509_notBefore, wolfSSL_X509_notAfter and wolfSSL_CertManagerVerifyBuffer, those functions all report errors.
Regards
zhq0918


Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

zhq0918,

If you are looking to verify the client side certificate can you help me understand what you mean by that:

1) Are you trying to verify the client certificate before sending it to the server?
2) Are you trying to verify the client certificate after the server receives it?

If you are trying to do mutual authentication (case 2 above) you do not need to use the APIs you are trying to work with; you would just use:

wolfSSL_CTX_use_certificate -> On the server side load the server cert, on the client use it to load the client cert
wolfSSL_CTX_use_PrivateKey -> On the server side load the server private key, on the client use it to load the client private key
wolfSSL_CTX_load_verify -> On the server load the client's ROOT CA, on the client use it to load the server's ROOT CA.

Then wolfSSL will internally do the verification for you.

Warm Regards,

K

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

Hi Kaleb. My main purpose is to do mutual authentication. Can only the three methods you mentioned (wolfSSL_CTX_use_certificate, wolfSSL_CTX_use_PrivateKey, wolfSSL_CTX_load_verify) complete the mutual authentication? Doesn't it need to verify the signature and certificate chain and so on? I think the authentication of identity includes the certificate subject, validity period, certificate signature and certificate chain verification, etc. So I used the functions I mentioned.
Regards
zhq0918


Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

@zhq0918,

If you are trying to do mutual authentication then YES, the above noted APIs are all you need. wolfSSL will internally verify the certificate's expiration date, the validity of its signature based on whatever cert the server has loaded to verify the client with, and any extensions and their validity within the cert. The client will do the same:

SERVER SIDE:

wolfSSL_CTX_load_verify_[locations | buffer] - Load the ROOT CA that signed the --CLIENT'S-- certificate chain.

wolfSSL_CTX_use_certificate_[file | buffer] - Load the --SERVER'S-- certificate chain of trust, with the only optional item being the root CA (the --CLIENT-- will already have a copy of the --SERVER'S-- root CA that signed the --SERVER'S-- certificate chain, so the root CA does not have to be sent during the handshake along with the rest of the chain).

wolfSSL_CTX_use_PrivateKey_[file | buffer] - Load the --SERVER'S-- private key that is associated with the --SERVER'S-- entity certificate.

CLIENT SIDE:

wolfSSL_CTX_load_verify_[locations | buffer] - Load the ROOT CA that signed the --SERVER'S-- certificate chain.

wolfSSL_CTX_use_certificate_[file | buffer] - Load the --CLIENT'S-- certificate chain of trust, with the only optional item being the root CA (the --SERVER-- will already have a copy of the --CLIENT'S-- root CA that signed the --CLIENT'S-- certificate chain, so the root CA does not have to be sent during the handshake along with the rest of the chain).

wolfSSL_CTX_use_PrivateKey_[file | buffer] - Load the --CLIENT'S-- private key that is associated with the --CLIENT'S-- entity certificate.

Warm Regards,

K

11 (edited by Kaleb J. Himes 2019-05-23 07:54:28)

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

[ Moderator edit: There was some confusion about which close was causing the issue. Has been addressed in https://github.com/wolfSSL/wolfssl-examples/issues/152 ]


Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

This problem has been resolved, thank you @kaleb


Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

zhq0918,

Not a problem, the Enclave stuff can be very confusing the first time through, thus my recommendation to review the intel documentation https://software.intel.com/en-us/downlo … oper-guide

Imagine the enclave as a black box of nothingness. It isn't allowed to do anything you don't let it do, i.e. if you do not provide it functionality it won't know what it is. I am referring to things we might take for granted in typical programming such as scanf, printf, DEBUG_LOGGING (writing to a file stream), etc. The enclave doesn't know what a file stream is; it doesn't even know what a file is unless you tell it. Anything that involves I/O (reading/writing) will have to occur outside the enclave in the untrusted space. You can then pass things into the enclave by either:

A) pass a buffer pointer out of the enclave to be written to
B) Pass a buffer pointer into the enclave for the enclave to read from

We have to specifically note these types of calls as untrusted, however, because it is information being gathered from outside the enclave or passed into the enclave from the untrusted execution space. I.e. if a malicious actor gained full control of the system, that malicious actor still could do nothing about the code running inside the enclave, but they might be able to pass in stuff via untrusted out_calls, so we map those in the untrusted section of the .edl. Anyway, please take time to peruse the Intel documentation; it will help give a much more thorough understanding of the execution space and you'll start to see patterns of what types of things (e.g. "close being undefined") are expected and how to resolve them.

Regards,

K

Re: [SOLVED] In sgx Enclave,can't use function wolfSSL_X509_verify_cert?

OK, thank you @Kaleb
