• Registered: 2025-07-16
  • Posts: 7

Topic: Compilation fails when code is placed in a SGX enclave (unknown types)

Hello,

My code to validate a certificate chain and a signature does not compile when inside an enclave. I'm using v5.8.2-stable. Compilation throws errors:

/home/daniel/res/gitsaves/wolfssl/wolfssl/wolfcrypt/random.h:197:5: error: unknown type name ‘pid_t’
  197 |     pid_t pid;
      |     ^~~~~
In file included from /home/daniel/res/gitsaves/wolfssl/wolfssl/ssl.h:262:
/home/daniel/res/gitsaves/wolfssl/wolfssl/wolfio.h:529:5: error: unknown type name ‘SOCKADDR’
  529 |     SOCKADDR sa;
      |     ^~~~~~~~
/home/daniel/res/gitsaves/wolfssl/wolfssl/wolfio.h:530:5: error: unknown type name ‘SOCKADDR_IN’
  530 |     SOCKADDR_IN sa_in;
      |     ^~~~~~~~~~~

(The code works outside the enclave, though, with normal wolfSSL.)

I've placed the code in a github repository:
https://github.com/andrade/iamstuck/tre … verify-sgx

Could I get some pointers on how to fix this?

Regards,
Daniel

Post's attachments

Screenshot from 2025-09-25 14-24-39 (pid_t and SOCKADDR errors when compiling 2509-wolfssl-chain-verify-sgx 5.8.2).png 510.19 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Share

  • Registered: 2021-08-12
  • Posts: 159

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hi,
My name is Anthony and I am a member of the wolfSSL team.
Do you need to include an options.h file or a user_settings.h file?

Can you tell  us a bit more about your project?  What are your goals?

Warm regards, Anthony

Share

3 Reply by andrade (edited by andrade 2025-09-29 04:56:16)

  • Registered: 2025-07-16
  • Posts: 7

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hello,

I'm working on an academic research project with trusted execution environments, one of which is Intel SGX. This bit of code I'm working on is part of the attestation process. A client receives an attestation report as part of our protocol, and the client needs to validate the attestation report. This includes: 1) ensuring the certificate chain is valid, 2) ensuring the root key is known to the client, and 3) verifying the sender's signature over the attestation report (compute hash of report and then check signature).

The code I'm having trouble with validates de chain (1) and verifies the signature over the attestation report (3). Since it's working outside the enclave, in TEE terminology in the untrusted domain (i.e., the normal code), I suspect this could be related to how I'm compiling my code and how I'm compiling the wolfSSL library for use in SGX enclaves.

In addition to the unknown types errors in my previous post, several of the wolfSSL functions don't seem to be available in the SGX version of the library (below only the function wc_CertPemToDer is defined, the other functions that I use in my code are missing):

$ nm src/.libs/libwolfssl.a | grep -P "wc_CertPemToDer|wolfSSL_X509_load_certificate_buffer|wolfSSL_X509_STORE_new|wolfSSL_sk_X509_new_null"
000000000001ce7f T wc_CertPemToDer
000000000008dca4 T wolfSSL_sk_X509_new_null
000000000007d4c7 T wolfSSL_X509_load_certificate_buffer
0000000000095e3c T wolfSSL_X509_STORE_new

$ nm src/.libs/libwolfssl.so | grep -P "wc_CertPemToDer|wolfSSL_X509_load_certificate_buffer|wolfSSL_X509_STORE_new|wolfSSL_sk_X509_new_null"
0000000000181f81 T wc_CertPemToDer
0000000000318bc1 T wolfSSL_sk_X509_new_null
00000000003083db T wolfSSL_X509_load_certificate_buffer
0000000000320d59 T wolfSSL_X509_STORE_new

$ nm IDE/LINUX-SGX/libwolfssl.sgx.static.lib.a | grep -P "wc_CertPemToDer|wolfSSL_X509_load_certificate_buffer|wolfSSL_X509_STORE_new|wolfSSL_sk_X509_new_null"
000000000000a620 T wc_CertPemToDer

I don't know whether I need to include options.h or user_settings.h. (I'm new to wolfSSL so I'm not sure I need it.) This is for a proof-of-concept on a desktop machine, I don't have any constraints in terms of library size, for example, so I don't mind having a larger library. I compiled it with `--enable-static --enable-all --enable-debug`.

Regards,
Daniel

Share

  • Jacob
  • Moderator
  • Offline
  • Registered: 2014-08-21
  • Posts: 85

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hi Daniel,

Start with the wolfSSL SGX examples, and modify them to your use case. This is where the instructions and example build of the wolfSSL library for SGX use is https://github.com/wolfSSL/wolfssl/tree … /LINUX-SGX

The example of using the built library is located here
https://github.com/wolfSSL/wolfssl-exam … /SGX_Linux

Share

5 Reply by andrade (edited by andrade 2025-09-29 10:11:44)

  • Registered: 2025-07-16
  • Posts: 7

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hello Jacob,

I've already built the library and run the official example successfully. But there are functions that are defined in libwolfssl.a/so but are undefined in libwolfssl.sgx.static.lib.a.

Below I've added the steps I've done compiling the official library and running the official SGX example to show more clearly what is the problem. (This is for branch v5.8.2-stable but I've tried branch master and the results are the same.)

---

1. First cloned and compiled wolfSSL (OK):

$ git clone git@github.com:wolfSSL/wolfssl.git
$ cd wolfssl
$ git checkout v5.8.2-stable
$ ./autogen.sh
$ ./configure --enable-static --enable-all --enable-debug
$ make

$ cd IDE/LINUX-SGX/
$ ls -l ../../wolfssl/options.h   (check file is there)
-rw-rw---- 1 daniel daniel 16129 set 29 16:55 ../../wolfssl/options.h
$ make -f sgx_t_static.mk all
(...)
LINK =>  libwolfssl.sgx.static.lib.a

2.1. Then cloned and compiled the official example (Fails out of the box):

$ git clone git@github.com:wolfSSL/wolfssl-examples.git
$ cd wolfssl-examples/SGX_Linux/
$ export WOLFSSL_ROOT=../../wolfssl
$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=../../wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=0 HAVE_WOLFSSL_BENCHMARK=0 all
(...)
/usr/bin/ld: cannot find -lsgx_tstdcxx: No such file or directory
collect2: error: ld returned 1 exit status
(...)

2.2 The error is because of `-lsgx_tstdcxx`, there's an open bug report on this (https://github.com/wolfSSL/wolfssl-examples/issues/284). I replaced it, in `sgx_t.mk`, with `-lsgx_tcxx` and compiled the official example again (OK):

$ make clean
$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=../../wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=0 HAVE_WOLFSSL_BENCHMARK=0 all
(...)
Succeed.
SIGN =>  Wolfssl_Enclave.signed.so

2.3. I run the server-client example successfully (OK).

3. To check whether the missing definitions is a problem with my code or with the wolfSSL official library, I've added a function needed to load a certificate to the official example. The line isn't meant to do anything, only check whether the definition is in the wolfSSL library `libwolfssl.sgx.static.lib.a` (it isn't). (I've added a screenshot with `$ git diff` to show the changes.)

I've added the line wolfSSL_X509_load_certificate_buffer(NULL, 0, 1); (Line 164) to the function enc_wolfSSL_Init in enclave file trusted/Wolfssl_Enclave.c. Then compile (Fails):

$ make clean
$ make SGX_MODE=SIM SGX_PRERELEASE=0 SGX_WOLFSSL_LIB=../../wolfssl/IDE/LINUX-SGX/ WOLFSSL_ROOT=../../wolfssl SGX_DEBUG=0 HAVE_WOLFSSL_TEST=0 HAVE_WOLFSSL_BENCHMARK=0 all
(...)
/usr/bin/ld: trusted/Wolfssl_Enclave.o: in function `enc_wolfSSL_Init':
Wolfssl_Enclave.c:(.text+0x54): undefined reference to `wolfSSL_X509_load_certificate_buffer'
collect2: error: ld returned 1 exit status
make[1]: *** [sgx_t.mk:147: Wolfssl_Enclave.so] Error 1

As seen from the error, wolfSSL_X509_load_certificate_buffer is missing from the official wolfSSL SGX library itself. This undefined reference isn't an issue with my code. (My previous post has nm output.)

---

This (wolfSSL_X509_load_certificate_buffer) is one of several functions (that I'm using in my code) missing from libwolfssl.sgx.static.lib.a. But these functions do appear in libwolfssl.a and libwolfssl.so.

Question: How can I compile wolfSSL SGX in such a way wolfSSL_X509_load_certificate_buffer is defined in libwolfssl.sgx.static.lib.a so that I can use it in an enclave?

---

The list of wolfSSL functions I'm using in my code but are undefined in libwolfssl.sgx.static.lib.a is:

```
undefined reference to `wolfSSL_X509_load_certificate_buffer'
undefined reference to `wolfSSL_X509_STORE_new'
undefined reference to `wolfSSL_X509_STORE_add_cert'
undefined reference to `wolfSSL_X509_load_certificate_buffer'
undefined reference to `wolfSSL_sk_X509_new_null'
undefined reference to `wolfSSL_sk_X509_push'
undefined reference to `wolfSSL_X509_load_certificate_buffer'
undefined reference to `wolfSSL_X509_STORE_CTX_new'
undefined reference to `wolfSSL_X509_STORE_CTX_init'
undefined reference to `wolfSSL_X509_verify_cert'
undefined reference to `wolfSSL_X509_STORE_free'
undefined reference to `wolfSSL_X509_free'
undefined reference to `wolfSSL_X509_free'
undefined reference to `wolfSSL_X509_free'
undefined reference to `wolfSSL_sk_X509_free'
```

Post's attachments

Screenshot from 2025-09-29 17-45-42 wolfssl official SGX example diff with fix and test check load cert function for definition.png 374.05 kb, file has never been downloaded. 

You don't have the permssions to download the attachments of this post.

Share

  • Jacob
  • Moderator
  • Offline
  • Registered: 2014-08-21
  • Posts: 85

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hi Daniel,

The macro OPENSSL_EXTRA will need to be defined for wolfSSL to be built with the *_X509_* API. This is API in the compatibility layer which eases integration into applications previously using OpenSSL. Once at the point you are at, with the examples compiling and running, you can then adjust which macros are defined for configuring how wolfSSL is built. For example in the example IDE/LINUX-SGX/sgx_t_static.mk file there is the Wolfssl_C_Extra_Flags variable that OPENSSL_EXTRA could be added to. Note that this macro define should be added to both the building of libwolfssl and to the compiling of the application.

We've not tested with the additional functions built with SGX, there might be system calls in the compatibility layer that need worked around for running smoothly with SGX.

Here are some non SGX examples that do not use the compatibility layer API that could be referenced (https://github.com/wolfSSL/wolfssl-exam … er/certvfy).

These are also examples that show using a CA to verify a signature without using the compatibility layer API (https://github.com/wolfSSL/wolfssl-exam … ertmanager).

Share

  • Registered: 2025-07-16
  • Posts: 7

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hello,

I'm trying to redo my certificates chain validation without resorting to the OpenSSL compatibility layer, and using only wolfSSL functions.

The SGX enclave does not have access to the filesystem. Only one of the examples you mentioned seems to load the certificates from a buffer (and not through a file path):
https://github.com/wolfSSL/wolfssl-exam … fybuffer.c

I managed to get this example running inside an enclave. However, when I replace the original certificates of the example with my own certificates it fails on the first wolfSSL_CertManagerLoadCABuffer with error -162 (Couldn't find PEM header). But my certificates do have the PEM headers and the chain verifies correctly using the OpenSSL command line.

My certificates are as follows:

static const byte authCert[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAv+xzXnVd95RmxYLMNdXt\n"
"6PNF1kJIHyWbpNFaEP7SNrrgFCrGTYAbhWua8iNcdgaLNw6a410JHpnQJzgT612n\n"
"Brut86YWQnqX4X7eB3y3uvl1+EomujQSxLen+0kybnFgdbYJXzXao6JeEtEOY8PT\n"
"tg0T8msgsnY19qX066v9KixPytWiA7obu44zr1uWSgUttN5lDzZYmpo9sPZTb0JM\n"
"dZIByykRfZtWXcxVMe8xxzcVjrs+KTv/mjp+f4va92nO/76uSnRLO5JtX63xDhDY\n"
"QLwlJ69ASqUS7AuAeeiYDAqhMjodKmsq7pH458frAgoaVxHeK3+xIWBVgQ3yLtmo\n"
"Kpa5UjDdNTAR/sFlhWDVJdzQQq8rUwXlgPxIwrs9rDzK8v9ZOhQFN3eF9J8RDKe2\n"
"lUHergl6sQ/1By1PmktoCGm3u++4QwTZHBoncyZmVnBsQVWfQbSRKP9QcIFenCLE\n"
"Hi5E0BH0RMt8dTeA0PnvR/7Q15P3UCU/IigWmytPjpIGa2Xn8zrz1WVJLp7qL01v\n"
"/NMphmcmHlaBIqcfgS76N1USub9B4VwW1c5GFtocv/gzOg3xXxVSmjuzOP4KO2Wz\n"
"wM0XiUjMQ1X+9sMxHXT3kuR20A3zWf36XyzOONSYK3cVwjnT+gnYi3Tj/CEtJ74/\n"
"MWvAvtk7jAIp/DvSIVYS3/UCAwEAAQ==\n"
"-----END PUBLIC KEY-----\n";

static const byte testCert1[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvWeVHAwMQ/hj+9uYkhKy\n"
"CLxkFD79ShgXSCbWr/4po3KUvrKDG8bmrTeRXFSyooj18jI9xnLpc4tJWkWtlFAo\n"
"kwulWbEshmfN/QRxH1B9Tz6TDclIf+Ukh8oFI0T3shBehGkhrpkaolPDJD7e9SdT\n"
"GOj0NA/yBUynpkD6qZ5JRmZhmhUr6i3sq80A4Y5bwrBHdRTAzgL9Ho3hezbLwsXb\n"
"qLOApLfb0sZ8LRiVuHRjwwqCCmysE8dQLsnYZ2xDtkrC++eylMAek84wUbU9QPBd\n"
"pPv5QE3yD+wJ8A5hq2wSjM/xJneo7BNspZFEBcODF5uTkUmn32HQWveaFvNXceMR\n"
"qFlKSXPTTBQ6TCuf0FnGmnTREDpdnd0oBYR5370oUL5KtDUtJ7Fhs4oAYtUwnEIL\n"
"Yk2Oj6b5UXPQyf6bFFusn5vi1XTCyF2ZZINvP8Qef/EfP5rZWIDaYX5S3W4WMDI2\n"
"9aBKOOXfrntwCAN4Zgsix1PsYcVvadvIvIpzkQAu1ScEP30oAQP4NmceCTyERtZo\n"
"662l/gwWwy99jzVo6FmOTWdS+U4yb7hOfVPHw5Plg4djraN6t0J97ux2kNmDROel\n"
"8j5nenfqaQlNmbON6fCIB1xAJN/SDHhv0cFSYhNVnuYrJFfZS7AB4akwpnEzhXYT\n"
"bNdZ6EZPzSv86FMmZrQ0f1MCAwEAAQ==\n"
"-----END PUBLIC KEY-----\n";

static const byte testCert2[] =
"-----BEGIN PUBLIC KEY-----\n"
"MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAx+DhUGmKmbfEoNyDXHjh\n"
"GO9nrXVcuVNxRRN+D3DFR6JmeUl6VBcO3asOYr9bS0on53yW1ivpb4ZYY5iP3AIG\n"
"iTKVMICvkGBxUYQZxobkeiVntt9AklUHloLc7irNrjp9bLKAmytdK2f/aAsB5+zK\n"
"mMQoXZWOoE+k1iN38r4qjmShCmwKeSG1wIx0YkeQkNZpF/nsQgpWN23MdPqyCPhT\n"
"434OMQA1OAK4DXTm9fB9DysQQFPuSxLhKIzH6ZgNLc3rEZkM+Km2XBkpRJZqJZqx\n"
"SUyo83+Ux6l1yaAm3fUQxtf9y+yiKZN84KWtsXczrBjGPFY7YUpaE2276cc1ilO+\n"
"ECRTTk59mxXtvFKBdX0pTOjR5dgHPayqfeZrtptJTDuCECfcXV5j/gDJmu190ftu\n"
"qCt4u0fOMqRI08XOMO88ha42J081dNJc555+4aTM4N3qOf2hfxuLwSY+vWe1W7s6\n"
"e5WFQz6ruAC8Va9mR9ieXBXTv6M2sU4PiBa2HicAsjm5EL0LkBMsTffQzT2Zfidx\n"
"WzCyB/xFSamuErbq/9kW5SU5sd7XDuBqKP1ogDT2HWRwIRyU9hp0CSVZx4IeXGh+\n"
"1d9RpldUCGKwNJC8JMcU28eCC2yF0LsopGsecJB4jWJWyW7aWrfOCi1nokiCFpXn\n"
"d3RadQtwd1fOgFoaLRLHqK8CAwEAAQ==\n"
"-----END PUBLIC KEY-----\n";

Why am I getting this PEM header error?

Share

  • Jacob
  • Moderator
  • Offline
  • Registered: 2014-08-21
  • Posts: 85

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hi Daniel,

That's great that the certificate example ran okay. For the current issue, the certificates need to begin with the string "-----BEGIN CERTIFICATE-----\n". The wolfSSL API is finding "-----BEGIN PUBLIC KEY-----\n" from those buffers and rejecting it since it is looking for certificate headers.

Share

  • Registered: 2025-07-16
  • Posts: 7

Re: Compilation fails when code is placed in a SGX enclave (unknown types)

Hello Jacob,

What a silly mistake, thank you! That fixed that issue.

I have a few more questions regarding certificates. My certificate chain is Root -> Intermediate -> Leaf.

1. Do I have to explicitly check the intermediate certificate, or is it enough to check the leaf certificate (and intermediate certificates in the chain are checked implicitly forming a root to leaf complete chain verification)?

2. I'm loading the intermediate certificate using wolfSSL_CertManagerLoadCABuffer(). Are there functions to load intermediate certificates or is this the correct function?

I'm asking because in the API there are functions to unload both CAs and intermediates – wolfSSL_CertManagerUnloadCAs() and wolfSSL_CertManagerUnloadIntermediateCerts() – but I see nothing to load intermediate certs.

https://www.wolfssl.com/doxygen/group__CertManager.html

3. In my code I'm doing:

wolfSSL_CertManagerLoadCABuffer( Root )
wolfSSL_CertManagerLoadCABuffer( Intermediate )
wolfSSL_CertManagerVerifyBuffer( Intermediate ) // Root checks Intermediate
wolfSSL_CertManagerVerifyBuffer( Leaf ) // Intermediate checks Leaf

Is this the correct way to go about it?

I'm currently getting an error: "wolfSSL_CertManagerLoadCABuffer() failed (-155): ASN sig error, confirm failure" in the wolfSSL_CertManagerVerifyBuffer( Intermediate )". According to the API, the error indicates the signature could not be verified. But I've checked my certificate chain using OpenSSL and it gets verified successfully.

Share