https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-make-sure-that-ECDSA-root-certificate-is-valid/m-p/1396935#M5372 <P>Hi,</P> <P>At a high level, the SGX ECDSA Quote Verification Library contains a Quote Verification Enclave (QvE) that will verify the quote generated by the ECDSA-based Quoting Enclave. The QvE is developed and signed by intel. The root certificate derived from this quote will therefore be authentic.&nbsp;</P> <P>You will find more relevant information in <A href="https://download.01.org/intel-sgx/sgx-dcap/1.14/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf" target="_self">this document</A> and on&nbsp;<A href="https://www.intel.com/content/www/us/en/developer/articles/technical/quote-verification-attestation-with-intel-sgx-dcap.html" target="_self">this page</A>.</P> <P>I hope this information is helpful.</P> <P>Sincerely,</P> <P>Sahira&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 30 Jun 2022 22:52:18 GMT Sahira_Intel 2022-06-30T22:52:18Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-make-sure-that-ECDSA-root-certificate-is-valid/m-p/1395178#M5351 <P>Hello,</P> <P>I'm new in SGX and I have a question about how DCAP remote attestation works.</P> <P>I generated a quote in azure cloud using quote generation example from <A href="https://github.com/intel/SGXDataCenterAttestationPrimitives/tree/master/SampleCode/QuoteGenerationSample" target="_self">that</A> repo . Certification data type of the quote is 5&nbsp;<SPAN>(Concatenated PCK Cert Chain) so</SPAN>&nbsp;I parsed the quote, extracted the certificate chain and verified it. The root certificate has been issued by Intel and is self-signed.</P> <P>But, <STRONG>how can i check</STRONG> if the root certificate extracted from that quote hasn't been faked and has actually been issued by Intel? It seems important in case of&nbsp;receiving a quote from third parties.</P> <P>For example, the EPID remote attestation root certificate is published <A href="https://api.portal.trustedservices.intel.com/documentation" target="_self">here</A>. But i can't find something simular for DCAP attestation.</P> <P>&nbsp;</P> <P>The certificate i'm talking about is:</P> <P>Certificate:<BR />Data:<BR />Version: 3 (0x2)<BR />Serial Number:<BR />22:65:0c:d6:5a:9d:34:89:f3:83:b4:95:52:bf:50:1b:39:27:06:ac<BR />Signature Algorithm: ecdsa-with-SHA256<BR />Issuer: CN = Intel SGX Root CA, O = Intel Corporation, L = Santa Clara, ST = CA, C = US<BR />Validity<BR />Not Before: May 21 10:45:10 2018 GMT<BR />Not After : Dec 31 23:59:59 2049 GMT<BR />Subject: CN = Intel SGX Root CA, O = Intel Corporation, L = Santa Clara, ST = CA, C = US<BR />Subject Public Key Info:<BR />Public Key Algorithm: id-ecPublicKey<BR />Public-Key: (256 bit)<BR />pub:<BR />04:0b:a9:c4:c0:c0:c8:61:93:a3:fe:23:d6:b0:2c:<BR />da:10:a8:bb:d4:e8:8e:48:b4:45:85:61:a3:6e:70:<BR />55:25:f5:67:91:8e:2e:dc:88:e4:0d:86:0b:d0:cc:<BR />4e:e2:6a:ac:c9:88:e5:05:a9:53:55:8c:45:3f:6b:<BR />09:04:ae:73:94<BR />ASN1 OID: prime256v1<BR />NIST CURVE: P-256<BR />X509v3 extensions:<BR />X509v3 Authority Key Identifier: <BR />keyid:22:65:0C:D6:5A:9D:34:89:F3:83:B4:95:52:BF:50:1B:39:27:06:AC</P> <P>X509v3 CRL Distribution Points:</P> <P>Full Name:<BR />URI:<A href="https://certificates.trustedservices.intel.com/IntelSGXRootCA.der" target="_blank">https://certificates.trustedservices.intel.com/IntelSGXRootCA.der</A></P> <P>X509v3 Subject Key Identifier: <BR />22:65:0C:D6:5A:9D:34:89:F3:83:B4:95:52:BF:50:1B:39:27:06:AC<BR />X509v3 Key Usage: critical<BR />Certificate Sign, CRL Sign<BR />X509v3 Basic Constraints: critical<BR />CA:TRUE, pathlen:1<BR />Signature Algorithm: ecdsa-with-SHA256<BR />30:46:02:21:00:e5:bf:e5:09:11:f9:2f:42:89:20:dc:36:8a:<BR />30:2e:e3:d1:2e:c5:86:7f:f6:22:ec:64:97:f7:80:60:c1:3c:<BR />20:02:21:00:e0:9d:25:ac:7a:0c:b3:e5:e8:e6:8f:ec:5f:a3:<BR />bd:41:6c:47:44:0b:d9:50:63:9d:45:0e:dc:be:a4:57:6a:a2</P> Fri, 24 Jun 2022 12:44:32 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-make-sure-that-ECDSA-root-certificate-is-valid/m-p/1395178#M5351 Olkhon 2022-06-24T12:44:32Z https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-make-sure-that-ECDSA-root-certificate-is-valid/m-p/1396935#M5372 <P>Hi,</P> <P>At a high level, the SGX ECDSA Quote Verification Library contains a Quote Verification Enclave (QvE) that will verify the quote generated by the ECDSA-based Quoting Enclave. The QvE is developed and signed by intel. The root certificate derived from this quote will therefore be authentic.&nbsp;</P> <P>You will find more relevant information in <A href="https://download.01.org/intel-sgx/sgx-dcap/1.14/linux/docs/Intel_SGX_ECDSA_QuoteLibReference_DCAP_API.pdf" target="_self">this document</A> and on&nbsp;<A href="https://www.intel.com/content/www/us/en/developer/articles/technical/quote-verification-attestation-with-intel-sgx-dcap.html" target="_self">this page</A>.</P> <P>I hope this information is helpful.</P> <P>Sincerely,</P> <P>Sahira&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 30 Jun 2022 22:52:18 GMT https://community.intel.com/t5/Intel-Software-Guard-Extensions/How-to-make-sure-that-ECDSA-root-certificate-is-valid/m-p/1396935#M5372 Sahira_Intel 2022-06-30T22:52:18Z