Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

How to make sgx_ecc256 work with Openssl?

chaoshun_z_
Beginner
Hi,
I am using SGX ECC256 functions (sgx_ecc256_open_context, sgx_ecdsa_verify) to do some verification work inside SGX. Although the SGX SDK provides some functions to generate keys and sign data, in my case the signing machine does not have SGX, which means that I can't use 'sgx_ecdsa_sign' to sign data. So I am trying to use OpenSSL to sign data (including generating keys) and use SGX to verify the signature. But it does not work; maybe I am using the wrong parameters. Please correct me.
Here is what I have done to test whether sgx_ecc256 can work with OpenSSL or not:
1. Using OpenSSL to generate a key pair: "openssl ecparam -name prime256v1 -genkey -out ec-priv.pem" (for the 'name' parameter, I tried prime256v1, secp256k1, brainpoolP256r1, brainpoolP256t1)
2. Extract the private key and public key from ec-priv.pem: "openssl ec -in ec-priv.pem -text -noout"
3. Using the private key to sign some data inside SGX by calling the function "sgx_ecdsa_sign" to get the signature "sig"
4. Using the public key and "sig" to verify the data by calling the function "sgx_ecdsa_verify". Then I got the return value SGX_EC_INVALID_SIGNATURE.
In "Intel SGX SDK Developer Reference for Windows OS.pdf", it says the private key and public key are in LITTLE ENDIAN. I tried to convert the keys from OpenSSL to LITTLE ENDIAN in several ways, but none of them works.
Is there anything wrong in my steps, or can SGX ECC256 functions work with OpenSSL? Is there any way to use OpenSSL to generate keys and sign data, and then use SGX ECC256 functions to verify the signature?
Thank you,
Chaoshun
Anusha_K_Intel
Employee

Hi,

Did you generate the key inside the enclave using the Intel SGX OpenSSL trusted library functions, or using the SSL command prompt? The problem seems to be with the key conversion from little endian to big endian. The steps you followed are correct, but OpenSSL keys are in BIG endian format; there must be something wrong with the conversion.

Why don't you try using the SGX functions for signing? You can use sgx_ecc256_create_key_pair() for the key generation process. Or you can use the SGX trusted SSL library inside the enclave for signing and verification. The related information is given in the link below:

https://software.intel.com/sites/default/files/managed/3b/05/Intel-SgxSSL-Library-User-Guide.pdf
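
The byte-order conversion this thread is about, as an added example that is not part of either post or of the SGX SDK: it turns an OpenSSL uncompressed prime256v1 public point (`04 || X || Y`, big-endian) and a DER-encoded ECDSA signature into 32-byte little-endian fields. The `le_p256_*` structs and all function names are hypothetical stand-ins for the little-endian layout the SDK reference describes; the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for the SDK's 32-byte little-endian key and signature
   fields (assumed layout); inside an enclave use the types from sgx_tcrypto.h. */
typedef struct { uint8_t gx[32]; uint8_t gy[32]; } le_p256_public_t;
typedef struct { uint8_t r[32]; uint8_t s[32]; } le_p256_signature_t;

/* Big-endian integer (leading zero bytes allowed) -> 32 bytes, little-endian. */
static int be_to_le32(const uint8_t *be, size_t n, uint8_t out[32]) {
    while (n > 0 && be[0] == 0) { be++; n--; }  /* drop DER sign pad / leading zeros */
    if (n > 32) return -1;                       /* does not fit a P-256 scalar */
    memset(out, 0, 32);
    for (size_t i = 0; i < n; i++) out[i] = be[n - 1 - i];
    return 0;
}

/* 65-byte uncompressed point 04 || X || Y -> little-endian gx, gy. */
int point_to_le(const uint8_t *pt, size_t len, le_p256_public_t *pub) {
    if (len != 65 || pt[0] != 0x04) return -1;   /* compressed forms are rejected */
    if (be_to_le32(pt + 1, 32, pub->gx)) return -1;
    return be_to_le32(pt + 33, 32, pub->gy);
}

/* Read one DER INTEGER (tag 0x02, short-form length) at *p and advance *p. */
static int der_int(const uint8_t **p, const uint8_t *end, uint8_t out[32]) {
    if (end - *p < 2 || (*p)[0] != 0x02) return -1;
    size_t n = (*p)[1];
    if (n == 0 || n > 33 || (size_t)(end - *p - 2) < n) return -1;
    if ((*p)[2] & 0x80) return -1;               /* negative value: not a valid r or s */
    int rc = be_to_le32(*p + 2, n, out);
    *p += 2 + n;
    return rc;
}

/* DER SEQUENCE { INTEGER r, INTEGER s } -> little-endian r, s. */
int der_sig_to_le(const uint8_t *der, size_t len, le_p256_signature_t *sig) {
    if (len < 8 || len > 72 || der[0] != 0x30 || (size_t)der[1] != len - 2) return -1;
    const uint8_t *p = der + 2, *end = der + len;
    if (der_int(&p, end, sig->r) || der_int(&p, end, sig->s)) return -1;
    return p == end ? 0 : -1;                    /* reject trailing bytes */
}

int main(void) { /* constructed sample: r = 0x80 (DER pads it with 00), s = 0x7f */
    const uint8_t der[] = {0x30, 0x07, 0x02, 0x02, 0x00, 0x80, 0x02, 0x01, 0x7f};
    le_p256_signature_t sig;
    return der_sig_to_le(der, sizeof der, &sig) != 0;
}
```

On a little-endian x86 host the 32-byte arrays have the same memory image as eight little-endian 32-bit words, so they can be copied with `memcpy` into fields declared as `uint32_t[8]`.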
