Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

How to make sure that ECDSA root certificate is valid

Olkhon
Beginner
580 Views

Hello,

I'm new in SGX and I have a question about how DCAP remote attestation works.

I generated a quote in azure cloud using quote generation example from that repo . Certification data type of the quote is 5 (Concatenated PCK Cert Chain) so I parsed the quote, extracted the certificate chain and verified it. The root certificate has been issued by Intel and is self-signed.

But, how can i check if the root certificate extracted from that quote hasn't been faked and has actually been issued by Intel? It seems important in case of receiving a quote from third parties.

For example, the EPID remote attestation root certificate is published here. But i can't find something simular for DCAP attestation.

 

The certificate i'm talking about is:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:65:0c:d6:5a:9d:34:89:f3:83:b4:95:52:bf:50:1b:39:27:06:ac
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = Intel SGX Root CA, O = Intel Corporation, L = Santa Clara, ST = CA, C = US
Validity
Not Before: May 21 10:45:10 2018 GMT
Not After : Dec 31 23:59:59 2049 GMT
Subject: CN = Intel SGX Root CA, O = Intel Corporation, L = Santa Clara, ST = CA, C = US
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:0b:a9:c4:c0:c0:c8:61:93:a3:fe:23:d6:b0:2c:
da:10:a8:bb:d4:e8:8e:48:b4:45:85:61:a3:6e:70:
55:25:f5:67:91:8e:2e:dc:88:e4:0d:86:0b:d0:cc:
4e:e2:6a:ac:c9:88:e5:05:a9:53:55:8c:45:3f:6b:
09:04:ae:73:94
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:22:65:0C:D6:5A:9D:34:89:F3:83:B4:95:52:BF:50:1B:39:27:06:AC

X509v3 CRL Distribution Points:

Full Name:
URI:https://certificates.trustedservices.intel.com/IntelSGXRootCA.der

X509v3 Subject Key Identifier:
22:65:0C:D6:5A:9D:34:89:F3:83:B4:95:52:BF:50:1B:39:27:06:AC
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:1
Signature Algorithm: ecdsa-with-SHA256
30:46:02:21:00:e5:bf:e5:09:11:f9:2f:42:89:20:dc:36:8a:
30:2e:e3:d1:2e:c5:86:7f:f6:22:ec:64:97:f7:80:60:c1:3c:
20:02:21:00:e0:9d:25:ac:7a:0c:b3:e5:e8:e6:8f:ec:5f:a3:
bd:41:6c:47:44:0b:d9:50:63:9d:45:0e:dc:be:a4:57:6a:a2

Labels (2)
0 Kudos
1 Solution
Sahira_Intel
Moderator
521 Views

Hi,

At a high level, the SGX ECDSA Quote Verification Library contains a Quote Verification Enclave (QvE) that will verify the quote generated by the ECDSA-based Quoting Enclave. The QvE is developed and signed by intel. The root certificate derived from this quote will therefore be authentic. 

You will find more relevant information in this document and on this page.

I hope this information is helpful.

Sincerely,

Sahira 

 

 

View solution in original post

0 Kudos
1 Reply
Sahira_Intel
Moderator
522 Views

Hi,

At a high level, the SGX ECDSA Quote Verification Library contains a Quote Verification Enclave (QvE) that will verify the quote generated by the ECDSA-based Quoting Enclave. The QvE is developed and signed by intel. The root certificate derived from this quote will therefore be authentic. 

You will find more relevant information in this document and on this page.

I hope this information is helpful.

Sincerely,

Sahira 

 

 

0 Kudos
Reply