How to use openssl to verify the ECDSA signature signed in enclave

yang__zhe · ‎05-29-2019

I use the function[sgx_ecdsa_sign] to sign a message .But when I use openssl to verify the signature ,the result is always wrong. Can you show me a piece of code to solve the problem.

Mai__Anthony · ‎06-05-2019

I am familiar with ECDSA so can answer part of your question. But I have a question of my own, too.

To sign a ECDSA signature, the enclave would have to obtain chip specific private key, which only the enclave can do. Could you show me exactly where is the precise code spot that you obtain the private key to do the ECDSA signing?

Now to verify the signature, you need to have the corresponding public key, and know for a fact that the public key is authentic. Openssl won't help you because Openssl does not have the public key. This is where Intel remote attestation comes in to play: You present a report containing a signature to Intel and say: This is a report from chip xxx, can you validate the signature for me. And Intel says: yes I looked up chip xxx and it has a public key yyy, and using yyy I can verify that signature zzz is authentic.

Now here is my second question. Is there a way for me to talk to an Intel server and present the chip identity, and obtain the chip's public key, and then from that point on I can do my own validation using the obtained public key for that chip, without talking to Intel server any more?