- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all: I want to verify X-IASReport-Signature with IAS public key. I have get the IAS public Key from IAS public certificate with openssl:
openssl x509 -in AttestationReportSigningCACert.pem -pubkey -noout > k.key openssl rsa -in k.key -pubin -text -noout
Public-Key: (3072 bit) Modulus: 00:9f:3c:64:7e:b5:77:3c:bb:51:2d:27:32:c0:d7: 41:5e:bb:55:a0:fa:9e:de:2e:64:91:99:e6:82:1d: b9:10:d5:31:77:37:09:77:46:6a:6a:5e:47:86:cc: d2:dd:eb:d4:14:9d:6a:2f:63:25:52:9d:d1:0c:c9: 87:37:b0:77:9c:1a:07:e2:9c:47:a1:ae:00:49:48: 47:6c:48:9f:45:a5:a1:5d:7a:c8:ec:c6:ac:c6:45: ad:b4:3d:87:67:9d:f5:9c:09:3b:c5:a2:e9:69:6c: 54:78:54:1b:97:9e:75:4b:57:39:14:be:55:d3:2f: f4:c0:9d:df:27:21:99:34:cd:99:05:27:b3:f9:2e: d7:8f:bf:29:24:6a:be:cb:71:24:0e:f3:9c:2d:71: 07:b4:47:54:5a:7f:fb:10:eb:06:0a:68:a9:85:80: 21:9e:36:91:09:52:68:38:92:d6:a5:e2:a8:08:03: 19:3e:40:75:31:40:4e:36:b3:15:62:37:99:aa:82: 50:74:40:97:54:a2:df:e8:f5:af:d5:fe:63:1e:1f: c2:af:38:08:90:6f:28:a7:90:d9:dd:9f:e0:60:93: 9b:12:57:90:c5:80:5d:03:7d:f5:6a:99:53:1b:96: de:69:de:33:ed:22:6c:c1:20:7d:10:42:b5:c9:ab: 7f:40:4f:c7:11:c0:fe:47:69:fb:95:78:b1:dc:0e: c4:69:ea:1a:25:e0:ff:99:14:88:6e:f2:69:9b:23: 5b:b4:84:7d:d6:ff:40:b6:06:e6:17:07:93:c2:fb: 98:b3:14:58:7f:9c:fd:25:73:62:df:ea:b1:0b:3b: d2:d9:76:73:a1:a4:bd:44:c4:53:aa:f4:7f:c1:f2: d3:d0:f3:84:f7:4a:06:f8:9c:08:9f:0d:a6:cd:b7: fc:ee:e8:c9:82:1a:8e:54:f2:5c:04:16:d1:8c:46: 83:9a:5f:80:12:fb:dd:3d:c7:4d:25:62:79:ad:c2: c0:d5:5a:ff:6f:06:22:42:5d:1b Exponent: 65537 (0x10001)
I write rsa3072_verify() mostly like https://github.com/01org/linux-sgx/blob/master/sdk/tlibcrypto/sgx_rsa3072.cpp with IPP crypto library.
The steps I deal with IAS reponse are :
- Get X-IASReport-Signature string from response header and convert to byte array sig;
- Get response body and convert to byte array;
- compute sha256 hash of response body hash;
- Verify the hash with rsa3072_verify(hash, hash_size, &public_key, &sig, &result);
But I always get invalid return code. My Question is:
Is my verify steps right ? What are the correct steps ? Thanks .
Link Copied
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ret = g_sp_extended_epid_group_id->verify_attestation_evidence(quote, pro_desc, &attestation_report); fprintf(OUTPUT, "\n\tsignature:%s", attestation_report.signature); fprintf(OUTPUT, "\n\tdata: %s", attestation_report.data); uint8_t * arr; StringToByteArray(string(attestation_report.data), &arr); SERVER_PRINT_BYTE_ARRAY(OUTPUT, arr, strlen(attestation_report.data)); uint8_t * sigarr; string sigstr = Base64decode(string(attestation_report.signature)); StringToByteArray( sigstr, &sigarr); SERVER_PRINT_BYTE_ARRAY(OUTPUT, sigarr, sigstr.size());
Here Ican get the correct signature and response_body----data, Then I convert them to uint8_t array and get hash though this function;
At last verify the hash and signature with public key;
int check_valid_quote_sig(const uint8_t *signature, const uint8_t *data) { int res=0; barbi_rsa3072_public_key_t pub_key; memcpy(pub_key.mod, private_key_mod, sizeof(uint8_t) * 384); memcpy(pub_key.exp, pub_key_exp, sizeof(uint8_t) * 4); barbi_rsa_result_t result; barbi_sha256_hash_t hash; barbi_rsa3072_signature_t signature_to_verify; memcpy(&signature_to_verify, signature, sizeof(barbi_rsa3072_signature_t)); barbi_ipp_sha256_msg(data, sizeof(data), &hash); barbi_rsa3072_verify(hash, sizeof(hash), &pub_key, &signature_to_verify, &result); if (BARBI_RSA_VALID == result){ printf("\n\nVerify result: valid\n"); res = 1; }else{ printf("Verify result: Invalid. \n"); res = 0; } return res; }
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your verification steps are correct. I do a quick verification in C# using the same steps and it works fine under my environment.
Here is the code fragment that I used for the same set of steps:
string signatureString = response.Headers["x-iasreport-signature"];
string bodyString = response.GetResponseBodyString();
byte[] signature = Convert.FromBase64String(signatureString);
byte[] data = Encoding.UTF8.GetBytes(bodyString);
var rsa = (RSACryptoServiceProvider)cert.PublicKey.Key; // get the public key
if (!rsa.VerifyData(data, "SHA256", signature))
throw new Exception();
Can you provide your running environment? Windows or Linux? Which version? and whether you have a separate running service provider application? or is it just all done in a simple client appl library?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Hoang Nguyen
Due to recent Chinese National Holiday(8 days), I haven't check my question. This is a brief description of my environment:
OS: Ubuntu 16.04
CPU: E3 1230 v5
SDK version: 1.9
I think I done remote attestation all in a simple client app library now. If I can pass all the tests, Then I will use the library in separate service provider.
Thanks
you.w
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe my usage of ipp crypto library is wrong, I reimplement the verification with openssl lib and now it works well.
Thanks
you
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page