Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

IAS request error

Rodolfo_S_

Hi,

I'm trying to use the IAS following the example 3.1.2.1 provided at https://software.intel.com/sites/default/files/managed/3d/c8/IAS_1_0_API_spec_1_1_Final.pdf, but so far with no success.

When I submit an HTTP request exactly as the one provided in the example (with gid=00000010), I get as response "404 Not Found". The same result is obtained if I try gid=00000000 (I tried this other gid since in the remote attestation end-to-end sample code, it is stated that IAS only accepts gid equal to zero).

When I try the request with a gid shorter than 8 digits (e.g. gid=0) the response is a different error "405 Method Not Allowed".

Any tips on what I am doing wrong?

Below you can find the requests and responses illustrating what I just wrote.

Best regards,

Rodolfo

rodolfoams@badejo:~$ curl -1 --tlsv1.2 -v -E clientconc.pem https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000000
* Hostname was NOT found in DNS cache
*   Trying 208.39.114.225...
* Connected to test-as.sgx.trustedservices.intel.com (208.39.114.225) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*      subject: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=test-as.sgx.trustedservices.intel.com
*      start date: 2015-05-20 06:42:44 GMT
*      expire date: 2016-11-10 06:42:44 GMT
*      subjectAltName: test-as.sgx.trustedservices.intel.com matched
*      issuer: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=Intel External Basic Issuing CA 3B
*      SSL certificate verify ok.
> GET /attestation/sgx/v1/sigrl/00000000 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: test-as.sgx.trustedservices.intel.com
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< request-id: 84058baa149f48afbaa529da2f6ba62a
< date: Tue, 09 Aug 2016 20:56:19 GMT
< transfer-encoding: chunked
< Connection: keep-alive
< 
* Connection #0 to host test-as.sgx.trustedservices.intel.com left intact
rodolfoams@badejo:~$ curl -1 --tlsv1.2 -v -E clientconc.pem https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000000
* Hostname was NOT found in DNS cache
*   Trying 208.39.114.225...
* Connected to test-as.sgx.trustedservices.intel.com (208.39.114.225) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* 	 subject: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=test-as.sgx.trustedservices.intel.com
* 	 start date: 2015-05-20 06:42:44 GMT
* 	 expire date: 2016-11-10 06:42:44 GMT
* 	 subjectAltName: test-as.sgx.trustedservices.intel.com matched
* 	 issuer: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=Intel External Basic Issuing CA 3B
* 	 SSL certificate verify ok.
> GET /attestation/sgx/v1/sigrl/00000000 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: test-as.sgx.trustedservices.intel.com
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< request-id: be2f19cd7f7543f2abdddcec778d8677
< date: Tue, 09 Aug 2016 20:58:10 GMT
< transfer-encoding: chunked
< Connection: keep-alive
< 
* Connection #0 to host test-as.sgx.trustedservices.intel.com left intact

 

 

0 Kudos
Surenthar_S_Intel

Hi Rodolfo,

A point to be noted here is that the platform GID is to be sent as part of the GET request to IAS, not the Extended GID (which is 0 for now). The length of the GID is 8 digits, and the sample GID, which is 00000010, might not be a valid EPID group; hence you see the 404 Not Found error. Try using a valid GID to obtain a 200 OK response from IAS.

Thanks and Regards,
Surenthar Selvaraj

0 Kudos
Rodolfo_S_

Hi Surenthar,

Thanks for the reply. So, a valid GID would be one present in the QUOTE?

The description of the QUOTE structure says that the GID is 4-bytes long, so it could possibly contain 10 digits instead of 7.

Thanks,

Rodolfo

0 Kudos
Rodolfo_S_

Rodolfo S. wrote:

Hi Surenthar,

Thanks for the reply. So, a valid GID would be one present in the QUOTE?

The description of the QUOTE structure says that the GID is 4-bytes long, so it could possibly contain 10 digits instead of 7.

Thanks,

Rodolfo

UPDATE: I was able to retrieve the GID from the sgx_ra_get_msg1() command result, which is a sgx_ra_msg1_t, so I can use that GID to get the SigRL from IAS.

Note: I had to reverse the byte order to match the endianness expected by the IAS (e.g. 0x1 0x2 0x3 0x4 would become 0x4 0x3 0x2 0x1).

0 Kudos
Surenthar_S_Intel

Rodolfo S. wrote:

Hi Surenthar,

Thanks for the reply. So, a valid GID would be one present in the QUOTE?

The description of the QUOTE structure says that the GID is 4-bytes long, so it could possibly contain 10 digits instead of 7.

Thanks,

Rodolfo

Yes, the quote structure contains a valid GID (4 bytes) along with many other parameters. Also, in the remote attestation process, before sending the GET request for the SigRL to IAS, the server receives the GID from the client application as part of Msg1.

The GID should be represented in Little Endian format, and each byte is represented with 2 hex digits. Hence 4 bytes * 2 = 8 digits.

0 Kudos
Rodolfo_S_

Hi Surenthar,

Do you know if there is anything wrong with the IAS test server? I'm getting a 404 NOT FOUND error when making a GET request with a valid GID (this is the same GID that I successfully used before), and a 400 BAD REQUEST when making a POST request with a valid QUOTE (this is the same QUOTE that I successfully used before).

Just to make sure, the GID that I get from Msg1 (when running in HW mode) is 0x4c060000 (Little-Endian), so the request I should make to retrieve the SigRL is: GET https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/0000064c

Am I correct?

Thanks,

Rodolfo Silva

0 Kudos
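
The byte-order conversion discussed in the posts above, as an added example that is not part of any original post or of Intel's sample code: it turns the 4-byte GID taken from msg1 into the 8-hex-digit path segment, using the GID value and URL path quoted in the thread. The function names and the plain 4-byte array standing in for the SDK's GID type are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GID_LEN 4   /* the GID is 4 bytes in msg1 and in the quote */
#define SIGRL_PATH "/attestation/sgx/v1/sigrl/"   /* path used in the thread */

/* Hex-encode the GID for the URL. msg1 carries the bytes little-endian, so
 * they are emitted in reverse order, two zero-padded hex digits per byte.
 * Returns 0 on success, -1 if the buffer cannot hold 8 digits plus NUL. */
int gid_to_hex(const uint8_t gid[GID_LEN], char *out, size_t out_len)
{
    if (out_len < 2 * GID_LEN + 1)
        return -1;
    snprintf(out, out_len, "%02x%02x%02x%02x", gid[3], gid[2], gid[1], gid[0]);
    return 0;
}

/* Pre-flight check for a GID path segment: exactly 8 hex digits. */
int gid_hex_is_valid(const char *s)
{
    if (strlen(s) != 2 * GID_LEN)
        return 0;
    for (size_t i = 0; i < 2 * GID_LEN; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Build the SigRL request path. Returns 0 on success, -1 on truncation. */
int sigrl_path(const uint8_t gid[GID_LEN], char *out, size_t out_len)
{
    char hex[2 * GID_LEN + 1];
    if (gid_to_hex(gid, hex, sizeof hex) != 0)
        return -1;
    int n = snprintf(out, out_len, "%s%s", SIGRL_PATH, hex);
    return (n < 0 || (size_t)n >= out_len) ? -1 : 0;
}

int main(void)
{
    /* GID bytes as quoted in the post above (0x4c060000 in msg1 order). */
    const uint8_t gid[GID_LEN] = {0x4c, 0x06, 0x00, 0x00};
    char path[64];
    if (sigrl_path(gid, path, sizeof path) == 0)
        printf("GET %s\n", path);
    return 0;
}
```

Running `gid_hex_is_valid` on the segment before sending catches a short value such as `0`, which the first post reports as producing a different error from a well-formed but unknown GID.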
Surenthar_S_Intel

Hi,

Which version of the SDK are you using for this attestation process? Intel® SGX Development Services will no longer support remote attestation quotes generated from Intel® Software Guard Extensions SDK v1.1 and associated Platform Software.

The Intel® Software Guard Extensions SDK v1.6 and associated Platform Software continues to support Intel® SGX Development Services since its release on July 07, 2016.

-Surenthar

0 Kudos
Rodolfo_S_

Hi Surenthar,

As you correctly pointed out, I was using an unsupported version of the SDK and PSW (1.1). After updating it to the current release, I was able to successfully use the IAS test server again.

Thanks,

Rodolfo

0 Kudos
jiang__chao

Hi

I tested the command for connecting to IAS a few months ago, and it worked well for me:

curl -1 --tlsv1.2 -v -E bob_pfx.pem  https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000BCD

Today, I tested it again, and it shows the error:

* Hostname was NOT found in DNS cache
*   Trying 208.39.114.225...
* Connected to test-as.sgx.trustedservices.intel.com (208.39.114.225) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443

Does anyone know how to handle it? Thanks a lot.

0 Kudos
Elephant

Hi,

I am having the same issue as Chao:

* Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443 
* Closing connection 0

Is there something going on with the IAS?  Thanks a lot!

Kind Regards,
Elephant



0 Kudos
Elephant

Hi,

The IAS is back accepting connections, as of about 4pm GMT+8 (SG) today! What happened? It went down for more than 12 hours!

Kind Regards,
Elephant

 


 

 

0 Kudos