Hi,
I'm trying to use the IAS following the example 3.1.2.1 provided at https://software.intel.com/sites/default/files/managed/3d/c8/IAS_1_0_API_spec_1_1_Final.pdf, but so far with no success.
When I submit an HTTP request exactly as the one provided in the example (with gid=00000010), I get as response "404 Not Found". The same result is obtained if I try gid=00000000 (I tried this other gid since in the remote attestation end-to-end sample code, it is stated that IAS only accepts gid equal to zero).
When I try the request with a gid shorter than 8 digits (e.g. gid=0) the response is a different error "405 Method Not Allowed".
Any tips on what I am doing wrong?
Below you can find the requests and responses illustrating what I just wrote.
Best regards,
Rodolfo
rodolfoams@badejo:~$ curl -1 --tlsv1.2 -v -E clientconc.pem https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000000
* Hostname was NOT found in DNS cache
* Trying 208.39.114.225...
* Connected to test-as.sgx.trustedservices.intel.com (208.39.114.225) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=test-as.sgx.trustedservices.intel.com
* start date: 2015-05-20 06:42:44 GMT
* expire date: 2016-11-10 06:42:44 GMT
* subjectAltName: test-as.sgx.trustedservices.intel.com matched
* issuer: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=Intel External Basic Issuing CA 3B
* SSL certificate verify ok.
> GET /attestation/sgx/v1/sigrl/00000000 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: test-as.sgx.trustedservices.intel.com
> Accept: */*
>
< HTTP/1.1 404 Not Found
< request-id: 84058baa149f48afbaa529da2f6ba62a
< date: Tue, 09 Aug 2016 20:56:19 GMT
< transfer-encoding: chunked
< Connection: keep-alive
<
* Connection #0 to host test-as.sgx.trustedservices.intel.com left intact

rodolfoams@badejo:~$ curl -1 --tlsv1.2 -v -E clientconc.pem https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000000
* Hostname was NOT found in DNS cache
* Trying 208.39.114.225...
* Connected to test-as.sgx.trustedservices.intel.com (208.39.114.225) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=test-as.sgx.trustedservices.intel.com
* start date: 2015-05-20 06:42:44 GMT
* expire date: 2016-11-10 06:42:44 GMT
* subjectAltName: test-as.sgx.trustedservices.intel.com matched
* issuer: C=US; ST=CA; L=Santa Clara; O=Intel Corporation; CN=Intel External Basic Issuing CA 3B
* SSL certificate verify ok.
> GET /attestation/sgx/v1/sigrl/00000000 HTTP/1.1
> User-Agent: curl/7.35.0
> Host: test-as.sgx.trustedservices.intel.com
> Accept: */*
>
< HTTP/1.1 404 Not Found
< request-id: be2f19cd7f7543f2abdddcec778d8677
< date: Tue, 09 Aug 2016 20:58:10 GMT
< transfer-encoding: chunked
< Connection: keep-alive
<
* Connection #0 to host test-as.sgx.trustedservices.intel.com left intact
Hi Rodolfo,
A point to be noted here is that the platform GID is to be sent as part of the GET request to IAS, not the Extended GID (which is 0 for now). The length of the GID is 8 digits, and the sample GID, which is 00000010, might not be a valid EPID group; hence you see the 404 Not Found error. Try using a valid GID to obtain a 200 OK response from IAS.
Thanks and Regards,
Surenthar Selvaraj
Hi Surenthar,
Thanks for the reply. So, a valid GID would be one present in the QUOTE?
The description of the QUOTE structure says that the GID is 4-bytes long, so it could possibly contain 10 digits instead of 7.
Thanks,
Rodolfo
UPDATE: I was able to retrieve the GID from the sgx_ra_get_msg1() command result, which is a sgx_ra_msg1_t, so I can use that GID to get the SigRL from IAS.
Note: I had to reverse the byte order to match the endianness expected by the IAS (e.g., 0x1 0x2 0x3 0x4 would become 0x4 0x3 0x2 0x1).
Rodolfo S. wrote:
Hi Surenthar,
Thanks for the reply. So, a valid GID would be one present in the QUOTE?
The description of the QUOTE structure says that the GID is 4-bytes long, so it could possibly contain 10 digits instead of 7.
Thanks,
Rodolfo
Yes, the quote structure contains a valid GID (4 bytes) along with many other parameters. Also, in the remote attestation process, before sending the GET request for the SigRL to IAS, the server receives the GID from the client application as part of Msg1.
The GID should be represented in Little Endian format and each byte is represented with 2 hex digits. Hence 4 bytes * 2 = 8 digits.
Hi Surenthar,
Do you know if there is anything wrong with the IAS test server? I'm getting a 404 NOT FOUND error when making a GET request with a valid GID (this is the same GID that I successfully used before), and a 400 BAD REQUEST when making a POST request with a valid QUOTE (this is the same QUOTE that I successfully used before).
Just to make sure, the GID that I get from Msg1 (when running in HW mode) is 0x4c060000 (Little-Endian), so the request I should make to retrieve the SigRL is: GET https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/0000064c
Am I correct?
Thanks,
Rodolfo Silva
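
The GID conversion discussed in the posts above, as an added example that is not part of the original thread or of Intel's sample code: it takes the 4 GID bytes in the order they appear in Msg1, reverses them, and formats the 8-hex-digit path component of the SigRL request. The function names are hypothetical; the URL prefix and the sample bytes are the ones quoted in the thread.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* URL prefix as quoted in the thread (IAS test server, API v1). */
#define IAS_SIGRL_PREFIX \
    "https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/"

/* Hypothetical helper: write the 4 GID bytes, given in Msg1 order
 * (little-endian), as 8 hex digits with the most significant byte first.
 * Returns 0 on success, -1 if the output buffer is too small. */
int gid_to_hex(const uint8_t gid[4], char *out, size_t out_len)
{
    if (out == NULL || out_len < 9)
        return -1;
    snprintf(out, out_len, "%02x%02x%02x%02x", gid[3], gid[2], gid[1], gid[0]);
    return 0;
}

/* Hypothetical check for a GID string taken from elsewhere: exactly 8 hex
 * digits. In the thread, the shorter value "0" was answered with 405. */
int gid_hex_is_well_formed(const char *s)
{
    if (s == NULL || strlen(s) != 8)
        return 0;
    for (size_t i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Build the full SigRL URL. Returns 0 on success, -1 on error. */
int build_sigrl_url(const uint8_t gid[4], char *url, size_t url_len)
{
    char hex[9];
    if (url == NULL || gid_to_hex(gid, hex, sizeof hex) != 0)
        return -1;
    int n = snprintf(url, url_len, "%s%s", IAS_SIGRL_PREFIX, hex);
    return (n > 0 && (size_t)n < url_len) ? 0 : -1;
}

int main(void)
{
    const uint8_t gid[4] = { 0x4c, 0x06, 0x00, 0x00 }; /* Msg1 bytes from the thread */
    char url[160];
    if (build_sigrl_url(gid, url, sizeof url) == 0)
        puts(url);
    return 0;
}
```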
Hi,
Which version of the SDK are you using for this attestation process? Intel® SGX Development Services will no longer support remote attestation quotes generated from Intel® Software Guard Extensions SDK v1.1 and associated Platform Software.
The Intel® Software Guard Extensions SDK v1.6 and associated Platform Software continues to support Intel® SGX Development Services since its release on July 07, 2016.
-Surenthar
Hi Surenthar,
As you correctly pointed out, I was using an unsupported version of the SDK and PSW (1.1). After updating it to the current release, I was able to successfully use the IAS test server again.
Thanks,
Rodolfo
Hi
I tested the command for connecting to IAS a few months ago, and it worked well for me:
curl -1 --tlsv1.2 -v -E bob_pfx.pem https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v1/sigrl/00000BCD
Today I tested it again, and it shows the error:
* Hostname was NOT found in DNS cache
* Trying 208.39.114.225...
* Connected to test-as.sgx.trustedservices.intel.com (208.39.114.225) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443
Does anyone know how to handle it? Thanks a lot.
Hi,
I am having the same issue as Chao:
* Unknown SSL protocol error in connection to test-as.sgx.trustedservices.intel.com:443
* Closing connection 0
Is there something going on with the IAS? Thanks a lot!
Kind Regards,
Elephant
Hi,
The IAS is back accepting connections at about 4pm GMT +8 (SG) today! What happened? It went down for more than 12 hours!
Kind Regards,
Elephant