Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Question on the verification of x-iasreport-signature

Eliad_T_
Beginner
499 Views

Hi,
I'm trying to communicate with IAS (version 2) and to verify the signature of the IAS response.
In the response I received, I got response status 200 (operation successful) and I looked on the header field x-iasreport-signature which should be a base64 encoded signature over the body.  The length of the encoded signature I received was 344 bytes => the length of the signature (after the base64 decoding) is 256 bytes.
Now, I want to verify the signature using the public key in AttestationReportSigningCACert.pem. Using the commands
openssl x509 -in AttestationReportSigningCACert.pem -pubkey -noout > key.pem 
openssl rsa -in key.pem -pubin -text -noout
I saw that your public key is 3072 bits (384 bytes) => I expect that the signature will also be 384 bytes, but the signature is only 256 bytes.
What am I missing?

Thanks,
Eliad.

0 Kudos
2 Replies
Eliad_T_
Beginner
499 Views

Eventually I understood what I did wrong.

The 3072 bit public key in AttestationReportSigningCACert.pem is only intended for verifiying x-iasreport-signing-certificate, which is another header field of the IAS response. The public key in x-iasreport-signing-certificate is 2048 bit (i.e 256 bytes) and this should be the public key that needed for verifying x-iasreport-signature.

Eliad.

0 Kudos
Hoang_N_Intel
Employee
499 Views

This is correct. Thanks for a clear summary.

0 Kudos
Reply