Solved: Hello user14,

user14 · ‎06-10-2020

I'm implementing a basic remote attestation, but getting the 400 Bad request from IAS. I am using a valid SPID from IAS. What might be the issue here?

+++ IAS Primary Subscription Key set to '1479........................35a9'
+++ IAS Secondary Subscription Key set to 'd51e........................389c'
+++ Using default CA bundle /etc/ssl/certs/ca-certificates.crt
Using default private key
+++ using private key:
+++ IAS Subscription Key[0]:   '1479..............................35a9'
+++ IAS Subscription Key[0] (Hex):   31343..................6433356139
+++ One-time pad:           00538...................................bd4d5
+++ Encrypted Subscription Key[0]:   3167bad215............................8eb5ec

+++ IAS Subscription Key[1]:   'd51ef315................7dc389c'
+++ IAS Subscription Key[1] (Hex):   64353165..............353137646333383963
+++ One-time pad:           f894c3691...................b4660ea9d3
+++ Encrypted Subscription Key[1]:   9ca1f20c7................aaa4cff2f3d7553690b0
Listening for connections on port 7777
Waiting for a client to connect...
Connection from 127.0.0.1
Waiting for msg0||msg1
+++ read 145 bytes from socket
---- read buffer -----------------------------------------------------------
0000000098c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea513da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db9df0a0000
----------------------------------------------------------------------------
---- Msg0 Details (from Client) --------------------------------------------
msg0.extended_epid_group_id = 0
----------------------------------------------------------------------------
---- Msg1 Details (from Client) --------------------------------------------
msg1.g_a.gx = 98c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea51
msg1.g_a.gy = 3da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db9
msg1.gid = df0a0000
----------------------------------------------------------------------------
+++ generating session key Gb
+++ deriving KDK
+++ shared secret= e930773f9d30d422865b128a41a49f6785ab8c224d764b69d215040c72110722
+++ reversed = 220711720c0415d2694b764d228cab85679fa4418a125b8622d4309d3f7730e9
+++ KDK = e44fc365fa24046d02e759b6b492aeb5
+++ deriving SMK
+++ SMK = bc2c9846a515cc47bce7a0c29e52e3d4
+++ Trying agent_wget
---- IAS sigrl HTTP Request ------------------------------------------------
HTTP GET https://api.trustedservices.intel.com/sgx/dev/attestation/v3/sigrl/00000adf
----------------------------------------------------------------------------
+++ Reconstructed Subscription Key:   '1479e....................35a9'
+++ IAS Subscription Key (Hex):       3134373965........................433356139
+++ One-time pad:           40a509c38...................a1d1a0786
+++ Encrypted SubscriptionKey:       71913efa............................bd5f6e2e2f66bf
+++ Exec: wget --output-document=- --save-headers --content-on-error --no-http-keep-alive --header=Ocp-Apim-Subscription-Key: 1479e.................d35a9 https://api.trustedservices.intel.com/sgx/dev/attestation/v3/sigrl/00000adf
--2020-06-10 17:31:37-- https://api.trustedservices.intel.com/sgx/dev/attestation/v3/sigrl/00000adf
Resolving api.trustedservices.intel.com (api.trustedservices.intel.com)... 40.87.90.88
Connecting to api.trustedservices.intel.com (api.trustedservices.intel.com)|40.87.90.88|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0
Saving to: ‘STDOUT’
- [ <=> ] 0 --.-KB/s in 0s
2020-06-10 17:31:37 (0.00 B/s) - written to stdout [0/0]

---- IAS sigrl HTTP Response -----------------------------------------------
HTTP/1.1 200 OK
Content-Length: 0
Request-ID: 8edc242e5b964f02b923c6485457aaf6
Date: Wed, 10 Jun 2020 23:31:37 GMT
Connection: close

----------------------------------------------------------------------------
+++ RET = 94673368359048
, ret+++ SubscriptionKeyID = 0
+++ GbGa = fb1440155c43a34c2bcb2783c443343976c2766fc20fbeeabef876d4a2fe6ad72961e3c8d7b2633cf324fc2f3c0048a97844353577961ae7ee29530bcf2e44d198c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea513da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db9
+++ sha256(GbGa) = 9dc9d5f08514d5720198af6e1a377f8033f880cf058e77202afd2ff3485cdecf
+++ r = 68903a85627d0e68a173d00d4c203a5683022b7a68aca65866be6dd0dc61df40
+++ s = f52db39c222ed09ab2bde97516d66f8c738be65bcbaff262f2e66a9361030793
---- Msg2 Details ----------------------------------------------------------
msg2.g_b.gx = fb1440155c43a34c2bcb2783c443343976c2766fc20fbeeabef876d4a2fe6ad7
msg2.g_b.gy = 2961e3c8d7b2633cf324fc2f3c0048a97844353577961ae7ee29530bcf2e44d1
msg2.spid = 60bf489aefae6bf6d996ba26e9ff9f6f
msg2.quote_type = 0000
msg2.kdf_id = 0100
msg2.sign_ga_gb = 40df61dcd06dbe6658a6ac687a2b0283563a204c0dd073a1680e7d62853a906893070361936ae6f262f2afcb5be68b738c6fd61675e9bdb29ad02e229cb32df5
msg2.mac = 32ab29ca5187e05c4aa5c1a6a06d22fb
msg2.sig_rl_size = 00000000
----------------------------------------------------------------------------
---- Copy/Paste Msg2 Below to Client ---------------------------------------
fb1440155c43a34c2bcb2783c443343976c2766fc20fbeeabef876d4a2fe6ad72961e3c8d7b2633cf324fc2f3c0048a97844353577961ae7ee29530bcf2e44d160bf489aefae6bf6d996ba26e9ff9f6f0000010040df61dcd06dbe6658a6ac687a2b0283563a204c0dd073a1680e7d62853a906893070361936ae6f262f2afcb5be68b738c6fd61675e9bdb29ad02e229cb32df532ab29ca5187e05c4aa5c1a6a06d22fb00000000
----------------------------------------------------------------------------
Waiting for msg3
+++ read 2905 bytes from socket
---- read buffer -----------------------------------------------------------
6e2b2185a196610b52698faf9fc171a298c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea513da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db90000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000df0a0000080007000000000060bf489aefae6bf6d996ba26e9ff9f6f6b5347d0e2ff7011fbd496fab452a558040effffff020000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000070000000000000019b1acb2f7df16b641abb764363ebd237fd31168dae8b319408ba5619ce0227a000000000000000000000000000000000000000000000000000000000000000083d719e77deaca1470f6baf62a4d774303c899db69020f9c70ee1dfc08c7ce9e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000efee3534426770f9655c71e2adce102c284691d4f6a54d4bbc5ca958476347100000000000000000000000000000000000000000000000000000000000000000a802000000bb4e7540d74711881e67a8ae0831ca3737ce4ad51a2422277f06c07903ee978ff374c7cb030adb3d24054b258946e405e2a1a8901de89323a93204f8cca9ddfc839a4574d894ca84e7a56b5409f8ae224759b303b2903983ace8702cf1a21dccb023930560541ad30278ad835a0e95ca30eef1c0cee517fa7244edec03e5e0bbc241e8165964f56b9d9615737a090c51e9f0ed78e811604786a3ccc6800dd5dbb2ad196eaad4e55d5d2fcd30eb60621ed032ba547f536cc432d4eca300d9ab0a4839aa51c0a87b976165277a6c873022310a84897897fcd2a1303dfd1d80de43606a839232d8dad4f96b325737edc867701ace8dc03455f82ba235711582c84b90215e60eae3272aa6c8e365ed93d18190e29248fc4573202158b862b12627129a48d0163b3874a32021bf68010000e493f257beca1018861a378ec0bbe34bda982630fcc9048301f86535e2a57f8e3138a1cf916ee6a7a12b944f9312e2771ab36b2e75a8da7890f353688021c37bf7c0bd44f489fdccc0b1b0ba287a2062843251f1290aac93f9d6b7da7e3d387b19ee9db890abb42e5bce0a3c7285480aaf282123ccf125af7178e94c616f6195a592ba51a362dc9a2e0ca75584cdcfc56c6e9d25a3a1848f4c5cd98d561f827e7bd3bdf1a3d75ea89be76abb78fa56757498fbcbcafa62db651b534bcf6fbba780be0872f02887e86d8e532aeadfedc01271676ba97b18e0fcd7a376e69601fcde1eddd3d0cf71f5f061d8490e5a49db6e22778168fcf94af79c19b43a5c02e6a7f2c42fa6a8a12fa7fceb7ad75619e5d9fa958d87d8f9ca54b78beefdc3ad537fe1f9ded97a044f2fd321a321babbf8e6791571936d6e3a9ea2194ac1d10e0bf88695f57258ac31f9c60e421fad969faa4517845c22b804e5c3956177b21ca07d5f3bb4d8f3996fcd79a36ca6e3555a53b8bd78e8f72c28
----------------------------------------------------------------------------
+++ read 2904 bytes
+++ quote_sz= 1116 bytes
+++ Verifying msg3.g_a matches msg1.g_a
msg1.g_a.gx = 98c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea51
msg1.g_a.gy = 3da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db9
msg3.g_a.gx = 98c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea51
msg3.g_a.gy = 3da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db9
+++ Validating MACsmk(M)
msg3.mac = 6e2b2185a196610b52698faf9fc171a2
calculated = 6e2b2185a196610b52698faf9fc171a2
---- Msg3 Details (from Client) --------------------------------------------
msg3.mac = 6e2b2185a196610b52698faf9fc171a2
msg3.g_a.gx = 98c8f2ee693b4f4b82bc25a2e95a91a60696156c1227445092a128f67c75ea51
msg3.g_a.gy = 3da2ec2be70497b5d54c66eba80e06f87bd988b46ee9e0c3f3954fd1392c2db9
msg3.ps_sec_prop = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
msg3.quote.version = 0200
msg3.quote.sign_type = 0000
msg3.quote.epid_group_id = df0a0000
msg3.quote.qe_svn = 0800
msg3.quote.pce_svn = 0700
msg3.quote.xeid = 00000000
msg3.quote.basename = 60bf489aefae6bf6d996ba26e9ff9f6f6b5347d0e2ff7011fbd496fab452a558
msg3.quote.report_body = 040effffff020000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000070000000000000019b1acb2f7df16b641abb764363ebd237fd31168dae8b319408ba5619ce0227a000000000000000000000000000000000000000000000000000000000000000083d719e77deaca1470f6baf62a4d774303c899db69020f9c70ee1dfc08c7ce9e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000efee3534426770f9655c71e2adce102c284691d4f6a54d4bbc5ca958476347100000000000000000000000000000000000000000000000000000000000000000
msg3.quote.signature_len = a8020000
msg3.quote.signature = 00bb4e7540d74711881e67a8ae0831ca3737ce4ad51a2422277f06c07903ee978ff374c7cb030adb3d24054b258946e405e2a1a8901de89323a93204f8cca9ddfc839a4574d894ca84e7a56b5409f8ae224759b303b2903983ace8702cf1a21dccb023930560541ad30278ad835a0e95ca30eef1c0cee517fa7244edec03e5e0bbc241e8165964f56b9d9615737a090c51e9f0ed78e811604786a3ccc6800dd5dbb2ad196eaad4e55d5d2fcd30eb60621ed032ba547f536cc432d4eca300d9ab0a4839aa51c0a87b976165277a6c873022310a84897897fcd2a1303dfd1d80de43606a839232d8dad4f96b325737edc867701ace8dc03455f82ba235711582c84b90215e60eae3272aa6c8e365ed93d18190e29248fc4573202158b862b12627129a48d0163b3874a32021bf68010000e493f257beca1018861a378ec0bbe34bda982630fcc9048301f86535e2a57f8e3138a1cf916ee6a7a12b944f9312e2771ab36b2e75a8da7890f353688021c37bf7c0bd44f489fdccc0b1b0ba287a2062843251f1290aac93f9d6b7da7e3d387b19ee9db890abb42e5bce0a3c7285480aaf282123ccf125af7178e94c616f6195a592ba51a362dc9a2e0ca75584cdcfc56c6e9d25a3a1848f4c5cd98d561f827e7bd3bdf1a3d75ea89be76abb78fa56757498fbcbcafa62db651b534bcf6fbba780be0872f02887e86d8e532aeadfedc01271676ba97b18e0fcd7a376e69601fcde1eddd3d0cf71f5f061d8490e5a49db6e22778168fcf94af79c19b43a5c02e6a7f2c42fa6a8a12fa7fceb7ad75619e5d9fa958d87d8f9ca54b78beefdc3ad537fe1f9ded97a044f2fd321a321babbf8e6791571936d6e3a9ea2194ac1d10e0bf88695f57258ac31f9c60e421fad969faa4517845c22b804e5c3956177b21ca07d5f3bb4d8f3996fcd79a36ca6e3555a53b8bd78e8f72c28
---- Enclave Quote (base64) ==> Send to IAS --------------------------------
AgAAAN8KAAAIAAcAAAAAAGC/SJrvrmv22Za6Jun/n29rU0fQ4v9wEfvUlvq0UqVYBA7///8CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwAAAAAAAAAHAAAAAAAAABmxrLL33xa2Qau3ZDY+vSN/0xFo2uizGUCLpWGc4CJ6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACD1xnnferKFHD2uvYqTXdDA8iZ22kCD5xw7h38CMfOngAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADv7jU0Qmdw+WVcceKtzhAsKEaR1PalTUu8XKlYR2NHEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAqAIAAAC7TnVA10cRiB5nqK4IMco3N85K1RokIid/BsB5A+6Xj/N0x8sDCts9JAVLJYlG5AXioaiQHeiTI6kyBPjMqd38g5pFdNiUyoTnpWtUCfiuIkdZswOykDmDrOhwLPGiHcywI5MFYFQa0wJ4rYNaDpXKMO7xwM7lF/pyRO3sA+Xgu8JB6BZZZPVrnZYVc3oJDFHp8O146BFgR4ajzMaADdXbsq0ZbqrU5V1dL80w62BiHtAyulR/U2zEMtTsowDZqwpIOapRwKh7l2FlJ3pshzAiMQqEiXiX/NKhMD39HYDeQ2Bqg5Iy2NrU+WsyVzftyGdwGs6NwDRV+CuiNXEVgshLkCFeYOrjJyqmyONl7ZPRgZDikkj8RXMgIVi4YrEmJxKaSNAWOzh0oyAhv2gBAADkk/JXvsoQGIYaN47Au+NL2pgmMPzJBIMB+GU14qV/jjE4oc+RbuanoSuUT5MS4ncas2sudajaeJDzU2iAIcN798C9RPSJ/czAsbC6KHogYoQyUfEpCqyT+da32n49OHsZ7p24kKu0LlvOCjxyhUgKryghI8zxJa9xeOlMYW9hlaWSulGjYtyaLgynVYTNz8Vsbp0lo6GEj0xc2Y1WH4J+e9O98aPXXqib52q7ePpWdXSY+8vK+mLbZRtTS89vu6eAvghy8CiH6G2OUyrq3+3AEnFna6l7GOD816N25pYB/N4e3dPQz3H18GHYSQ5aSdtuIneBaPz5SvecGbQ6XALmp/LEL6aooS+n/Ot611YZ5dn6lY2H2PnKVLeL7v3DrVN/4fne2XoETy/TIaMhurv45nkVcZNtbjqeohlKwdEOC/iGlfVyWKwx+cYOQh+tlp+qRReEXCK4BOXDlWF3shygfV87tNjzmW/NeaNspuNVWlO4vXjo9ywo
----------------------------------------------------------------------------
+++ Validating quote's epid_group_id against msg1
msg1.egid = df0a0000
msg3.quote.epid_group_id = df0a0000
+++ Trying agent_wget
---- IAS report HTTP Request -----------------------------------------------
HTTP POST https://api.trustedservices.intel.com/sgx/dev/attestation/v3/report
----------------------------------------------------------------------------
+++ POST data written to /tmp/wgetpostd9DUSM
+++ Reconstructed Subscription Key:   '1479e.................cd35a9'
+++ IAS Subscription Key (Hex):       31343...........636433356139
+++ One-time pad:           40a509c3.............0a1d1a0786
+++ Encrypted SubscriptionKey:       71913efaed..................cbd5f6e2e2f66bf
+++ Exec: wget --output-document=- --save-headers --content-on-error --no-http-keep-alive --header=Ocp-Apim-Subscription-Key: 1479e...............cd35a9 --header=Content-Type: application/json --post-file=/tmp/wgetpostd9DUSM https://api.trustedservices.intel.com/sgx/dev/attestation/v3/report
--2020-06-10 17:31:37-- https://api.trustedservices.intel.com/sgx/dev/attestation/v3/report
Resolving api.trustedservices.intel.com (api.trustedservices.intel.com)... 40.87.90.88
Connecting to api.trustedservices.intel.com (api.trustedservices.intel.com)|40.87.90.88|:443... connected.
HTTP request sent, awaiting response... 400 Bad Request
Saving to: ‘STDOUT’
- [ <=> ] 0 --.-KB/s in 0s
2020-06-10 17:31:38 ERROR 400: Bad Request.

---- IAS report HTTP Response ----------------------------------------------
HTTP/1.1 400 Bad Request
Content-Length: 0
Request-ID: 2206cea68bcb4cd8be2347d000172a4a
Date: Wed, 10 Jun 2020 23:31:37 GMT
Connection: close

----------------------------------------------------------------------------
attestation query returned 400:
Invalid payload
Attestation failed
error processing msg3
Waiting for a client to connect...

JesusG_Intel · ‎06-24-2020

Hello Tarun,

The reason you are getting the 400 bad request error is that you are using a Linkable Attestation Service subscription with an unlinkable quote. You need to generate the same type of quote as the subscription SPID/Key out at IAS. When you subscribe to IAS, you choose one other the other. You are generating one type, but trying to verify using a subscription SPID/Key to the other type.

Check the API for sgx_get_quote in the Intel SGX Developer Reference Guide for your OS.

sgx_get_quote

sgx_get_quote generates a linkable or un-linkable QUOTE.

Syntax

sgx_status_t sgx_get_quote(

const sgx_report_t *p_report,

sgx_quote_sign_type_t quote_type,

const sgx_spid_t *p_spid,

const sgx_quote_nonce_t *p_nonce,

const uint8_t *p_sig_rl,

uint32_t sig_rl_size,

sgx_report_t *p_qe_report,

sgx_quote_t *p_quote,

uint32_t quote_size

);

quote_type [in]

SGX_UNLINKABLE_SIGNATURE for unlinkable quote or SGX_LINKABLE_

SIGNATURE for linkable quote.

View solution in original post

JesusG_Intel · ‎06-11-2020

Hello user14,

We need to check the Intel backend for why your transaction is failing. Unfortunately, we will not be able to get you a response until next week. Please stay tuned and I'll get back to you as soon as I have an answer.

Regards,

user14 · ‎06-21-2020

A gentle reminder. Let me know when you have an answer.

JesusG_Intel · ‎06-24-2020