Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Beginner
17 Views

sgx_ecc256_check_point - not valid

Hey,

i have a problem with Ecc-crypto. I generate a public key, signature etc. with a TPM. The TPM can verify that signature, and everything works fine. In SGX i cant verify this signature. So i checked the output of the sgx_ecc256_check_point command and its saying "not valid". Anyone a idea it is not valid or whats the main error sources in the case. I read the public key px and py from a file in the untrusted app and transfer it to the enclave. The TPM uses the exactly same x and y internally and it works. Also a sample code for the ECDSA commands would be helpful!

 

Thanks

0 Kudos
4 Replies
Highlighted
17 Views

Hi,

sgx_ecc256_check_point validates whether the input point is a valid point on the ECC curve for the given cryptographic system. sgx_ecc256_open_ context must be called to allocate and initialize the ECC context prior to making this call. The typical validation result is one of the two values:

  • 1 - The input point is valid
  • 0 – The input point is not valid

So your input point is not valid on the ECC curve for the given cryptographic system. For more information please check the user guide Page-251 in https://software.intel.com/sites/default/files/managed/b4/cf/Intel-SGX-SDK-Developer-Reference-for-W...

-Surenthar

- Surenthar Selvaraj
0 Kudos
Highlighted
Beginner
17 Views

Yes, i know the docu :) Have solved the problem on my own. TPM, saves some data as little endian and some data als big endian. Have to convert to big endian in little because SGX whats little endian.

0 Kudos
Highlighted
17 Views

Hi,

I would suggest that check the endianness of the px and py retrieved from the TPM.  The sgx_ecc256_check_point expects the inputs in little endian.  If the TPM outputs as big endian, you need the byte order reversed:

 

    /** Checks whether the input point is a valid point on the given elliptic curve.

  • Parameters:

  • Return: sgx_status_t - SGX_SUCCESS or failure as defined sgx_error.h

  • Inputs: sgx_ecc_state_handle_t ecc_handle - Handle to ECC crypto system

  •          sgx_ec256_public_t *p_point - Pointer to perform validity check on - LITTLE ENDIAN

  • Output: int *p_valid - Return 0 if the point is an invalid point on ECC curve

     */

-Surenthar

- Surenthar Selvaraj
0 Kudos
Highlighted
Beginner
17 Views

Selvaraj, Surenthar wrote:

Hi,

I would suggest that check the endianness of the px and py retrieved from the TPM.  The sgx_ecc256_check_point expects the inputs in little endian.  If the TPM outputs as big endian, you need the byte order reversed

 

Yes, right. Now p_public, p_private, p_data are the right values. I can sign something with that structs as input and verify it as valid (with sgx commands). But i wanna verify the TPMs signature and not sgx-generated. The problem is: if i import that signature and put it to the verify function, i get SGX_EC_INVALID_SIGNATURE. So i think my import mechanism from my signature-file to the sgx_ec256_signature_t (x, y)-array is not correct. The difference between something like p_public (respectively sgx_ec256_public_t) and p_signature (resp. sgx_ec256_signature_t) is that x and y (gx gy) are uint32_t on the signature struct (on p_public unit8_t)

 

 

So my question is: i have i big-endian coded file, how can i import it correct to that uint32_t type?

Here is a code example for p_signature:

sgx_ec256_signature_t *p_signature = (sgx_ec256_signature_t *) malloc(sizeof(sgx_ec256_signature_t));
data = fopen("/home/xxxxxxxxxxxxx/signature-X-big-endian.txt", "rb");
fseek(data, 0, SEEK_SET);
fread(signature.x, 32, 1, data);
fclose(data);

big_to_little_endian(signature.x) //32 bytes order reversed

//same for signature.y.....

//verify....

 

 

0 Kudos