intel / ehsm

An End-to-End Distributed and Scalable Cloud KMS (Key Management System) built on top of Intel SGX enclave-based HSM (Hardware Security Module), aka eHSM.

Home Page:https://community.intel.com/t5/Blogs/Tech-Innovation/open-intel/An-Intel-SGX-based-Hardware-Security-Module-backed-Key/post/1360130?wapkw=eHSM

verify_quote_with_file_and_policyId fails test

delassus opened this issue · comments

Running test_kms_with_cli.py, the last test, test_GenerateQuote_and_VerifyQuote(), fails
with the error `VerifyQuote failed, error message: Server exception`.
The failure happens in verify_quote_with_file_and_policyId(), where requests.post() returns false:

```python
import json
import requests

# Excerpt from verify_quote_with_file_and_policyId() in test_kms_with_cli.py;
# base_url, params and utils are defined in that file.
resp = requests.post(url=base_url + "VerifyQuote", data=json.dumps(params),
                     headers=utils.headers, verify=utils.use_secure_cert)
if not utils.check_result(resp, 'VerifyQuote'):
    return
```
Please note that all other tests in test_kms_with_cli.py pass successfully.
The machine is an ICX production server running Ubuntu 20.04.
ehsm runs inside a docker container.
pccs runs inside a docker container on the same machine as ehsm.
couchdb runs inside a docker container on the same machine as ehsm.

uploadQuotePolicy resp:
{"code":200,"message":"Upload quote policy success.","result":{"policyId":"f83f8acf-de50-4c74-8ab4-1dc332ca4b84"}}

==================== test_Verify_Quote_with_file_and_policy=======================
/home/hlassus/venv/lib/python3.9/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 'proxy-chain.intel.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
verify_quote req:
OrderedDict([('appid', '3a41f220-ab79-4572-8818-9cc306c2d6ad'), ('payload', OrderedDict([('quote', '[base64 quote omitted]'), ('nonce', 'bm9uY2UxMjM0NQ=='), ('policyId', '9579bd0b-989b-4707-bca1-e7323bf7cae4')])), ('timestamp', '1669158781595'), ('sign', '7I9AZkaUA96+MCkaOVcN/eH5yibo2K+8X2cjOUZX8L0=')])
VerifyQuote failed, error message: Server exception.

====================test_GenerateQuote_and_VerifyQuote end========================

More traces (printf added by me in the code)
c_ehsm_all | INFO [App/ehsm_napi.cpp(1558) -> NAPI_VerifyQuote]: NAPI_VerifyQuote
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_napi.cpp(1579) -> NAPI_VerifyQuote]: NAPI_VerifyQuote call VerifyQuote
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(960) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(997) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote call enclave_get_target_info()
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1006) -> VerifyQuote]: get target info successfully returned.
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1009) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote call sgx_qv_set_enclave_load_policy()
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1016) -> VerifyQuote]: sgx_qv_set_enclave_load_policy successfully returned.
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1019) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote call sgx_qv_get_quote_supplemental_data_size()
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1026) -> VerifyQuote]: sgx_qv_get_quote_supplemental_data_size successfully returned.
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1036) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote #1 call enclave_verify_quote_policy()
c_ehsm_all |
c_ehsm_all | INFO [App/ehsm_provider.cpp(1039) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote #2 call enclave_verify_quote_policy()
c_ehsm_all |
c_ehsm_all | mr_signer or mr_enclave is invalid!
c_ehsm_all | ERROR [App/ehsm_provider.cpp(1048) -> VerifyQuote]: core/App/ehsm_provider.cpp VerifyQuote #3 enclave_verify_quote_policy() return NOT_SGX_SUCCESS

For verify_quote_with_file_and_policyId, mr_signer and/or mr_enclave are invalid.
For verify_quote_with_file, mr_signer and mr_enclave were valid.

After adding more traces I figured out that mr_signer is valid but mr_enclave is invalid.

mr_enclave is invalid! 62305561dc6cbf05cb4fddead7a78f5d4cb74fbda395c07f4d5b537a511b25f3
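
To see which measurement a policy check rejects (the eHSM log above only says "mr_signer or mr_enclave is invalid!"), here is an added example that is not eHSM's own enclave_verify_quote_policy(): it reads mr_enclave and mr_signer from a base64 DCAP quote at the sgx_quote3_t / sgx_report_body_t offsets and compares them with the stored policy, returning the names of the fields that mismatch. The QuotePolicy shape and the mr_signer / policy values are constructed for the example, and the check covers only the policy comparison, not the signature and collateral verification that sgx_qv_verify_quote() performs.

```python
import base64
import struct
from dataclasses import dataclass

# Offsets assume a DCAP v3 quote: 48-byte sgx_quote3_t header followed by the
# 384-byte sgx_report_body_t. Inside the report body mr_enclave starts at 64
# (after cpu_svn, misc_select, reserved1, isv_ext_prod_id, attributes) and
# mr_signer at 128 (after mr_enclave and reserved2).
QUOTE_HEADER_LEN = 48
REPORT_BODY_LEN = 384
MR_ENCLAVE_OFF = QUOTE_HEADER_LEN + 64
MR_SIGNER_OFF = QUOTE_HEADER_LEN + 128

# mr_enclave value reported in the issue above; the other two are constructed samples.
REPORTED_MR_ENCLAVE = "62305561dc6cbf05cb4fddead7a78f5d4cb74fbda395c07f4d5b537a511b25f3"
SAMPLE_MR_SIGNER = "11" * 32
POLICY_MR_ENCLAVE = "22" * 32


@dataclass
class QuotePolicy:  # hypothetical shape of an uploaded quote policy
    policy_id: str
    mr_enclave: str  # 64 hex chars
    mr_signer: str   # 64 hex chars


def extract_measurements(quote_b64: str) -> dict:
    """Return mr_enclave and mr_signer (hex) from a base64-encoded DCAP quote."""
    raw = base64.b64decode(quote_b64)
    if len(raw) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short for an sgx_quote3_t with report body")
    return {
        "mr_enclave": raw[MR_ENCLAVE_OFF:MR_ENCLAVE_OFF + 32].hex(),
        "mr_signer": raw[MR_SIGNER_OFF:MR_SIGNER_OFF + 32].hex(),
    }


def check_quote_policy(quote_b64: str, policy: QuotePolicy) -> list:
    """Names of the measurements that do not match the policy; empty list means pass."""
    m = extract_measurements(quote_b64)
    failures = []
    if m["mr_signer"] != policy.mr_signer.lower():
        failures.append("mr_signer")
    if m["mr_enclave"] != policy.mr_enclave.lower():
        failures.append("mr_enclave")
    return failures


def build_test_quote(mr_enclave_hex: str, mr_signer_hex: str) -> str:
    """Constructed, unsigned quote carrying the given measurements (test input only)."""
    header = struct.pack("<HH4sHH16s20s", 3, 2, b"\0" * 4, 0, 0, b"\0" * 16, b"\0" * 20)
    body = bytearray(REPORT_BODY_LEN)
    body[64:96] = bytes.fromhex(mr_enclave_hex)
    body[128:160] = bytes.fromhex(mr_signer_hex)
    return base64.b64encode(header + bytes(body)).decode()
```

Run against a quote whose mr_enclave is the one from the issue and a policy uploaded with a different build's mr_enclave, the check reports exactly `["mr_enclave"]`, which is the one-line diagnostic the extra printf traces above had to supply.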

The fix was merged several days ago.
Please sync the latest code and try again.
Thanks.