A utility and library for extracting and validating Intel SGX quotes embedded in X.509 certificates. Available as both a C library with command-line tool and a Go library.
This tool and library are designed to:
- Load X.509 certificates that contain SGX quotes
- Extract the SGX quote extension (OID 1.3.6.1.4.1.311.105.1)
- Parse and display key fields from the quote
- Perform complete chain of trust verification, including:
- TLS certificate → SGX enclave (via public key hash in report data)
- SGX enclave → Intel attestation service (via quote signature)
- Intel attestation service → trusted root CAs (via certificate chain)
The primary feature of this library is its comprehensive verification of the entire trust chain:
TLS Certificate ⟶ SGX Enclave ⟶ Intel Attestation Service ⟶ Trusted CA Roots
│ │ │ │
│ │ │ │
Public Key Hash ┌─────────────┐ Quote Signature Certificate Chain
matches Report │ Genuine SGX │ verification verification
Data │ Enclave │ │
│ └─────────────┘ │
└───────────────┬─────────────────────────────────────────
│
VALIDATED
SECURE CHANNEL
This end-to-end verification ensures:
-
TLS Certificate Trust: The public key of the TLS certificate matches the hash in the SGX quote's report data, proving the enclave signed the certificate
-
Enclave Integrity: The enclave's identity (MRENCLAVE/MRSIGNER) is verified and can be validated against expected values
-
Intel Attestation: The quote is properly signed by Intel's Quoting Enclave (QE) using a valid attestation key
-
Root of Trust: The complete certificate chain from the PCK certificates to Intel's trusted CA roots is verified
Intel SGX (Software Guard Extensions) provides a hardware-based trusted execution environment that enables secure code execution, even in untrusted environments. A key feature of SGX is remote attestation, which allows a remote party to verify the identity and integrity of an SGX enclave.
The remote attestation process involves:
- An enclave generates a report that includes its identity (MRENCLAVE, MRSIGNER) and hash of the TLS certificate's public key
- This report is signed by the Intel Quoting Enclave, creating a quote
- The quote is embedded in an X.509 certificate extension
- The certificate is used in a TLS connection
By integrating this verification into a TLS handshake, you can establish a secure, attested connection to an SGX enclave, ensuring that you're communicating with a genuine and unmodified enclave within an SGX-enabled CPU.
./echeck [OPTIONS] <certificate.pem>
Where:
certificate.pem: The X.509 certificate containing an SGX quote to be verified
-h, --help: Display help message-v, --verbose: Enable verbose output (prints detailed verification info)-q, --quiet: Quiet mode (only errors will be printed, success is silent)-r, --raw: Output in machine-readable format (key=value)--mrenclave=<hash>: Verify the SGX quote has the specified MRENCLAVE value (64 hex characters)--mrsigner=<hash>: Verify the SGX quote has the specified MRSIGNER value (64 hex characters)
Standard mode:
$ ./echeck test/sample.pem
SGX quote verification successful
Verbose mode:
$ ./echeck -v test/sample.pem
Certificate public key hash verified: 4f1ea6825b7a95d4dc0f9b6929a91b66c5fcaa9ef3078afe48f0c02cde48b13a
SGX Quote verification successful
MRENCLAVE: df2493c11fc01708af6913323b64e20ae84b12779dbe44ba428da66dfc4488f5
MRSIGNER: 976aa9f931b8a16e01e01895d627e3ee96dce5478ebbbc77e120a25c79fe6016
ISV Product ID: 1
ISV SVN: 1
Raw mode (machine readable):
$ ./echeck -r test/sample.pem
mrenclave=df2493c11fc01708af6913323b64e20ae84b12779dbe44ba428da66dfc4488f5
mrsigner=976aa9f931b8a16e01e01895d627e3ee96dce5478ebbbc77e120a25c79fe6016
version=3
signtype=2
isvprodid=1
isvsvn=1
For detailed C API examples including TLS integration, measurement verification, and error handling, see API_EXAMPLES.md.
go get github.com/KarpelesLab/echeckFor detailed Go API examples including quote extraction, verification, measurement checking, certificate chain validation, and HTTP client integration, see API_EXAMPLES.md.
int echeck_initialize(void)
Initialize the OpenSSL library. Call this before using any other functions.
void* echeck_load_certificate(const char *file_path)
Load an X.509 certificate from a PEM file.
echeck_quote_t* echeck_extract_quote(void *cert)
Extract an SGX quote from a certificate.
int echeck_verify_quote(void *cert, echeck_quote_t *quote, echeck_verification_result_t *result)
Perform full end-to-end chain of trust verification of an SGX quote against its certificate.
int echeck_verify_quote_measurements(echeck_quote_t *quote, const uint8_t *expected_mrenclave, const uint8_t *expected_mrsigner)
Verify the MRENCLAVE and/or MRSIGNER values of a quote against expected values.
QuoteInfo - Contains essential measurements extracted from an SGX quote:
MREnclave [32]byte- MRENCLAVE valueMRSigner [32]byte- MRSIGNER valueISVProdID uint16- ISV Product IDISVSVN uint16- ISV SVN (Security Version Number)ReportData [64]byte- Report data from the quote
Error Types:
ErrReportDataMismatch- Report data doesn't match certificate's public key hashErrInvalidQuoteFormat- Quote format or version is invalidErrCertChainVerification- Certificate chain verification failed
ExtractQuote(cert *x509.Certificate) (*Quote, error)
Extracts an SGX quote from an X.509 certificate.
VerifyQuote(cert *x509.Certificate, quote *Quote) error
Performs comprehensive verification of an SGX quote against its certificate.
GetIntelSGXCertPool() (*x509.CertPool, error)
Returns a certificate pool pre-initialized with Intel's SGX Root CA.
The tool extracts and displays the following fields from SGX quotes:
- Version: The SGX quote format version
- Signature Type: The type of signature used
- QE SVN: Quoting Enclave Security Version Number
- PCE SVN: Provisioning Certification Enclave Security Version Number
- MR_ENCLAVE: A hash of the enclave measurement (code + data)
- MR_SIGNER: A hash of the enclave signer's public key
- ISV Product ID: The Independent Software Vendor's product ID
- ISV SVN: The Independent Software Vendor's Security Version Number
-
Complete End-to-End Chain of Trust Verification:
- TLS certificate to SGX enclave (via report data verification)
- SGX enclave to Intel attestation service (via signature verification)
- Intel attestation service to trusted CA roots (via certificate chain verification)
-
Full ECDSA Signature Verification:
- Complete cryptographic verification of quote signatures
- Attestation key extraction and validation
- Quote hash computation and verification
-
Certificate Chain Verification:
- Complete certificate chain verification against Intel SGX Root CA
- PCK certificate extraction and validation
- Built-in Intel SGX Root CA for certificate chain verification
-
Report Data Validation:
- Cryptographic verification of certificate's public key hash against quote report data
- Zero-padding validation for report data integrity
- C Library: Cross-platform support (Linux, macOS, Windows) with both static and runtime OpenSSL linking
- Go Library: Pure Go implementation with standard library cryptography
- GitHub Actions: Automated builds for all supported platforms
- Verbose mode for detailed output
- Quiet mode for scripting
- Raw output mode for machine parsing
- Verification of specific MRENCLAVE/MRSIGNER values
- BUILD.md - Detailed build instructions for both C and Go libraries
- API_EXAMPLES.md - Comprehensive API examples and usage patterns
The library implements a rigorous multi-step verification process to ensure the complete chain of trust:
- Computes SHA-256 hash of the TLS certificate's public key
- Verifies this hash matches the first 32 bytes of the quote's report data
- Validates zero-padding in remaining report data bytes
- Establishes the link between TLS certificate and SGX enclave
- Validates the quote's structure and format
- Checks MRENCLAVE and MRSIGNER values are properly formed
- Verifies all required fields in the quote structure
- Extracts the attestation public key from the quote
- Computes SHA-256 hash of quote data for signature verification
- Verifies the quote's ECDSA signature using P-256 curve
- Ensures the quote was genuinely signed by Intel's Quoting Enclave
- Extracts the PCK certificate chain from the quote signature data
- Validates the complete chain against Intel's trusted CA roots
- Verifies signatures, validity periods, and certificate purposes
- Establishes root of trust back to Intel CA
- Validates that the attestation key can be properly extracted
- Ensures the key is a valid ECDSA key on the P-256 curve
- Verifies key extractability and format compliance
A quote is only considered valid when ALL verification steps pass, providing cryptographic guarantees at every step of the chain.
The command-line tool follows standard Unix exit code conventions:
0: Success (quote verification passed)1: Error (verification failed, invalid parameters, etc.)
This makes it suitable for use in scripts and automated workflows.
- The tool doesn't verify the quote against Intel Attestation Services (IAS) for online verification
- It doesn't perform revocation checking on certificates
- Currently focuses on ECDSA Quote v3 format
- Integration with Intel Attestation Services for online verification
- Certificate revocation checking via OCSP or CRLs
- Support for custom verification policies
- Expanded API for more fine-grained control over verification process
- Support for additional SGX quote formats and versions
This project is licensed under the MIT License - see the LICENSE file for details.