Enable new key formats on gramine-ratls

[dzobbe]

Hi folks,

Just a minor thing. I have been struggling with Vault in letting it loading certs generated by gramine-ratls. At the end I discovered that it didn't like the enhanced cert format (i.e., "BEGIN TRUSTED CERTIFICATE"). I tried with DER but it didn't help. At the end, I discovered that by just changing the header (using the typical "BEGIN CERTIFICATE") Vault was able to load the certificate and the ratls-mbedtls client was also able to verify the quote.
Maybe you can enable an option to generate certs by keeping the standard header.

Cheers

[dimakuv]

According to this SO answer, Gramine's RA-TLS must generate the BEGIN TRUSTED CERTIFICATE line, because RA-TLS always generates self-signed certificates.

Gramine's RA-TLS uses mbedTLS to generate the self-signed X.509 certificate. The "self-signedness" is achieved by specifying the issuer that is the same as the subject:

gramine/tools/sgx/ra-tls/ra_tls_attest.c

Lines 82 to 84 in d8d4344

	/* generated certificate is self-signed, so declares itself both a subject and an issuer */
	mbedtls_x509write_crt_set_subject_key(writecrt, pk);
	mbedtls_x509write_crt_set_issuer_key(writecrt, pk);

IIUC, this logic forces mbedTLS to mark the certificate as "trusted certificate" and thus start the cert with BEGIN TRUSTED CERTIFICATE.

In other words, this is actually how it should be. This is not a bug, this is a feature.

Regarding your particular problem: a quick google search didn't give an answer on how to "load a self-signed certificate into Hashicorp Vault". What is the exact issue that Vault reports? Maybe you just need to add a parameter to the API that you use when loading the certificate; there must be something like self-signed or insecure argument I guess, which disables this Hashicorp's verification.

[dzobbe]

Sorry I forgot to reply @dimakuv . I am not saying it is a bug. Just saying that it would have been useful for situations where the BEGIN TRUSTED CERTIFICATE label creates issues. Vault returns this error:

Error initializing listener of type tcp: error loading TLS cert: tls: failed to find "CERTIFICATE" 
PEM block in certificate input after skipping PEM blocks of the following types: [TRUSTED CERTIFICATE]

I didn't find any solution for this except for changing the label.

[dimakuv]

@dzobbe Could it be a bug in Vault? Maybe you should post an issue on their GitHub (and link to our discussions here)?

I still don't think there is anything to be done on the Gramine/RA-TLS side.