flashbots/geth-sgx-gramine

verification failed because collateral is out of date

sho4510 opened this issue · 1 comments

I ran Attest enclave, but it failed.

[ using our own SGX-measurement verification callback (via command line options) ]
  - ignoring ISV_PROD_ID
  - ignoring ISV_SVN

  . Seeding the random number generator... ok
  . Connecting to tcp/localhost/8552... ok
  . Setting up the SSL/TLS structure... ok
 ok
  . Installing RA-TLS callback ... ok
  . Performing the SSL/TLS handshake...WARNING: The ra_tls_verify_callback_der() API is deprecated in favor of the ra_tls_verify_callback_extended_der() version of API.
Azure Quote Provider: libdcap_quoteprov.so [ERROR]: Could not retrieve environment variable for 'AZDCAP_DEBUG_LOG_LEVEL'
WARNING: The collateral is out of date.
ra_tls_verify_callback: Quote: verification failed because collateral is out of date
 failed
  ! mbedtls_ssl_handshake returned -0x3000

Is it the same as the problem below?
"DCAP returns outdated collateral for Azure DCsv2/v3 machines"
microsoft/Azure-DCAP-Client#154

Looks like that issue. Never had an issue with out of date collateral, as it was just a warning. It should be an error though. If none of the fixes in that issue work, you should verify against Intel directly instead of going through MS. Basically remove az-dcap-client from the attestation verification instance and install all packages required to verify attestation with Intel. Sadly, if I recall correctly, you need a full PCCS setup for that as well. There's also onchain DCAP attestation: https://github.com/automata-network/automata-dcap-v3-attestation
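
An added example, not part of the issue thread or of the Gramine or geth-sgx-gramine code: a Python triage of the client output posted above. The `-0x3000` on the handshake line is mbedTLS's generic `MBEDTLS_ERR_X509_FATAL_ERROR`, so the actual cause has to be read from the `ra_tls_verify_callback` line. The helper name `triage` and the `OK_LOG` sample are assumptions made for illustration.

```python
import re

# -0x3000 is mbedTLS's MBEDTLS_ERR_X509_FATAL_ERROR: the generic code the
# handshake returns when the certificate verify callback rejects the peer.
MBEDTLS_ERRORS = {0x3000: "MBEDTLS_ERR_X509_FATAL_ERROR"}

HANDSHAKE_RE = re.compile(r"mbedtls_ssl_handshake returned -0x([0-9a-fA-F]+)")
REASON_RE = re.compile(r"ra_tls_verify_callback: Quote: verification failed because (.+)")
IGNORED_RE = re.compile(r"^\s*- ignoring (\S+)", re.MULTILINE)
PROVIDER_RE = re.compile(r"^Azure Quote Provider:", re.MULTILINE)

def triage(log):
    """Summarise one RA-TLS client run (hypothetical helper, not part of Gramine)."""
    hs = HANDSHAKE_RE.search(log)
    reason = REASON_RE.search(log)
    code = int(hs.group(1), 16) if hs else None
    return {
        "handshake_failed": hs is not None,
        "tls_error": MBEDTLS_ERRORS.get(code, f"-0x{code:04X}") if hs else None,
        "quote_reason": reason.group(1).strip() if reason else None,
        "stale_collateral": bool(reason and "collateral is out of date" in reason.group(1)),
        # True when collateral was fetched through the Azure DCAP client library.
        "azure_quote_provider": PROVIDER_RE.search(log) is not None,
        # Identity fields the verifier was told not to check.
        "unchecked_fields": IGNORED_RE.findall(log),
    }

# Lines copied from the client output in the issue above.
ISSUE_LOG = """\
  - ignoring ISV_PROD_ID
  - ignoring ISV_SVN
  . Performing the SSL/TLS handshake...WARNING: The ra_tls_verify_callback_der() API is deprecated in favor of the ra_tls_verify_callback_extended_der() version of API.
Azure Quote Provider: libdcap_quoteprov.so [ERROR]: Could not retrieve environment variable for 'AZDCAP_DEBUG_LOG_LEVEL'
WARNING: The collateral is out of date.
ra_tls_verify_callback: Quote: verification failed because collateral is out of date
 failed
  ! mbedtls_ssl_handshake returned -0x3000
"""

# Constructed sample: a run whose handshake line reports no error.
OK_LOG = "  . Performing the SSL/TLS handshake... ok\n"

if __name__ == "__main__":
    for name, log in (("issue", ISSUE_LOG), ("ok", OK_LOG)):
        print(name, triage(log))
```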