Intel SGX Attestation Service Utilizing EPID

The Attestation API exposed by the Intel® SGX attestation service is a programming interface for service providers to verify attestation evidence of SGX enabled enclaves. View the Intel SGX EPID API Specification.

Download the Attestation Report Root CA Certificate here:
DER PEM

Intel SGX Provisioning Certification Service for ECDSA Attestation

Get PCK Certificate V2

Retrieve X.509 SGX Provisioning Certification Key (PCK) certificate for SGX-enabled platform on specified TCB level. Subscription Required

GET https://api.trustedservices.intel.com/sgx/certification/v2/pckcert

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. Found in your Profile.
encrypted_ppid String Query True ^[0-9a-fA-F]{768}$ Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array)
cpusvn String Query True ^[0-9a-fA-F]{32}$ Base16-encoded CPUSVN value (16 bytes, byte array)
pcesvn String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCESVN value (2 bytes, little endian)
pceid String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v2/pckcert?encrypted_ppid={}&cpusvn={}&pcesvn={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}" 

Response

Model

PckCert (X-PEM-FILE) - PEM-encoded representation of SGX PCK Certificate in case of success (200 HTTP status code)

Example Response
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
                            
Status Codes
Code Model Headers Description
200 PckCert

Content-Type (String) - application/x-pem-file

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-Certificate-Issuer-Chain (String) - URL-encoded Issuer Certificate chain for SGX PCK Certificate in PEM format. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA).

SGX-TCBm (String) - Hex-encoded string representation of concatenation of CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in corresponding SGX PCK Certificate

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

PCK Certificate for provided {ppid}, {cpusvn}, {pcesvn} and {pceid} cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get PCK Certificates V2

Retrieve X.509 SGX Provisioning Certification Key (PCK) certificates for SGX-enabled platform for all configured TCB levels. Subscription Required

GET https://api.trustedservices.intel.com/sgx/certification/v2/pckcerts

Request

Name Type Request Type Required Pattern Description
Ocp-Apim-Subscription-Key String Header True Subscription key which provides access to this API. Found in your Profile.
encrypted_ppid String Query True ^[0-9a-fA-F]{768}$ Base16-encoded PPID encrypted with PPIDEK (384 bytes, byte array)
pceid String Query True ^[0-9a-fA-F]{4}$ Base16-encoded PCE-ID value (2 bytes, little endian)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v2/pckcerts?encrypted_ppid={}&pceid={}" -H "Ocp-Apim-Subscription-Key: {subscription key}" 

Response

Model

PckCerts (JSON) - Array of data structures consisting of tcb, tcbm and certificate encoded as JSON string in case of success (200 HTTP status code)

PckCerts:
        type: array
        description: >-
            Array of data structures consisting of tcb, tcbm and certificate
            encoded as JSON string in case of success (200 HTTP status code)
        items:
            type: object
            properties:
                tcb:
                    type: object
                    properties:
                        sgxtcbcomp01svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp02svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp03svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp04svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp05svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp06svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp07svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp08svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp09svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp10svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp11svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp12svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp13svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp14svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp15svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        sgxtcbcomp16svn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 255
                        pcesvn:
                            type: integer
                            example: 0
                            minimum: 0
                            maximum: 65535
                tcbm:
                    type: string
                    description: >-
                        Hex-encoded string representation of concatenation of
                        CPUSVN (16 bytes) and PCESVN (2 bytes) as returned in
                        corresponding SGX PCK Certificate
                    pattern: '^[0-9a-fA-F]{36}$'
                    example: '000000000000000000000000000000000000'
                cert:
                    type: string
                            
Example Response
[
   {
	  "tcb":{
		 "sgxtcbcomp01svn":0,
		 "sgxtcbcomp02svn":0,
		 "sgxtcbcomp03svn":0,
		 "sgxtcbcomp04svn":0,
		 "sgxtcbcomp05svn":0,
		 "sgxtcbcomp06svn":0,
		 "sgxtcbcomp07svn":0,
		 "sgxtcbcomp08svn":0,
		 "sgxtcbcomp09svn":0,
		 "sgxtcbcomp10svn":0,
		 "sgxtcbcomp11svn":0,
		 "sgxtcbcomp12svn":0,
		 "sgxtcbcomp13svn":0,
		 "sgxtcbcomp14svn":0,
		 "sgxtcbcomp15svn":0,
		 "sgxtcbcomp16svn":0,
		 "pcesvn":0
	  },
	  "tcbm":"000000000000000000000000000000000000",
	  "cert":"string"
   }
]
                            
Status Codes
Code Model Headers Description
200 PckCerts

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-Certificate-Issuer-Chain (String) - Issuer Certificate chain for SGX PCK Certificates. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA).

Operation successful.
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

No PCK Certificate for provided {ppid} and {pceid} cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get Revocation List V2

Retrieve X.509 Certificate Revocation List with revoked SGX PCK Certificates. CRL is issued by Intel SGX Processor CA.

GET https://api.trustedservices.intel.com/sgx/certification/v2/pckcrl

Request

Name Type Request Type Required Pattern Description
ca String Query True Enum: processor Identifier of the CA that issued the requested CRL Allowed value is “processor” indicates CRL issued by Intel SGX Processor CA
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v2/pckcrl?ca={}" 

Response

Model

PckCrl (X-PEM-FILE) - PEM-encoded representation of SGX Processor CA CRL in case of success (200 HTTP status code)

Example Response
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
                            
Status Codes
Code Model Headers Description
200 PckCrl

Content-Type (String) - application/x-pem-file

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-PCK-CRL-Issuer-Chain (String) - Issuer Certificate chain for SGX PCK CRL. It consists of SGX Root CA Certificate and SGX Intermediate CA Certificate (Processor CA).

Operation successful.
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get TCB Info V2

Retrieve SGX TCB information for given FMSPC

Determining the status of a TCB level for a given platform needs to be done using TCB information according to the following algorithm:

  1. Retrieve FMSPC value from SGX PCK Certificate assigned to a given platform.
  2. Retrieve TCB Info matching the FMSPC value.
  3. Go over the sorted collection of TCB Levels retrieved from TCB Info starting from the first item on the list:
    1. Compare all of the SGX TCB Comp SVNs retrieved from the SGX PCK Certificate (from 01 to 16) with the corresponding values in the TCB Level. If all SGX TCB Comp SVNs in the certificate are greater or equal to the corresponding values in TCB Level, go to 3.b, otherwise move to the next item on TCB Levels list.
    2. Compare PCESVN value retrieved from the SGX PCK certificate with the corresponding value in the TCB Level. If it is greater or equal to the value in TCB Level, read status assigned to this TCB level. Otherwise, move to the next item on TCB Levels list.
  4. If no TCB level matches your SGX PCK Certificate, your TCB Level is not supported.

GET https://api.trustedservices.intel.com/sgx/certification/v2/tcb

Request

Name Type Request Type Required Pattern Description
fmspc String Query True ^[0-9a-fA-F]{12}$ Base16-encoded FMSPC value (6 bytes, byte array)
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v2/tcb?fmspc={}" 

Response

Model

TcbInfoV2 (JSON) - SGX TCB Info encoded as JSON string in case of success (200 HTTP status code)

TcbInfoV2:
	type: object
	description: >-
		SGX TCB Info encoded as JSON string in case of success (200 HTTP
		status code)
	properties:
		tcbInfo:
			type: object
			properties:
				version:
					type: integer
					example: 2
					description: Version of the structure
				issueDate:
					type: string
					format: date-time
					description: >-
						Representation of date and time the TCB information
						was created. The time shall be in UTC and the
						encoding shall be compliant to ISO 8601 standard
						(YYYY-MM-DDThh:mm:ssZ)
				nextUpdate:
					type: string
					format: date-time
					description: >-
						Representation of date and time by which next TCB
						information will be issued. The time shall be in UTC
						and the encoding shall be compliant to ISO 8601
						standard (YYYY-MM-DDThh:mm:ssZ)
				fmspc:
					type: string
					pattern: ^[0-9a-fA-F]{12}$
					example: '000000000000'
					description: >-
						Base 16-encoded string representation of FMSPC
						(Family-Model-Stepping-Platform-CustomSKU)
				pceId:
					type: string
					pattern: ^[0-9a-fA-F]{4}$
					example: '0000'
					description: Base 16-encoded string representation of PCE identifier
				tcbType:
					type: integer
					example: 0
					description: >-
						Type of TCB level composition that determines TCB
						level comparison logic
				tcbEvaluationDataNumber:
					type: integer
					example: 2
					description: >-
						A monotonically increasing sequence number changed
						when Intel updates the content of the TCB evaluation data
						set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber
						update is synchronized across TCB Info for all flavors of
						SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
						Identity. This sequence number allows users to easily determine
						when a particular TCB Info/QE Idenity/QVE Identiy superseedes
						another TCB Info/QE Identity/QVE Identity (value: current
						TCB Recovery event number stored in the database).
				tcbLevels:
					type: array
					description: >-
						Sorted list of supported TCB levels for given FMSPC
						encoded as a JSON array of TCB level objects
					items:
						type: object
						properties:
							tcb:
								type: object
								properties:
									pcesvn:
										type: integer
										example: 0
										minimum: 0
										maximum: 65535
									sgxtcbcomp01svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp02svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp03svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp04svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp05svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp06svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp07svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp08svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp09svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp10svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp11svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp12svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp13svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp14svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp15svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
									sgxtcbcomp16svn:
										type: integer
										example: 0
										minimum: 0
										maximum: 255
							tcbDate:
								type: string
								format: date-time
								description: >-
									Representation of date and time when
									the TCB level was certified not to be vulnerable
									to any issues described in SAs that were published
									on or prior to this date.

									The time shall be in UTC and the encoding shall
									be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
							tcbStatus:
								type: string
								description: TCB level status
							advisoryIDs:
								type: array
								description: >-
									Array of Advisory IDs describing vulnerabilities
									that this TCB level is vulnerable to.

									Note: The value can be different for different
									FMSPCs.

									This field is optional. It will be present only
									if the list of Advisory IDs is not empty.
								items:
									type: string
		signature:
			type: string
			description: >-
				Base 16-encoded string representation of signature calculated over tcbInfo
				body without whitespaces using TCB Signing Key
				i.e:
				{"version":2,"issueDate":"2019-07-30T12:00:00Z","nextUpdate":"2019-08-30T12:00:00Z",...}
                            
Example Response
{
   "tcbInfo":{
	  "version":2,
	  "issueDate":"2019-07-30T12:00:00Z",
	  "nextUpdate":"2019-08-30T12:00:00Z",
	  "fmspc":"000000000000",
	  "pceId":"0000",
	  "tcbType": 0,
	  "tcbEvaluationDataNumber": 2,
	  "tcbLevels":[
		 {
			"tcb":{
			   "sgxtcbcomp01svn":0,
			   "sgxtcbcomp02svn":0,
			   "sgxtcbcomp03svn":0,
			   "sgxtcbcomp04svn":0,
			   "sgxtcbcomp05svn":0,
			   "sgxtcbcomp06svn":0,
			   "sgxtcbcomp07svn":0,
			   "sgxtcbcomp08svn":0,
			   "sgxtcbcomp09svn":0,
			   "sgxtcbcomp10svn":0,
			   "sgxtcbcomp11svn":0,
			   "sgxtcbcomp12svn":0,
			   "sgxtcbcomp13svn":0,
			   "sgxtcbcomp14svn":0,
			   "sgxtcbcomp15svn":0,
			   "sgxtcbcomp16svn":0,
			   "pcesvn":0
			},
			"tcbDate":"2019-07-11T12:00:00Z",
			"tcbStatus": "UpToDate",
			"advisoryIDs": ["INTEL-SA-00079", "INTEL-SA-00076"]
		 }
	  ]
   },
   "signature":"string"
}
                            
Status Codes
Code Model Headers Description
200 TcbInfoV2

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-TCB-Info-Issuer-Chain (String) - Issuer Certificate chain for SGX TCB Info in PEM format. It consists of SGX TCB Signing Certificate and SGX Root CA Certificate.

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

TCB information for provided {fmspc} cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get Quoting Enclave Identity V2

Retrieve Quote Identity information for Quoting Enclave issued by Intel.

GET https://api.trustedservices.intel.com/sgx/certification/v2/qe/identity

Request

Name Type Request Type Required Pattern Description
Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v2/qe/identity" 

Response

Model

QEIdentityV2 (JSON) - QE Identity data structure encoded as JSON string in case of success (200 HTTP status code)

QEIdentityV2:
	type: object
	description: >-
		QE Identity data structure encoded as JSON string in case of success
		(200 HTTP status code)
	properties:
		enclaveIdentity:
			type: object
			properties:
				id:
					type: string
					description: Identifier of the SGX Enclave issued by Intel. Supported values are QE and QVE
				version:
					type: integer
					example: 2
					description: Version of the structure
				issueDate:
					type: string
					format: date-time
					description: >-
						Representation of date and time the QE Identity information
						was created. The time shall be in UTC and the encoding shall
						be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ)
				nextUpdate:
					type: string
					format: date-time
					description: >-
						Representation of date and time by which next QE
						identity information will be issued. The time shall be in
						UTC and the encoding shall be compliant to ISO 8601 standard
						(YYYY-MM-DDThh:mm:ssZ)
				tcbEvaluationDataNumber:
					type: integer
					example: 2
					description: >-
						A monotonically increasing sequence number changed
						when Intel updates the content of the TCB evaluation data
						set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber
						update is synchronized across TCB Info for all flavors of
						SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
						Identity. This sequence number allows users to easily determine
						when a particular TCB Info/QE Idenity/QVE Identiy superseedes
						another TCB Info/QE Identity/QVE Identity (value: current
						TCB Recovery event number stored in the database).
				miscselect:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing miscselect "golden" value (upon applying mask).
				miscselectMask:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform.
				attributes:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing attributes "golden" value (upon applying mask).
				attributesMask:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform.
				mrsigner:
					type: string
					pattern: ^[0-9a-fA-F]{64}$
					example: '0000000000000000000000000000000000000000000000000000000000000000'
					description: Base 16-encoded string representing mrsigner hash.
				isvprodid:
					type: integer
					example: 0
					maximum: 65535
					minimum: 0
					description: Enclave Product ID.
				tcbLevels:
					type: array
					description: >-
						Sorted list of supported Enclave TCB levels for given
						QE encoded as a JSON array of Enclave TCB level objects.
					items:
						type: object
						properties:
							tcb:
								type: object
								properties:
									isvnsvn:
										description: SGX Enclave’s ISV SVN
										type: integer
							tcbDate:
								type: string
								format: date-time
								description: >-
									Representation of date and time when
									the TCB level was certified not to be vulnerable
									to any issues described in SAs that were published
									on or prior to this date.

									The time shall be in UTC and the encoding shall
									be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
							tcbStatus:
								type: string
								description: TCB level status
							advisoryIDs:
								type: array
								description: >-
									Array of Advisory IDs describing vulnerabilities
									that this TCB level is vulnerable to.

									Note: The value can be different for different
									FMSPCs.

									This field is optional. It will be present only
									if the list of Advisory IDs is not empty.
								items:
									type: string
		signature:
			type: string
			description: >-
				Hex-encoded string representation of a signature calculated
				over qeIdentity body (without whitespaces) using TCB Info Signing Key.
                            
Example Response
{
	"enclaveIdentity":{
		"id":"QE"
		"version":2,
		"issueDate":"2018-08-30T11:03:32Z",
		"nextUpdate":"2018-09-30T11:03:32Z",
		"tcbEvaluationDataNumber":2,
		"miscselect":"00000000",
		"miscselectMask":"00000000",
		"attributes":"00000000000000000000000000000000",
		"attributesMask":"00000000000000000000000000000000",
		"mrsigner":"0000000000000000000000000000000000000000000000000000000000000000",
		"isvprodid":0,
		"tcbLevels": [
		  {
			"tcb": {
			  "isvsvn":0
			},
			"tcbDate":"2019-07-11T12:00:00Z",
			"tcbStatus": "UpToDate",
			"advisoryIDs": ["INTEL-SA-00079", "INTEL-SA-00076"]
		  }
		]
	},
	"signature":"string"
}
                            
Status Codes
Code Model Headers Description
200 QEIdentityV2

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-Enclave-Identity-Issuer-Chain (String) - URL encoded issuer chain for SGX QE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>).

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

QE Identity information cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

Get Quote Verification Enclave Identity V2

Retrieve Identity information for Quote Verification Enclave issued by Intel.

GET https://api.trustedservices.intel.com/sgx/certification/v2/qve/identity

Request

No parameters

Example Request
curl -v -X GET "https://api.trustedservices.intel.com/sgx/certification/v2/qve/identity" 

Response

Model

QVEIdentityV2 (JSON) - QVE Identity data structure encoded as JSON string in case of success (200 HTTP status code)

QVEIdentityV2:
	type: object
	description: QVE Identity data structure encoded as JSON string in case of success
		(200 HTTP status code)
	properties:
		enclaveIdentity:
			type: object
			properties:
				id:
					type: string
					description: Identifier of the SGX Enclave issued by Intel. Supported values are QE and QVE
				version:
					type: integer
					example: 2
					description: Version of the structure
				issueDate:
					type: string
					format: date-time
					description: >-
						Representation of date and time the QVE Identity information
						was created. The time shall be in UTC and the encoding shall
						be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ)
				nextUpdate:
					type: string
					format: date-time
					description: >-
						Representation of date and time by which next QVE
						identity information will be issued. The time shall be in
						UTC and the encoding shall be compliant to ISO 8601 standard
						(YYYY-MM-DDThh:mm:ssZ)
				tcbEvaluationDataNumber:
					type: integer
					example: 2
					description: >-
						A monotonically increasing sequence number changed
						when Intel updates the content of the TCB evaluation data
						set: TCB Info, QE Idenity and QVE Identity. The tcbEvaluationDataNumber
						update is synchronized across TCB Info for all flavors of
						SGX CPUs (Family-Model-Stepping-Platform-CustomSKU) and QE/QVE
						Identity. This sequence number allows users to easily determine
						when a particular TCB Info/QE Idenity/QVE Identiy superseedes
						another TCB Info/QE Identity/QVE Identity (value: current
						TCB Recovery event number stored in the database).
				miscselect:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing miscselect "golden" value (upon applying mask).
				miscselectMask:
					type: string
					pattern: ^[0-9a-fA-F]{8}$
					example: '00000000'
					description: Base 16-encoded string representing mask to be applied to miscselect value retrieved from the platform.
				attributes:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing attributes "golden" value (upon applying mask).
				attributesMask:
					type: string
					pattern: ^[0-9a-fA-F]{32}$
					example: '00000000000000000000000000000000'
					description: Base 16-encoded string representing mask to be applied to attributes value retrieved from the platform.
				mrsigner:
					type: string
					pattern: ^[0-9a-fA-F]{64}$
					example: '0000000000000000000000000000000000000000000000000000000000000000'
					description: Base 16-encoded string representing mrsigner hash.
				isvprodid:
					type: integer
					example: 0
					minimum: 0
					maximum: 65535
					description: Enclave Product ID.
				tcbLevels:
					description: >-
						Sorted list of supported Enclave TCB levels for given
						QVE encoded as a JSON array of Enclave TCB level objects.
					type: array
					items:
						type: object
						properties:
							tcb:
								type: object
								properties:
									isvnsvn:
										description: SGX Enclave’s ISV SVN
										type: integer
							tcbDate:
								type: string
								format: date-time
								description: >-
									Representation of date and time when
									the TCB level was certified not to be vulnerable
									to any issues described in SAs that were published
									on or prior to this date.

									The time shall be in UTC and the encoding shall
									be compliant to ISO 8601 standard (YYYY-MM-DDThh:mm:ssZ).
							tcbStatus:
								type: string
								description: TCB level status
							advisoryIDs:
								type: array
								description: >-
									Array of Advisory IDs describing vulnerabilities
									that this TCB level is vulnerable to.

									Note: The value can be different for different
									FMSPCs.

									This field is optional. It will be present only
									if the list of Advisory IDs is not empty.
								items:
									type: string
		signature:
			type: string
			description: Hex-encoded string representation of a signature calculated
				over qeIdentity body (without whitespaces) using TCB Info Signing Key.
                            
Example Response
{
	"enclaveIdentity":{
		"id":"QVE"
		"version":2,
		"issueDate":"2018-08-30T11:03:32Z",
		"nextUpdate":"2018-08-30T11:03:32Z",
		"tcbEvaluationDataNumber":2,
		"miscselect":"00000000",
		"miscselectMask":"00000000",
		"attributes":"00000000000000000000000000000000",
		"attributesMask":"00000000000000000000000000000000",
		"mrsigner":"0000000000000000000000000000000000000000000000000000000000000000",
		"isvprodid":0,
		"tcbLevels": [
		  {
			"tcb": {
			  "isvsvn":0
			},
			"tcbDate":"2019-07-11T12:00:00Z",
			"tcbStatus": "UpToDate",
			"advisoryIDs": ["INTEL-SA-00079", "INTEL-SA-00076"]
		  }
		]
	},
	"signature":"string"
}
                            
Status Codes
Code Model Headers Description
200 QVEIdentityV2

Content-Type (String) - application/json

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

SGX-Enclave-Identity-Issuer-Chain (String) - URL encoded issuer chain for SGX QVE Identity in PEM format (all certificates in the chain, appended to each other in the following order: <Signing Certificate><Root CA Certificate>).

Operation successful
400

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Invalid request parameters.
401

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Failed to authenticate or authorize the request
404

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

QVE Identity information cannot be found.
500

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Internal server error occurred
503

Request-ID (String) - Randomly generated identifier for each request (for troubleshooting purposes)

Server is currently unable to process the request

PCK Certificate and CRL Specification

This document specifies the hierarchy and format of X.509 v3 certificates and X.509 v2 Certificate Revocation Lists (CRLs) issued by Intel for Provisioning Certification Keys.