ok,thank you @Kaleb,I have tested it, and i tried with your cer, but the wolfSSL_CTX_use_certificate_buffer function returned value was -4(WOLFSSL_BAD_FILE). and i tested the wolfSSL_CTX_load_verify_buffer,its returned value was -372(SSL_NO_PEM_HEADER            = -372,   /* no PEM header found */).

And i checked the manual, i found that the function named wolfSSL_X509_verify_cert can verifies certificate chain in ctx ,and i tried tested the function after i loaded the ca chain with function wolfSSL_CTX_use_certificate_chain_buffer_format, but the function returned value was WOLFSSL_FATAL_ERROR,the method i load the ca chain ,is right?if not right ,when and how can i load the ca chain?

The same code out enclave executed success, but in enclave executed failed. In enclave, it reported " No PEM Header Error ".
and i found a new problem, when i executed the function which named wolfSSL_check_domain_name, no matter what the Dn is,the returned value is ssl_success.

Hi，@Kaleb, thank your response.There is no formal business projects.Maybe many of my questions i asked not clear.Let me summarize.Now,I'm learning sgx and wolfssl， i want to try to use the wolfssl to implement mutual verification,and i learned this by sgx-ra-tls.Now the main problem is that i want verify the client certificate,the server is in sgx enclave with wolfssl , the main funuctions that i wanted verify client certificate in sgx enclave were: wolfSSL_get_peer_certificate，wolfSSL_X509_verify_cert,wolfSSL_get_verify_result,etc.Except thease functions, i tested other function in sgx enclave too,such as:wolfSSL_CertManagerVerifyBuffer,wolfSSL_get_peer_chain,wolfSSL_check_domain_name,wolfSSL_X509_notAfter etc.I'm always asking questions about the testing process.I learned the manual of wolfssl. I knew the function named wolfSSL_get_verify_result is used to get the results after trying to verify the peer's certificate,the function named wolfSSL_X509_verify_cert is used to verifies certificate chain in ctx.My main tested fuction were wolfSSL_get_verify_result and  wolfSSL_X509_verify_cert,but the two functions were executed failed. the client main code which used openssl as flows:

    SSL_load_error_strings();
    ERR_load_crypto_strings();
    OpenSSL_add_all_algorithms();
    SSL_library_init();
    const SSL_METHOD *meth = NULL;
    meth = TLSv1_2_client_method();

    SSL_CTX *ctx = SSL_CTX_new(meth);
    assert(ctx != NULL);
 
    if (SSL_CTX_use_certificate_chain_file(ctx,CA_CHAIN_FILE) != 1){
        SSL_CTX_free(ctx);
        printf("Failed to load client certificate from %s", CA_CHAIN_FILE);
    }   
    if (SSL_CTX_load_verify_locations(ctx, CA_FILE, NULL) != 1) {
        SSL_CTX_free(ctx);
        printf("Failed to load CA file %s", CA_FILE);
    }
    if (SSL_CTX_set_default_verify_paths(ctx) != 1) {
        SSL_CTX_free(ctx);
        printf("Call to SSL_CTX_set_default_verify_paths failed");
    }
    if (SSL_CTX_use_certificate_file(ctx, CLIENT_CERT, SSL_FILETYPE_PEM) != 1) {
        SSL_CTX_free(ctx);
        printf("Failed to load client certificate from %s\n", CLIENT_KEY);
    }
    if (SSL_CTX_use_PrivateKey_file(ctx, CLIENT_KEY, SSL_FILETYPE_PEM) != 1) {
        SSL_CTX_free(ctx);
        printf("Failed to load client private key from %s\n", CLIENT_KEY);
    }
    if (SSL_CTX_check_private_key(ctx) != 1) {
         SSL_CTX_free(ctx);
         printf("SSL_CTX_check_private_key failed");
    }   
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, &verify_callback);
    In server, The main code which used wolfssl is :
    1)wolfSSL_X509_verify_cert, i write it in verifyCallback function as flows:
    int verifyCallback(int preverify, WOLFSSL_X509_STORE_CTX* store){
        (void) preverify; // unused
        int ret = WOLFSSL_SUCCESS; 
       
        ret = wolfSSL_X509_verify_cert(store);//This function verifies certificate chain in ctx.
        if (ret == WOLFSSL_FATAL_ERROR){
            printf("Verifies certificate chain in ctx failed!!\n");
        }
        else{
            printf("Verifies certificate chain in ctx success!!\n");
        }   
        return ret;
    }
    2)wolfSSL_get_verify_result,i write like this:
    int enc_verifyCertificate(WOLFSSL* ssl){
        long ret;
        if (sgx_is_within_enclave(ssl, sizeof(int)) != 1)
            abort();
        ret = wolfSSL_get_verify_result(ssl);//error info refrenced:https://linux.die.net/man/1/verify x509_v_ok = 0
        if( ret != X509_V_OK){
           printf("\tClient Authentication error, and the return value is %d\n",ret);
           return ret;
        }
        else
           return ret;
    }//The certificate chain i have tested the client certificate ok by openssl verify
   
    Please help me checked it, Is there something wrong with it?.

I know your mean. In server side,my code in enclave is as flows:
void testwolfSSL_CTX_load_verify_buffer(){
    WOLFSSL_METHOD* method = wolfTLSv1_2_server_method();
    WOLFSSL_CTX* ctx= wolfSSL_CTX_new(method);
    const unsigned char caCertBuf[] = {
    "-----BEGIN CERTIFICATE-----\
    MIIFizCCA3OgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwXTELMAkGA1UEBhMCQ04x\
    EDAOBgNVBAgMB0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxETAPBgNVBAoMCE1Z\
    Uk9PVENBMRcwFQYDVQQDDA4xMC4xMTMuMjE1LjE1NDAeFw0xOTA1MjUwOTQxMTVa\
    Fw0yOTA1MjIwOTQxMTVaMFIxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5n\
    MREwDwYDVQQKDAhNWVJPT1RDQTEeMBwGA1UEAwwVd3d3LnpoYW5naHVpcWlhbmcu\
    Y29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjHfrT6cQOShjI7a\
    HZr33BwEnKNiH//5+FceWY+AsKIXXRp/FD3UolCdP6od1hqQl5fhOLCgJdczMXXj\
    bYB9EtgatB0Ubd6EPfGC4+zkry7CDGVnJof3Ss2DRrSV3HzBum3yUzvTooczLkgy\
    PteldNGmK9KMxe2KG5bTSE72rszhVsvIEXwk/AOSp5xaCSo+wBPaOExpvpHUerrG\
    oJS/Q13L17PcHLgnq6F8fr4ZaCQzBp8RYtkfvzJOu9z3JYHLLMeeFa5+Sn48HrVj\
    H+szXgQHTn1Bigb0vJ7P7z3mckjqoKLtTI4LKitmRR8+7SSrEbRA+Gx57aohi6LN\
    68t8GrxXYJdlQW0y/QICSBo0gP8da117Yf8Gg7GJLCjB3yCXhrVRmV0mAsiTQEEE\
    9Q7HnXQNp/HCzrwV2R7B9mP2L1sVc8mZNoguPKTuTIchtuM/yF7kn6DuXa21WEWE\
    04entNv7vbkmUe+zUovuLPIsoLPf60JSQKc2nriNml0mEwxNxrdR3nfKZPbd4UIX\
    WWiCs2afZaBBsz2NgGMyv498QjP6OrFyR4Van14i2OrnCZ/ifSvTh7ohWTGnvf47\
    5/WG5gORYq5q7KXNxvAsSH0ulVZQqPYeyrWD0X0z7V1T/18+hXMQ//bWiYCP4nDX\
    8/zPXN3Tc/LexVErVo0fPBIEP8UCAwEAAaNgMF4wHQYDVR0OBBYEFNXtGFGQ3om1\
    ChmDRfcUviVbD4MAMB8GA1UdIwQYMBaAFAFF39PlvqEOu4FXIySHWeOiQ1K3MA8G\
    A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBCwUAA4ICAQBv\
    mKyrDwavrXJrAKbEP+ytctivp6D6NTaGZgmTVOKFfteHXBlO/IJm3ycPu2i/bppL\
    T2L63NZjXpxSV6tUdsab13xHiA7g2e4iajwztdvkscim1vydeNJsf5KAkMguu/e+\
    n3Vqo55xEmbpf6JQAt5s5qjCrp5PrcvGb0tIrLraHf/z6AvEWtRZv5HnRkwCc4W7\
    /d3QX+B0JFiOhsL3mzdvcjg3Bd6mu3wsrOHcH+ziZuH74z991S30u93PK/r1A8Tx\
    pPZdm3OOkT99+r8/+D0xjnXusJfCHQFapVRMnB/Gy2teleRqs5rhPwo5A9N2z69+\
    GmzRBi4nD6/sc+COYBWhZwqXSgHLVYpDWnaBM69jqbrg1MnIcrpbHb8RAt4mTRwT\
    P3oVsLaP0OOvCGngqxCCcKG54PpG0QlGaV1GMSk4b2AFXc3zBvuZcaBxGuJ+f6m+\
    NuT6JPT1/oNHV9VRXsVt/EW7daBghjgQmQLlh1T6JhU8lTXcQZAx9gAgqpi27EtW\
    KbSrFPQS6YZuBaH1U+fCAG7PIPFHIEhPdiXH1XyYxtLgazqN1iOLPm8DQ/RsTesm\
    k4Efd4ZgQcoNnuzNhanTGW/SPG8+hw0Jw2sC9qA60x3JFj4V5di/HYy4H/zk0DPt\
    H8V+fsb+K41kSwM28SsGJC6mgoMPtJrjRWVPoJkovQ==\
    -----END CERTIFICATE-----\
    "};
    const int certBufSz = (int) sizeof(caCertBuf);
    int ret = wolfSSL_CTX_load_verify_buffer(ctx,caCertBuf, certBufSz ,SSL_FILETYPE_PEM);//-372,   // no PEM header found /
    if (ret == SSL_SUCCESS){
      printf("test wolfSSL_CTX_load_verify_buffer success.\n");
    }
    else
       printf("test wolfSSL_CTX_load_verify_buffer ret=%d\t%s\t%d\n",ret,wolfSSL_ERR_reason_error_string(ret),__LINE__);
}
this code was executed out enclave success, but when executed in enclave,it reported the error code is -372.
Best Regards
zhq0918

@Kaleb, i have tried the two formats that you gave me,they all success out enclave, unfortunately , in enclave,all reported "-372 no pem header".And i tested the function which name wolfSSL_CTX_trust_peer_buffer,the same result as wolfSSL_CTX_load_verify_buffer.
Best Regards
zhq0918

Hi,@Kaleb, I have tried ,I checked the variable in three file you mentioned,I modified the Wolfssl_C_Extra_Flags in sgx_t_static.mk as flows:
Wolfssl_C_Extra_Flags := -DWOLFSSL_SGX
Wolfssl_C_Extra_Flags += -DWOLFSSL_SGX_ATTESTATION
Wolfssl_C_Extra_Flags += -DUSER_TIME
Wolfssl_C_Extra_Flags += -DWOLFSSL_CERT_EXT
Wolfssl_C_Extra_Flags += -DKEEP_PEER_CERT
Wolfssl_C_Extra_Flags += -DSESSION_CERTS
Wolfssl_C_Extra_Flags += -DSHOW_CERTS
Wolfssl_C_Extra_Flags += -DKEEP_OUR_CERT
Wolfssl_C_Extra_Flags += -DOPENSSL_EXTRA
Wolfssl_C_Extra_Flags += -DHAVE_LIGHTY
Wolfssl_C_Extra_Flags += -DWOLFSSL_TRUST_PEER_CERT
Wolfssl_C_Extra_Flags += -DHAVE_THREAD_LS
Wolfssl_C_Extra_Flags += -DHAVE_WRITE_DUP
Wolfssl_C_Extra_Flags += -DWOLFSSL_SHA512
Wolfssl_C_Extra_Flags += -DHAVE_ONE_TIME_AUTH
Wolfssl_C_Extra_Flags += -DHAVE_CHACHA
Wolfssl_C_Extra_Flags += -DHAVE_HASHDRBG
Wolfssl_C_Extra_Flags += -DHAVE_TLS_EXTENSIONS
Wolfssl_C_Extra_Flags += -DHAVE_SUPPORTED_CURVES
Wolfssl_C_Extra_Flags += -DHAVE_EXTENDED_MASTER
Wolfssl_C_Extra_Flags += -D_POSIX_THREADS
Wolfssl_C_Extra_Flags += -DWOLFSSL_SHA384
Wolfssl_C_Extra_Flags += -DNO_DSA
Wolfssl_C_Extra_Flags += -DTFM_ECC256
Wolfssl_C_Extra_Flags += -DECC_SHAMIR
Wolfssl_C_Extra_Flags += -DWOLFSSL_BASE64_ENCODE
Wolfssl_C_Extra_Flags += -DWOLFSSL_ALLOW_TLSV10
Wolfssl_C_Extra_Flags += -DNO_RC4
Wolfssl_C_Extra_Flags += -DNO_HC128
Wolfssl_C_Extra_Flags += -DNO_RABBIT
Wolfssl_C_Extra_Flags += -DWOLFSSL_SHA224
Wolfssl_C_Extra_Flags += -DWOLFSSL_SHA3
Wolfssl_C_Extra_Flags += -DHAVE_POLY1305
Wolfssl_C_Extra_Flags += -DNO_PSK
Wolfssl_C_Extra_Flags += -DNO_MD4
Wolfssl_C_Extra_Flags += -DNO_PWDBASED
Wolfssl_C_Extra_Flags += -DWOLFSSL_X86_64_BUILD
Wolfssl_C_Extra_Flags += -DWC_NO_ASYNC_THREADING
Wolfssl_C_Extra_Flags += -DNO_DES3

I modified the Wolfssl_C_Extra_Flags in sgx_t.mk and sgx_u.mk all as flows:
Wolfssl_C_Extra_Flags := -DSGX_SDK -DWOLFSSL_SGX -DWOLFSSL_SGX_ATTESTATION -DUSER_TIME -DWOLFSSL_CERT_EXT -DKEEP_PEER_CERT -DSESSION_CERTS -DSHOW_CERTS -DKEEP_OUR_CERT -DOPENSSL_EXTRA -DHAVE_LIGHTY -DWOLFSSL_TRUST_PEER_CERT -DHAVE_THREAD_LS -DHAVE_WRITE_DUP -DWOLFSSL_SHA512 -DHAVE_ONE_TIME_AUTH -DHAVE_CHACHA -DHAVE_HASHDRBG -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES -DHAVE_EXTENDED_MASTER -D_POSIX_THREADS -DWOLFSSL_SHA384 -DNO_DSA -DTFM_ECC256 -DECC_SHAMIR -DWOLFSSL_BASE64_ENCODE -DWOLFSSL_ALLOW_TLSV10 -DNO_RC4 -DNO_HC128 -DNO_RABBIT -DWOLFSSL_SHA224 -DWOLFSSL_SHA3 -DHAVE_POLY1305 -DNO_PSK -DNO_MD4 -DNO_PWDBASED -DWOLFSSL_X86_64_BUILD -DWC_NO_ASYNC_THREADING -DNO_DES3
I added the other macro variable in wolfssl/options.h to the variable which named Wolfssl_C_Extra_Flags,when i builded, it would reported warning such as :.../wolfssl/wolfcrypt/settings.hwarning:1217:0:warning:"HAVE_ECC" redefined",so i didn't the macro like "HAVE_ECC"、"ECC_TIMING_RESISTANT"、"WC_RSA_BLINDING"、"HAVE_AESGCM" etc. 

Unfortunately，when i executed the app,the function wolfSSL_CTX_load_verify_buffer reported the same error:-372 No PEM Header Error.what i did was missing?
    Can you test the function which named enc_wolfSSL_CTX_load_verify_buffer in wolfssl_enclave.c in the project sgx-ra-tls ?

Best Regards
zhq0918

@zhq0918,

Can you please reach out to Rich Kelm (rich@wolfssl.com) directly to discuss how we can best continue supporting your efforts.

Thanks!

Regards,

K