README
¶
AWS Nitro Enclave Attestation Verifier
A Go library for validating AWS Nitro Enclave attestation documents with complete chain of trust verification against the official AWS Nitro root certificate.
Features
- ✅ AWS Chain of Trust Verification - Validates against official AWS Nitro root certificate
- ✅ Flexible Certificate Validation - Skip timestamp checks for offline/test scenarios
- ✅ PCR Validation - Validate specific PCR values against expected values
- ✅ Data Extraction - Access UserData, PublicKey, and Nonce from attestation
- ✅ Clear Error Handling - Distinguish between malformed input and validation failures
- ✅ Test Fixtures - Embedded example attestations for testing
Installation
go get github.com/anchorageoss/awsnitroverifier
Quick Start
package main
import (
"fmt"
"log"
"github.com/anchorageoss/awsnitroverifier"
)
func main() {
// attestationBytes from AWS Nitro Enclave
verifier := awsnitroverifier.NewVerifier(awsnitroverifier.AWSNitroVerifierOptions{
SkipTimestampCheck: false,
})
result, err := verifier.Validate(attestationBytes)
if err != nil {
log.Fatalf("Malformed attestation: %v", err)
}
if !result.Valid {
fmt.Printf("Validation failed: %v\n", result.Errors)
return
}
fmt.Printf("✅ Attestation valid\n")
fmt.Printf("Root fingerprint: %s\n", result.RootFingerprint)
}
Usage
See USAGE.md for:
- Basic validation
- PCR validation
- Data extraction
- Offline/test mode
- Error handling patterns
- Migration from nitrite
Error Handling
The library distinguishes between two types of errors:
result, err := verifier.Validate(attestationBytes)
// Malformed input - parsing error
if err != nil {
log.Fatalf("Input error: %v", err)
}
// Validation failure - well-formed but invalid
if !result.Valid {
log.Fatalf("Validation error: %v", result.Errors)
}
Malformed Input (err != nil):
- Cannot be parsed as CBOR
- Invalid COSE Sign1 structure
- Malformed attestation document
Validation Failures (Valid=false):
- Certificate chain validation fails
- Signature verification fails
- Certificate expired (unless SkipTimestampCheck=true)
- PCR values don't match expected values
API Reference
- NewVerifier() - Create a verifier with options
- Validate() - Validate attestation bytes
- ValidationResult - Contains validation status and extracted data
- AWSNitroVerifierOptions - Configuration for validation
For complete API documentation: https://pkg.go.dev/github.com/anchorageoss/awsnitroverifier
Testing
# Run tests
go test -v ./...
# Run with coverage
go test -cover ./...
Test fixtures are included in testdata/. See CONTRIBUTING.md for information about obtaining your own attestations.
Security
This library validates AWS Nitro attestations using:
- ECDSA signature verification (only algorithm supported by AWS Nitro)
- X.509 certificate chain validation
- AWS Nitro root certificate fingerprint verification
References
- AWS Nitro Enclaves Documentation
- AWS Nitro Root Certificate Verification
- COSE Sign1 Specification (RFC 8152)
License
Apache License 2.0 - See LICENSE file for details
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AWSNitroVerifierOptions ¶
type AWSNitroVerifierOptions struct {
// SkipTimestampCheck skips certificate timestamp validation.
// Often these certificates need to be validated much later in offline systems,
// so skipping the timestamp check may be necessary.
SkipTimestampCheck bool
// PCRRules defines expected PCR values to validate.
// If provided, the verifier will check that the attestation's PCR values match these rules.
PCRRules []PCRRule
}
AWSNitroVerifierOptions configures the AWS Nitro verifier behavior
type AttestationDocument ¶
type AttestationDocument struct {
ModuleID string `cbor:"module_id"`
Timestamp uint64 `cbor:"timestamp"`
Digest string `cbor:"digest"`
PCRs map[uint][]byte `cbor:"pcrs"`
Certificate []byte `cbor:"certificate"`
CABundle [][]byte `cbor:"cabundle"`
PublicKey []byte `cbor:"public_key,omitempty"`
UserData []byte `cbor:"user_data,omitempty"`
Nonce []byte `cbor:"nonce,omitempty"`
}
AttestationDocument represents a parsed AWS Nitro attestation document
func (*AttestationDocument) Validate ¶
func (a *AttestationDocument) Validate() error
Validate checks for the presence of required fields in the attestation document
type PCRValidationResult ¶
type PCRValidationResult struct {
Index uint // PCR index
Expected []byte // Expected PCR value
Actual []byte // Actual PCR value from attestation
Valid bool // Whether the PCR matches expected value
}
PCRValidationResult represents the result of a single PCR validation
type ValidationResult ¶
type ValidationResult struct {
// Overall validation status - true if all required checks passed
// Valid is true iff all required validations passed, ie.: Errors is empty
Valid bool
// Validation errors - empty if Valid is true
// Each entry describes a specific validation failure
Errors []error
// Certificate chain validation details
ChainTrusted bool // True if certificate chain validated to AWS Nitro root
RootFingerprint string // SHA256 fingerprint of the root certificate (set if ChainTrusted is true)
// Optional fields extracted from attestation document
UserData []byte // Application-specific data included in the attestation
PublicKey []byte // Public key included in the attestation
Nonce []byte // Nonce included in the attestation
// PCR validation results (only set if PCRRules were provided in options)
PCRResults []PCRValidationResult
// Document is added for debugging purposes and for services that may need to inspect it further
Document *AttestationDocument
}
ValidationResult contains the result of AWS Nitro attestation validation
type Verifier ¶
type Verifier interface {
Validate(attestationBytes []byte) (*ValidationResult, error)
}
Verifier defines the interface for verifying AWS Nitro attestation documents
func NewVerifier ¶
func NewVerifier(options AWSNitroVerifierOptions) Verifier
NewVerifier creates a new attestation validator with the given options
Source Files
¶
Directories
Click to show internal directories.
Click to hide internal directories.