nitro

package
v1.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 8, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Overview

Package nitro provides AWS Nitro Enclave attestation validation.

Index

Constants

View Source
const DefaultCARoots = "" /* 792-byte string literal not displayed */

DefaultCARoots is the AWS Nitro Enclaves root certificate. Downloaded from: https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip

Variables

This section is empty.

Functions

func ValidateAttestation

func ValidateAttestation(attestation, expectedUserData, trustedMeasurements []byte) error

ValidateAttestation verifies an AWS Nitro attestation document against expected user data and trusted PCR measurements. Always validates against the AWS Nitro Enclaves root certificate.

For testing with fake enclaves, use ValidateAttestationWithRoots or inject a custom validator function.

func ValidateAttestationWithRoots

func ValidateAttestationWithRoots(attestation, expectedUserData, trustedMeasurements []byte, caRootsPEM string) error

ValidateAttestationWithRoots verifies an AWS Nitro attestation document using a custom CA root certificate. This is primarily for testing with fake enclaves that use self-signed CA roots.

Types

type Document

type Document struct {
	// PCRs holds every platform configuration register present in the
	// attestation, keyed by index. PCR0/1/2 have already been checked against
	// the trusted measurements; higher PCRs (e.g. 3/4/8) are exposed unchecked.
	PCRs map[uint][]byte
	// LeafPublicKey is the SPKI (DER) of the attestation's end-entity
	// certificate public key. AWS rotates the end-entity certificate per
	// enclave instance (roughly every few hours), so this is not a stable
	// identity anchor on its own.
	LeafPublicKey []byte
	// PublicKey is the enclave-supplied public_key field of the attestation
	// (nil if the enclave did not set one). This is the field an enclave can
	// use to publish a long-lived identity key it generated inside the TEE.
	PublicKey []byte
	// UserData is the attestation user_data field. It has already been checked
	// to equal the expectedUserData argument.
	UserData []byte
	// Nonce is the attestation nonce field (nil if the enclave did not set
	// one). ValidateAndParse does NOT check it: callers that want replay
	// protection must compare it against a freshly generated challenge.
	Nonce []byte
	// ModuleID is the attestation module_id field.
	ModuleID string
}

Document holds the validated, parsed fields of a Nitro attestation that a caller needs in order to bind an attestation to a specific enclave identity and to check freshness. A Document is returned only after the full validation chain (certificate chain, COSE signature, expected user data, trusted PCR0/1/2) has passed.

func ValidateAndParse

func ValidateAndParse(attestation, expectedUserData, trustedMeasurements []byte) (*Document, error)

ValidateAndParse runs the same validation as ValidateAttestation and, on success, returns the parsed attestation fields. Callers that need to bind the attestation to a specific enclave identity (via Document.PublicKey or Document.LeafPublicKey) or to check freshness (via Document.Nonce) should use this instead of ValidateAttestation.

func ValidateAndParseWithRoots

func ValidateAndParseWithRoots(attestation, expectedUserData, trustedMeasurements []byte, caRootsPEM string) (*Document, error)

ValidateAndParseWithRoots is ValidateAndParse against a custom CA root certificate. This is primarily for testing with fake enclaves that use self-signed CA roots.

type HexBytes

type HexBytes []byte

HexBytes is a custom type that unmarshals hex strings into a byte slice and marshals byte slices back to hex strings. This allows parsing AWS Nitro measurements, which use hex byte strings in JSON.

func (HexBytes) MarshalJSON

func (h HexBytes) MarshalJSON() ([]byte, error)

func (*HexBytes) UnmarshalJSON

func (h *HexBytes) UnmarshalJSON(b []byte) error

type PCRs

type PCRs struct {
	PCR0 HexBytes `json:"pcr0"`
	PCR1 HexBytes `json:"pcr1"`
	PCR2 HexBytes `json:"pcr2"`
}

PCRs holds Platform Configuration Register values for attestation validation.

Directories

Path Synopsis
Package nitrofake provides an Attestor that produces structurally valid COSE Sign1 attestation documents.
Package nitrofake provides an Attestor that produces structurally valid COSE Sign1 attestation documents.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL