Documentation
¶
Overview ¶
Package nitro provides AWS Nitro Enclave attestation validation.
Index ¶
Constants ¶
const DefaultCARoots = "" /* 792-byte string literal not displayed */
DefaultCARoots is the AWS Nitro Enclaves root certificate. Downloaded from: https://aws-nitro-enclaves.amazonaws.com/AWS_NitroEnclaves_Root-G1.zip
Variables ¶
This section is empty.
Functions ¶
func ValidateAttestation ¶
ValidateAttestation verifies an AWS Nitro attestation document against expected user data and trusted PCR measurements. Always validates against the AWS Nitro Enclaves root certificate.
For testing with fake enclaves, use ValidateAttestationWithRoots or inject a custom validator function.
func ValidateAttestationWithRoots ¶
func ValidateAttestationWithRoots(attestation, expectedUserData, trustedMeasurements []byte, caRootsPEM string) error
ValidateAttestationWithRoots verifies an AWS Nitro attestation document using a custom CA root certificate. This is primarily for testing with fake enclaves that use self-signed CA roots.
Types ¶
type Document ¶
type Document struct {
// PCRs holds every platform configuration register present in the
// attestation, keyed by index. PCR0/1/2 have already been checked against
// the trusted measurements; higher PCRs (e.g. 3/4/8) are exposed unchecked.
PCRs map[uint][]byte
// LeafPublicKey is the SPKI (DER) of the attestation's end-entity
// certificate public key. AWS rotates the end-entity certificate per
// enclave instance (roughly every few hours), so this is not a stable
// identity anchor on its own.
LeafPublicKey []byte
// PublicKey is the enclave-supplied public_key field of the attestation
// (nil if the enclave did not set one). This is the field an enclave can
// use to publish a long-lived identity key it generated inside the TEE.
PublicKey []byte
// UserData is the attestation user_data field. It has already been checked
// to equal the expectedUserData argument.
UserData []byte
// Nonce is the attestation nonce field (nil if the enclave did not set
// one). ValidateAndParse does NOT check it: callers that want replay
// protection must compare it against a freshly generated challenge.
Nonce []byte
// ModuleID is the attestation module_id field.
ModuleID string
}
Document holds the validated, parsed fields of a Nitro attestation that a caller needs in order to bind an attestation to a specific enclave identity and to check freshness. A Document is returned only after the full validation chain (certificate chain, COSE signature, expected user data, trusted PCR0/1/2) has passed.
func ValidateAndParse ¶
ValidateAndParse runs the same validation as ValidateAttestation and, on success, returns the parsed attestation fields. Callers that need to bind the attestation to a specific enclave identity (via Document.PublicKey or Document.LeafPublicKey) or to check freshness (via Document.Nonce) should use this instead of ValidateAttestation.
func ValidateAndParseWithRoots ¶
func ValidateAndParseWithRoots(attestation, expectedUserData, trustedMeasurements []byte, caRootsPEM string) (*Document, error)
ValidateAndParseWithRoots is ValidateAndParse against a custom CA root certificate. This is primarily for testing with fake enclaves that use self-signed CA roots.
type HexBytes ¶
type HexBytes []byte
HexBytes is a custom type that unmarshals hex strings into a byte slice and marshals byte slices back to hex strings. This allows parsing AWS Nitro measurements, which use hex byte strings in JSON.