Closed fabienpe closed 1 year ago
The PCR registers start in a known zero state and each extend operation does a hash between the previous state and the data. So for PCR8, the extend operation looks like:
#!/usr/bin/env python3
from cryptography import x509
from cryptography.hazmat.primitives import hashes

# Fingerprint = SHA-384 over the certificate's DER encoding
# (the value `openssl x509 -sha384 -fingerprint` prints).
with open("cert.pem", "rb") as f:
    cert = x509.load_pem_x509_certificate(f.read())
cert_hash = cert.fingerprint(hashes.SHA384())
print(cert_hash.hex())

# PCR8 = SHA-384(zero PCR || fingerprint): one extend from the all-zero state.
hasher = hashes.Hash(hashes.SHA384())
hash_size = int(384 / 8)  # 48-byte digest
hasher.update(b'\0' * hash_size)
hasher.update(cert_hash)
print(hasher.finalize().hex())
This should give you the same value as nitro-cli and the NitroSecureModule.
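The extend rule above generalised to any number of measurements, as an added example that is not part of this thread; it uses only hashlib (no `cryptography` dependency), and the `demo_der` bytes are a constructed stand-in for a real DER-encoded certificate so the script runs offline.

```python
#!/usr/bin/env python3
"""Replay PCR extends with hashlib and reproduce PCR8 from a certificate's DER bytes."""
import hashlib

PCR_HASH = "sha384"
PCR_SIZE = hashlib.new(PCR_HASH).digest_size  # 48 bytes for SHA-384


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """One TPM-style extend step: new_pcr = H(old_pcr || measurement)."""
    if len(pcr) != PCR_SIZE:
        raise ValueError(f"PCR must be {PCR_SIZE} bytes, got {len(pcr)}")
    h = hashlib.new(PCR_HASH)
    h.update(pcr)
    h.update(measurement)
    return h.digest()


def pcr_from_measurements(measurements) -> bytes:
    """Replay a list of measurements starting from the all-zero PCR state."""
    pcr = b"\0" * PCR_SIZE
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr


def cert_fingerprint(cert_der: bytes) -> bytes:
    """What `openssl x509 -sha384 -fingerprint` prints: H(DER encoding)."""
    return hashlib.new(PCR_HASH, cert_der).digest()


def pcr8_from_cert(cert_der: bytes) -> bytes:
    """PCR8 is a single extend of the zero PCR with the certificate fingerprint."""
    return pcr_from_measurements([cert_fingerprint(cert_der)])


def load_der(path: str) -> bytes:
    """Read a DER certificate; convert PEM first with
    `openssl x509 -in certificate.pem -outform DER -out certificate.der`."""
    with open(path, "rb") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed stand-in for DER bytes so the script runs offline;
    # in practice pass the real file through load_der().
    demo_der = b"\x30\x82\x01\x00" + b"\xa5" * 256
    print("fingerprint:", cert_fingerprint(demo_der).hex())
    print("PCR8       :", pcr8_from_cert(demo_der).hex())
```

The two printed values differ: the bare fingerprint is only the measurement, while PCR8 is the result of extending the zero register with it.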
Indeed! Thank you for the clarification! Is there Python code available to verify the signatures of the EIF?
I don't know of any.
FYI I created a simple Python script https://github.com/fabienpe/aws-nitro-verify-pcr-signature
In aws/aws-nitro-cli/docs/image_signing.md, it is stated that PCR8 "is the SHA384 hash of the signing certificate's fingerprint".
I have built an EIF file with my own certificate.pem and key.pem files, generated with openssl. After the creation I get a PCR8 value provided by the nitro-cli. Unfortunately the value is not the same as the one I get if I do:
openssl x509 -in certificate.pem -noout -sha384 -fingerprint
or using an equivalent method in Python.