search

aws / aws-nitro-enclaves-nsm-api

This provides a library for interacting with the Nitro Secure Module, which provides Nitro Enclaves with attestation capability.
Apache License 2.0
67 stars 43 forks source link

Unclear on COSE_Sign1 generation (tag 18) #7

Open stormouse opened 3 years ago

stormouse commented 3 years ago

https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/main/docs/attestation_process.md Section 3.3 of the page above mentioned tag 18 will be present or not according to "context". My tests using aws-nitro-enclaves-nsm-api have the tag missing. Could you make it more clear on when or if this tag will ever present?

petreeftime commented 3 years ago

Based on RFC 8152 Section 4.2, the tag is contextual, to prevent confusion between multiple structures. Since in the context of the Signed Attestation Document, it's clear that the object refers to a COSE_Sign1 object, then this tag can be elided without inducing such confusion. However, the expectation is that a conforming reader should be able to verify the tag, if it is exists. It seems that the documentation suggests that this will always be present, but I can confirm that it's currently not emitted.

petreeftime commented 3 years ago

Either the code needs to be updated to emit a tag so that it matches the documentation, or the documentation needs to be updated to clarify that the tag might be missing.