$ dd if=/dev/urandom of=nonce.bin bs=32 count=1
$ cargo run --package verifier -- $INTERFACE attest nonce.bin > attest.bin
$ cargo run --package verifier -- $INTERFACE log > log.bin
$ cargo run --package verifier -- $INTERFACE cert-chain > cert-chain.pem
# split the certificate chain into individual files
csplit --quiet --elide-empty-files \
--prefix cert- \
--suffix-format %01d.pem \
cert-chain.pem \
'/-----BEGIN CERTIFICATE-----/' '{*}'
# the cert for the alias key is the leaf / first cert in the chain that we
# just split
cargo run --package verifier -- $INTERFACE verify-attestation \
--alias-cert cert-0.pem \
--log log.bin \
--nonce nonce.bin \
attest.bin
cargo run --package verifier -- $INTERFACE verify-cert-chain \
--ca-cert $CERT_ROOT \
cert-chain.pem
We should have a one-shot version as well. It should leave behind files / an archive of artifacts sufficient to reproduce the verification. This is something that the mfg stations will likely want to persist.
flihp
commented
10 months ago
verification currently takes a shell script like:
We should have a one-shot version as well. It should leave behind files / an archive of artifacts sufficient to reproduce the verification. This is something that the mfg stations will likely want to persist.