richardfan1126 / nitro-enclave-python-demo

Using Python to implement basic features on AWS Nitro Enclaves
Apache License 2.0

ACM for Nitro Enclaves #12

Closed msnitish closed 2 years ago

msnitish commented 2 years ago

In the nitro-enclave-python-demo/attestation_verifier/client/client.py file, there seems to be no function that validates the Attestation Document by checking the validity of the certificate chain, or that uses Nitro ACM.

  1. Does the validation of the Attestation Document happen using ACM for Nitro Enclaves?
  2. If not, how exactly should the external service check the authenticity of the Enclave based on the received Attestation report? (I am assuming that after extracting the signed Attestation Document from the COSE_Sign1 file, we would have to validate the signature present in it after validating the certificate chain.)

Thank you.

richardfan1126 commented 2 years ago

Hi @msnitish

The attestation process doesn't involve ACM.

The entire validation process is inside attestation_verifier.py

https://github.com/richardfan1126/nitro-enclave-python-demo/blob/c4f5dc2f3cb6c5bbd2f6a64f8d0d9ea9e029f6d1/attestation_verifier/secretstore/attestation_verifier.py#L13-L98

The process is based on the description which AWS provided: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html

msnitish commented 2 years ago

@richardfan1126 Thank you. This made things clear regarding the validation process.