@dashlane/nsm-attestation
v1.0.2
Published
NSM Attestation Module
Downloads
196
Keywords
Readme
NSM Attestation module
This module provides Nitro Enclaves with attestation capability.
Verify a Nitro Security Module (NSM) attestation
Following the steps here: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html
Prerequisites
You must have embedded in your apps:
- the AWS Nitro Root certificate
- the expected PCRs of the enclave (unique measurements that allows to identify a Dashlane enclave)
AWS Nitro uses the elliptic curve P384 to generate keys (secp384r1 on openssl) and SHA384 hash signatures.
Step 1. Decode the CBOR object and map it to a COSE_Sign1 structure
Make sure that the CBOR object you received is signed with COSE. While decoding you must find an array containing 4 parts (see IETF draft):
- protected: the set of protected header parameters wrapped in a bstr
- unprotected: the set of unprotected header parameters as a map
- payload: the serialized content that was signed
- signature: array of signatures (contains the expected COSE_Sign1 signature)
Note: CBOR object of NSM attestation is not tagged (18 for cosesign1).
Step 2. Extract the attestation document from the COSE_Sign1 structure
You must parse the payload of the attestation document and ensure it follows the structure defined by AWS.
You can find the structure here.
Step 3. Verify the certificate's chain
The attestation document contains two important elements:
- a certificate: it's the public key certificate containing the public key that will be used to validate the COSE signature of the attestation
- a cabundle: it contains the certificate chains from the root CA to the intermediate CA that issued the above certificate
The goal of this step is to validate the certificate chain (+ the final certificate) with the root certificate (on production it's the AWS Nitro Root certificate).
Step 4. Ensure the attestation document is properly signed
Now that we know the certificate chain is valid we can extract the public key from the attestation document certificate and use it to verify the COSE signature of the attestation.
Step 5. Ensure the PCRs are matching
We should compare the embedded PCRs in our apps to the ones signed in the attestation document. If they match we know we're talking to the right enclave.
Mock a Nitro Security Module (NSM) attestation
Step 1. Create a certificate chain
Inside the certs
folder you can find:
createRootCA.sh
to generate a root certificate and an intermediate certificate (using secp384r1 algorithm and SHA384)createEnclaveCert.sh
to generate the enclave certificate signed by the intermediate certificate
Step 2. Create an attestation document
Put some sample data in an object following the structure provided by AWS: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html
Step 3. Encode the attestation
Encode the previous object with CBOR.
Step 4. Sign the attestation
Take the private key of your enclave certificate and sign the attestation using COSE with the algorithm ES384 (and remove the COSE tags).