@dashlane/nsm-attestation

v1.0.2

NSM Attestation Module

Downloads

284

Readme

NSM Attestation module

This module provides Nitro Enclaves with attestation capability.

Verify a Nitro Security Module (NSM) attestation

Following the steps here: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html

Prerequisites

You must have embedded in your apps:

  • the AWS Nitro Root certificate
  • the expected PCRs of the enclave (unique measurements that identify a Dashlane enclave)

AWS Nitro generates keys on the elliptic curve P-384 (secp384r1 in OpenSSL) and signs using SHA-384 hashes.

Step 1. Decode the CBOR object and map it to a COSE_Sign1 structure

Make sure that the CBOR object you received is signed with COSE. While decoding you must find an array containing 4 parts (see IETF draft):

  1. protected: the set of protected header parameters wrapped in a bstr
  2. unprotected: the set of unprotected header parameters as a map
  3. payload: the serialized content that was signed
  4. signature: array of signatures (contains the expected COSE_Sign1 signature)

Note: the CBOR object of an NSM attestation is not tagged (tag 18 is the COSE_Sign1 tag).

Step 2. Extract the attestation document from the COSE_Sign1 structure

You must parse the payload of the attestation document and ensure it follows the structure defined by AWS.

You can find the structure here.

Step 3. Verify the certificate's chain

The attestation document contains two important elements:

  • a certificate: it's the public key certificate containing the public key that will be used to validate the COSE signature of the attestation
  • a cabundle: it contains the certificate chains from the root CA to the intermediate CA that issued the above certificate

The goal of this step is to validate the certificate chain, including the final certificate, against the root certificate (in production it's the AWS Nitro Root certificate).

Step 4. Ensure the attestation document is properly signed

Now that we know the certificate chain is valid, we can extract the public key from the attestation document certificate and use it to verify the COSE signature of the attestation.

Step 5. Ensure the PCRs are matching

We should compare the embedded PCRs in our apps to the ones signed in the attestation document. If they match we know we're talking to the right enclave.
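
Steps 4 and 5 as an added example (not code from this module), using only Node's built-in crypto: the ES384 signature is checked over the COSE Sig_structure rather than over the bare payload, then the PCRs are compared. The function names, the throwaway key and the sample payload are constructed for illustration; the example assumes the COSE_Sign1 parts were already decoded (steps 1 and 2) and the certificate chain already validated (step 3).

```javascript
// Added example, not the module's own code. Node built-ins only.
const crypto = require('node:crypto');

// Minimal CBOR head for byte strings (major 2) and text strings (major 3).
function cborHead(major, len) {
  if (len < 24) return Buffer.from([(major << 5) | len]);
  if (len < 0x100) return Buffer.from([(major << 5) | 24, len]);
  const wide = len >= 0x10000;
  const head = Buffer.alloc(wide ? 5 : 3);
  head[0] = (major << 5) | (wide ? 26 : 25);
  if (wide) head.writeUInt32BE(len, 1); else head.writeUInt16BE(len, 1);
  return head;
}
const bstr = (buf) => Buffer.concat([cborHead(2, buf.length), buf]);
const tstr = (s) => Buffer.concat([cborHead(3, Buffer.byteLength(s)), Buffer.from(s)]);

// RFC 8152 Sig_structure for COSE_Sign1:
// ["Signature1", protected, external_aad (empty), payload]
function sigStructure(protectedHdr, payload) {
  return Buffer.concat([Buffer.from([0x84]), tstr('Signature1'),
    bstr(protectedHdr), bstr(Buffer.alloc(0)), bstr(payload)]);
}

// Step 4: ES384 signatures in COSE are raw r||s (2 x 48 bytes), not DER.
function verifyCoseSign1(protectedHdr, payload, signature, publicKey) {
  if (signature.length !== 96) return false;
  return crypto.verify('sha384', sigStructure(protectedHdr, payload),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, signature);
}

// Step 5: every embedded PCR must equal the PCR decoded from the signed payload.
function pcrsMatch(expectedHex, attested) {
  return Object.entries(expectedHex).every(([index, hex]) => {
    const got = attested.get(Number(index));
    return Buffer.isBuffer(got) && got.equals(Buffer.from(hex, 'hex'));
  });
}

// Constructed sample: a throwaway P-384 key stands in for the enclave certificate key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp384r1' });
  const protectedHdr = Buffer.from('a1013822', 'hex'); // CBOR {1: -35}, alg = ES384
  const payload = Buffer.from('constructed attestation payload');
  const signature = crypto.sign('sha384', sigStructure(protectedHdr, payload),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  const tampered = Buffer.concat([payload, Buffer.from([0])]);
  return { valid: verifyCoseSign1(protectedHdr, payload, signature, publicKey),
    tampered: verifyCoseSign1(protectedHdr, tampered, signature, publicKey) };
}
```

The PCR map passed to `pcrsMatch` must be the one decoded from the payload whose signature was just verified, never from a separate source.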

Mock a Nitro Security Module (NSM) attestation

Step 1. Create a certificate chain

Inside the certs folder you can find:

  • createRootCA.sh to generate a root certificate and an intermediate certificate (using secp384r1 algorithm and SHA384)
  • createEnclaveCert.sh to generate the enclave certificate signed by the intermediate certificate

Step 2. Create an attestation document

Put some sample data in an object following the structure provided by AWS: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html

Step 3. Encode the attestation

Encode the previous object with CBOR.

Step 4. Sign the attestation

Take the private key of your enclave certificate and sign the attestation using COSE with the algorithm ES384 (and remove the COSE tags).