EspressoSystems/tee-verifier-tester

TEE Verifier Tester

A simple command-line tool that runs in AWS Nitro Enclaves to test the TEE (Trusted Execution Environment) attestation verifier service.

Overview

This binary retrieves an AWS Nitro Enclaves attestation document (from the NSM device when available, otherwise a mock for local testing), sends it to a verifier over vsock, and validates the returned EIP-712 signature locally.

It is both:

  • a minimal tester for a TEE attestation verifier, and
  • a runnable example showing how to interact with a verifier service from inside an enclave.

Requirements

  • Build environment for Linux AMD64.
  • Running inside AWS Nitro Enclaves for real attestation (NSM). For local/dev, the app falls back to a mock attestation document.
  • A verifier service listening on the parent (CID 3) vsock port 8001 with endpoint POST /v1/attestations.

Environment Variables

  • USER_PUBLIC_KEY: The user public key to embed in the attestation request (string bytes passed to NSM as PublicKey).
  • SIGNER_PUBLIC_KEY: Hex-encoded uncompressed ECDSA public key of the verifier signer (used to verify the EIP-712 signature). Example: 0x04....

See .env.example for a template.

Request/Response Schema (to verifier)

Request (JSON):

{
  "data": {
    "type": "attestations",
    "attributes": {
      "attestation": "<base64 attestation document>",
      "domain": { "name": "TEE-Verifier-Tester", "version": "1" },
      "primary_type": "Register",
      "fields_to_sign": ["pcr0", "public_key"]
    }
  }
}

Response (JSON):

{
  "data": {
    "type": "attestations",
    "attributes": { "signature": "<base64 65-byte signature>" }
  }
}
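As an added example (not the project's own code), a small Python client that builds the request shown above, posts it over vsock to the parent at CID 3 / port 8001 as listed under Requirements, and parses the response, rejecting any signature that is not exactly 65 bytes before anything tries to recover a signer from it. The raw HTTP/1.1 framing and the Host header value are assumptions of this example; the page does not show the project's own transport code.

```python
import base64
import json
import socket

# Verifier address as documented in this README (parent CID 3, vsock port 8001).
PARENT_CID, VERIFIER_PORT, VERIFIER_PATH = 3, 8001, "/v1/attestations"

def build_request(attestation_doc: bytes) -> dict:
    """Build the JSON body documented for POST /v1/attestations."""
    return {"data": {"type": "attestations", "attributes": {
        "attestation": base64.b64encode(attestation_doc).decode("ascii"),
        "domain": {"name": "TEE-Verifier-Tester", "version": "1"},
        "primary_type": "Register",
        "fields_to_sign": ["pcr0", "public_key"],
    }}}

def parse_signature(response_body: bytes) -> tuple[bytes, bytes, int]:
    """Decode the response signature and split it into (r, s, v)."""
    # Anything that is not exactly 65 bytes is rejected here, so a truncated or
    # malformed verifier reply fails before any EIP-712 recovery is attempted.
    body = json.loads(response_body)
    sig = base64.b64decode(body["data"]["attributes"]["signature"], validate=True)
    if len(sig) != 65:
        raise ValueError(f"expected 65-byte signature, got {len(sig)} bytes")
    r, s, v = sig[:32], sig[32:64], sig[64]
    if v in (0, 1):  # normalise a raw recovery id to the 27/28 convention
        v += 27
    if v not in (27, 28):
        raise ValueError(f"unexpected recovery id {v}")
    return r, s, v

def post_attestation(doc: bytes, cid: int = PARENT_CID, port: int = VERIFIER_PORT) -> bytes:
    """POST the request over vsock as raw HTTP/1.1 and return the response body."""
    # Needs Linux AF_VSOCK, i.e. this only runs inside the enclave. The HTTP
    # framing (Host header, Connection: close) is an assumption of this example.
    payload = json.dumps(build_request(doc)).encode()
    head = (f"POST {VERIFIER_PATH} HTTP/1.1\r\nHost: verifier\r\n"
            "Content-Type: application/json\r\nConnection: close\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n").encode()
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as sock:
        sock.connect((cid, port))
        sock.sendall(head + payload)
        raw = b"".join(iter(lambda: sock.recv(4096), b""))
    headers, _, body = raw.partition(b"\r\n\r\n")
    if not headers.startswith(b"HTTP/1.1 200"):
        raise RuntimeError(headers.split(b"\r\n", 1)[0].decode(errors="replace"))
    return body
```

`parse_signature` only checks the shape of the signature; recovering the signer from (r, s, v) over the EIP-712 digest and comparing it with SIGNER_PUBLIC_KEY is the separate step the tester performs afterwards.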

Quick Start

1 Test and verify the signature (on an AWS Nitro-capable machine)

  • Clone the repo:
git clone https://github.com/EspressoSystems/tee-verifier-tester.git
cd ./tee-verifier-tester

2 Set environment variables

Copy the example and edit it:

cp .env.example .env

Edit .env and set the keys:

# User's Public Key (to be included in the attestation document)
# This is YOUR public key that will be attested
USER_PUBLIC_KEY=0x89c0f5e272BE0DfBc1fe738209b45f06e1040219

# Signer's Public Key (for signature verification)
# This is the public key of the attestation verifier service
# Format: uncompressed ECDSA public key, hex-encoded
#         (0x04 prefix followed by the 64-byte X||Y coordinates, i.e. 128 hex chars)
# Example: 0x04[128 hex chars]
SIGNER_PUBLIC_KEY=0x14d85b7f750456a2a50017d5f6b99a9b9a7a2adf4e420101f9a424aa87ce083230fe47953fb408639cd9d0a5aad575ccd7644f2b651754af6153acbf1f27fbc86c

Notes:

  • SIGNER_PUBLIC_KEY must be the signing public key of the verifier service you are testing against; the returned EIP-712 signature is checked against this key, so a wrong value makes every run fail verification.
  • USER_PUBLIC_KEY can be an address-like string (as shown above); it is passed into the NSM as report data.

3 Bridge vsock to the verifier server

Run socat on the parent instance to forward vsock port 8001 to the verifier's TCP endpoint:

sudo socat -d -d VSOCK-LISTEN:8001,fork,reuseaddr TCP:13.214.208.180:8000 &

Explanation:

  • 13.214.208.180 is the public IP where the Attestation Verifier is running.
  • 8000 is the verifier's TCP port.

4 Build the EIF file

docker build . -t tee-verifier-tester && \
nitro-cli build-enclave --docker-uri tee-verifier-tester:latest --output-file tee-verifier-tester.eif

5 Run the enclave and print the output (single command)

Run the enclave and attach the console in one line:

nitro-cli run-enclave \
  --eif-path tee-verifier-tester.eif \
  --cpu-count 2 \
  --memory 512 \
  --enclave-cid 16 \
  --debug-mode \
  --enclave-name tee-verifier-tester && \
nitro-cli console --enclave-name tee-verifier-tester

Notes:

  • The program inside the enclave connects via vsock to the parent at CID 3 and port 8001 (which you bridged with socat).
  • Adjust cpu-count, memory, or enclave-cid as needed for your environment.
