Add AWS Nitro attestation verification module#971
Port of sui-types' nitro_attestation: COSE_Sign1 parsing, attestation document validation and certificate chain verification against the AWS Nitro root of trust. Moved here so consumers don't need the sui repo. Changes from the sui original: SuiError plumbing replaced with NitroAttestationVerifyError as the public error type; let-chains rewritten for edition 2021. API and verification logic are unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the hand-written Display impl with a thiserror derive (identical output strings) and bridge into FastCryptoError::GeneralError so the module composes with FastCryptoResult APIs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Switch parse_nitro_attestation/verify_nitro_attestation to FastCryptoResult so the public API matches the rest of the crate. The NitroAttestationVerifyError enum stays public and is produced by the private helpers; the From bridge into FastCryptoError now carries the conversion at the entry-point boundary. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
joyqvq left a comment

added more validation and tests. lgtm!

i added two additional validations: 1) timestamp should be nonzero 2) pcrs array length is longer than 1. in either case they would have been invalid before, so no protocol config is needed. what's the intention for this? if the goal is to eventually upstream to use this version to sui, then yes we should consider protocol config.

yes, we should eventually have only one impl.
9b8a938 to df9f17c
Summary
Moves AWS Nitro enclave attestation verification out of the sui monorepo (`crates/sui-types/src/nitro_attestation.rs`) into the core `fastcrypto` crate, so other consumers can use it without cloning sui. Verification covers COSE_Sign1 (RFC 8152) CBOR parsing, attestation-document validation, and X.509 chain verification against the AWS Nitro root CA with P-384 ECDSA.

The port is intentionally minimal — this is consensus-critical verification code, so the diff against the sui original is kept to mechanical changes only:

- `scripts/license_check.sh`); added a module doc comment.
- `SuiError`/`SuiErrorKind`/`SuiResult` removed. The `NitroAttestationVerifyError` enum is retained (now a `thiserror` derive with byte-identical Display strings) and stays public.
- `FastCryptoResult`, matching the rest of the crate; private helpers still produce the typed `NitroAttestationVerifyError`, bridged at the boundary via `From<NitroAttestationVerifyError> for FastCryptoError`.
- `if`s (fastcrypto is edition 2021).
- `nitro_root_certificate.pem` copied byte-for-byte.

The public API (including the three parsing bool flags `is_upgraded_parsing`/`include_all_nonzero_pcrs`/`always_include_required_pcrs`) is kept verbatim so the sui-side migration is a pure re-export + deletion.

Test plan

- `cargo test -p fastcrypto nitro_attestation` — 7/7 pass (parse/verify round-trips on real attestations, cert expiry windows, malformed CBOR, mutation tests).
- `cargo xclippy` and `cargo fmt --all --check` — clean.

Follow-up (separate sui PR, out of scope)

After this merges and sui bumps its fastcrypto pin: replace `crates/sui-types/src/nitro_attestation.rs` with `pub use fastcrypto::nitro_attestation::*;`, drop the orphaned `From<NitroAttestationVerifyError> for SuiError` impl, and move the unit tests over. The move-native callers match `Err(_)` and compile unchanged.

🤖 Generated with Claude Code
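The COSE_Sign1 signing input the description refers to, as an added example in plain Rust (not fastcrypto's or sui's code): it encodes the RFC 8152 §4.4 Sig_structure that the P-384 ECDSA signature on a Nitro attestation document is verified over, and applies the two document checks from the review comment (nonzero timestamp, more than one PCR). The ES384 protected header bytes and the `timestamp_ms`/`pcr_count` arguments are constructed for illustration.

```rust
// Added example, not part of the PR: minimal CBOR encoding of the
// COSE_Sign1 Sig_structure plus the two sanity checks from the review.

/// Append a CBOR byte string (major type 2): length header, then the data.
fn cbor_bstr(out: &mut Vec<u8>, data: &[u8]) {
    let len = data.len();
    match len {
        0..=23 => out.push(0x40 | len as u8),
        24..=0xff => {
            out.push(0x58);
            out.push(len as u8);
        }
        0x100..=0xffff => {
            out.push(0x59);
            out.extend_from_slice(&(len as u16).to_be_bytes());
        }
        _ => {
            out.push(0x5a);
            out.extend_from_slice(&(len as u32).to_be_bytes());
        }
    }
    out.extend_from_slice(data);
}

/// Sig_structure = [ "Signature1", protected, external_aad, payload ].
/// This byte string, not the raw document, is what the ECDSA P-384
/// signature in the COSE_Sign1 message is verified against. Nitro
/// attestations carry no external AAD, so that slot is an empty bstr.
pub fn sig_structure(protected: &[u8], payload: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(16 + protected.len() + payload.len());
    out.push(0x84); // array(4)
    out.push(0x6a); // text(10)
    out.extend_from_slice(b"Signature1");
    cbor_bstr(&mut out, protected); // protected headers, as serialised bstr
    cbor_bstr(&mut out, &[]); // external_aad: empty
    cbor_bstr(&mut out, payload); // the CBOR attestation document
    out
}

/// The two checks added in review, applied to fields of a decoded document:
/// a zero timestamp or fewer than two PCRs makes the document invalid.
pub fn check_document(timestamp_ms: u64, pcr_count: usize) -> Result<(), &'static str> {
    if timestamp_ms == 0 {
        return Err("attestation timestamp is zero");
    }
    if pcr_count < 2 {
        return Err("attestation carries fewer than two PCRs");
    }
    Ok(())
}
```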