1.0.2 • Published 1 year ago

@dashlane/nsm-attestation v1.0.2

License
PROPRIETARY
Repository
gitlab

NSM Attestation module

This module provides Nitro Enclaves with attestation capability.

Verify a Nitro Security Module (NSM) attestation

Following the steps here: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html

Prerequisites

You must have embedded in your apps:

  • the AWS Nitro Root certificate
  • the expected PCRs of the enclave (unique measurements that identify a Dashlane enclave)

AWS Nitro generates keys on the elliptic curve P384 (secp384r1 in OpenSSL) and signs with SHA384 as the hash.

Step 1. Decode the CBOR object and map it to a COSE_Sign1 structure

Make sure that the CBOR object you received is signed with COSE. Once decoded, it must be an array containing 4 parts (see IETF draft):

  1. protected: the set of protected header parameters wrapped in a bstr
  2. unprotected: the set of unprotected header parameters as a map
  3. payload: the serialized content that was signed
  4. signature: array of signatures (contains the expected COSE_Sign1 signature)

Note: the CBOR object of an NSM attestation is not tagged (tag 18 identifies COSE_Sign1), so a decoder that expects the tag will reject it.

Step 2. Extract the attestation document from the COSE_Sign1 structure

You must parse the payload of the attestation document and ensure it follows the structure defined by AWS.

You can find the structure here.

Step 3. Verify the certificate's chain

The attestation document contains two important elements:

  • a certificate: it's the public key certificate containing the public key that will be used to validate the COSE signature of the attestation
  • a cabundle: it contains the certificate chains from the root CA to the intermediate CA that issued the above certificate

The goal of this step is to validate the certificate chain, including the final certificate, against the root certificate (in production, the AWS Nitro Root certificate).

Step 4. Ensure the attestation document is properly signed

Now that we know the certificate chain is valid, we can extract the public key from the attestation document certificate and use it to verify the COSE signature of the attestation.

Step 5. Ensure the PCRs are matching

We should compare the embedded PCRs in our apps to the ones signed in the attestation document. If they match we know we're talking to the right enclave.
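
The signature check of Step 4, as an added example that is not this module's own code: it rebuilds the COSE Sig_structure by hand and verifies an ES384 signature with Node's built-in crypto. It assumes Step 1 has already decoded the four COSE_Sign1 parts into Buffers; the function names, the throwaway key pair and the payload are constructed for illustration.

```javascript
// Added example: COSE_Sign1 signature check (Step 4) with Node's built-in crypto only.
const crypto = require('node:crypto');

// Minimal CBOR head: major type (0-7) plus its length/value argument.
function cborHead(major, n) {
  const m = major << 5;
  if (n < 24) return Buffer.from([m | n]);
  if (n < 0x100) return Buffer.from([m | 24, n]);
  if (n < 0x10000) return Buffer.from([m | 25, n >> 8, n & 0xff]);
  const b = Buffer.alloc(5);
  b[0] = m | 26;
  b.writeUInt32BE(n, 1);
  return b;
}
const bstr = (buf) => Buffer.concat([cborHead(2, buf.length), buf]);
const tstr = (s) => Buffer.concat([cborHead(3, Buffer.byteLength(s)), Buffer.from(s)]);

// Data actually signed in COSE_Sign1: ["Signature1", protected, external_aad (empty), payload]
function sigStructure(protectedHdr, payload) {
  return Buffer.concat([
    cborHead(4, 4), tstr('Signature1'), bstr(protectedHdr), bstr(Buffer.alloc(0)), bstr(payload),
  ]);
}

// ES384 = ECDSA on P-384 with SHA-384; COSE carries the signature as raw r||s (96 bytes), not DER.
function verifyCoseSign1([protectedHdr, , payload, signature], publicKey) {
  if (!Buffer.isBuffer(signature) || signature.length !== 96) return false;
  return crypto.verify('sha384', sigStructure(protectedHdr, payload),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, signature);
}

// Hypothetical signer used only to build a test fixture (mirrors the mock's signing step).
function signCoseSign1(protectedHdr, payload, privateKey) {
  const signature = crypto.sign('sha384', sigStructure(protectedHdr, payload),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return [protectedHdr, {}, payload, signature];
}

// Constructed sample: a throwaway key pair stands in for the enclave certificate's key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'secp384r1' });
  const protectedHdr = Buffer.from([0xa1, 0x01, 0x38, 0x22]); // CBOR map {1: -35}, alg = ES384
  const payload = Buffer.from('constructed attestation payload');
  const msg = signCoseSign1(protectedHdr, payload, privateKey);
  const tampered = [msg[0], msg[1], Buffer.from('constructed attestatioN payload'), msg[3]];
  return { valid: verifyCoseSign1(msg, publicKey), tampered: verifyCoseSign1(tampered, publicKey) };
}
console.log(demo());
```

In a real verifier the public key passed to `verifyCoseSign1` comes from the attestation document's certificate, and only after Step 3 has validated the chain; a valid signature under an unvalidated key proves nothing.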

Mock a Nitro Security Module (NSM) attestation

Step 1. Create a certificate chain

Inside the certs folder you can find:

  • createRootCA.sh to generate a root certificate and an intermediate certificate (using secp384r1 algorithm and SHA384)
  • createEnclaveCert.sh to generate the enclave certificate signed by the intermediate certificate

Step 2. Create an attestation document

Put some sample data in an object following the structure provided by AWS: https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html

Step 3. Encode the attestation

Encode the previous object with CBOR.

Step 4. Sign the attestation

Take the private key of your enclave certificate and sign the attestation using COSE with the algorithm ES384 (and remove the COSE tags).

1.0.2

1 year ago

1.0.1

1 year ago

1.0.0

1 year ago