-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathattestation.go
113 lines (94 loc) · 2.62 KB
/
attestation.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
package attestation
import (
"crypto/sha256"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/url"
"slices"
"strings"
)
type PredicateType string
const (
AWSNitroEnclaveV1 PredicateType = "https://tinfoil.sh/predicate/aws-nitro-enclave/v1"
SevGuestV1 PredicateType = "https://tinfoil.sh/predicate/snp-sev-guest/v1"
attestationEndpoint = "/.well-known/tinfoil-attestation"
)
var (
ErrFormatMismatch = errors.New("attestation format mismatch")
ErrMeasurementMismatch = errors.New("measurement mismatch")
)
type Measurement struct {
Type PredicateType
Registers []string
}
type Verification struct {
Measurement *Measurement
CertFP []byte
}
// Fingerprint computes the SHA-256 hash of all measurements, or returns the single measurement if there is only one
func (m *Measurement) Fingerprint() string {
if len(m.Registers) == 1 {
return m.Registers[0]
}
all := string(m.Type) + strings.Join(m.Registers, "")
return fmt.Sprintf("%x", sha256.Sum256([]byte(all)))
}
func (m *Measurement) Equals(other *Measurement) error {
if m.Type != other.Type {
return ErrFormatMismatch
}
if len(m.Registers) != len(other.Registers) || !slices.Equal(m.Registers, other.Registers) {
return ErrMeasurementMismatch
}
return nil
}
// Document represents an attestation document
type Document struct {
Format PredicateType `json:"format"`
Body string `json:"body"`
}
// Verify checks the attestation document against its trust root and returns the inner measurements
func (d *Document) Verify() (*Verification, error) {
switch d.Format {
case AWSNitroEnclaveV1:
return verifyNitroAttestation(d.Body)
case SevGuestV1:
return verifySevAttestation(d.Body)
default:
return nil, fmt.Errorf("unsupported attestation format: %s", d.Format)
}
}
// VerifyAttestationJSON verifies an attestation document in JSON format and returns the inner measurements
func VerifyAttestationJSON(j []byte) (*Verification, error) {
var doc Document
err := json.Unmarshal(j, &doc)
if err != nil {
return nil, err
}
return doc.Verify()
}
// CertFP gets the SHA256 fingerprint of a certificate
func CertFP(c tls.ConnectionState) []byte {
fp := sha256.Sum256(c.PeerCertificates[0].Raw)
return fp[:]
}
// Fetch retrieves the attestation document from a given enclave hostname
func Fetch(host string) (*Document, error) {
var u url.URL
u.Host = host
u.Scheme = "https"
u.Path = attestationEndpoint
resp, err := http.Get(u.String())
if err != nil {
return nil, err
}
defer resp.Body.Close()
var doc Document
if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
return nil, err
}
return &doc, nil
}