Add AWS Nitro attestation verification module #971
Open
mskd12 wants to merge 5 commits into
Port of sui-types' nitro_attestation: COSE_Sign1 parsing, attestation document validation and certificate chain verification against the AWS Nitro root of trust. Moved here so consumers don't need the sui repo. Changes from the sui original: SuiError plumbing replaced with NitroAttestationVerifyError as the public error type; let-chains rewritten for edition 2021. API and verification logic are unchanged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Replace the hand-written Display impl with a thiserror derive (identical output strings) and bridge into FastCryptoError::GeneralError so the module composes with FastCryptoResult APIs. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Switch parse_nitro_attestation/verify_nitro_attestation to FastCryptoResult so the public API matches the rest of the crate. The NitroAttestationVerifyError enum stays public and is produced by the private helpers; the From bridge into FastCryptoError now carries the conversion at the entry-point boundary. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jun 9, 2026
Summary

Moves AWS Nitro enclave attestation verification out of the sui monorepo (`crates/sui-types/src/nitro_attestation.rs`) into the core `fastcrypto` crate, so other consumers can use it without cloning sui. Verification covers COSE_Sign1 (RFC 8152) CBOR parsing, attestation-document validation, and X.509 chain verification against the AWS Nitro root CA with P-384 ECDSA.

The port is intentionally minimal — this is consensus-critical verification code, so the diff against the sui original is kept to mechanical changes only:

- `scripts/license_check.sh`); added a module doc comment.
- `SuiError`/`SuiErrorKind`/`SuiResult` removed. The `NitroAttestationVerifyError` enum is retained (now a `thiserror` derive with byte-identical Display strings) and stays public.
- `FastCryptoResult`, matching the rest of the crate; private helpers still produce the typed `NitroAttestationVerifyError`, bridged at the boundary via `From<NitroAttestationVerifyError> for FastCryptoError`.
- `if`s (fastcrypto is edition 2021).
- `nitro_root_certificate.pem` copied byte-for-byte.

The public API (including the three parsing bool flags `is_upgraded_parsing`/`include_all_nonzero_pcrs`/`always_include_required_pcrs`) is kept verbatim so the sui-side migration is a pure re-export + deletion.

Test plan

- `cargo test -p fastcrypto nitro_attestation` — 7/7 pass (parse/verify round-trips on real attestations, cert expiry windows, malformed CBOR, mutation tests).
- `cargo xclippy` and `cargo fmt --all --check` — clean.

Follow-up (separate sui PR, out of scope)

After this merges and sui bumps its fastcrypto pin: replace `crates/sui-types/src/nitro_attestation.rs` with `pub use fastcrypto::nitro_attestation::*;`, drop the orphaned `From<NitroAttestationVerifyError> for SuiError` impl, and move the unit tests over. The move-native callers match `Err(_)` and compile unchanged.

🤖 Generated with Claude Code
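
As an added illustration (not code from this PR, fastcrypto or sui), here is a std-only Rust sketch of the structural checks a COSE_Sign1 envelope needs before any signature or certificate-chain verification is attempted, including rejection of malformed CBOR. It assumes an untagged four-element array, an empty unprotected header and an ES384 protected header; every name in it is hypothetical.

```rust
// Added illustration: structural COSE_Sign1 checks only, no signature or chain verification.
#[derive(Debug, PartialEq)]
pub enum CoseError { Truncated, NotSign1Array, BadField(&'static str), UnsupportedAlg, BadSigLen(usize) }
#[derive(Debug)]
pub struct Sign1<'a> { pub protected: &'a [u8], pub payload: &'a [u8], pub signature: &'a [u8] }

// Decode one CBOR head: (major type, argument, bytes consumed). Indefinite lengths are rejected.
fn head(b: &[u8]) -> Result<(u8, u64, usize), CoseError> {
    let first = *b.first().ok_or(CoseError::Truncated)?;
    let (major, info) = (first >> 5, first & 0x1f);
    let n: usize = match info {
        0..=23 => return Ok((major, info as u64, 1)),
        24 => 1, 25 => 2, 26 => 4, 27 => 8,
        _ => return Err(CoseError::BadField("indefinite or reserved length")),
    };
    let raw = b.get(1..1 + n).ok_or(CoseError::Truncated)?;
    Ok((major, raw.iter().fold(0u64, |a, &x| (a << 8) | x as u64), 1 + n))
}

// Read one definite-length byte string (major type 2) and advance the cursor past it.
fn bstr<'a>(b: &mut &'a [u8], what: &'static str) -> Result<&'a [u8], CoseError> {
    let cur: &'a [u8] = *b;
    let (major, len, used) = head(cur)?;
    if major != 2 { return Err(CoseError::BadField(what)); }
    let end = used.saturating_add(len as usize); // a length past the buffer fails the get() below
    let out = cur.get(used..end).ok_or(CoseError::Truncated)?;
    *b = &cur[end..];
    Ok(out)
}

// Assumption: untagged COSE_Sign1, i.e. [protected bstr, unprotected map, payload bstr, signature bstr].
pub fn parse_sign1(mut b: &[u8]) -> Result<Sign1<'_>, CoseError> {
    b = b.strip_prefix(&[0x84u8]).ok_or(CoseError::NotSign1Array)?; // 0x84 = array of 4
    let protected = bstr(&mut b, "protected")?;
    b = b.strip_prefix(&[0xa0u8]).ok_or(CoseError::BadField("unprotected"))?; // 0xa0 = empty map
    let payload = bstr(&mut b, "payload")?;
    let signature = bstr(&mut b, "signature")?;
    if !b.is_empty() { return Err(CoseError::BadField("trailing bytes")); }
    // Protected header must be exactly {1: -35}: alg = ES384 (ECDSA over P-384 with SHA-384).
    if protected != [0xa1, 0x01, 0x38, 0x22] { return Err(CoseError::UnsupportedAlg); }
    if signature.len() != 96 { return Err(CoseError::BadSigLen(signature.len())); } // r || s, 48 bytes each
    Ok(Sign1 { protected, payload, signature })
}

// Constructed sample, not a real attestation: 3-byte payload, zeroed signature of sig_len bytes.
pub fn sample(sig_len: u8) -> Vec<u8> {
    let prefix = [0x84, 0x44, 0xa1, 0x01, 0x38, 0x22, 0xa0, 0x43, b'd', b'o', b'c', 0x58, sig_len];
    prefix.iter().copied().chain(std::iter::repeat(0u8).take(sig_len as usize)).collect()
}
fn main() { println!("{:?}", parse_sign1(&sample(96)).map(|s| s.payload.len())); }
```

Pinning the algorithm and signature length before calling into an ECDSA verifier keeps attacker-chosen header values from selecting the verification path.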