{"id":45261786,"url":"https://github.com/yawn/nitro-attest","last_synced_at":"2026-02-21T00:28:18.748Z","repository":{"id":272333149,"uuid":"915990430","full_name":"yawn/nitro-attest","owner":"yawn","description":"Parse and validate Nitro Enclave attestation documents","archived":false,"fork":false,"pushed_at":"2025-03-19T07:57:07.000Z","size":56,"stargazers_count":0,"open_issues_count":6,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-19T08:34:39.766Z","etag":null,"topics":["aws-nitro","trusted-computing"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yawn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2025-01-13T08:45:48.000Z","updated_at":"2025-03-19T07:57:05.000Z","dependencies_parsed_at":"2025-01-13T19:25:38.049Z","dependency_job_id":"d1f2dbd5-152b-4a5d-b58e-365f9b6cb62e","html_url":"https://github.com/yawn/nitro-attest","commit_stats":null,"previous_names":["yawn/nitro-attest"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/yawn/nitro-attest","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yawn%2Fnitro-attest","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yawn%2Fnitro-attest/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yawn%2Fnitro-attest/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yawn%2Fnitro-attest/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/owners/yawn","download_url":"https://codeload.github.com/yawn/nitro-attest/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yawn%2Fnitro-attest/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29668686,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-21T00:11:43.526Z","status":"ssl_error","status_checked_at":"2026-02-20T23:52:33.807Z","response_time":59,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-nitro","trusted-computing"],"created_at":"2026-02-21T00:28:18.037Z","updated_at":"2026-02-21T00:28:18.742Z","avatar_url":"https://github.com/yawn.png","language":"Rust","readme":"# nitro-attest\n\n[![Rust](https://github.com/yawn/nitro-attest/actions/workflows/rust.yml/badge.svg)](https://github.com/yawn/nitro-attest/actions/workflows/rust.yml)\n\nAttestation document builder, parser and verifier for AWS Nitro Enclaves. 
Also tested to work on `wasm32-unknown-unknown`.\n\nIt performs the following verifications, following the guidance in the [AWS Nitro Enclaves documentation](https://docs.aws.amazon.com/enclaves/latest/user/verify-root.html#validation-process):\n\n- Verify root certificate fingerprint is correct, using the official G1 certificate bundle (see `build.rs` for bootstrapping)\n- Verify certificate chain signatures\n- Verify usage of correct signing algorithm (pinned to `ECDSA_WITH_SHA384`) for certificate chain\n- Verify validity fields (not before, not after)\n- Verify COSE signature\n\nThe crate uses `tracing` with fields appropriate for usage in web contexts, such as logging to end users with `console.log`.\n\n## Usage for verification\n\n```rust\nuse nitro_attest::{AttestationDoc, UnparsedAttestationDoc};\nuse time::OffsetDateTime;\n\n...\n\nlet doc: \u0026[u8] = ...;\nlet doc: UnparsedAttestationDoc = doc.into();\nlet doc = doc.parse_and_verify(OffsetDateTime::now_utc()).unwrap();\n\nprintln!(\"{:?}\", doc.public_key);\n```\n\n## Usage for testing\n\nWhen building with the `builder` feature, the crate can generate synthetic attestation documents for testing purposes.\n\nCertificate chains in test attestation documents originate from the \"eu-central-1\" region. 
Certificate chains have the following differences when compared to the official certificates:\n\n### Keys and fingerprints\n\n- The root certificate is (obviously) not official and has no matching fingerprints\n- Key material is available for all certificates to create valid signatures\n\n### Serial numbers\n\n- Serial numbers are randomized\n\n### Distinguished names\n\n- All elements in the distinguished name named \"aws\" or \"Amazon\" are prefixed with \"not-\"\n- Host and enclave names (in zonal or instance-specific CNs) are randomized\n- Distinguished name order can be slightly different due to constraints of the `rcgen` crate\n\nNote: starting from the instance-level certificate, the state name is \"Washington\" instead of \"WA\". This is an official inconsistency.\n\n### Validity\n\n- Certificate validity is set to roughly the same ranges as the official certificates\n- Validity always uses \"now\" as the anchor point: the root certificate, for example, is still valid for 30 years but was created 15 years ago, and so forth\n\n### X509v3 extensions\n\n- Extension order can be slightly different due to constraints of the `rcgen` crate\n- CRL URIs are subject to the same rules as distinguished names and also have their TLD (\".com\") replaced by \".test\"\n- CRL URI UUIDs are randomized\n\nIn the leaf certificate, the following differences apply:\n\n- Subject Key Identifier extensions are present\n- The key usage is marked as \"critical\"\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyawn%2Fnitro-attest","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyawn%2Fnitro-attest","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyawn%2Fnitro-attest/lists"}