turnkey_proofs 0.6.2

Utilities to parse and verify Turnkey secure enclave proofs
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

//! Attestation specific logic

#![forbid(unsafe_code)]
#![deny(clippy::all)]
#![warn(missing_docs, clippy::pedantic)]
#![allow(clippy::missing_errors_doc, clippy::module_name_repetitions)]

use crate::types;

/// Attestation error.
#[derive(Debug)]
pub enum AttestError {
    /// `webpki::Error` wrapper.
    WebPki(webpki::Error),
    /// Invalid certificate chain.
    InvalidCertChain(webpki::Error),
    /// `aws_nitro_enclaves_nsm_api::api::Error` wrapper.
    Nsm(aws_nitro_enclaves_nsm_api::api::Error),
    /// Invalid end entity certificate. In the case of Nitro this means the
    /// NSM's certificate was invalid.
    InvalidEndEntityCert,
    /// Invalid COSE Sign1 structure signature. In the case of Nitro this means
    /// the end entitys signature of the attestation doc was invalid.
    InvalidCOSESign1Signature,
    /// Invalid COSE Sign1 structure.
    InvalidCOSESign1Structure,
    /// Invalid hash digest.
    InvalidDigest,
    /// Invalid NSM module id.
    InvalidModuleId,
    /// Invalid PCR.
    InvalidPcr,
    /// Invalid certificate authority bundle.
    InvalidCABundle,
    /// Invalid time.
    InvalidTimeStamp,
    /// Invalid public key.
    InvalidPubKey,
    /// Invalid bytes.
    InvalidBytes,
    /// The NSM returned an unexpected response when queried
    UnexpectedNsmResponse(types::NsmResponse),
    /// Error while decoding the attestation document (base64 encoded).
    Base64DecodingError(String),
    /// Error while decoding PEM.
    PemDecodingError,
    /// Error trying to decode the public key in a cert.
    FailedDecodeKeyFromCert,
    /// Error while trying to parse a cert.
    FailedToParseCert,
    /// User data is missing in the attestation doc.
    MissingUserData,
    /// User data (normally manifest hash) does not match the attestation doc.
    DifferentUserData,
    /// The attestation doc has a nonce when none was expected.
    UnexpectedAttestationDocNonce,
    /// The attestation doc does not contain a pcr0.
    MissingPcr0,
    /// The pcr3 in the attestation doc does not match.
    DifferentPcr0,
    /// The attestation doc does not have a pcr1.
    MissingPcr1,
    /// The attestation doc has a different pcr1.
    DifferentPcr1,
    /// The attestation doc does not have a pcr2.
    MissingPcr2,
    /// The attestation doc has a different pcr2.
    DifferentPcr2,
    /// The attestation doc does not have a pcr3.
    MissingPcr3,
    /// The attestation doc has a different pcr3.
    DifferentPcr3,
}

/// `AppProof` error.
#[derive(Debug)]
pub enum AppProofError {
    /// Invalid signature scheme
    InvalidSignatureScheme,
    /// Invalid public key.
    InvalidPublicKey(String),
    /// Invalid signing public key.
    InvalidSigningPublicKeyBytes(String),
    /// Failed signature verification.
    FailedSignatureVerification(String),
    /// Invalid signature.
    InvalidSignature(String),
    /// Invalid proof payload.
    InvalidProofPayload(String),
    /// Missing timestamp.
    MissingTimestamp,
    /// Invalid timestamp.
    InvalidTimestamp(String),
}

/// `BootProofError`
#[derive(Debug)]
pub enum BootProofError {
    /// Invalid timestamp.
    InvalidTimestamp(String),
    /// Missing timestamp.
    MissingTimestamp,
}

/// Verify error.
#[derive(Debug)]
pub enum VerifyError {
    /// Invalid app proof.
    InvalidAppProof(String),
    /// Invalid attestation doc.
    InvalidAttestation(String),
    /// Invalid boot proof.
    InvalidBootProof(String),
    /// Ephemeral keys did not match.
    DifferentEphemeralKey(String),
    /// Manifest digests did not match.
    DifferentManifest(String),
}

impl From<webpki::Error> for AttestError {
    fn from(e: webpki::Error) -> Self {
        Self::WebPki(e)
    }
}

impl From<aws_nitro_enclaves_nsm_api::api::Error> for AttestError {
    fn from(e: aws_nitro_enclaves_nsm_api::api::Error) -> Self {
        Self::Nsm(e)
    }
}

impl std::fmt::Display for AttestError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{self:?}")
    }
}

impl std::fmt::Display for AppProofError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{self:?}")
    }
}

impl std::fmt::Display for VerifyError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{self:?}")
    }
}

impl std::fmt::Display for BootProofError {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{self:?}")
    }
}