Standalone tool to verify AWS Nitro Enclave attestation documents from Epsilon
Epsilon Attestation Verifier
Verify AWS Nitro Enclave attestation documents. No AWS account or Nitro hardware required.
Install
```
pip install epsilon-attestation-verifier
```
Usage
```python
from epsilon_verifier import verify_attestation

result = verify_attestation(
    attestation_doc="<base64 attestation>",
    expected_pcr0="abc123...",   # Optional: verify enclave image
    expected_output="Hello",     # Optional: verify output hash
    allow_expired=True           # For historical attestations (~3hr cert lifetime)
)

if result.valid:
    print(f"Verified: PCR0={result.pcr0}, AWS signature={result.aws_signature_valid}")
else:
    print(f"Failed: {result.error}")
```
CLI
```
epsilon-verify verify attestation.json
epsilon-verify verify attestation.json --pcr0 abc123... --output output.txt --json
epsilon-verify extract attestation.json
```
What It Checks
- COSE signature — signed by genuine AWS Nitro hardware (ECDSA P-384)
- Certificate chain — valid chain to AWS Nitro root CA
- PCR values — enclave ran expected code (image hash match)
- Output hash — output integrity (SHA-256)
Attestation Structure
```
COSE_Sign1 (CBOR):
├── module_id     Enclave instance ID
├── pcrs          PCR0 (image), PCR1 (kernel), PCR2 (app)
├── certificate   Enclave certificate (DER)
├── cabundle      Chain to AWS root
├── user_data     Job ID, script hash, dataset hash, output hash
├── nonce         Replay protection
└── timestamp     Execution time (ms)
```
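To make the structure above concrete, here is an added example (not code from this project) that decodes a COSE_Sign1 blob with only the standard library and compares PCR0 in constant time. It assumes the standard COSE_Sign1 layout of a 4-element array `[protected, unprotected, payload, signature]` with the fields listed above in the payload map; the sample bytes are constructed, and the code performs no signature or certificate-chain verification.

```python
import hmac

def cbor_decode(buf, pos=0):
    """Decode one definite-length CBOR item; return (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated input")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info >= 28:
        raise ValueError("indefinite or reserved length rejected")
    arg = info
    if info >= 24:                            # 1, 2, 4 or 8 byte argument follows
        size = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if major in (0, 1):                       # unsigned / negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):                       # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode()), pos + arg
    if major in (4, 5):                       # array / map (a map holds 2 items per entry)
        items = []
        for _ in range(arg * (major - 3)):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    if major == 6:                            # tag (18 = COSE_Sign1): unwrap it
        return cbor_decode(buf, pos)
    raise ValueError("floats/simple values not expected here")

def parse_cose_sign1(blob):
    """Return (protected_header, payload). Parsing only; nothing is authenticated."""
    parts, end = cbor_decode(blob)
    if end != len(blob) or not isinstance(parts, list) or len(parts) != 4:
        raise ValueError("not a 4-element COSE_Sign1 array")
    return cbor_decode(parts[0])[0], cbor_decode(parts[2])[0]

def pcr0_matches(payload, expected_hex):
    """Constant-time compare of PCR0 with the expected image measurement."""
    return hmac.compare_digest(payload["pcrs"][0], bytes.fromhex(expected_hex))

# Constructed sample (not a real attestation): PCR0 = 0xab * 48, signature = 96 zero bytes.
PAYLOAD = (b"\xa3" b"\x69module_id" b"\x73constructed-enclave" b"\x64pcrs"
           b"\xa1\x00\x58\x30" + b"\xab" * 48
           + b"\x69timestamp\x1b" + (1700000000000).to_bytes(8, "big"))
SAMPLE = (b"\xd2\x84" b"\x44\xa1\x01\x38\x22" b"\xa0"
          + bytes([0x58, len(PAYLOAD)]) + PAYLOAD + b"\x58\x60" + bytes(96))
```

`parse_cose_sign1(SAMPLE)` returns the protected header `{1: -35}` (COSE algorithm ES384, i.e. ECDSA P-384) and the payload map; a PCR0 match on an unauthenticated payload proves nothing until the signature and chain checks listed under "What It Checks" have passed.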
Trust Model
You trust: AWS Nitro Attestation PKI (hardware root of trust)
You verify: COSE signature, certificate chain, PCR values, output hash
License
Download files
File details
Details for the file epsilon_attestation_verifier-1.1.0.tar.gz.
File metadata
- Download URL: epsilon_attestation_verifier-1.1.0.tar.gz
- Upload date:
- Size: 20.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 0c166727cc9c02e5412275b35987e27cfcaa03d8ccaa229b15ca691797042073 |
| MD5 | cbf477fc8449794b1839100eb0e39307 |
| BLAKE2b-256 | 7203aaf5ee67ab07c1addeaf2bbb94e7e437b026857ffad043374a6c60d42986 |
File details
Details for the file epsilon_attestation_verifier-1.1.0-py3-none-any.whl.
File metadata
- Download URL: epsilon_attestation_verifier-1.1.0-py3-none-any.whl
- Upload date:
- Size: 17.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 775423fd4c4a0df4d8019e21a6a3e04fa50f631e2b406e165e9dd2ea141bbad4 |
| MD5 | c036589b316f41263e4f64ef704ed02b |
| BLAKE2b-256 | a1326859745a83ba74f0466445765a3180b78000c8f3cb275f876ddb21975b5f |