Add AWS Nitro

CLAUDE.md

@@ -0,0 +1,48 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+This is a monorepo of a Rust library that implements verification functionalities for various TEE frameworks (currently limited to Intel TDX, but open to expansions).
+
+## Rust Toolchain
+
+This repo is meant to be compiled with a stable Rust toolchain. The nightly toolchain is only used for checking unneeded dependencies with udeps. This is a no_std crate, and to help verify that we are not unintentionally importing indirect std dependencies, we test the compilation on a bare metal configuration.
+
+## Build Commands
+
+```bash
+# Build the library
+cargo build --release
+
+# Build bare metal
+cargo make build-bare-metal
+```
+
+## Formatting and linting
+
+```bash
+cargo fmt
+cargo clippy --release
+```
+
+## Check dependencies
+
+```bash
+cargo make udeps
+```
+
+## Testing
+
+```bash
+cargo test --release
+```
+
+## Development Guidelines
+
+The main usage of this repo is to implement TEE verification pallets in zkVerify (https://github.com/zkVerify/zkVerify, for now only in the `dr/add_tee_verifier_crl` branch.)
+
+In that regard, we want to minimize the size of the resulting runtime wasm, and to minimize the chances of indirectly pulling in dependencies on std, for example caused by shared sub-dependencies with other crates used by zkVerify, where std is not disabled (features are additive!). Long story short, try to minimize the number of external crates imported, and alway try to pick the smallest/simplest external crate when needed.
+
+Always check that the bare metal build works, that tests pass, and that the format/linting is accepted before finishing any coding task.

Cargo.toml

@@ -19,7 +19,10 @@ sha2 = { version = "0.10.9", default-features = false }
 serde = { version = "1.0.228", default-features = false, features = ["derive", "alloc"] }
 serde-json-core = { version = "0.6.0", default-features = false, features = ["heapless"] }
 p256 = { version = "0.13.2", default-features = false, features = ["ecdsa", "alloc"] }
+p384 = { version = "0.13.1", default-features = false, features = ["ecdsa", "alloc"] }
 pem = { version = "3.0.6", default-features = false }
+ciborium = { version = "0.2.2", default-features = false }
+coset = { version = "0.4.1", default-features = false }
 spki = { version = "0.7.3", default-features = false }
 x509-verify = { version = "0.4.8", default-features = false, features = [
   "x509",

README.md

@@ -5,6 +5,7 @@ A Rust library for TEE (Trusted Execution Environment) attestation quote verific
 ## Supported platforms
 
 - **Intel TDX / SGX** — Quote v4 parsing and ECDSA-P256 signature verification, X.509 certificate chain validation with CRL support, TCB collateral verification
+- **AWS Nitro Enclaves** — COSE_Sign1 attestation document parsing with ECDSA-P384 signature verification, certificate chain validation against AWS Nitro root CA
 
 ## Features
 
@@ -20,28 +21,45 @@ Add the dependency to your `Cargo.toml`:
 tee-verifier = { git = "https://github.com/zkVerify/tee-verifier" }
 ```
 
-### Example: Intel TDX/SGX quote verification
+### Intel TDX/SGX quote verification
 
 ```rust
-use tee_verifier::{parse_crl, parse_quote, parse_tcb_response};
+use tee_verifier::{intel_parse_quote, intel_parse_tcb_response, parse_crl_pem};
 
 // 1. Parse the CRL and validate its signature against the certificate chain
-let (crl_issue_time, crl) = parse_crl(
+let (crl_issue_time, crl) = parse_crl_pem(
     &crl_pem,
     &pck_certificate_chain_pem,
     Some(&intel_root_cert_der),
     now_unix_timestamp,
 ).unwrap();
 
 // 2. Parse and verify TCB collateral
-let tcb_response = parse_tcb_response(&tcb_json).unwrap();
+let tcb_response = intel_parse_tcb_response(&tcb_json).unwrap();
 tcb_response.verify(tcb_signing_chain_pem, &crl, now_unix_timestamp).unwrap();
 
 // 3. Parse and verify the attestation quote
-let quote = parse_quote(&raw_quote_bytes).unwrap();
+let quote = intel_parse_quote(&raw_quote_bytes).unwrap();
 quote.verify(&tcb_response.tcb_info, &crl, now_unix_timestamp).unwrap();
 ```
 
+### AWS Nitro Enclaves attestation verification
+
+```rust
+use tee_verifier::nitro_parse_attestation;
+
+// 1. Parse the COSE_Sign1 attestation document
+let attestation = nitro_parse_attestation(&raw_attestation_bytes).unwrap();
+
+// 2. Verify the signature and certificate chain against the AWS Nitro root CA
+attestation.verify(None, now_unix_timestamp).unwrap();
+
+// 3. Access attestation fields
+let module_id = &attestation.module_id;
+let pcrs = &attestation.pcrs;
+let user_data = &attestation.user_data;
+```
+
 ### `no_std`
 
 Disable default features to use in a `no_std` environment: