fix(teeattestation/nitro): enforce max age on attestation timestamp [CL112-10]#2170
Open
nadahalli wants to merge 3 commits into
Open
fix(teeattestation/nitro): enforce max age on attestation timestamp [CL112-10]#2170nadahalli wants to merge 3 commits into
nadahalli wants to merge 3 commits into
Conversation
…CL112-10] verifyAttestationDocument only checked the attestation timestamp was non-zero; currentTime was used solely for cert validity (a 1-2 year window). A valid attestation therefore stayed valid until the leaf cert expired. Reject attestations older than MaxAttestationAge (5m), since the protocol produces them immediately before consumption. Add a test that a fresh attestation verifies and a stale one is rejected.
|
👋 nadahalli, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
📊 API Diff Results
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR tightens AWS Nitro attestation verification by enforcing a maximum allowable age for the attestation’s embedded timestamp, preventing old attestations from remaining valid solely due to long-lived certificate validity.
Changes:
- Introduces
MaxAttestationAge(5 minutes) and rejects attestations older than that window. - Adds a new error (
errStaleAttestation) surfaced when attestations exceed the allowed age. - Adds a unit test validating acceptance of a fresh attestation and rejection of a stale one while the cert remains valid.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
pkg/teeattestation/nitro/verify.go |
Adds max-age enforcement during attestation verification and introduces the stale-attestation error/constant. |
pkg/teeattestation/nitro/validate_test.go |
Adds a regression test covering acceptance/rejection based on attestation age. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+122
to
+126
| // doc.Timestamp is epoch milliseconds (already validated non-zero). | ||
| issued := time.UnixMilli(int64(doc.Timestamp)) //nolint:gosec // timestamp is positive and within int64 | ||
| if currentTime.Sub(issued) > MaxAttestationAge { | ||
| return nil, errStaleAttestation | ||
| } |
Comment on lines
+24
to
+26
| errBadDigest = errors.New("attestation digest is not SHA384") | ||
| errBadTimestamp = errors.New("attestation timestamp is 0") | ||
| errStaleAttestation = errors.New("attestation is older than the max allowed age") |
Comment on lines
+40
to
+41
| // MaxAttestationAge rejects attestations not consumed promptly after issuance. [CL112-10] | ||
| const MaxAttestationAge = 5 * time.Minute |
- Unexport maxAttestationAge (in-package use only). - Bound doc.Timestamp to int64 before time.UnixMilli; broaden errBadTimestamp. - Reject far-future timestamps too via absolute skew; reword errStaleAttestation. - Add a future-timestamp test case.
prashantkumar1982
approved these changes
Jun 19, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
verifyAttestationDocumentonly checked the attestation timestamp was non-zero;currentTimewas used solely for cert validity (a 1-2 year window). A valid attestation therefore stayed accepted until the leaf cert expired, even though our protocol produces attestations immediately before consumption.Adds
MaxAttestationAge(5 min) and rejects attestations older than that. Test covers a fresh attestation verifying and a stale one being rejected while the cert is still valid.Audit finding CL112-10 / PRIV-438.