Document Signature Verification

This section introduces the verification process of the attestation document. When you request an attestation document from the QingTian Hypervisor, you will receive a binary blob containing the signed attestation document. The signed attestation document is encoded in CBOR and signed in COSE. The verification process is as follows:

1. Decode the CBOR object and map it to the COSE_Sign1 structure.

2. Extract the attestation document from the COSE_Sign1 structure.

3. Verify the validity of the CA certificate chain in the attestation document.

4. Verify the validity of the digital signature of the attestation document.

The attestation document is signed by the Huawei Cloud QingTian Attestation PKI. The QingTian Enclave's root certificate can be downloaded at https://qingtian-enclave.obs.myhuaweicloud.com/huawei_qingtian-enclaves_root-G1.zip. The SHA-256 hash value of the compressed file is as follows:

99e9203a64cfb0c6495afd815051e97bea8a37895dc083d715674af64adeadfe

The root certificate of the QingTian Attestation PKI can be valid for up to 30 years. The subject of the root certificate is in the following format:

CN=huaweicloud.qingtian-enclaves, C=CN, O=Huawei Technologies, OU=Huawei Cloud

COSE and CBOR

The COSE_Sign1 signature structure is usually used to sign a single signature for a message. The content and signature parameters are placed in the protected header. The COSE_Sign1 data structure is a CBOR array that includes the following fields:

[
    protected header;        // Protected header information
    unprotected header;  // Unprotected header information
    payload;             // Signed data and attestation document's CBOR encapsulation data
    signature;           // Signature
]

In the context of the attestation document, an example array is as follows:

18(                     // COSE_Sign1 CBOR tag
  {1: -35},              // Algorithm: ECDS 384
  {},                    // Empty
  attestation doc,       // Attestation document
  signature,                 // Signature
)

Certificate Verification

Verifying the certificate chain is an indispensable phase of the certificate verification. The CA bundle in the attestation document contains a list of root and intermediate certificates which are sequenced as follows:

[ ROOT_CERT - INTERM_1 - INTERM_2 ... -INTERM_N ]
     0              1            2                N

To verify the validity of the target certificate (certificate in the attestation document) using certain certificate verification tools, you may need to verify the certificates in the following sequence:

[ TARGET_CERT - INTERM_N - INTERM_N-1 ... - ROOT_CERT]

Parent topic: Cryptographic Attestation

Previous topic: Attestation Document

Next topic: Integration with Huawei Cloud KMS

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot