Updated on 2024-10-18 GMT+08:00

Document Signature Verification

This section introduces the verification process of the attestation document. When you request an attestation document from the QingTian Hypervisor, you will receive a binary blob containing the signed attestation document. The signed attestation document is encoded in CBOR and signed in COSE. The verification process is as follows:

1. Decode the CBOR object and map it to the COSE_Sign1 structure.

2. Extract the attestation document from the COSE_Sign1 structure.

3. Verify the validity of the CA certificate chain in the attestation document.

4. Verify the validity of the digital signature of the attestation document.

The attestation document is signed by the Huawei Cloud QingTian Attestation PKI. The QingTian Enclave's root certificate can be downloaded at https://qingtian-enclave.obs.myhuaweicloud.com/huawei_qingtian-enclaves_root-G1.zip. The SHA-256 hash value of the compressed file is as follows:

99e9203a64cfb0c6495afd815051e97bea8a37895dc083d715674af64adeadfe

The root certificate of the QingTian Attestation PKI can be valid for up to 30 years. The subject of the root certificate is in the following format:

CN=huaweicloud.qingtian-enclaves, C=CN, O=Huawei Technologies, OU=Huawei Cloud

COSE and CBOR

The COSE_Sign1 signature structure is usually used to sign a single signature for a message. The content and signature parameters are placed in the protected header. The COSE_Sign1 data structure is a CBOR array that includes the following fields:

[
    protected header;        // Protected header information
    unprotected header;  // Unprotected header information
    payload;             // Signed data and attestation document's CBOR encapsulation data
    signature;           // Signature
]

In the context of the attestation document, an example array is as follows:

18(                     // COSE_Sign1 CBOR tag
  {1: -35},              // Algorithm: ECDS 384
  {},                    // Empty
  attestation doc,       // Attestation document
  signature,                 // Signature
)

Certificate Verification

Verifying the certificate chain is an indispensable phase of the certificate verification. The CA bundle in the attestation document contains a list of root and intermediate certificates which are sequenced as follows:

[ ROOT_CERT - INTERM_1 - INTERM_2 ... -INTERM_N ]
     0              1            2                N

To verify the validity of the target certificate (certificate in the attestation document) using certain certificate verification tools, you may need to verify the certificates in the following sequence:

[ TARGET_CERT - INTERM_N - INTERM_N-1 ... - ROOT_CERT]