Validating attestation documents produced by AWS Nitro Enclaves

This article explains how to validate attestation documents produced by AWS Nitro Enclaves, which provide isolated environments for security-critical applications.

  • Attestation documents are CBOR-encoded and wrapped in a COSE_Sign1 structure consisting of headers, payload, and signature
  • Syntactic validation checks the document structure: a CBOR array of 4 items, protected headers, a payload, and a 96-byte signature
  • Semantic validation verifies certificate authenticity against the AWS Nitro Enclaves PKI root certificate and the CA bundle carried in the document
  • Cryptographic validation proves document integrity by verifying the P-384 elliptic curve (ECDSA) signature
  • The payload contains NSM info, a timestamp, Platform Configuration Registers (PCRs), an x509 certificate, and optional custom parameters
  • The certificate expires three hours after issuance and carries NSM details in its common name field
  • Example C code using libcbor and OpenSSL is provided for the complete validation workflow
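
The syntactic layer in the list above, worked through as an added example that is not the AWS post's C code: a minimal strict CBOR codec and the structural checks on a COSE_Sign1 envelope (4-item array, protected headers as a byte string holding a map, payload as a byte string holding a map, 96-byte signature). The sample document is constructed inline with a zero signature and placeholder certificate; the payload key names (`timestamp`, `pcrs`, `certificate`, `nonce`) and the COSE `alg` label 1 with ES384 = -35 are assumptions drawn from the COSE and Nitro attestation formats, not values spelled out on this page. Semantic (certificate chain) and cryptographic (ECDSA) validation are deliberately not covered here.

```python
ES384 = -35       # COSE algorithm identifier for ECDSA/SHA-384 on P-384 (assumed, not on the page)
SIG_LEN = 96      # P-384 ECDSA signature: r || s, 48 bytes each, as the page states
ALG_LABEL = 1     # COSE protected-header label for "alg" (assumed)

# --- minimal CBOR encoder, used only to build the constructed sample ---------
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < (1 << (8 * size)):
            return bytes([(major << 5) | info]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def encode(obj):
    if isinstance(obj, bool):
        raise TypeError("booleans are not needed for this example")
    if isinstance(obj, int):
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        raw = obj.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(obj, list):
        return _head(4, len(obj)) + b"".join(encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(encode(k) + encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

# --- minimal strict CBOR decoder: rejects indefinite lengths, truncation,
# duplicate map keys, trailing bytes and major types the document never uses ---
def _decode(data, pos):
    if pos >= len(data):
        raise ValueError("truncated CBOR")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info >= 28:
        raise ValueError("indefinite-length or reserved additional info not allowed")
    n = info
    if info >= 24:
        size = 1 << (info - 24)          # 24->1, 25->2, 26->4, 27->8 bytes
        if pos + size > len(data):
            raise ValueError("truncated CBOR")
        n = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major in (2, 3):
        if pos + n > len(data):
            raise ValueError("truncated CBOR")
        chunk = data[pos:pos + n]
        return (bytes(chunk) if major == 2 else chunk.decode("utf-8")), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = _decode(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        m = {}
        for _ in range(n):
            k, pos = _decode(data, pos)
            v, pos = _decode(data, pos)
            if k in m:
                raise ValueError("duplicate map key")
            m[k] = v
        return m, pos
    raise ValueError(f"unsupported CBOR major type {major}")

def decode(data):
    obj, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return obj

# --- the syntactic checks the page lists ------------------------------------
def syntactic_check(doc):
    """Return (protected_headers, payload) if doc has the expected COSE_Sign1 shape."""
    top = decode(doc)
    if not isinstance(top, list) or len(top) != 4:
        raise ValueError("COSE_Sign1 must be an array of exactly 4 items")
    protected_raw, unprotected, payload_raw, signature = top
    if not isinstance(protected_raw, bytes):
        raise ValueError("protected headers must be a byte string")
    protected = decode(protected_raw)
    if not isinstance(protected, dict) or protected.get(ALG_LABEL) != ES384:
        raise ValueError("protected headers must be a map declaring alg = ES384")
    if not isinstance(unprotected, dict):
        raise ValueError("unprotected headers must be a map")
    if not isinstance(payload_raw, bytes):
        raise ValueError("payload must be a byte string")
    payload = decode(payload_raw)
    if not isinstance(payload, dict):
        raise ValueError("payload must be a CBOR map")
    if not isinstance(signature, bytes) or len(signature) != SIG_LEN:
        raise ValueError(f"signature must be exactly {SIG_LEN} bytes")
    return protected, payload

def build_sample(sig_len=SIG_LEN):
    """Constructed sample document (field names assumed; not from the page)."""
    payload = {
        "timestamp": 1700000000000,
        "pcrs": {i: bytes(48) for i in range(3)},   # 48-byte placeholder PCR values
        "certificate": b"<placeholder DER certificate>",
        "nonce": b"\x01\x02\x03",
    }
    protected = encode({ALG_LABEL: ES384})
    return encode([protected, {}, encode(payload), bytes(sig_len)])

if __name__ == "__main__":
    hdr, body = syntactic_check(build_sample())
    print("protected headers:", hdr, "payload keys:", sorted(body))
```

The decoder is intentionally stricter than a general-purpose CBOR library: attestation documents are parsed before any signature has been checked, so the parser itself is attacker-facing and should fail closed on anything it does not need (indefinite lengths, floats, tags, duplicate keys, trailing data). A real verifier would feed the returned protected headers and payload into the semantic and cryptographic layers rather than trusting them at this point.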

The post provides a comprehensive guide for validating Nitro Enclaves attestation documents through three validation layers to establish cryptographic trust.



