From 9a3626e348a787e4c0d5f44b022c3656aa9a3fe7 Mon Sep 17 00:00:00 2001
From: Michael de Hoog
Date: Mon, 2 Dec 2024 16:46:00 -1000
Subject: [PATCH] Add README

---
 README.md | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..50386f7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,60 @@
+# Solidity AWS Nitro Attestation validator
+
+This repo provides solidity contracts for the verification of attestations generated by AWS Nitro Enclaves, as outlined in
+[this doc](https://github.com/aws/aws-nitro-enclaves-nsm-api/blob/4b851f3006c6fa98f23dcffb2cba03b39de9b8af/docs/attestation_process.md#3-attestation-document-validation).
+
+Note it costs around 63m gas to validate an attestation with no prior verified certs.
+You can break this up into smaller transactions by verifying each cert in the chain separately.
+You can call `CertManager.verifyCert` for each cert in the attestation `cabundle`.
+
+## Usage
+
+1. Deploy the `CertManager` separately.
+2. Validate Nitro attestation in your contract:
+
+```solidity
+pragma solidity ^0.8.0;
+
+import {NitroValidator} from "@nitro-validator/NitroValidator.sol";
+import {CborDecode} from "@nitro-validator/CborDecode.sol";
+import {CertManager} from "@nitro-validator/CertManager.sol";
+
+contract Validator is NitroValidator {
+using CborDecode for bytes;
+
+uint256 public constant MAX_AGE = 60 minutes;
+bytes32 public constant PCR0 = keccak256("some PCR0 value");
+
+constructor(CertManager certManager) NitroValidator(certManager) {}
+
+function registerSigner(bytes calldata attestationTbs, bytes calldata signature) external onlyOwner {
+Ptrs memory ptrs = validateAttestation(attestationTbs, signature);
+bytes32 pcr0 = attestationTbs.keccak(ptrs.pcrs[0]);
+require(pcr0 == PCR0, "invalid pcr0 in attestation");
+require(ptrs.timestamp + MAX_AGE > block.timestamp, "attestation too old");
+
+bytes memory publicKey = attestationTbs.slice(ptrs.publicKey);
+// do something with the public key, user data, etc
+}
+}
+```
+3. Convert an attestation document to a attestationTbs / signature (TBS means to-be-signed).
+Note it's cheaper to perform this conversion offchain (e.g. using `cast call`).
+```solidity
+bytes memory attestation = hex"84..";
+(bytes memory attestationTbs, bytes memory signature) = validator.decodeAttestationTbs(attestation);
+validator.validateAttestation(attestationTbs, signature);
+```
+
+## Build
+
+```sh
+forge install
+forge build
+```
+
+## Test
+
+```sh
+forge test
+```