
Tee audit 2 fixes #251

Open
roger-bai-coinbase wants to merge 5 commits into main from tee-audit-2-fixes

@roger-bai-coinbase
Contributor

Summary

Hardens NitroEnclaveVerifier journal verification around certificate expiry and audit follow-ups.

Changes

  • After trusted-prefix checks, reject verification when any remaining certificate in the journal chain has a notAfter before block.timestamp (audit finding 1).
  • Remove stale or misleading comments (finding 3).
  • Document that a revoked intermediate can become trusted again if re-added with a new expiry (finding 5).
  • Add a test that an expired leaf past trustedCertsPrefixLen yields InvalidTimestamp and is not cached.
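
The check ordering described in the Changes list above, as an added example that is not part of the PR or the project's code: a Python model (not the contract's Solidity) that runs the trusted-prefix check, then rejects any remaining certificate whose notAfter is before the block timestamp, and caches only after every check has passed. The `Cert` layout, the set-based cache, and the result names other than `InvalidTimestamp` are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

class Result(Enum):
    SUCCESS = "Success"                     # hypothetical name
    UNTRUSTED_PREFIX = "UntrustedPrefix"    # hypothetical name
    INVALID_TIMESTAMP = "InvalidTimestamp"  # name taken from the PR description

@dataclass(frozen=True)
class Cert:
    digest: str     # constructed label standing in for a certificate hash
    not_after: int  # notAfter, seconds since the epoch

class VerifierModel:
    def __init__(self, trusted_digests):
        self.trusted = set(trusted_digests)  # assumed shape of the trusted-cert cache

    def verify_journal(self, chain, trusted_prefix_len, block_timestamp):
        if trusted_prefix_len > len(chain):
            return Result.UNTRUSTED_PREFIX
        # 1. Trusted-prefix check: the leading certs must already be cached.
        for cert in chain[:trusted_prefix_len]:
            if cert.digest not in self.trusted:
                return Result.UNTRUSTED_PREFIX
        # 2. Every certificate past the prefix must not have expired.
        remaining = chain[trusted_prefix_len:]
        for cert in remaining:
            if cert.not_after < block_timestamp:
                return Result.INVALID_TIMESTAMP
        # 3. Cache only after the whole chain passed, so a rejected journal
        #    leaves no partially trusted certificates behind.
        self.trusted.update(c.digest for c in remaining)
        return Result.SUCCESS

def demo():
    now = 1_800_000_000  # constructed block timestamp
    root = Cert("root", now + 10_000)
    inter = Cert("intermediate", now + 5_000)
    v = VerifierModel({"root"})
    rejected = v.verify_journal([root, inter, Cert("leaf-expired", now - 1)], 1, now)
    cache_after_reject = sorted(v.trusted)
    accepted = v.verify_journal([root, inter, Cert("leaf-fresh", now + 60)], 1, now)
    return rejected, cache_after_reject, accepted, sorted(v.trusted)

if __name__ == "__main__":
    print(demo())
```

In the rejected run the still-valid intermediate is not cached either, because the model writes to the cache only after the expiry loop completes.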

@cb-heimdall
Collaborator

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

roger-bai-coinbase marked this pull request as ready for review April 13, 2026 19:43