 /// <summary>
 /// Subscribes <paramref name="result"/> to <c>AttestationResultEvent</c>.
 /// A null listener is ignored rather than rejected.
 /// </summary>
 /// <param name="result">Handler to attach to the event; may be null.</param>
 public void AddOnResultListener(AttestationResult result)
 {
     if (result is null)
     {
         return;
     }

     AttestationResultEvent += result;
 }
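        /// <summary>
        /// Validates an MAA-issued JWT against the tenant attestation endpoint
        /// <paramref name="attestDnsName"/>: the <c>iss</c> claim must be
        /// <c>https://{attestDnsName}</c>, the signing certificate's issuer DN must
        /// name the same endpoint, and the quote embedded in that certificate is then
        /// validated by <see cref="MaaQuoteValidator.ValidateMaaQuote"/>.
        /// </summary>
        /// <param name="attestDnsName">DNS name of the tenant's attestation provider, without a scheme.</param>
        /// <param name="token">Attestation token whose body deserialises to <see cref="AttestationResult"/>.</param>
        /// <param name="signer">Signer whose first certificate is treated as the token's signing certificate.</param>
        /// <param name="includeDetails">When true, extra diagnostic lines are logged.</param>
        /// <returns>Always <c>true</c>; every failed check throws instead of returning <c>false</c>.</returns>
        /// <exception cref="ArgumentException">
        /// Thrown when the signer carries no certificate or when an issuer check fails.
        /// </exception>
        /// <exception cref="UriFormatException">
        /// Thrown when <paramref name="attestDnsName"/> does not form a valid https host.
        /// </exception>
        public static bool ValidateMaaJwt(string attestDnsName, AttestationToken token, AttestationSigner signer, bool includeDetails)
        {
            var attestUri = new Uri($"https://{attestDnsName}");

            AttestationResult result = token.GetBody<AttestationResult>();

            ValidateJwtIssuerIsTenant(result, attestUri, includeDetails);

            // Fail with a clear message rather than an IndexOutOfRangeException when
            // the signer carries no certificate at all.
            if (signer.SigningCertificates == null || signer.SigningCertificates.Count == 0)
            {
                throw new ArgumentException("JWT is not valid (no signing certificate present)");
            }

            ValidateSigningCertIssuerMatchesJwtIssuer(result, signer, includeDetails);

            X509Certificate2 signingCertificate = signer.SigningCertificates[0];

            byte[] certificateBytes = signingCertificate.RawData;
            string x5c = Convert.ToBase64String(certificateBytes);

#if LOG_BOUNCY_CASTLE
            if (includeDetails)
            {
                var bouncyCertParser   = new X509CertificateParser();
                var bouncyCert         = bouncyCertParser.ReadCertificate(certificateBytes);
                var bouncyAsn1Sequence = (DerSequence)bouncyCert.CertificateStructure.ToAsn1Object();

                for (int i = 0; i < bouncyAsn1Sequence.Count; i++)
                {
                    var asn1 = bouncyAsn1Sequence[i];
                    Logger.WriteLine(53, 128, $"{asn1.GetType().ToString(),50} : ", BitConverter.ToString(asn1.GetEncoded()).Replace("-", ""));
                }
            }
#endif

            // The issuer-name checks above are only consistency checks; the quote
            // embedded in the certificate (validated next) is presumably what
            // establishes trust in the signing key — confirm in MaaQuoteValidator.
            Logger.WriteBanner("VALIDATING MAA JWT TOKEN - MAA EMBEDDED QUOTE IN SIGNING CERTIFICATE FOR JWT");
            MaaQuoteValidator.ValidateMaaQuote(x5c, includeDetails);

            return true;
        }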
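        /// <summary>
        /// Validates the issuer-related claims of an MAA-issued JWT against the tenant
        /// attestation endpoint <paramref name="attestDnsName"/>: the <c>iss</c> claim
        /// must be <c>https://{attestDnsName}</c> and the signing certificate's issuer
        /// DN must name the same endpoint.
        /// </summary>
        /// <remarks>
        /// NOTE(review): only issuer-name checks are performed here. Neither the token
        /// signature nor the trust root of the signing certificate is verified by this
        /// method; the caller must make sure that has happened elsewhere.
        /// </remarks>
        /// <param name="attestDnsName">DNS name of the tenant's attestation provider, without a scheme.</param>
        /// <param name="serviceToken">Attestation token whose body deserialises to <see cref="AttestationResult"/>.</param>
        /// <param name="tokenSigner">Signer whose first certificate is treated as the token's signing certificate.</param>
        /// <param name="includeDetails">When true, extra diagnostic lines are logged.</param>
        /// <returns>Always <c>true</c>; every failed check throws instead of returning <c>false</c>.</returns>
        /// <exception cref="ArgumentException">
        /// Thrown when the signer carries no certificate or when an issuer check fails.
        /// </exception>
        /// <exception cref="UriFormatException">
        /// Thrown when <paramref name="attestDnsName"/> does not form a valid https host.
        /// </exception>
        public static bool ValidateMaaJwt(string attestDnsName, AttestationToken serviceToken, AttestationSigner tokenSigner, bool includeDetails)
        {
            var attestUri = new Uri($"https://{attestDnsName}");

            AttestationResult result = serviceToken.GetBody<AttestationResult>();

            ValidateJwtIssuerIsTenant(result, attestUri, includeDetails);

            // Fail with a clear message rather than an IndexOutOfRangeException when
            // the signer carries no certificate at all.
            if (tokenSigner.SigningCertificates == null || tokenSigner.SigningCertificates.Count == 0)
            {
                throw new ArgumentException("JWT is not valid (no signing certificate present)");
            }

            ValidateSigningCertIssuerMatchesJwtIssuer(result, tokenSigner, includeDetails);

            return true;
        }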
 /// <summary>
 /// Rejects the token unless its <c>iss</c> claim equals the tenant-specific
 /// attestation URI, compared as an unescaped absolute URI ignoring case.
 /// </summary>
 /// <param name="result">Parsed JWT body carrying the <c>iss</c> claim.</param>
 /// <param name="tenantAttestUri">The URI the <c>iss</c> claim must match.</param>
 /// <param name="includeDetails">When true, the issuer value is logged as well.</param>
 /// <exception cref="ArgumentException">Thrown when the claim does not match.</exception>
 private static void ValidateJwtIssuerIsTenant(AttestationResult result, Uri tenantAttestUri, bool includeDetails)
 {
     var issuerMatches = Uri.Compare(
         tenantAttestUri,
         result.Issuer,
         UriComponents.AbsoluteUri,
         UriFormat.Unescaped,
         StringComparison.OrdinalIgnoreCase) == 0;

     if (!issuerMatches)
     {
         throw new ArgumentException("JWT is not valid (iss claim does not match attest URI)");
     }

     Logger.WriteLine($"JWT issuer claim validation        : True");

     if (!includeDetails)
     {
         return;
     }

     Logger.WriteLine($"    JWT Issuer claim value         : {result.Issuer}");
 }
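        /// <summary>
        /// Checks that the issuer DN of the signer's first certificate is exactly
        /// <c>CN=&lt;iss claim&gt;</c>, i.e. the certificate claims to have been issued
        /// by the same endpoint that issued the JWT.
        /// </summary>
        /// <remarks>
        /// This is a name comparison only: it builds no certificate chain and does not
        /// verify the certificate's own signature, so it must not be the sole basis
        /// for trusting the signing key.
        /// </remarks>
        /// <param name="result">Parsed JWT body carrying the <c>iss</c> claim.</param>
        /// <param name="signer">Signer whose first certificate is checked.</param>
        /// <param name="includeDetails">When true, the certificate issuer DN is logged as well.</param>
        /// <exception cref="ArgumentException">
        /// Thrown when the <c>iss</c> claim is missing, no certificate is present, or the
        /// issuer DN does not match.
        /// </exception>
        private static void ValidateSigningCertIssuerMatchesJwtIssuer(AttestationResult result, AttestationSigner signer, bool includeDetails)
        {
            if (result?.Issuer is null)
            {
                throw new ArgumentException("JWT is not valid (iss claim missing)");
            }

            // Fail with a clear message rather than an IndexOutOfRangeException when
            // the signer carries no certificate at all.
            if (signer?.SigningCertificates is null || signer.SigningCertificates.Count == 0)
            {
                throw new ArgumentException("JWT is not valid (no signing certificate present)");
            }

            var signingCertificate = signer.SigningCertificates[0];
            var expectedIssuer     = "CN=" + result.Issuer.OriginalString;

            // Case-insensitive because the host part of the issuer URI is case-insensitive.
            if (!string.Equals(signingCertificate.Issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase))
            {
                throw new ArgumentException("JWT is not valid (signing certificate issuer does not match JWT issuer)");
            }

            Logger.WriteLine($"JWT signing cert issuer validation : True");
            if (includeDetails)
            {
                Logger.WriteLine($"    Signing certificate issuer     : {signingCertificate.Issuer}");
            }
        }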
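        /// <summary>
        /// Compares the enclave identity held by this object (debug flag, MRENCLAVE,
        /// MRSIGNER, product id, security version and enclave-held data) with the
        /// claims MAA returned in <paramref name="serviceResult"/>, logging one
        /// match/mismatch line per field.
        /// </summary>
        /// <remarks>
        /// This method only reports: it neither returns a verdict nor throws on a
        /// mismatch, so any accept/reject decision must be taken by the caller.
        /// </remarks>
        /// <param name="serviceResult">Claims from the body of the MAA service JWT.</param>
        /// <param name="includeDetails">When true, both sides of every comparison are logged too.</param>
        public void CompareToMaaServiceJwtToken(AttestationResult serviceResult, bool includeDetails)
        {
            // Bit 0 of Attributes is treated as the DEBUG flag. That matches Open
            // Enclave's report attribute layout; raw SGX ATTRIBUTES.FLAGS put DEBUG in
            // bit 1 — TODO confirm which layout Attributes follows.
            var isDebuggable = (Attributes & 1) == 1;
            var isdpassed    = isDebuggable == serviceResult.IsDebuggable;

            Logger.WriteLine($"IsDebuggable match                 : {isdpassed}");
            if (includeDetails)
            {
                Logger.WriteLine($"    We think   : {isDebuggable}");
                Logger.WriteLine($"    MAA service: {serviceResult.IsDebuggable}");
            }

            // Hex digests are compared case-insensitively on both sides and without
            // dereferencing a possibly-null service value (previously MRENCLAVE was
            // lowered only on the local side, and a null MRSIGNER would throw).
            var mrepassed = string.Equals(MrEnclaveHex, serviceResult.MrEnclave, StringComparison.OrdinalIgnoreCase);

            Logger.WriteLine($"MRENCLAVE match                    : {mrepassed}");
            if (includeDetails)
            {
                Logger.WriteLine($"    We think   : {MrEnclaveHex.ToLower()}");
                Logger.WriteLine($"    MAA service: {serviceResult.MrEnclave}");
            }

            var mrspassed = string.Equals(MrSignerHex, serviceResult.MrSigner, StringComparison.OrdinalIgnoreCase);

            Logger.WriteLine($"MRSIGNER match                     : {mrspassed}");
            if (includeDetails)
            {
                Logger.WriteLine($"    We think   : {MrSignerHex.ToLower()}");
                Logger.WriteLine($"    MAA service: {serviceResult.MrSigner}");
            }

            // BitConverter reads in host byte order (little-endian on x86/x64) and needs
            // at least 8 bytes — assumes ProductIdHex is a 16-hex-digit little-endian
            // value; TODO confirm against the quote layout. Computed once, logged below.
            var productId = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
            var pidpassed = productId == (ulong)serviceResult.ProductId;

            Logger.WriteLine($"ProductID match                    : {pidpassed}");
            if (includeDetails)
            {
                Logger.WriteLine($"    We think   : {productId}");
                Logger.WriteLine($"    MAA service: {serviceResult.ProductId}");
            }

            var svnPassed = SecurityVersion == (uint)serviceResult.Svn;

            Logger.WriteLine($"Security Version match             : {svnPassed}");
            if (includeDetails)
            {
                Logger.WriteLine($"    We think   : {SecurityVersion}");
                Logger.WriteLine($"    MAA service: {serviceResult.Svn}");
            }

            // Enclave-held data is logged in the clear below, so it is presumably not
            // secret and an ordinary (non-constant-time) comparison is adequate.
            // A missing service value counts as a mismatch instead of throwing.
            var ehdExpected = HexHelper.ConvertHexToByteArray(EnclaveHeldDataHex);
            var ehdActual   = serviceResult.EnclaveHeldData;
            var ehdPassed   = ehdActual != null && ehdExpected.SequenceEqual(ehdActual.ToArray());

            Logger.WriteLine($"Enclave Held Data match            : {ehdPassed}");
            if (includeDetails)
            {
                Logger.WriteLine(17, 100, "    We think   : ", Convert.ToBase64String(ehdExpected));
                Logger.WriteLine(17, 100, "    MAA service: ", ehdActual == null ? "<null>" : Convert.ToBase64String(ehdActual.ToArray()));
            }

            Logger.WriteLine("");
        }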