public async Task SetPolicySecured(AttestationAdministrationClient adminClient, bool isIsolated)
{
// Reset the current attestation policy to a known state. Necessary if there were previous runs that failed.
await ResetAttestationPolicy(adminClient, AttestationType.OpenEnclave, true, isIsolated);
string originalPolicy = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
X509Certificate2 x509Certificate;
RSA rsaKey;
if (isIsolated)
{
x509Certificate = TestEnvironment.PolicyManagementCertificate;
rsaKey = TestEnvironment.PolicyManagementKey;
}
else
{
x509Certificate = TestEnvironment.PolicyCertificate0;
rsaKey = TestEnvironment.PolicySigningKey0;
}
byte[] disallowDebuggingHash;
{
var policySetResult = await adminClient.SetPolicyAsync(AttestationType.OpenEnclave, disallowDebugging, new TokenSigningKey(rsaKey, x509Certificate));
var shaHasher = SHA256Managed.Create();
var policySetToken = new AttestationToken(
new StoredAttestationPolicy {
AttestationPolicy = disallowDebugging
}, new TokenSigningKey(rsaKey, x509Certificate));
disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution);
CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash);
Assert.AreEqual(x509Certificate, policySetResult.Value.PolicySigner.SigningCertificates[0]);
}
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
Assert.AreEqual(disallowDebugging, policyResult.Value);
}
{
var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, new TokenSigningKey(rsaKey, x509Certificate));
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
}
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
// And when we're done, policy should be reset to the original value.
Assert.AreEqual(originalPolicy, policyResult.Value);
}
}
public async Task SettingAttestationPolicy()
{
var endpoint = TestEnvironment.AadAttestationUrl;
#region Snippet:GetPolicy
var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value.AttestationPolicy;
#endregion
#region Snippet:SetPolicy
string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";
var policyTokenSigner = TestEnvironment.PolicyCertificate0;
AttestationToken policySetToken = new SecuredAttestationToken(
new StoredAttestationPolicy {
AttestationPolicy = Base64Url.EncodeString(attestationPolicy),
},
TestEnvironment.PolicySigningKey0,
policyTokenSigner);
var setResult = client.SetPolicy(AttestationType.SgxEnclave, policySetToken);
#endregion
var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);
// When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
var resetResult2 = client.ResetPolicy(
AttestationType.SgxEnclave,
new SecuredAttestationToken(TestEnvironment.PolicySigningKey0, policyTokenSigner));
return;
}
public async Task GetAttestationPolicy()
{
var client = new AttestationAdministrationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential());
var attestClient = new AttestationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential(),
new AttestationClientOptions(validationCallback: (attestationToken, signer) => true));
IReadOnlyList <AttestationSigner> signingCertificates = attestClient.GetSigningCertificates().Value;
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value;
}
public async Task SettingAttestationPolicy()
{
var endpoint = TestEnvironment.AadAttestationUrl;
#region Snippet:GetPolicy
var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value;
#endregion
#region Snippet:SetPolicy
string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";
//@@ X509Certificate2 policyTokenCertificate = new X509Certificate2(<Attestation Policy Signing Certificate>);
//@@ AsymmetricAlgorithm policyTokenKey = <Attestation Policy Signing Key>;
/*@@*/ var policyTokenCertificate = TestEnvironment.PolicyCertificate0;
/*@@*/ var policyTokenKey = TestEnvironment.PolicySigningKey0;
var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, new TokenSigningKey(policyTokenKey, policyTokenCertificate));
#endregion
#region Snippet:VerifySigningHash
// The SetPolicyAsync API will create an AttestationToken signed with the TokenSigningKey to transmit the policy.
// To verify that the policy specified by the caller was received by the service inside the enclave, we
// verify that the hash of the policy document returned from the Attestation Service matches the hash
// of an attestation token created locally.
//@@ TokenSigningKey signingKey = new TokenSigningKey(<Customer provided signing key>, <Customer provided certificate>)
/*@@*/ TokenSigningKey signingKey = new TokenSigningKey(policyTokenKey, policyTokenCertificate);
var policySetToken = new AttestationToken(
new StoredAttestationPolicy {
AttestationPolicy = attestationPolicy
},
signingKey);
using var shaHasher = SHA256Managed.Create();
var attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash));
#endregion
var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);
// When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
var resetResult2 = client.ResetPolicy(
AttestationType.SgxEnclave,
new TokenSigningKey(TestEnvironment.PolicySigningKey0, policyTokenCertificate));
return;
}
public async Task GetAttestationPolicy()
{
var tokenOptions = new AttestationTokenValidationOptions();
tokenOptions.TokenValidated += (AttestationTokenValidationEventArgs args) => { args.IsValid = true; return(Task.CompletedTask); };
var client = new AttestationAdministrationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential());
var attestClient = new AttestationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential(),
new AttestationClientOptions(tokenOptions: tokenOptions));
;
IReadOnlyList <AttestationSigner> signingCertificates = attestClient.GetSigningCertificates().Value;
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value;
}
public async Task SettingAttestationPolicy()
{
var endpoint = TestEnvironment.AadAttestationUrl;
#region Snippet:GetPolicy
var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value;
#endregion
#region Snippet:SetPolicy
string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";
var policyTokenSigner = TestEnvironment.PolicyCertificate0;
var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, TestEnvironment.PolicySigningKey0, policyTokenSigner);
#endregion
#region Snippet:VerifySigningHash
// The SetPolicyAsync API will create a SecuredAttestationToken to transmit the policy.
var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy {
AttestationPolicy = attestationPolicy
}, TestEnvironment.PolicySigningKey0, policyTokenSigner);
var shaHasher = SHA256Managed.Create();
var attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
CollectionAssert.AreEqual(attestationPolicyHash, setResult.Value.PolicyTokenHash);
#endregion
var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);
// When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
var resetResult2 = client.ResetPolicy(
AttestationType.SgxEnclave,
TestEnvironment.PolicySigningKey0, policyTokenSigner);
return;
}