public async Task SettingAttestationPolicy() { var endpoint = TestEnvironment.AadAttestationUrl; #region Snippet:GetPolicy var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential()); var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave); var result = policyResult.Value.AttestationPolicy; #endregion #region Snippet:SetPolicy string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};"; var policyTokenSigner = TestEnvironment.PolicyCertificate0; AttestationToken policySetToken = new SecuredAttestationToken( new StoredAttestationPolicy { AttestationPolicy = Base64Url.EncodeString(attestationPolicy), }, TestEnvironment.PolicySigningKey0, policyTokenSigner); var setResult = client.SetPolicy(AttestationType.SgxEnclave, policySetToken); #endregion var resetResult = client.ResetPolicy(AttestationType.SgxEnclave); // When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user. var resetResult2 = client.ResetPolicy( AttestationType.SgxEnclave, new SecuredAttestationToken(TestEnvironment.PolicySigningKey0, policyTokenSigner)); return; }
private async Task ResetAttestationPolicy(AttestationAdministrationClient adminClient, AttestationType attestationType, bool isSecuredToken, bool isIsolated) { AttestationToken policyResetToken; if (isSecuredToken) { X509Certificate2 x509Certificate; RSA rsaKey; if (isIsolated) { x509Certificate = TestEnvironment.PolicyManagementCertificate; rsaKey = TestEnvironment.PolicyManagementKey; } else { x509Certificate = TestEnvironment.PolicyCertificate0; rsaKey = TestEnvironment.PolicySigningKey0; } policyResetToken = new SecuredAttestationToken(rsaKey, x509Certificate); } else { policyResetToken = new UnsecuredAttestationToken(); } var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, policyResetToken); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution); }
public async Task SetPolicySecured(AttestationAdministrationClient adminClient, bool isIsolated) { // Reset the current attestation policy to a known state. Necessary if there were previous runs that failed. await ResetAttestationPolicy(adminClient, AttestationType.OpenEnclave, true, isIsolated); string originalPolicy = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave); X509Certificate2 x509Certificate; RSA rsaKey; if (isIsolated) { x509Certificate = TestEnvironment.PolicyManagementCertificate; rsaKey = TestEnvironment.PolicyManagementKey; } else { x509Certificate = TestEnvironment.PolicyCertificate0; rsaKey = TestEnvironment.PolicySigningKey0; } byte[] disallowDebuggingHash; { var policySetResult = await adminClient.SetPolicyAsync(AttestationType.OpenEnclave, disallowDebugging, rsaKey, x509Certificate); var shaHasher = SHA256Managed.Create(); var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy { AttestationPolicy = disallowDebugging }, rsaKey, x509Certificate); disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString())); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution); CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash); Assert.AreEqual(x509Certificate, policySetResult.Value.PolicySigner.SigningCertificates[0]); } { var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave); Assert.AreEqual(disallowDebugging, policyResult.Value); } { var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, rsaKey, x509Certificate); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution); } { var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave); // And when we're done, policy should be reset to the original value. Assert.AreEqual(originalPolicy, policyResult.Value); } }
public async Task SettingAttestationPolicy() { var endpoint = TestEnvironment.AadAttestationUrl; #region Snippet:GetPolicy var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential()); var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave); var result = policyResult.Value; #endregion #region Snippet:SetPolicy string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};"; var policyTokenSigner = TestEnvironment.PolicyCertificate0; var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, TestEnvironment.PolicySigningKey0, policyTokenSigner); #endregion #region Snippet:VerifySigningHash // The SetPolicyAsync API will create a SecuredAttestationToken to transmit the policy. var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy { AttestationPolicy = attestationPolicy }, TestEnvironment.PolicySigningKey0, policyTokenSigner); var shaHasher = SHA256Managed.Create(); var attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString())); CollectionAssert.AreEqual(attestationPolicyHash, setResult.Value.PolicyTokenHash); #endregion var resetResult = client.ResetPolicy(AttestationType.SgxEnclave); // When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user. var resetResult2 = client.ResetPolicy( AttestationType.SgxEnclave, TestEnvironment.PolicySigningKey0, policyTokenSigner); return; }
public async Task AddRemovePolicyManagementCertificate() { var adminClient = GetIsolatedAdministrationClient(); var x509Certificate = TestEnvironment.PolicyManagementCertificate; var rsaKey = TestEnvironment.PolicyManagementKey; { PolicyCertificateModification modification = new Models.PolicyCertificateModification(TestEnvironment.PolicyCertificate2); var policySetToken = new SecuredAttestationToken(modification, rsaKey, x509Certificate); var modificationResult = await adminClient.AddPolicyManagementCertificateAsync(policySetToken); Assert.AreEqual(CertificateModification.IsPresent, modificationResult.Value.CertificateResolution); Assert.AreEqual(TestEnvironment.PolicyCertificate2.Thumbprint, modificationResult.Value.CertificateThumbprint); // Verify that the certificate we got back was in fact added. var certificateResult = await adminClient.GetPolicyManagementCertificatesAsync(); bool foundAddedCertificate = false; foreach (var cert in certificateResult.Value.GetPolicyCertificates()) { if (cert.Thumbprint == TestEnvironment.PolicyCertificate2.Thumbprint) { foundAddedCertificate = true; break; } } Assert.IsTrue(foundAddedCertificate); } // Add the same certificate a second time, that should generate the same result. { PolicyCertificateModification modification = new Models.PolicyCertificateModification(TestEnvironment.PolicyCertificate2); var policySetToken = new SecuredAttestationToken(modification, rsaKey, x509Certificate); var modificationResult = await adminClient.AddPolicyManagementCertificateAsync(policySetToken); Assert.AreEqual(CertificateModification.IsPresent, modificationResult.Value.CertificateResolution); Assert.AreEqual(TestEnvironment.PolicyCertificate2.Thumbprint, modificationResult.Value.CertificateThumbprint); // Verify that the certificate we got back was in fact added. var certificateResult = await adminClient.GetPolicyManagementCertificatesAsync(); bool foundAddedCertificate = false; foreach (var cert in certificateResult.Value.GetPolicyCertificates()) { if (cert.Thumbprint == TestEnvironment.PolicyCertificate2.Thumbprint) { foundAddedCertificate = true; break; } } Assert.IsTrue(foundAddedCertificate); } { PolicyCertificateModification modification = new Models.PolicyCertificateModification(TestEnvironment.PolicyCertificate2); var policySetToken = new SecuredAttestationToken(modification, rsaKey, x509Certificate); var modificationResult = await adminClient.RemovePolicyManagementCertificateAsync(policySetToken); Assert.AreEqual(CertificateModification.IsAbsent, modificationResult.Value.CertificateResolution); Assert.AreEqual(TestEnvironment.PolicyCertificate2.Thumbprint, modificationResult.Value.CertificateThumbprint); // Verify that the certificate we got back was in fact added. var certificateResult = await adminClient.GetPolicyManagementCertificatesAsync(); bool foundAddedCertificate = false; foreach (var cert in certificateResult.Value.GetPolicyCertificates()) { if (cert.Thumbprint == TestEnvironment.PolicyCertificate2.Thumbprint) { foundAddedCertificate = true; break; } } Assert.IsFalse(foundAddedCertificate); } }