public async Task SettingAttestationPolicy()
{
var endpoint = TestEnvironment.AadAttestationUrl;
#region Snippet:GetPolicy
var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value.AttestationPolicy;
#endregion
#region Snippet:SetPolicy
string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";
var policyTokenSigner = TestEnvironment.PolicyCertificate0;
AttestationToken policySetToken = new SecuredAttestationToken(
new StoredAttestationPolicy {
AttestationPolicy = Base64Url.EncodeString(attestationPolicy),
},
TestEnvironment.PolicySigningKey0,
policyTokenSigner);
var setResult = client.SetPolicy(AttestationType.SgxEnclave, policySetToken);
#endregion
var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);
// When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
var resetResult2 = client.ResetPolicy(
AttestationType.SgxEnclave,
new SecuredAttestationToken(TestEnvironment.PolicySigningKey0, policyTokenSigner));
return;
}
private async Task ResetAttestationPolicy(AttestationAdministrationClient adminClient, AttestationType attestationType, bool isSecuredToken, bool isIsolated)
{
AttestationToken policyResetToken;
if (isSecuredToken)
{
X509Certificate2 x509Certificate;
RSA rsaKey;
if (isIsolated)
{
x509Certificate = TestEnvironment.PolicyManagementCertificate;
rsaKey = TestEnvironment.PolicyManagementKey;
}
else
{
x509Certificate = TestEnvironment.PolicyCertificate0;
rsaKey = TestEnvironment.PolicySigningKey0;
}
policyResetToken = new SecuredAttestationToken(rsaKey, x509Certificate);
}
else
{
policyResetToken = new UnsecuredAttestationToken();
}
var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, policyResetToken);
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
}
public async Task SetPolicySecured(AttestationAdministrationClient adminClient, bool isIsolated)
{
// Reset the current attestation policy to a known state. Necessary if there were previous runs that failed.
await ResetAttestationPolicy(adminClient, AttestationType.OpenEnclave, true, isIsolated);
string originalPolicy = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
X509Certificate2 x509Certificate;
RSA rsaKey;
if (isIsolated)
{
x509Certificate = TestEnvironment.PolicyManagementCertificate;
rsaKey = TestEnvironment.PolicyManagementKey;
}
else
{
x509Certificate = TestEnvironment.PolicyCertificate0;
rsaKey = TestEnvironment.PolicySigningKey0;
}
byte[] disallowDebuggingHash;
{
var policySetResult = await adminClient.SetPolicyAsync(AttestationType.OpenEnclave, disallowDebugging, rsaKey, x509Certificate);
var shaHasher = SHA256Managed.Create();
var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy {
AttestationPolicy = disallowDebugging
}, rsaKey, x509Certificate);
disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution);
CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash);
Assert.AreEqual(x509Certificate, policySetResult.Value.PolicySigner.SigningCertificates[0]);
}
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
Assert.AreEqual(disallowDebugging, policyResult.Value);
}
{
var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, rsaKey, x509Certificate);
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
}
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
// And when we're done, policy should be reset to the original value.
Assert.AreEqual(originalPolicy, policyResult.Value);
}
}
public async Task SettingAttestationPolicy()
{
var endpoint = TestEnvironment.AadAttestationUrl;
#region Snippet:GetPolicy
var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());
var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.Value;
#endregion
#region Snippet:SetPolicy
string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";
var policyTokenSigner = TestEnvironment.PolicyCertificate0;
var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, TestEnvironment.PolicySigningKey0, policyTokenSigner);
#endregion
#region Snippet:VerifySigningHash
// The SetPolicyAsync API will create a SecuredAttestationToken to transmit the policy.
var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy {
AttestationPolicy = attestationPolicy
}, TestEnvironment.PolicySigningKey0, policyTokenSigner);
var shaHasher = SHA256Managed.Create();
var attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
CollectionAssert.AreEqual(attestationPolicyHash, setResult.Value.PolicyTokenHash);
#endregion
var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);
// When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
var resetResult2 = client.ResetPolicy(
AttestationType.SgxEnclave,
TestEnvironment.PolicySigningKey0, policyTokenSigner);
return;
}
public async Task AddRemovePolicyManagementCertificate()
{
var adminClient = GetIsolatedAdministrationClient();
var x509Certificate = TestEnvironment.PolicyManagementCertificate;
var rsaKey = TestEnvironment.PolicyManagementKey;
{
PolicyCertificateModification modification = new Models.PolicyCertificateModification(TestEnvironment.PolicyCertificate2);
var policySetToken = new SecuredAttestationToken(modification, rsaKey, x509Certificate);
var modificationResult = await adminClient.AddPolicyManagementCertificateAsync(policySetToken);
Assert.AreEqual(CertificateModification.IsPresent, modificationResult.Value.CertificateResolution);
Assert.AreEqual(TestEnvironment.PolicyCertificate2.Thumbprint, modificationResult.Value.CertificateThumbprint);
// Verify that the certificate we got back was in fact added.
var certificateResult = await adminClient.GetPolicyManagementCertificatesAsync();
bool foundAddedCertificate = false;
foreach (var cert in certificateResult.Value.GetPolicyCertificates())
{
if (cert.Thumbprint == TestEnvironment.PolicyCertificate2.Thumbprint)
{
foundAddedCertificate = true;
break;
}
}
Assert.IsTrue(foundAddedCertificate);
}
// Add the same certificate a second time, that should generate the same result.
{
PolicyCertificateModification modification = new Models.PolicyCertificateModification(TestEnvironment.PolicyCertificate2);
var policySetToken = new SecuredAttestationToken(modification, rsaKey, x509Certificate);
var modificationResult = await adminClient.AddPolicyManagementCertificateAsync(policySetToken);
Assert.AreEqual(CertificateModification.IsPresent, modificationResult.Value.CertificateResolution);
Assert.AreEqual(TestEnvironment.PolicyCertificate2.Thumbprint, modificationResult.Value.CertificateThumbprint);
// Verify that the certificate we got back was in fact added.
var certificateResult = await adminClient.GetPolicyManagementCertificatesAsync();
bool foundAddedCertificate = false;
foreach (var cert in certificateResult.Value.GetPolicyCertificates())
{
if (cert.Thumbprint == TestEnvironment.PolicyCertificate2.Thumbprint)
{
foundAddedCertificate = true;
break;
}
}
Assert.IsTrue(foundAddedCertificate);
}
{
PolicyCertificateModification modification = new Models.PolicyCertificateModification(TestEnvironment.PolicyCertificate2);
var policySetToken = new SecuredAttestationToken(modification, rsaKey, x509Certificate);
var modificationResult = await adminClient.RemovePolicyManagementCertificateAsync(policySetToken);
Assert.AreEqual(CertificateModification.IsAbsent, modificationResult.Value.CertificateResolution);
Assert.AreEqual(TestEnvironment.PolicyCertificate2.Thumbprint, modificationResult.Value.CertificateThumbprint);
// Verify that the certificate we got back was in fact added.
var certificateResult = await adminClient.GetPolicyManagementCertificatesAsync();
bool foundAddedCertificate = false;
foreach (var cert in certificateResult.Value.GetPolicyCertificates())
{
if (cert.Thumbprint == TestEnvironment.PolicyCertificate2.Thumbprint)
{
foundAddedCertificate = true;
break;
}
}
Assert.IsFalse(foundAddedCertificate);
}
}
