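/// <summary>
/// Attests the enclave evidence stored in <c>this.fileName</c> with the MAA endpoint at
/// <c>this.attestDnsName</c>, validates the returned JWT in the client's validation callback, and
/// then cross-checks the issued claims against the client's own view of its enclave.
/// </summary>
/// <returns>A task that completes when attestation and all comparisons have been logged.</returns>
public async Task RunAsync()
        {
            // Load the locally generated evidence (quote + enclave held data) from disk.
            var enclaveInfo = await EnclaveInfo.CreateFromFileAsync(this.fileName);

            string endpoint = "https://" + this.attestDnsName;

            // The token must be issued by the very endpoint we send the evidence to; an unexpected
            // issuer is rejected by the SDK before our validation callback runs.
            var options = new AttestationClientOptions(tokenOptions: new AttestationTokenValidationOptions
            {
                ExpectedIssuer = endpoint,
                ValidateIssuer = true,
            });

            options.TokenOptions.TokenValidated += (args) =>
            {
                Logger.WriteBanner("IN VALIDATION CALLBACK, VALIDATING MAA JWT TOKEN - BASICS");
                JwtValidationHelper.ValidateMaaJwt(this.attestDnsName, args.Token, args.Signer, this.includeDetails);
                // NOTE(review): IsValid is set unconditionally, so this callback only rejects the
                // token if ValidateMaaJwt throws on failure — confirm that it does rather than just logging.
                args.IsValid = true;
                return Task.CompletedTask;
            };

            var maaService = new AttestationClient(new Uri(endpoint), new DefaultAzureCredential(), options);

            BinaryData openEnclaveReport = BinaryData.FromBytes(HexHelper.ConvertHexToByteArray(enclaveInfo.QuoteHex));
            BinaryData runtimeData       = BinaryData.FromBytes(HexHelper.ConvertHexToByteArray(enclaveInfo.EnclaveHeldDataHex));

            // Second AttestationData argument is false: the runtime data is raw bytes, not JSON.
            var serviceResponse = await maaService.AttestOpenEnclaveAsync(new AttestationRequest
            {
                Evidence    = openEnclaveReport,
                RuntimeData = new AttestationData(runtimeData, false),
            });

            // The signature/issuer checks above say the token is genuine; this step checks that the
            // claims inside it actually describe *our* enclave (measurements, SVN, product id, EHD).
            Logger.WriteBanner("VALIDATING MAA JWT TOKEN - MATCHES CLIENT ENCLAVE INFO");
            enclaveInfo.CompareToMaaServiceJwtToken(serviceResponse.Value, this.includeDetails);
        }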
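        /// <summary>
        /// Compares the SGX identity claims carried in an MAA service JWT against the values this
        /// client derived from its own enclave report, logging one match/mismatch line per claim.
        /// </summary>
        /// <param name="serviceJwtToken">Compact-serialised JWT returned by the MAA service.</param>
        /// <param name="includeDetails">When true, also logs the client-side and service-side value of every claim.</param>
        public void CompareToMaaServiceJwtToken(string serviceJwtToken, bool includeDetails)
        {
            // Part 1 of the compact serialisation is the payload (the claim set).
            var jwtBody = JoseHelper.ExtractJosePart(serviceJwtToken, 1);

            // Writes "<label padded to 35> : <passed>" and, on request, both sides of the comparison.
            void LogMatch(string label, bool passed, object ours, object theirs)
            {
                Logger.WriteLine($"{label.PadRight(35)}: {passed}");
                if (includeDetails)
                {
                    Logger.WriteLine($"    We think   : {ours}");
                    Logger.WriteLine($"    MAA service: {theirs}");
                }
            }

            // In SGX the DEBUG attribute flag is 0x0000000000000002ULL
            // See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
            var isDebuggable = (Attributes & 2) != 0;
            var isd          = jwtBody["is-debuggable"];
            LogMatch("IsDebuggable match", isDebuggable == (bool)isd, isDebuggable, isd);

            // Measurements are hex strings: compare ordinally and case-insensitively so the result
            // depends neither on the current culture nor on how either side cased its hex digits.
            var mre = jwtBody["sgx-mrenclave"];
            LogMatch("MRENCLAVE match",
                     string.Equals(MrEnclaveHex, (string)mre, StringComparison.OrdinalIgnoreCase),
                     MrEnclaveHex.ToLowerInvariant(), mre);

            var mrs = jwtBody["sgx-mrsigner"];
            LogMatch("MRSIGNER match",
                     string.Equals(MrSignerHex, (string)mrs, StringComparison.OrdinalIgnoreCase),
                     MrSignerHex.ToLowerInvariant(), mrs);

            // NOTE(review): BitConverter reads in host byte order; this assumes ProductIdHex is
            // stored in host order — confirm against the producer of the hex string.
            var pid        = jwtBody["product-id"];
            var ourProduct = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
            LogMatch("ProductID match", ourProduct == (ulong)pid, ourProduct, pid);

            var svn = jwtBody["svn"];
            LogMatch("Security Version match", SecurityVersion == (uint)svn, SecurityVersion, svn);

            // The maa-ehd claim is base64url; the value is long, so the wide WriteLine overload is used for details.
            var ehd       = jwtBody["maa-ehd"];
            var ourEhd    = HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex);
            var ehdPassed = string.Equals(ourEhd, (string)ehd, StringComparison.Ordinal);

            Logger.WriteLine($"Enclave Held Data match            : {ehdPassed}");
            if (includeDetails)
            {
                Logger.WriteLine(17, 100, "    We think   : ", ourEhd);
                Logger.WriteLine(17, 100, "    MAA service: ", ehd.ToString());
            }

            Logger.WriteLine("");
        }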
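        /// <summary>
        /// Compares the SGX identity claims in a parsed MAA <see cref="AttestationResult"/> against the
        /// values this client derived from its own enclave report, logging one match/mismatch line per claim.
        /// </summary>
        /// <param name="serviceResult">Claims parsed from the MAA service token.</param>
        /// <param name="includeDetails">When true, also logs the client-side and service-side value of every claim.</param>
        public void CompareToMaaServiceJwtToken(AttestationResult serviceResult, bool includeDetails)
        {
            // Writes "<label padded to 35> : <passed>" and, on request, both sides of the comparison.
            void LogMatch(string label, bool passed, object ours, object theirs)
            {
                Logger.WriteLine($"{label.PadRight(35)}: {passed}");
                if (includeDetails)
                {
                    Logger.WriteLine($"    We think   : {ours}");
                    Logger.WriteLine($"    MAA service: {theirs}");
                }
            }

            // In SGX the DEBUG attribute flag is 0x0000000000000002ULL; bit 0 (0x1) is INITTED, not DEBUG.
            // See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
            var isDebuggable = (Attributes & 2) != 0;
            LogMatch("IsDebuggable match", isDebuggable == serviceResult.IsDebuggable, isDebuggable, serviceResult.IsDebuggable);

            // Measurements are hex strings: compare ordinally and case-insensitively so the result
            // depends neither on the current culture nor on how either side cased its hex digits.
            LogMatch("MRENCLAVE match",
                     string.Equals(MrEnclaveHex, serviceResult.MrEnclave, StringComparison.OrdinalIgnoreCase),
                     MrEnclaveHex.ToLowerInvariant(), serviceResult.MrEnclave);

            LogMatch("MRSIGNER match",
                     string.Equals(MrSignerHex, serviceResult.MrSigner, StringComparison.OrdinalIgnoreCase),
                     MrSignerHex.ToLowerInvariant(), serviceResult.MrSigner);

            // NOTE(review): BitConverter reads in host byte order; this assumes ProductIdHex is
            // stored in host order — confirm against the producer of the hex string.
            var ourProduct = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
            LogMatch("ProductID match", ourProduct == (ulong)serviceResult.ProductId, ourProduct, serviceResult.ProductId);

            LogMatch("Security Version match", SecurityVersion == (uint)serviceResult.Svn, SecurityVersion, serviceResult.Svn);

            // Enclave held data is compared byte-for-byte; materialise the service bytes once and
            // reuse them for both the comparison and the base64 detail line.
            var ehdExpected = HexHelper.ConvertHexToByteArray(EnclaveHeldDataHex);
            var ehdActual   = serviceResult.EnclaveHeldData.ToArray();
            var ehdPassed   = ehdExpected.SequenceEqual(ehdActual);

            Logger.WriteLine($"Enclave Held Data match            : {ehdPassed}");
            if (includeDetails)
            {
                Logger.WriteLine(17, 100, "    We think   : ", Convert.ToBase64String(ehdExpected));
                Logger.WriteLine(17, 100, "    MAA service: ", Convert.ToBase64String(ehdActual));
            }

            Logger.WriteLine("");
        }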
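        /// <summary>
        /// Compares the SGX identity claims carried in an MAA service JWT against the values this
        /// client derived from its own enclave report, logging one match/mismatch line per claim.
        /// </summary>
        /// <param name="serviceJwtToken">Compact-serialised JWT returned by the MAA service.</param>
        /// <param name="includeDetails">When true, also logs the client-side and service-side value of every claim.</param>
        public void CompareToMaaServiceJwtToken(string serviceJwtToken, bool includeDetails)
        {
            // Part 1 of the compact serialisation is the payload (the claim set).
            var jwtBody = JoseHelper.ExtractJosePart(serviceJwtToken, 1);

            // Writes "<label padded to 35> : <passed>" and, on request, both sides of the comparison.
            void LogMatch(string label, bool passed, object ours, object theirs)
            {
                Logger.WriteLine($"{label.PadRight(35)}: {passed}");
                if (includeDetails)
                {
                    Logger.WriteLine($"    We think   : {ours}");
                    Logger.WriteLine($"    MAA service: {theirs}");
                }
            }

            // In SGX the DEBUG attribute flag is 0x0000000000000002ULL; bit 0 (0x1) is INITTED, not DEBUG.
            // See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
            var isDebuggable = (Attributes & 2) != 0;
            var isd          = jwtBody["is-debuggable"];
            LogMatch("IsDebuggable match", isDebuggable == (bool)isd, isDebuggable, isd);

            // Measurements are hex strings: compare ordinally and case-insensitively so the result
            // depends neither on the current culture nor on how either side cased its hex digits.
            var mre = jwtBody["sgx-mrenclave"];
            LogMatch("MRENCLAVE match",
                     string.Equals(MrEnclaveHex, (string)mre, StringComparison.OrdinalIgnoreCase),
                     MrEnclaveHex.ToLowerInvariant(), mre);

            var mrs = jwtBody["sgx-mrsigner"];
            LogMatch("MRSIGNER match",
                     string.Equals(MrSignerHex, (string)mrs, StringComparison.OrdinalIgnoreCase),
                     MrSignerHex.ToLowerInvariant(), mrs);

            // NOTE(review): BitConverter reads in host byte order; this assumes ProductIdHex is
            // stored in host order — confirm against the producer of the hex string.
            var pid        = jwtBody["product-id"];
            var ourProduct = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
            LogMatch("ProductID match", ourProduct == (ulong)pid, ourProduct, pid);

            var svn = jwtBody["svn"];
            LogMatch("Security Version match", SecurityVersion == (uint)svn, SecurityVersion, svn);

            // The maa-ehd claim is base64url. The comparison is done in base64url form; the detail
            // lines show both sides as hex, so the service value is decoded and re-hexed for display.
            var ehd       = jwtBody["maa-ehd"];
            var ehdPassed = string.Equals(HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex), (string)ehd, StringComparison.Ordinal);

            Logger.WriteLine($"Enclave Held Data match            : {ehdPassed}");
            if (includeDetails)
            {
                Logger.WriteLine(17, 124, "    We think   : ", EnclaveHeldDataHex);
                Logger.WriteLine(17, 124, "    MAA service: ", BitConverter.ToString(Base64Url.DecodeBytes(ehd.ToString())).Replace("-", ""));
            }

            Logger.WriteLine("");
        }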