public async Task RunAsync()
{
// Fetch file
var enclaveInfo = await EnclaveInfo.CreateFromFileAsync(this.fileName);
// Send to service for attestation
string endpoint = "https://" + this.attestDnsName;
// Send to service for attestation
var options = new AttestationClientOptions(tokenOptions: new AttestationTokenValidationOptions
{
ExpectedIssuer = endpoint,
ValidateIssuer = true,
}
);
options.TokenOptions.TokenValidated += (args) =>
{
// Analyze results
Logger.WriteBanner("IN VALIDATION CALLBACK, VALIDATING MAA JWT TOKEN - BASICS");
JwtValidationHelper.ValidateMaaJwt(attestDnsName, args.Token, args.Signer, this.includeDetails);
args.IsValid = true;
return(Task.CompletedTask);
};
var maaService = new AttestationClient(new Uri(endpoint), new DefaultAzureCredential(), options);
BinaryData openEnclaveReport = BinaryData.FromBytes(HexHelper.ConvertHexToByteArray(enclaveInfo.QuoteHex));
BinaryData runtimeData = BinaryData.FromBytes(HexHelper.ConvertHexToByteArray(enclaveInfo.EnclaveHeldDataHex));
var serviceResponse = await maaService.AttestOpenEnclaveAsync(
new AttestationRequest
{
Evidence = openEnclaveReport,
RuntimeData = new AttestationData(runtimeData, false),
});
var serviceJwtToken = serviceResponse.Token.ToString();
Logger.WriteBanner("VALIDATING MAA JWT TOKEN - MATCHES CLIENT ENCLAVE INFO");
enclaveInfo.CompareToMaaServiceJwtToken(serviceResponse.Value, this.includeDetails);
}
public void CompareToMaaServiceJwtToken(string serviceJwtToken, bool includeDetails)
{
var jwtBody = JoseHelper.ExtractJosePart(serviceJwtToken, 1);
//if (includeDetails)
//{
// Logger.WriteLine("");
// Logger.WriteLine("Claims in MAA Service JWT Token");
// Logger.WriteLine($"{jwtBody.ToString()}");
// Logger.WriteLine("");
//}
var isDebuggable = (Attributes & 2) != 0;
// In SGX DEBUG flag is equal to 0x0000000000000002ULL
// See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
var isd = jwtBody["is-debuggable"];
var isdpassed = isDebuggable == (bool)isd;
Logger.WriteLine($"IsDebuggable match : {isdpassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {isDebuggable}");
Logger.WriteLine($" MAA service: {isd}");
}
var mre = jwtBody["sgx-mrenclave"];
var mrepassed = MrEnclaveHex.ToLower().Equals((string)mre);
Logger.WriteLine($"MRENCLAVE match : {mrepassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {MrEnclaveHex.ToLower()}");
Logger.WriteLine($" MAA service: {mre}");
}
var mrs = jwtBody["sgx-mrsigner"];
var mrspassed = MrSignerHex.ToLower().Equals(((string)mrs).ToLower());
Logger.WriteLine($"MRSIGNER match : {mrspassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {MrSignerHex.ToLower()}");
Logger.WriteLine($" MAA service: {mrs}");
}
var pid = jwtBody["product-id"];
var pidpassed = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0) == (ulong)pid;
Logger.WriteLine($"ProductID match : {pidpassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0)}");
Logger.WriteLine($" MAA service: {pid}");
}
var svn = jwtBody["svn"];
var svnPassed = SecurityVersion == (uint)svn;
Logger.WriteLine($"Security Version match : {svnPassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {SecurityVersion}");
Logger.WriteLine($" MAA service: {svn}");
}
var ehd = jwtBody["maa-ehd"];
var ehdPassed = HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex).Equals((string)ehd);
Logger.WriteLine($"Enclave Held Data match : {ehdPassed}");
if (includeDetails)
{
Logger.WriteLine(17, 100, " We think : ", HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex));
Logger.WriteLine(17, 100, " MAA service: ", ehd.ToString());
}
Logger.WriteLine("");
}
public void CompareToMaaServiceJwtToken(AttestationResult serviceResult, bool includeDetails)
{
//if (includeDetails)
//{
// Logger.WriteLine("");
// Logger.WriteLine("Claims in MAA Service JWT Token");
// Logger.WriteLine($"{jwtBody.ToString()}");
// Logger.WriteLine("");
//}
var isDebuggable = (Attributes & 1) == 1;
var isdpassed = isDebuggable == serviceResult.IsDebuggable;
Logger.WriteLine($"IsDebuggable match : {isdpassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {isDebuggable}");
Logger.WriteLine($" MAA service: {serviceResult.IsDebuggable}");
}
var mrepassed = MrEnclaveHex.ToLower().Equals(serviceResult.MrEnclave);
Logger.WriteLine($"MRENCLAVE match : {mrepassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {MrEnclaveHex.ToLower()}");
Logger.WriteLine($" MAA service: {serviceResult.MrEnclave}");
}
var mrspassed = MrSignerHex.ToLower().Equals(serviceResult.MrSigner.ToLower());
Logger.WriteLine($"MRSIGNER match : {mrspassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {MrSignerHex.ToLower()}");
Logger.WriteLine($" MAA service: {serviceResult.MrSigner}");
}
var pidpassed = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0) == (ulong)serviceResult.ProductId;
Logger.WriteLine($"ProductID match : {pidpassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0)}");
Logger.WriteLine($" MAA service: {serviceResult.ProductId}");
}
var svnPassed = SecurityVersion == (uint)serviceResult.Svn;
Logger.WriteLine($"Security Version match : {svnPassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {SecurityVersion}");
Logger.WriteLine($" MAA service: {serviceResult.Svn}");
}
var ehdExpected = HexHelper.ConvertHexToByteArray(EnclaveHeldDataHex);
var ehdActual = serviceResult.EnclaveHeldData;
var ehdPassed = ehdExpected.SequenceEqual(ehdActual.ToArray());
Logger.WriteLine($"Enclave Held Data match : {ehdPassed}");
if (includeDetails)
{
Logger.WriteLine(17, 100, " We think : ", Convert.ToBase64String(ehdExpected));
Logger.WriteLine(17, 100, " MAA service: ", Convert.ToBase64String(serviceResult.EnclaveHeldData));
}
Logger.WriteLine("");
}
public void CompareToMaaServiceJwtToken(string serviceJwtToken, bool includeDetails)
{
var jwtBody = JoseHelper.ExtractJosePart(serviceJwtToken, 1);
//if (includeDetails)
//{
// Logger.WriteLine("");
// Logger.WriteLine("Claims in MAA Service JWT Token");
// Logger.WriteLine($"{jwtBody.ToString()}");
// Logger.WriteLine("");
//}
var isDebuggable = (Attributes & 1) == 1;
var isd = jwtBody["is-debuggable"];
var isdpassed = isDebuggable == (bool)isd;
Logger.WriteLine($"IsDebuggable match : {isdpassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {isDebuggable}");
Logger.WriteLine($" MAA service: {isd}");
}
var mre = jwtBody["sgx-mrenclave"];
var mrepassed = MrEnclaveHex.ToLower().Equals((string)mre);
Logger.WriteLine($"MRENCLAVE match : {mrepassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {MrEnclaveHex.ToLower()}");
Logger.WriteLine($" MAA service: {mre}");
}
var mrs = jwtBody["sgx-mrsigner"];
var mrspassed = MrSignerHex.ToLower().Equals(((string)mrs).ToLower());
Logger.WriteLine($"MRSIGNER match : {mrspassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {MrSignerHex.ToLower()}");
Logger.WriteLine($" MAA service: {mrs}");
}
var pid = jwtBody["product-id"];
var pidpassed = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0) == (ulong)pid;
Logger.WriteLine($"ProductID match : {pidpassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0)}");
Logger.WriteLine($" MAA service: {pid}");
}
var svn = jwtBody["svn"];
var svnPassed = SecurityVersion == (uint)svn;
Logger.WriteLine($"Security Version match : {svnPassed}");
if (includeDetails)
{
Logger.WriteLine($" We think : {SecurityVersion}");
Logger.WriteLine($" MAA service: {svn}");
}
var ehd = jwtBody["maa-ehd"];
var ehdPassed = HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex).Equals((string)ehd);
Logger.WriteLine($"Enclave Held Data match : {ehdPassed}");
if (includeDetails)
{
Logger.WriteLine(17, 124, " We think : ", EnclaveHeldDataHex);
Logger.WriteLine(17, 124, " MAA service: ", BitConverter.ToString(Base64Url.DecodeBytes(ehd.ToString())).Replace("-", ""));
}
Logger.WriteLine("");
}
