public async Task SettingAttestationPolicy()
{
var endpoint = TestEnvironment.AadAttestationUrl;
#region Snippet:GetPolicy
var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());
AttestationResponse <string> policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);
string result = policyResult.Value;
#endregion
#region Snippet:SetPolicy
string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";
//@@ X509Certificate2 policyTokenCertificate = new X509Certificate2(<Attestation Policy Signing Certificate>);
//@@ AsymmetricAlgorithm policyTokenKey = <Attestation Policy Signing Key>;
/*@@*/ var policyTokenCertificate = TestEnvironment.PolicyCertificate0;
/*@@*/ var policyTokenKey = TestEnvironment.PolicySigningKey0;
var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, new AttestationTokenSigningKey(policyTokenKey, policyTokenCertificate));
#endregion
#region Snippet:VerifySigningHash
// The SetPolicyAsync API will create an AttestationToken signed with the TokenSigningKey to transmit the policy.
// To verify that the policy specified by the caller was received by the service inside the enclave, we
// verify that the hash of the policy document returned from the Attestation Service matches the hash
// of an attestation token created locally.
//@@ TokenSigningKey signingKey = new TokenSigningKey(<Customer provided signing key>, <Customer provided certificate>)
/*@@*/ AttestationTokenSigningKey signingKey = new AttestationTokenSigningKey(policyTokenKey, policyTokenCertificate);
var policySetToken = new AttestationToken(
BinaryData.FromObjectAsJson(new StoredAttestationPolicy {
AttestationPolicy = attestationPolicy
}),
signingKey);
using var shaHasher = SHA256.Create();
byte[] attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));
Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash.ToArray()));
#endregion
var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);
// When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
var resetResult2 = client.ResetPolicy(
AttestationType.SgxEnclave,
new AttestationTokenSigningKey(TestEnvironment.PolicySigningKey0, policyTokenCertificate));
return;
}
public async Task AttestingAnSgxEnclave()
{
byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData);
var report = Base64Url.Decode(_openEnclaveReport);
var quoteList = report.ToList();
quoteList.RemoveRange(0, 0x10);
byte[] binaryQuote = quoteList.ToArray();
#region Snippet:GetSigningCertificates
var client = GetAttestationClient();
IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value;
#endregion
{
#region Snippet:AttestSgxEnclave
// Collect quote and runtime data from an SGX enclave.
// For the "Secure Key Release" scenario, the runtime data is normally a serialized asymmetric key.
// When the 'quote' (attestation evidence) is created specify the SHA256 hash of the runtime data when
// creating the evidence.
//
// When the generated evidence is created, the hash of the runtime data is included in the
// secured portion of the evidence.
//
// The Attestation service will validate that the Evidence is valid and that the SHA256 of the RuntimeData
// parameter is included in the evidence.
AttestationResponse <AttestationResult> attestationResult = client.AttestSgxEnclave(new AttestationRequest
{
Evidence = BinaryData.FromBytes(binaryQuote),
RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), false),
});
// At this point, the EnclaveHeldData field in the attestationResult.Value property will hold the
// contain the input binaryRuntimeData.
// The token is now passed to the "relying party". The relying party will validate that the token was
// issued by the Attestation Service. It then extracts the asymmetric key from the EnclaveHeldData field.
// The relying party will then Encrypt it's "key" data using the asymmetric key and transmits it back
// to the enclave.
var encryptedData = SendTokenToRelyingParty(attestationResult.Token);
// Now the encrypted data can be passed into the enclave which can decrypt that data.
#endregion
}
{
var runtimeDataList = Base64Url.Decode(_runtimeData).ToList();
runtimeDataList.Add(1);
binaryRuntimeData = runtimeDataList.ToArray();
#region Snippet:AttestSgxEnclaveWithException
try
{
AttestationResponse <AttestationResult> attestationResult = client.AttestSgxEnclave(new AttestationRequest
{
Evidence = BinaryData.FromBytes(binaryQuote),
RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), false),
});
}
catch (RequestFailedException ex)
when(ex.ErrorCode == "InvalidParameter")
{
// Ignore invalid quote errors.
}
#endregion
}
return;
}
