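/// <summary>
/// Attests the enclave described by <c>this.fileName</c> against the MAA instance at
/// <c>this.attestDnsName</c>, runs the client-side JWT validation callback on the returned
/// token, and then compares the service's claims with the locally parsed enclave info.
/// </summary>
/// <returns>A task that completes when attestation and the claim comparison have finished.</returns>
public async Task RunAsync()
{
    // Parse the locally supplied enclave evidence (quote and enclave-held data, hex encoded).
    var enclaveInfo = await EnclaveInfo.CreateFromFileAsync(this.fileName);

    // The MAA instance URL is also the issuer we expect in the returned JWT.
    string endpoint = $"https://{this.attestDnsName}";

    var options = new AttestationClientOptions(
        tokenOptions: new AttestationTokenValidationOptions
        {
            ExpectedIssuer = endpoint,
            ValidateIssuer = true,
        });

    options.TokenOptions.TokenValidated += (args) =>
    {
        Logger.WriteBanner("IN VALIDATION CALLBACK, VALIDATING MAA JWT TOKEN - BASICS");
        JwtValidationHelper.ValidateMaaJwt(this.attestDnsName, args.Token, args.Signer, this.includeDetails);

        // NOTE(review): IsValid is set unconditionally, so the token is only rejected if
        // ValidateMaaJwt throws on failure. Confirm that helper throws rather than returning a status.
        args.IsValid = true;
        return Task.CompletedTask;
    };

    var maaService = new AttestationClient(new Uri(endpoint), new DefaultAzureCredential(), options);

    BinaryData openEnclaveReport = BinaryData.FromBytes(HexHelper.ConvertHexToByteArray(enclaveInfo.QuoteHex));
    BinaryData runtimeData = BinaryData.FromBytes(HexHelper.ConvertHexToByteArray(enclaveInfo.EnclaveHeldDataHex));

    // The second AttestationData argument flags the runtime data as JSON; false means it is opaque bytes.
    var serviceResponse = await maaService.AttestOpenEnclaveAsync(
        new AttestationRequest
        {
            Evidence = openEnclaveReport,
            RuntimeData = new AttestationData(runtimeData, false),
        });

    Logger.WriteBanner("VALIDATING MAA JWT TOKEN - MATCHES CLIENT ENCLAVE INFO");
    enclaveInfo.CompareToMaaServiceJwtToken(serviceResponse.Value, this.includeDetails);
}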
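/// <summary>
/// Compares the claims carried in a MAA service JWT against the enclave measurements parsed
/// locally and logs a pass/fail line for each claim.
/// </summary>
/// <param name="serviceJwtToken">The compact-serialised JWT returned by the attestation service.</param>
/// <param name="includeDetails">When true, also logs the expected and reported value of every claim.</param>
/// <exception cref="ArgumentNullException"><paramref name="serviceJwtToken"/> is null.</exception>
public void CompareToMaaServiceJwtToken(string serviceJwtToken, bool includeDetails)
{
    if (serviceJwtToken is null)
    {
        throw new ArgumentNullException(nameof(serviceJwtToken));
    }

    // Part 1 of the JOSE compact serialisation is the payload (the claim set).
    var jwtBody = JoseHelper.ExtractJosePart(serviceJwtToken, 1);

    // In SGX the DEBUG flag is equal to 0x0000000000000002ULL
    // See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
    var isDebuggable = (Attributes & 2) != 0;
    var isd = jwtBody["is-debuggable"];
    var isdpassed = isDebuggable == (bool)isd;
    Logger.WriteLine($"IsDebuggable match : {isdpassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {isDebuggable}");
        Logger.WriteLine($" MAA service: {isd}");
    }

    // MRENCLAVE / MRSIGNER are hex digests: compare case-insensitively on both sides so the
    // casing chosen by either party cannot produce a spurious mismatch.
    var mre = jwtBody["sgx-mrenclave"];
    var mrepassed = string.Equals(MrEnclaveHex, (string)mre, StringComparison.OrdinalIgnoreCase);
    Logger.WriteLine($"MRENCLAVE match : {mrepassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {MrEnclaveHex.ToLowerInvariant()}");
        Logger.WriteLine($" MAA service: {mre}");
    }

    var mrs = jwtBody["sgx-mrsigner"];
    var mrspassed = string.Equals(MrSignerHex, (string)mrs, StringComparison.OrdinalIgnoreCase);
    Logger.WriteLine($"MRSIGNER match : {mrspassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {MrSignerHex.ToLowerInvariant()}");
        Logger.WriteLine($" MAA service: {mrs}");
    }

    // NOTE(review): ToUInt64 reads 8 bytes in host byte order and throws if fewer are present;
    // confirm ProductIdHex always decodes to at least 8 little-endian bytes.
    var productId = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
    var pid = jwtBody["product-id"];
    var pidpassed = productId == (ulong)pid;
    Logger.WriteLine($"ProductID match : {pidpassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {productId}");
        Logger.WriteLine($" MAA service: {pid}");
    }

    var svn = jwtBody["svn"];
    var svnPassed = SecurityVersion == (uint)svn;
    Logger.WriteLine($"Security Version match : {svnPassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {SecurityVersion}");
        Logger.WriteLine($" MAA service: {svn}");
    }

    // The service reports enclave-held data as base64url; convert our hex once for both the check and the log.
    var ehdExpected = HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex);
    var ehd = jwtBody["maa-ehd"];
    var ehdPassed = string.Equals(ehdExpected, (string)ehd, StringComparison.Ordinal);
    Logger.WriteLine($"Enclave Held Data match : {ehdPassed}");
    if (includeDetails)
    {
        Logger.WriteLine(17, 100, " We think : ", ehdExpected);
        Logger.WriteLine(17, 100, " MAA service: ", ehd.ToString());
    }

    Logger.WriteLine("");
}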
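/// <summary>
/// Compares the parsed claims of a MAA attestation result against the enclave measurements
/// parsed locally and logs a pass/fail line for each claim.
/// </summary>
/// <param name="serviceResult">The attestation result returned by the MAA client.</param>
/// <param name="includeDetails">When true, also logs the expected and reported value of every claim.</param>
/// <exception cref="ArgumentNullException"><paramref name="serviceResult"/> is null.</exception>
public void CompareToMaaServiceJwtToken(AttestationResult serviceResult, bool includeDetails)
{
    if (serviceResult is null)
    {
        throw new ArgumentNullException(nameof(serviceResult));
    }

    // In SGX the DEBUG flag is 0x0000000000000002ULL; bit 0 (0x1) is INITTED, not DEBUG,
    // so testing bit 0 would misreport debuggability.
    // See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
    var isDebuggable = (Attributes & 2) != 0;
    var isdpassed = isDebuggable == serviceResult.IsDebuggable;
    Logger.WriteLine($"IsDebuggable match : {isdpassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {isDebuggable}");
        Logger.WriteLine($" MAA service: {serviceResult.IsDebuggable}");
    }

    // MRENCLAVE / MRSIGNER are hex digests: compare case-insensitively on both sides so the
    // casing chosen by either party cannot produce a spurious mismatch.
    var mrepassed = string.Equals(MrEnclaveHex, serviceResult.MrEnclave, StringComparison.OrdinalIgnoreCase);
    Logger.WriteLine($"MRENCLAVE match : {mrepassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {MrEnclaveHex.ToLowerInvariant()}");
        Logger.WriteLine($" MAA service: {serviceResult.MrEnclave}");
    }

    var mrspassed = string.Equals(MrSignerHex, serviceResult.MrSigner, StringComparison.OrdinalIgnoreCase);
    Logger.WriteLine($"MRSIGNER match : {mrspassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {MrSignerHex.ToLowerInvariant()}");
        Logger.WriteLine($" MAA service: {serviceResult.MrSigner}");
    }

    // NOTE(review): ToUInt64 reads 8 bytes in host byte order and throws if fewer are present;
    // confirm ProductIdHex always decodes to at least 8 little-endian bytes.
    var productId = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
    var pidpassed = productId == (ulong)serviceResult.ProductId;
    Logger.WriteLine($"ProductID match : {pidpassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {productId}");
        Logger.WriteLine($" MAA service: {serviceResult.ProductId}");
    }

    var svnPassed = SecurityVersion == (uint)serviceResult.Svn;
    Logger.WriteLine($"Security Version match : {svnPassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {SecurityVersion}");
        Logger.WriteLine($" MAA service: {serviceResult.Svn}");
    }

    // A missing enclave-held-data claim is reported as a mismatch rather than a crash.
    var ehdExpected = HexHelper.ConvertHexToByteArray(EnclaveHeldDataHex);
    var ehdActual = serviceResult.EnclaveHeldData?.ToArray() ?? Array.Empty<byte>();
    var ehdPassed = ehdExpected.SequenceEqual(ehdActual);
    Logger.WriteLine($"Enclave Held Data match : {ehdPassed}");
    if (includeDetails)
    {
        Logger.WriteLine(17, 100, " We think : ", Convert.ToBase64String(ehdExpected));
        Logger.WriteLine(17, 100, " MAA service: ", Convert.ToBase64String(ehdActual));
    }

    Logger.WriteLine("");
}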
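/// <summary>
/// Compares the claims carried in a MAA service JWT against the enclave measurements parsed
/// locally and logs a pass/fail line for each claim.
/// </summary>
/// <param name="serviceJwtToken">The compact-serialised JWT returned by the attestation service.</param>
/// <param name="includeDetails">When true, also logs the expected and reported value of every claim.</param>
/// <exception cref="ArgumentNullException"><paramref name="serviceJwtToken"/> is null.</exception>
public void CompareToMaaServiceJwtToken(string serviceJwtToken, bool includeDetails)
{
    if (serviceJwtToken is null)
    {
        throw new ArgumentNullException(nameof(serviceJwtToken));
    }

    // Part 1 of the JOSE compact serialisation is the payload (the claim set).
    var jwtBody = JoseHelper.ExtractJosePart(serviceJwtToken, 1);

    // In SGX the DEBUG flag is 0x0000000000000002ULL; bit 0 (0x1) is INITTED, not DEBUG,
    // so testing bit 0 would misreport debuggability.
    // See https://github.com/intel/linux-sgx/blob/master/common/inc/sgx_attributes.h#L39
    var isDebuggable = (Attributes & 2) != 0;
    var isd = jwtBody["is-debuggable"];
    var isdpassed = isDebuggable == (bool)isd;
    Logger.WriteLine($"IsDebuggable match : {isdpassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {isDebuggable}");
        Logger.WriteLine($" MAA service: {isd}");
    }

    // MRENCLAVE / MRSIGNER are hex digests: compare case-insensitively on both sides so the
    // casing chosen by either party cannot produce a spurious mismatch.
    var mre = jwtBody["sgx-mrenclave"];
    var mrepassed = string.Equals(MrEnclaveHex, (string)mre, StringComparison.OrdinalIgnoreCase);
    Logger.WriteLine($"MRENCLAVE match : {mrepassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {MrEnclaveHex.ToLowerInvariant()}");
        Logger.WriteLine($" MAA service: {mre}");
    }

    var mrs = jwtBody["sgx-mrsigner"];
    var mrspassed = string.Equals(MrSignerHex, (string)mrs, StringComparison.OrdinalIgnoreCase);
    Logger.WriteLine($"MRSIGNER match : {mrspassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {MrSignerHex.ToLowerInvariant()}");
        Logger.WriteLine($" MAA service: {mrs}");
    }

    // NOTE(review): ToUInt64 reads 8 bytes in host byte order and throws if fewer are present;
    // confirm ProductIdHex always decodes to at least 8 little-endian bytes.
    var productId = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
    var pid = jwtBody["product-id"];
    var pidpassed = productId == (ulong)pid;
    Logger.WriteLine($"ProductID match : {pidpassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {productId}");
        Logger.WriteLine($" MAA service: {pid}");
    }

    var svn = jwtBody["svn"];
    var svnPassed = SecurityVersion == (uint)svn;
    Logger.WriteLine($"Security Version match : {svnPassed}");
    if (includeDetails)
    {
        Logger.WriteLine($" We think : {SecurityVersion}");
        Logger.WriteLine($" MAA service: {svn}");
    }

    // The service reports enclave-held data as base64url; the detail lines print both sides as hex.
    var ehd = jwtBody["maa-ehd"];
    var ehdPassed = string.Equals(HexHelper.ConvertHexToBase64Url(EnclaveHeldDataHex), (string)ehd, StringComparison.Ordinal);
    Logger.WriteLine($"Enclave Held Data match : {ehdPassed}");
    if (includeDetails)
    {
        Logger.WriteLine(17, 124, " We think : ", EnclaveHeldDataHex);
        Logger.WriteLine(17, 124, " MAA service: ", BitConverter.ToString(Base64Url.DecodeBytes(ehd.ToString())).Replace("-", ""));
    }

    Logger.WriteLine("");
}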