Exemplo n.º 1
0
        public async Task SettingAttestationPolicy()
        {
            var endpoint = TestEnvironment.AadAttestationUrl;

            #region Snippet:GetPolicy
            var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());

            var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);

            var result = policyResult.Value.AttestationPolicy;
            #endregion

            #region Snippet:SetPolicy
            string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";

            var policyTokenSigner = TestEnvironment.PolicyCertificate0;

            AttestationToken policySetToken = new SecuredAttestationToken(
                new StoredAttestationPolicy {
                AttestationPolicy = Base64Url.EncodeString(attestationPolicy),
            },
                TestEnvironment.PolicySigningKey0,
                policyTokenSigner);

            var setResult = client.SetPolicy(AttestationType.SgxEnclave, policySetToken);
            #endregion
            var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);

            // When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
            var resetResult2 = client.ResetPolicy(
                AttestationType.SgxEnclave,
                new SecuredAttestationToken(TestEnvironment.PolicySigningKey0, policyTokenSigner));
            return;
        }
        private async Task ResetAttestationPolicy(AttestationAdministrationClient adminClient, AttestationType attestationType, bool isSecuredToken, bool isIsolated)
        {
            X509Certificate2 x509Certificate = null;
            RSA rsaKey = null;

            if (isSecuredToken)
            {
                if (isIsolated)
                {
                    x509Certificate = TestEnvironment.PolicyManagementCertificate;

                    rsaKey = TestEnvironment.PolicyManagementKey;
                }
                else
                {
                    x509Certificate = TestEnvironment.PolicyCertificate0;

                    rsaKey = TestEnvironment.PolicySigningKey0;
                }
            }
            else
            {
            }

            var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, (rsaKey != null ? new TokenSigningKey(rsaKey, x509Certificate) : null));

            Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
            Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
        }
        public async Task SetPolicySecured(AttestationAdministrationClient adminClient, bool isIsolated)
        {
            // Reset the current attestation policy to a known state. Necessary if there were previous runs that failed.
            await ResetAttestationPolicy(adminClient, AttestationType.OpenEnclave, true, isIsolated);

            string originalPolicy = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);

            X509Certificate2 x509Certificate;
            RSA rsaKey;

            if (isIsolated)
            {
                x509Certificate = TestEnvironment.PolicyManagementCertificate;

                rsaKey = TestEnvironment.PolicyManagementKey;
            }
            else
            {
                x509Certificate = TestEnvironment.PolicyCertificate0;

                rsaKey = TestEnvironment.PolicySigningKey0;
            }

            byte[] disallowDebuggingHash;
            {
                var policySetResult = await adminClient.SetPolicyAsync(AttestationType.OpenEnclave, disallowDebugging, new TokenSigningKey(rsaKey, x509Certificate));

                var shaHasher = SHA256Managed.Create();

                var policySetToken = new AttestationToken(
                    new StoredAttestationPolicy {
                    AttestationPolicy = disallowDebugging
                }, new TokenSigningKey(rsaKey, x509Certificate));
                disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));

                Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
                Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution);
                CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash);
                Assert.AreEqual(x509Certificate, policySetResult.Value.PolicySigner.SigningCertificates[0]);
            }

            {
                var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);

                Assert.AreEqual(disallowDebugging, policyResult.Value);
            }
            {
                var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, new TokenSigningKey(rsaKey, x509Certificate));

                Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
                Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
            }

            {
                var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);

                // And when we're done, policy should be reset to the original value.
                Assert.AreEqual(originalPolicy, policyResult.Value);
            }
        }
        public async Task GetAttestationPolicy()
        {
            var client       = new AttestationAdministrationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential());
            var attestClient = new AttestationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential(),
                                                     new AttestationClientOptions(validationCallback: (attestationToken, signer) => true));
            IReadOnlyList <AttestationSigner> signingCertificates = attestClient.GetSigningCertificates().Value;
            var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);

            var result = policyResult.Value;
        }
        public async Task SettingAttestationPolicy()
        {
            var endpoint = TestEnvironment.AadAttestationUrl;

            #region Snippet:GetPolicy
            var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());

            var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);

            var result = policyResult.Value;
            #endregion

            #region Snippet:SetPolicy
            string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";

            //@@ X509Certificate2 policyTokenCertificate = new X509Certificate2(<Attestation Policy Signing Certificate>);
            //@@ AsymmetricAlgorithm policyTokenKey = <Attestation Policy Signing Key>;
            /*@@*/ var policyTokenCertificate = TestEnvironment.PolicyCertificate0;
            /*@@*/ var policyTokenKey         = TestEnvironment.PolicySigningKey0;

            var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, new TokenSigningKey(policyTokenKey, policyTokenCertificate));
            #endregion

            #region Snippet:VerifySigningHash

            // The SetPolicyAsync API will create an AttestationToken signed with the TokenSigningKey to transmit the policy.
            // To verify that the policy specified by the caller was received by the service inside the enclave, we
            // verify that the hash of the policy document returned from the Attestation Service matches the hash
            // of an attestation token created locally.
            //@@ TokenSigningKey signingKey = new TokenSigningKey(<Customer provided signing key>, <Customer provided certificate>)
            /*@@*/ TokenSigningKey signingKey = new TokenSigningKey(policyTokenKey, policyTokenCertificate);
            var policySetToken = new AttestationToken(
                new StoredAttestationPolicy {
                AttestationPolicy = attestationPolicy
            },
                signingKey);

            using var shaHasher = SHA256Managed.Create();
            var attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));

            Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash));
            #endregion
            var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);

            // When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
            var resetResult2 = client.ResetPolicy(
                AttestationType.SgxEnclave,
                new TokenSigningKey(TestEnvironment.PolicySigningKey0, policyTokenCertificate));
            return;
        }
Exemplo n.º 6
0
        public async Task GetAttestationPolicy()
        {
            var tokenOptions = new AttestationTokenValidationOptions();

            tokenOptions.TokenValidated += (AttestationTokenValidationEventArgs args) => { args.IsValid = true; return(Task.CompletedTask); };
            var client       = new AttestationAdministrationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential());
            var attestClient = new AttestationClient(new Uri(TestEnvironment.AadAttestationUrl), new DefaultAzureCredential(),
                                                     new AttestationClientOptions(tokenOptions: tokenOptions));

            ;
            IReadOnlyList <AttestationSigner> signingCertificates = attestClient.GetSigningCertificates().Value;
            var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);

            var result = policyResult.Value;
        }
        public async Task SettingAttestationPolicy()
        {
            var endpoint = TestEnvironment.AadAttestationUrl;

            #region Snippet:GetPolicy
            var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());

            var policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);

            var result = policyResult.Value;
            #endregion

            #region Snippet:SetPolicy
            string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";

            var policyTokenSigner = TestEnvironment.PolicyCertificate0;

            var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, TestEnvironment.PolicySigningKey0, policyTokenSigner);
            #endregion

            #region Snippet:VerifySigningHash

            // The SetPolicyAsync API will create a SecuredAttestationToken to transmit the policy.
            var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy {
                AttestationPolicy = attestationPolicy
            }, TestEnvironment.PolicySigningKey0, policyTokenSigner);

            var shaHasher             = SHA256Managed.Create();
            var attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));

            CollectionAssert.AreEqual(attestationPolicyHash, setResult.Value.PolicyTokenHash);

            #endregion
            var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);

            // When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
            var resetResult2 = client.ResetPolicy(
                AttestationType.SgxEnclave,
                TestEnvironment.PolicySigningKey0, policyTokenSigner);
            return;
        }