Exemplo n.º 1
0
        public async Task SettingAttestationPolicy()
        {
            var endpoint = TestEnvironment.AadAttestationUrl;

            #region Snippet:GetPolicy
            var client = new AttestationAdministrationClient(new Uri(endpoint), new DefaultAzureCredential());

            AttestationResponse <string> policyResult = await client.GetPolicyAsync(AttestationType.SgxEnclave);

            string result = policyResult.Value;
            #endregion

            #region Snippet:SetPolicy
            string attestationPolicy = "version=1.0; authorizationrules{=> permit();}; issuancerules{};";

            //@@ X509Certificate2 policyTokenCertificate = new X509Certificate2(<Attestation Policy Signing Certificate>);
            //@@ AsymmetricAlgorithm policyTokenKey = <Attestation Policy Signing Key>;
            /*@@*/ var policyTokenCertificate = TestEnvironment.PolicyCertificate0;
            /*@@*/ var policyTokenKey         = TestEnvironment.PolicySigningKey0;

            var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, new AttestationTokenSigningKey(policyTokenKey, policyTokenCertificate));
            #endregion

            #region Snippet:VerifySigningHash

            // The SetPolicyAsync API will create an AttestationToken signed with the TokenSigningKey to transmit the policy.
            // To verify that the policy specified by the caller was received by the service inside the enclave, we
            // verify that the hash of the policy document returned from the Attestation Service matches the hash
            // of an attestation token created locally.
            //@@ TokenSigningKey signingKey = new TokenSigningKey(<Customer provided signing key>, <Customer provided certificate>)
            /*@@*/ AttestationTokenSigningKey signingKey = new AttestationTokenSigningKey(policyTokenKey, policyTokenCertificate);
            var policySetToken = new AttestationToken(
                BinaryData.FromObjectAsJson(new StoredAttestationPolicy {
                AttestationPolicy = attestationPolicy
            }),
                signingKey);

            using var shaHasher = SHA256.Create();
            byte[] attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));

            Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash.ToArray()));
            #endregion
            var resetResult = client.ResetPolicy(AttestationType.SgxEnclave);

            // When the attestation instance is in Isolated mode, the ResetPolicy API requires using a signing key/certificate to authorize the user.
            var resetResult2 = client.ResetPolicy(
                AttestationType.SgxEnclave,
                new AttestationTokenSigningKey(TestEnvironment.PolicySigningKey0, policyTokenCertificate));
            return;
        }
Exemplo n.º 2
0
        public async Task AttestingAnSgxEnclave()
        {
            byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData);
            var    report            = Base64Url.Decode(_openEnclaveReport);
            var    quoteList         = report.ToList();

            quoteList.RemoveRange(0, 0x10);
            byte[] binaryQuote = quoteList.ToArray();
            #region Snippet:GetSigningCertificates
            var client = GetAttestationClient();

            IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value;
            #endregion
            {
                #region Snippet:AttestSgxEnclave
                // Collect quote and runtime data from an SGX enclave.
                // For the "Secure Key Release" scenario, the runtime data is normally a serialized asymmetric key.
                // When the 'quote' (attestation evidence) is created specify the SHA256 hash of the runtime data when
                // creating the evidence.
                //
                // When the generated evidence is created, the hash of the runtime data is included in the
                // secured portion of the evidence.
                //
                // The Attestation service will validate that the Evidence is valid and that the SHA256 of the RuntimeData
                // parameter is included in the evidence.
                AttestationResponse <AttestationResult> attestationResult = client.AttestSgxEnclave(new AttestationRequest
                {
                    Evidence    = BinaryData.FromBytes(binaryQuote),
                    RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), false),
                });

                // At this point, the EnclaveHeldData field in the attestationResult.Value property will hold the
                // contain the input binaryRuntimeData.

                // The token is now passed to the "relying party". The relying party will validate that the token was
                // issued by the Attestation Service. It then extracts the asymmetric key from the EnclaveHeldData field.
                // The relying party will then Encrypt it's "key" data using the asymmetric key and transmits it back
                // to the enclave.
                var encryptedData = SendTokenToRelyingParty(attestationResult.Token);

                // Now the encrypted data can be passed into the enclave which can decrypt that data.

                #endregion
            }

            {
                var runtimeDataList = Base64Url.Decode(_runtimeData).ToList();
                runtimeDataList.Add(1);
                binaryRuntimeData = runtimeDataList.ToArray();

                #region Snippet:AttestSgxEnclaveWithException

                try
                {
                    AttestationResponse <AttestationResult> attestationResult = client.AttestSgxEnclave(new AttestationRequest
                    {
                        Evidence    = BinaryData.FromBytes(binaryQuote),
                        RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), false),
                    });
                }
                catch (RequestFailedException ex)
                    when(ex.ErrorCode == "InvalidParameter")
                    {
                        // Ignore invalid quote errors.
                    }
                #endregion
            }
            return;
        }