public async Task AttestSgxShared() { byte[] binaryQuote = Base64Url.Decode(_sgxQuote); byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData); var client = GetSharedAttestationClient(); IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value; { // Collect quote and enclave held data from an SGX enclave. var attestationResult = await client.AttestSgxEnclaveAsync(binaryQuote, null, false, BinaryData.FromBytes(binaryRuntimeData), false); // Confirm that the attestation token contains the enclave held data we specified. CollectionAssert.AreEqual(binaryRuntimeData, attestationResult.Value.DeprecatedEnclaveHeldData); // VERIFY ATTESTATIONRESULT. // Encrypt Data using DeprecatedEnclaveHeldData // Send to enclave. } }
public async Task AttestSgxEnclaveSharedValidateCallback() { // An SGX Quote is an OpenEnclave report with the first 16 bytes stripped from it. var report = Base64Url.Decode(_openEnclaveReport); var quoteList = report.ToList(); quoteList.RemoveRange(0, 0x10); byte[] binaryQuote = quoteList.ToArray(); byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData); bool callbackInvoked = false; var client = TestEnvironment.GetSharedAttestationClient(this, new TokenValidationOptions( validateExpirationTime: TestEnvironment.IsTalkingToLiveServer, validationCallback: (attestationToken, signer) => { // Verify that the callback can access the enclave held data field. CollectionAssert.AreEqual(binaryRuntimeData, attestationToken.GetBody <AttestationResult>().EnclaveHeldData); // The MAA service always sends a Key ID for the signer. Assert.IsNotNull(signer.CertificateKeyId); Assert.AreEqual(TestEnvironment.SharedAttestationUrl, attestationToken.Issuer); callbackInvoked = true; return(true); })); IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value; { // Collect quote and enclave held data from an SGX enclave. var attestationResult = await client.AttestSgxEnclaveAsync(binaryQuote, null, false, BinaryData.FromBytes(binaryRuntimeData), false); // Confirm that the attestation token contains the enclave held data we specified. CollectionAssert.AreEqual(binaryRuntimeData, attestationResult.Value.DeprecatedEnclaveHeldData); // VERIFY ATTESTATIONRESULT. // Encrypt Data using DeprecatedEnclaveHeldData // Send to enclave. Assert.IsTrue(callbackInvoked); } }
public async Task SetPolicySecured(AttestationAdministrationClient adminClient, bool isIsolated) { // Reset the current attestation policy to a known state. Necessary if there were previous runs that failed. await ResetAttestationPolicy(adminClient, AttestationType.OpenEnclave, true, isIsolated); string originalPolicy; { var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave); var result = policyResult.Value.AttestationPolicy; var policyRaw = Base64Url.Decode(result); originalPolicy = System.Text.Encoding.UTF8.GetString(policyRaw); } X509Certificate2 x509Certificate; RSA rsaKey; if (isIsolated) { x509Certificate = TestEnvironment.PolicyManagementCertificate; rsaKey = TestEnvironment.PolicyManagementKey; } else { x509Certificate = TestEnvironment.PolicyCertificate0; rsaKey = TestEnvironment.PolicySigningKey0; } byte[] disallowDebuggingHash; { var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy { AttestationPolicy = Base64Url.EncodeString(disallowDebugging) }, rsaKey, x509Certificate); var policySetResult = await adminClient.SetPolicyAsync(AttestationType.OpenEnclave, policySetToken); var shaHasher = SHA256Managed.Create(); disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString())); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution); CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash); Assert.AreEqual(x509Certificate, policySetResult.Value.PolicySigner.SigningCertificates[0]); } { var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave); var result = policyResult.Value.AttestationPolicy; var policyRaw = Base64Url.Decode(result); var policy = System.Text.Encoding.UTF8.GetString(policyRaw); Assert.AreEqual(disallowDebugging, policy); } { var policyResetToken = new SecuredAttestationToken(rsaKey, x509Certificate); var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, policyResetToken); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution); } { var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave); var result = policyResult.Value.AttestationPolicy; var policyRaw = Base64Url.Decode(result); var policy = System.Text.Encoding.UTF8.GetString(policyRaw); // And when we're done, policy should be reset to the original value. Assert.AreEqual(originalPolicy, policy); } }
public async Task SetPolicyUnsecuredAad() { var adminclient = GetAadAdministrationClient(); // Reset the current attestation policy to a known state. Necessary if there were previous runs that failed. await ResetAttestationPolicy(adminclient, AttestationType.OpenEnclave, false, false); string originalPolicy; { var policyResult = await adminclient.GetPolicyAsync(AttestationType.OpenEnclave); var result = policyResult.Value.AttestationPolicy; var policyRaw = Base64Url.Decode(result); originalPolicy = System.Text.Encoding.UTF8.GetString(policyRaw); } byte[] disallowDebuggingHash; { var policySetToken = new UnsecuredAttestationToken(new StoredAttestationPolicy { AttestationPolicy = Base64Url.EncodeString(disallowDebugging) }); var policySetResult = await adminclient.SetPolicyAsync(AttestationType.OpenEnclave, policySetToken); var shaHasher = SHA256Managed.Create(); disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString())); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution); CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash); } { var policyResult = await adminclient.GetPolicyAsync(AttestationType.OpenEnclave); var result = policyResult.Value.AttestationPolicy; var policyRaw = Base64Url.Decode(result); var policy = System.Text.Encoding.UTF8.GetString(policyRaw); Assert.AreEqual(disallowDebugging, policy); } { var policyResetToken = new UnsecuredAttestationToken(); var policySetResult = await adminclient.ResetPolicyAsync(AttestationType.OpenEnclave, policyResetToken); Assert.AreEqual(200, policySetResult.GetRawResponse().Status); Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution); } { var policyResult = await adminclient.GetPolicyAsync(AttestationType.OpenEnclave); var result = policyResult.Value.AttestationPolicy; var policyRaw = Base64Url.Decode(result); var policy = System.Text.Encoding.UTF8.GetString(policyRaw); // And when we're done, policy should be reset to the original value. Assert.AreEqual(originalPolicy, policy); } }