/// <summary>
/// Subscribes <paramref name="result"/> to <c>AttestationResultEvent</c>.
/// A null subscriber is silently ignored rather than rejected.
/// </summary>
/// <param name="result">Subscriber to add to the event; ignored when null.</param>
public void AddOnResultListener(AttestationResult result)
{
    if (result is null)
    {
        return;
    }

    AttestationResultEvent += result;
}
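/// <summary>
/// Validates an MAA service JWT: the <c>iss</c> claim must be the tenant's attest URI,
/// the JWT signing certificate must be issued under that same name, and the quote
/// embedded in the signing certificate must validate.
/// </summary>
/// <param name="attestDnsName">DNS name of the attestation instance; the attest URI is <c>https://</c> followed by this name.</param>
/// <param name="token">MAA service token whose body decodes to an <see cref="AttestationResult"/>.</param>
/// <param name="signer">Signer resolved for <paramref name="token"/>; only its first certificate is examined.</param>
/// <param name="includeDetails">When true, the values behind each check are logged as well.</param>
/// <returns><c>true</c> when every check passes; failures are reported by exception, never by a <c>false</c> return.</returns>
/// <exception cref="ArgumentNullException">Any reference argument is null.</exception>
/// <exception cref="ArgumentException"><paramref name="signer"/> carries no certificate, or a validation step rejects the token.</exception>
/// <remarks>
/// Nothing here checks the token's signature over its body; the token is assumed to have
/// been signature-verified where it was obtained — TODO confirm with the caller.
/// </remarks>
public static bool ValidateMaaJwt(string attestDnsName, AttestationToken token, AttestationSigner signer, bool includeDetails)
{
    if (attestDnsName is null)
    {
        throw new ArgumentNullException(nameof(attestDnsName));
    }
    if (token is null)
    {
        throw new ArgumentNullException(nameof(token));
    }
    if (signer is null)
    {
        throw new ArgumentNullException(nameof(signer));
    }
    if (signer.SigningCertificates is null || signer.SigningCertificates.Count == 0)
    {
        // Fail with a clear message instead of an IndexOutOfRangeException at the [0] below.
        throw new ArgumentException("JWT is not valid (signer carries no signing certificate)", nameof(signer));
    }

    var attestUri = new Uri($"https://{attestDnsName}");
    AttestationResult result = token.GetBody<AttestationResult>();

    ValidateJwtIssuerIsTenant(result, attestUri, includeDetails);
    ValidateSigningCertIssuerMatchesJwtIssuer(result, signer, includeDetails);

    // The quote validator takes the certificate as base64-encoded DER (x5c form).
    X509Certificate2 signingCertificate = signer.SigningCertificates[0];
    byte[] certificateBytes = signingCertificate.RawData;
    string x5c = Convert.ToBase64String(certificateBytes);

#if LOG_BOUNCY_CASTLE
    if (includeDetails)
    {
        // Dump each top-level ASN.1 element of the certificate, type name plus hex encoding.
        var bouncyCertParser = new X509CertificateParser();
        var bouncyCert = bouncyCertParser.ReadCertificate(certificateBytes);
        var bouncyAsn1Sequence = (DerSequence)bouncyCert.CertificateStructure.ToAsn1Object();
        for (int i = 0; i < bouncyAsn1Sequence.Count; i++)
        {
            var asn1 = bouncyAsn1Sequence[i];
            Logger.WriteLine(53, 128, $"{asn1.GetType().ToString(),50} : ", BitConverter.ToString(asn1.GetEncoded()).Replace("-", ""));
        }
    }
#endif

    Logger.WriteBanner("VALIDATING MAA JWT TOKEN - MAA EMBEDDED QUOTE IN SIGNING CERTIFICATE FOR JWT");
    MaaQuoteValidator.ValidateMaaQuote(x5c, includeDetails);
    return true;
}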
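/// <summary>
/// Validates an MAA service JWT against the tenant: the <c>iss</c> claim must be the
/// tenant's attest URI and the signing certificate must be issued under that same name.
/// </summary>
/// <param name="attestDnsName">DNS name of the attestation instance; the attest URI is <c>https://</c> followed by this name.</param>
/// <param name="serviceToken">MAA service token whose body decodes to an <see cref="AttestationResult"/>.</param>
/// <param name="tokenSigner">Signer resolved for <paramref name="serviceToken"/>.</param>
/// <param name="includeDetails">When true, the values behind each check are logged as well.</param>
/// <returns><c>true</c> when both checks pass; failures are reported by exception, never by a <c>false</c> return.</returns>
/// <exception cref="ArgumentNullException">Any reference argument is null.</exception>
/// <exception cref="ArgumentException">A validation step rejects the token.</exception>
/// <remarks>
/// Nothing here checks the token's signature over its body; the token is assumed to have
/// been signature-verified where it was obtained — TODO confirm with the caller.
/// </remarks>
public static bool ValidateMaaJwt(string attestDnsName, AttestationToken serviceToken, AttestationSigner tokenSigner, bool includeDetails)
{
    if (attestDnsName is null)
    {
        throw new ArgumentNullException(nameof(attestDnsName));
    }
    if (serviceToken is null)
    {
        throw new ArgumentNullException(nameof(serviceToken));
    }
    if (tokenSigner is null)
    {
        throw new ArgumentNullException(nameof(tokenSigner));
    }

    var attestUri = new Uri($"https://{attestDnsName}");
    AttestationResult result = serviceToken.GetBody<AttestationResult>();

    ValidateJwtIssuerIsTenant(result, attestUri, includeDetails);
    ValidateSigningCertIssuerMatchesJwtIssuer(result, tokenSigner, includeDetails);
    return true;
}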
/// <summary>
/// Rejects a result whose <c>iss</c> claim is not exactly the tenant-specific attest URI.
/// </summary>
/// <param name="result">Decoded token body; its <c>Issuer</c> is the claim under test.</param>
/// <param name="tenantAttestUri">The attest URI the caller expects the token to have been issued by.</param>
/// <param name="includeDetails">When true, the issuer claim value is logged after a successful check.</param>
/// <exception cref="ArgumentException">The issuer claim differs from <paramref name="tenantAttestUri"/>.</exception>
private static void ValidateJwtIssuerIsTenant(AttestationResult result, Uri tenantAttestUri, bool includeDetails)
{
    // Whole absolute URI, unescaped form, case-insensitive: 0 means the two are equal.
    var issuerMatches = Uri.Compare(
        tenantAttestUri,
        result.Issuer,
        UriComponents.AbsoluteUri,
        UriFormat.Unescaped,
        StringComparison.OrdinalIgnoreCase) == 0;

    if (!issuerMatches)
    {
        throw new ArgumentException("JWT is not valid (iss claim does not match attest URI)");
    }

    Logger.WriteLine($"JWT issuer claim validation : True");
    if (!includeDetails)
    {
        return;
    }

    Logger.WriteLine($" JWT Issuer claim value : {result.Issuer}");
}
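/// <summary>
/// Rejects a token whose signing certificate was not issued under the same name as the
/// token's <c>iss</c> claim (expected issuer DN is <c>CN=&lt;iss&gt;</c>).
/// </summary>
/// <param name="result">Decoded token body; its <c>Issuer</c> supplies the expected CN.</param>
/// <param name="signer">Signer of the token; only its first certificate is examined.</param>
/// <param name="includeDetails">When true, the certificate's issuer DN is logged after a successful check.</param>
/// <exception cref="ArgumentNullException"><paramref name="result"/> or <paramref name="signer"/> is null.</exception>
/// <exception cref="ArgumentException"><paramref name="signer"/> carries no certificate, or the issuer DN does not match.</exception>
/// <remarks>
/// This is a name comparison only: the certificate's chain and signature are not checked here.
/// </remarks>
private static void ValidateSigningCertIssuerMatchesJwtIssuer(AttestationResult result, AttestationSigner signer, bool includeDetails)
{
    if (result is null)
    {
        throw new ArgumentNullException(nameof(result));
    }
    if (signer is null)
    {
        throw new ArgumentNullException(nameof(signer));
    }

    var certificates = signer.SigningCertificates;
    if (certificates is null || certificates.Count == 0)
    {
        // Fail with a clear message instead of an IndexOutOfRangeException at the [0] below.
        throw new ArgumentException("JWT is not valid (signer carries no signing certificate)", nameof(signer));
    }

    var signingCertificate = certificates[0];
    var expectedIssuer = "CN=" + result.Issuer.OriginalString;
    if (!string.Equals(signingCertificate.Issuer, expectedIssuer, StringComparison.OrdinalIgnoreCase))
    {
        throw new ArgumentException("JWT is not valid (signing certificate issuer does not match JWT issuer)");
    }

    Logger.WriteLine($"JWT signing cert issuer validation : True");
    if (includeDetails)
    {
        Logger.WriteLine($" Signing certificate issuer : {signingCertificate.Issuer}");
    }
}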
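/// <summary>
/// Compares the enclave identity held by this instance (debug flag, MRENCLAVE, MRSIGNER,
/// product id, security version, enclave held data) against the claims the MAA service
/// returned, logging one pass/fail line per field.
/// </summary>
/// <param name="serviceResult">Claims decoded from the MAA service JWT.</param>
/// <param name="includeDetails">When true, the local and service values are logged under each pass/fail line.</param>
/// <exception cref="ArgumentNullException"><paramref name="serviceResult"/> is null.</exception>
/// <remarks>
/// Mismatches are only logged; nothing is returned or thrown for them.
/// </remarks>
public void CompareToMaaServiceJwtToken(AttestationResult serviceResult, bool includeDetails)
{
    if (serviceResult is null)
    {
        throw new ArgumentNullException(nameof(serviceResult));
    }

    // Logs the pass/fail line for one field and, when requested, both sides of the comparison.
    void Report(string field, bool passed, object ours, object theirs)
    {
        Logger.WriteLine($"{field} : {passed}");
        if (includeDetails)
        {
            Logger.WriteLine($" We think : {ours}");
            Logger.WriteLine($" MAA service: {theirs}");
        }
    }

    // NOTE(review): bit 0 of Attributes is read as the debug flag. In raw SGX ATTRIBUTES.FLAGS
    // the DEBUG bit is 0x2 (bit 0 is INIT) — confirm how Attributes is populated.
    var isDebuggable = (Attributes & 1) == 1;
    Report("IsDebuggable match", isDebuggable == serviceResult.IsDebuggable, isDebuggable, serviceResult.IsDebuggable);

    // Hex digests are compared case-insensitively on both sides; previously only the local
    // MRENCLAVE was lower-cased, so an upper-case service value reported a false mismatch.
    var mrEnclave = MrEnclaveHex.ToLowerInvariant();
    Report("MRENCLAVE match",
        string.Equals(mrEnclave, serviceResult.MrEnclave, StringComparison.OrdinalIgnoreCase),
        mrEnclave, serviceResult.MrEnclave);

    var mrSigner = MrSignerHex.ToLowerInvariant();
    Report("MRSIGNER match",
        string.Equals(mrSigner, serviceResult.MrSigner, StringComparison.OrdinalIgnoreCase),
        mrSigner, serviceResult.MrSigner);

    // ProductIdHex is decoded to bytes and read in host byte order — TODO confirm the
    // expected endianness of the hex string.
    var productId = BitConverter.ToUInt64(HexHelper.ConvertHexToByteArray(ProductIdHex), 0);
    Report("ProductID match", productId == (ulong)serviceResult.ProductId, productId, serviceResult.ProductId);

    Report("Security Version match", SecurityVersion == (uint)serviceResult.Svn, SecurityVersion, serviceResult.Svn);

    // Enclave held data is compared byte-for-byte; a missing service value counts as empty.
    var ehdExpected = HexHelper.ConvertHexToByteArray(EnclaveHeldDataHex);
    var ehdActual = serviceResult.EnclaveHeldData?.ToArray() ?? Array.Empty<byte>();
    Logger.WriteLine($"Enclave Held Data match : {ehdExpected.SequenceEqual(ehdActual)}");
    if (includeDetails)
    {
        Logger.WriteLine(17, 100, " We think : ", Convert.ToBase64String(ehdExpected));
        Logger.WriteLine(17, 100, " MAA service: ", Convert.ToBase64String(ehdActual));
    }

    Logger.WriteLine("");
}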