public async Task GetPolicyIsolated()
{
var adminclient = GetIsolatedAdministrationClient();
StoredAttestationPolicy policyResult = await adminclient.GetPolicyAsync(AttestationType.SgxEnclave);
var result = policyResult.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
var policy = System.Text.Encoding.UTF8.GetString(policyRaw);
Assert.IsTrue(policy.StartsWith("version"));
}
public async Task AttestSgxEnclaveSharedValidateCallback()
{
// An SGX Quote is an OpenEnclave report with the first 16 bytes stripped from it.
var report = Base64Url.Decode(_openEnclaveReport);
var quoteList = report.ToList();
quoteList.RemoveRange(0, 0x10);
byte[] binaryQuote = quoteList.ToArray();
byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData);
bool callbackInvoked = false;
var tokenValidationOptions = new AttestationTokenValidationOptions
{
ValidateExpirationTime = TestEnvironment.IsTalkingToLiveServer,
};
tokenValidationOptions.TokenValidated += (AttestationTokenValidationEventArgs args) =>
{
// Verify that the callback can access the enclave held data field.
CollectionAssert.AreEqual(binaryRuntimeData, args.Token.GetBody <AttestationResult>().EnclaveHeldData.ToArray());
// The MAA service always sends a Key ID for the signer.
Assert.IsNotNull(args.Signer.CertificateKeyId);
Assert.AreEqual(TestEnvironment.SharedAttestationUrl, args.Token.Issuer);
callbackInvoked = true;
return(Task.CompletedTask);
};
var client = TestEnvironment.GetSharedAttestationClient(this, tokenValidationOptions);
IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value;
{
// Collect quote and enclave held data from an SGX enclave.
var attestationResult = await client.AttestSgxEnclaveAsync(
new AttestationRequest
{
Evidence = BinaryData.FromBytes(binaryQuote),
RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), false),
});
// Confirm that the attestation token contains the enclave held data we specified.
CollectionAssert.AreEqual(binaryRuntimeData, attestationResult.Value.EnclaveHeldData.ToArray());
// VERIFY ATTESTATIONRESULT.
// Encrypt Data using DeprecatedEnclaveHeldData
// Send to enclave.
Assert.IsTrue(callbackInvoked);
}
}
public async Task AttestSgxEnclaveShared()
{
// An SGX Quote is an OpenEnclave report with the first 16 bytes stripped from it.
var report = Base64Url.Decode(_openEnclaveReport);
var quoteList = report.ToList();
quoteList.RemoveRange(0, 0x10);
byte[] binaryQuote = quoteList.ToArray();
byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData);
var client = TestEnvironment.GetSharedAttestationClient(this);
IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value;
{
// Collect quote and enclave held data from an SGX enclave.
var attestationResult = await client.AttestSgxEnclaveAsync(
new AttestationRequest
{
Evidence = BinaryData.FromBytes(binaryQuote),
RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), false),
});
// Confirm that the attestation token contains the enclave held data we specified.
CollectionAssert.AreEqual(binaryRuntimeData, attestationResult.Value.EnclaveHeldData.ToArray());
// VERIFY ATTESTATIONRESULT.
// Encrypt Data using DeprecatedEnclaveHeldData
// Send to enclave.
}
{
// Collect quote and enclave held data from an SGX enclave.
var attestationResult = await client.AttestSgxEnclaveAsync(
new AttestationRequest
{
Evidence = BinaryData.FromBytes(binaryQuote),
RuntimeData = new AttestationData(BinaryData.FromBytes(binaryRuntimeData), true),
});
// Confirm that the attestation token contains the enclave held data we specified.
Assert.IsNull(attestationResult.Value.EnclaveHeldData);
// VERIFY ATTESTATIONRESULT.
// Encrypt Data using DeprecatedEnclaveHeldData
// Send to enclave.
}
}
public async Task AttestSgxShared()
{
byte[] binaryQuote = Base64Url.Decode(_sgxQuote);
byte[] binaryRuntimeData = Base64Url.Decode(_runtimeData);
var client = GetSharedAttestationClient();
IReadOnlyList <AttestationSigner> signingCertificates = (await client.GetSigningCertificatesAsync()).Value;
{
// Collect quote and enclave held data from an SGX enclave.
var attestationResult = await client.AttestSgxEnclaveAsync(binaryQuote, null, false, BinaryData.FromBytes(binaryRuntimeData), false);
// Confirm that the attestation token contains the enclave held data we specified.
CollectionAssert.AreEqual(binaryRuntimeData, attestationResult.Value.DeprecatedEnclaveHeldData);
// VERIFY ATTESTATIONRESULT.
// Encrypt Data using DeprecatedEnclaveHeldData
// Send to enclave.
}
}
public async Task SetPolicySecured(AttestationAdministrationClient adminClient, bool isIsolated)
{
// Reset the current attestation policy to a known state. Necessary if there were previous runs that failed.
await ResetAttestationPolicy(adminClient, AttestationType.OpenEnclave, true, isIsolated);
string originalPolicy;
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
var result = policyResult.Value.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
originalPolicy = System.Text.Encoding.UTF8.GetString(policyRaw);
}
X509Certificate2 x509Certificate;
RSA rsaKey;
if (isIsolated)
{
x509Certificate = TestEnvironment.PolicyManagementCertificate;
rsaKey = TestEnvironment.PolicyManagementKey;
}
else
{
x509Certificate = TestEnvironment.PolicyCertificate0;
rsaKey = TestEnvironment.PolicySigningKey0;
}
byte[] disallowDebuggingHash;
{
var policySetToken = new SecuredAttestationToken(new StoredAttestationPolicy {
AttestationPolicy = Base64Url.EncodeString(disallowDebugging)
}, rsaKey, x509Certificate);
var policySetResult = await adminClient.SetPolicyAsync(AttestationType.OpenEnclave, policySetToken);
var shaHasher = SHA256Managed.Create();
disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution);
CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash);
Assert.AreEqual(x509Certificate, policySetResult.Value.PolicySigner.SigningCertificates[0]);
}
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
var result = policyResult.Value.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
var policy = System.Text.Encoding.UTF8.GetString(policyRaw);
Assert.AreEqual(disallowDebugging, policy);
}
{
var policyResetToken = new SecuredAttestationToken(rsaKey, x509Certificate);
var policySetResult = await adminClient.ResetPolicyAsync(AttestationType.OpenEnclave, policyResetToken);
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
}
{
var policyResult = await adminClient.GetPolicyAsync(AttestationType.OpenEnclave);
var result = policyResult.Value.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
var policy = System.Text.Encoding.UTF8.GetString(policyRaw);
// And when we're done, policy should be reset to the original value.
Assert.AreEqual(originalPolicy, policy);
}
}
public async Task SetPolicyUnsecuredAad()
{
var adminclient = GetAadAdministrationClient();
// Reset the current attestation policy to a known state. Necessary if there were previous runs that failed.
await ResetAttestationPolicy(adminclient, AttestationType.OpenEnclave, false, false);
string originalPolicy;
{
var policyResult = await adminclient.GetPolicyAsync(AttestationType.OpenEnclave);
var result = policyResult.Value.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
originalPolicy = System.Text.Encoding.UTF8.GetString(policyRaw);
}
byte[] disallowDebuggingHash;
{
var policySetToken = new UnsecuredAttestationToken(new StoredAttestationPolicy {
AttestationPolicy = Base64Url.EncodeString(disallowDebugging)
});
var policySetResult = await adminclient.SetPolicyAsync(AttestationType.OpenEnclave, policySetToken);
var shaHasher = SHA256Managed.Create();
disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.ToString()));
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Updated, policySetResult.Value.PolicyResolution);
CollectionAssert.AreEqual(disallowDebuggingHash, policySetResult.Value.PolicyTokenHash);
}
{
var policyResult = await adminclient.GetPolicyAsync(AttestationType.OpenEnclave);
var result = policyResult.Value.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
var policy = System.Text.Encoding.UTF8.GetString(policyRaw);
Assert.AreEqual(disallowDebugging, policy);
}
{
var policyResetToken = new UnsecuredAttestationToken();
var policySetResult = await adminclient.ResetPolicyAsync(AttestationType.OpenEnclave, policyResetToken);
Assert.AreEqual(200, policySetResult.GetRawResponse().Status);
Assert.AreEqual(PolicyModification.Removed, policySetResult.Value.PolicyResolution);
}
{
var policyResult = await adminclient.GetPolicyAsync(AttestationType.OpenEnclave);
var result = policyResult.Value.AttestationPolicy;
var policyRaw = Base64Url.Decode(result);
var policy = System.Text.Encoding.UTF8.GetString(policyRaw);
// And when we're done, policy should be reset to the original value.
Assert.AreEqual(originalPolicy, policy);
}
}