AttestationAdministrationClient.SetPolicyAsync Method
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Sets the attestation policy for the specified AttestationType.
public virtual System.Threading.Tasks.Task<Azure.Security.Attestation.AttestationResponse<Azure.Security.Attestation.PolicyModificationResult>> SetPolicyAsync (Azure.Security.Attestation.AttestationType attestationType, string policyToSet, Azure.Security.Attestation.AttestationTokenSigningKey signingKey = default, System.Threading.CancellationToken cancellationToken = default);
abstract member SetPolicyAsync : Azure.Security.Attestation.AttestationType * string * Azure.Security.Attestation.AttestationTokenSigningKey * System.Threading.CancellationToken -> System.Threading.Tasks.Task<Azure.Security.Attestation.AttestationResponse<Azure.Security.Attestation.PolicyModificationResult>>
override this.SetPolicyAsync : Azure.Security.Attestation.AttestationType * string * Azure.Security.Attestation.AttestationTokenSigningKey * System.Threading.CancellationToken -> System.Threading.Tasks.Task<Azure.Security.Attestation.AttestationResponse<Azure.Security.Attestation.PolicyModificationResult>>
Public Overridable Function SetPolicyAsync (attestationType As AttestationType, policyToSet As String, Optional signingKey As AttestationTokenSigningKey = Nothing, Optional cancellationToken As CancellationToken = Nothing) As Task(Of AttestationResponse(Of PolicyModificationResult))
Parameters
- attestationType
- AttestationType
AttestationType whose policy should be set.
- policyToSet
- String
Specifies the attestation policy to set.
- signingKey
- AttestationTokenSigningKey
If provided, specifies the signing key used to sign the request to the attestation service.
- cancellationToken
- CancellationToken
Cancellation token used to cancel this operation.
Returns
An AttestationResponse<T> with the policy for the specified attestation type.
Remarks
If the signingKey parameter is not provided, then the policy document sent to the attestation service will be unsigned. Unsigned attestation policies are only allowed when the attestation instance is running in AAD mode; if the attestation instance is running in Isolated mode, then a signing key and signing certificate MUST be provided to ensure that the caller of the API is authorized to change policy. The Certificate field MUST be one of the certificates returned by the GetPolicyManagementCertificates(CancellationToken) API.
Clients need to be able to verify that the attestation policy document was not modified before the policy document was received by the attestation service's enclave. There are two properties provided in the PolicyModificationResult that can be used to verify that the service received the policy document:
- PolicySigner - if the SetPolicy(AttestationType, String, AttestationTokenSigningKey, CancellationToken) call included a signing certificate, this will be the certificate provided at the time of the SetPolicy call. If no policy signer was set, this will be null.
- PolicyTokenHash - this is the SHA-256 hash of the JSON Web Token sent to the service.
// The SetPolicyAsync API will create an AttestationToken signed with the AttestationTokenSigningKey to transmit the policy.
// To verify that the policy specified by the caller was received by the service inside the enclave, we
// verify that the hash of the policy document returned from the Attestation Service matches the hash
// of an attestation token created locally.
// attestationPolicy is the policy text passed to SetPolicyAsync; setResult is the AttestationResponse it returned.
AttestationTokenSigningKey signingKey = new AttestationTokenSigningKey(<Customer provided signing key>, <Customer provided certificate>);
var policySetToken = new AttestationToken(
    BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = attestationPolicy }),
    signingKey);
using var shaHasher = SHA256.Create();
byte[] attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));
Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash.ToArray()));
If the signing key and certificate are not provided, then the SetPolicyAsync API will create an unsecured attestation token wrapping the attestation policy. To validate the PolicyTokenHash return value, a developer can create their own AttestationToken and create the hash of that.
using var shaHasher = SHA256.Create();
// disallowDebugging is the policy text that was passed to SetPolicyAsync without a signing key,
// so the token built here is unsecured, exactly like the one the SDK sent.
var policySetToken = new AttestationToken(
    BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = disallowDebugging }));
byte[] disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));
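The following is an added end-to-end example (not part of this reference page or the SDK's own samples) that ties the two checks above together for an Isolated-mode instance: it signs the policy with the policy management certificate, calls SetPolicyAsync, and then verifies both the PolicyTokenHash and the PolicySigner the service echoes back. It assumes ATTESTATION_ENDPOINT and POLICY_SIGNING_PFX environment variables, a PFX holding a certificate already registered as a policy management certificate together with its RSA private key, and the member names AttestationSigner.SigningCertificates and PolicyModificationResult.PolicyResolution, which should be checked against the SDK version in use.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.Attestation;

// Added example: set an SGX enclave policy and confirm the enclave received exactly the token we signed.
// Assumed inputs: ATTESTATION_ENDPOINT (instance URL) and POLICY_SIGNING_PFX (path to the signing PFX).
static async Task SetAndVerifyPolicyAsync(string policyText)
{
    var endpoint = new Uri(Environment.GetEnvironmentVariable("ATTESTATION_ENDPOINT"));
    var client = new AttestationAdministrationClient(endpoint, new DefaultAzureCredential());

    using var cert = new X509Certificate2(Environment.GetEnvironmentVariable("POLICY_SIGNING_PFX"));
    using RSA rsaKey = cert.GetRSAPrivateKey();
    var signingKey = new AttestationTokenSigningKey(rsaKey, cert);

    // Build locally the same signed token SetPolicyAsync will transmit, and hash its serialized form.
    var localToken = new AttestationToken(
        BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = policyText }),
        signingKey);
    using var sha256 = SHA256.Create();
    byte[] expectedHash = sha256.ComputeHash(Encoding.UTF8.GetBytes(localToken.Serialize()));

    AttestationResponse<PolicyModificationResult> response =
        await client.SetPolicyAsync(AttestationType.SgxEnclave, policyText, signingKey);
    PolicyModificationResult result = response.Value;

    // Check 1: the hash computed inside the enclave must match the token we built; a mismatch means
    // the policy the service applied is not the one we authored.
    if (!CryptographicOperations.FixedTimeEquals(expectedHash, result.PolicyTokenHash.ToArray()))
        throw new InvalidOperationException("PolicyTokenHash mismatch: policy may have been altered in transit.");

    // Check 2: the signer the service reports must be the policy management certificate we used.
    X509Certificate2 signer = result.PolicySigner?.SigningCertificates?.FirstOrDefault();
    if (signer == null || !signer.Thumbprint.Equals(cert.Thumbprint, StringComparison.OrdinalIgnoreCase))
        throw new InvalidOperationException("PolicySigner does not match the certificate used to sign the request.");

    Console.WriteLine($"Policy {result.PolicyResolution}; token hash and signer verified.");
}
```

In AAD mode the same flow works with the signing key omitted on both the local AttestationToken and the SetPolicyAsync call, in which case PolicySigner is null and only the hash check applies.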
Applies to
Azure SDK for .NET