AttestationClient Class
Provides access to the Attestation family of APIs for trusted environment attestation.
Tip
The validate_token, validation_callback, validate_signature,
validate_expiration, validate_not_before_time, validate_issuer, and
issuer keyword arguments are default values applied to each API call within
the AttestationClient class. These values can be
overridden on individual API calls as needed.
For additional client creation configuration options, please see Python Request Options.
Constructor
AttestationClient(endpoint: str, credential: AsyncTokenCredential, **kwargs: Any)
Parameters
Name | Description |
---|---|
credential (Required) | Credentials for the caller used to interact with the service. |
endpoint (Required) | The attestation instance base URI, for example https://mytenant.attest.azure.net. |
Keyword-Only Parameters
Name | Description |
---|---|
validate_token | If True, validate the token; otherwise return the token unvalidated. |
validation_callback | Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should throw an exception. |
validate_signature | If True, validate the signature of the token being validated. |
validate_expiration | If True, validate the expiration time of the token being validated. |
issuer | Expected issuer, used if validate_issuer is True. |
validation_slack | Slack time for validation: a tolerance applied to account for clock drift between the issuer and the current machine. |
validate_issuer | If True, validate that the issuer of the token matches the expected issuer. |
validate_not_before_time | If True, validate the "Not Before" time in the token. |
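The keyword options above describe the checks the client applies before handing a token back to the caller. The following added example (not code from the azure-security-attestation package or its documentation) applies the same semantics to a raw attestation JWT in plain Python so the rules can be exercised offline: issuer match, exp and nbf with validation_slack, and rejection of the unsecured alg "none" token that a draft_policy request yields. make_test_token and the sample claims are constructed for the demonstration, and no signature verification is performed.

```python
import base64
import json
import time

class TokenValidationError(Exception):
    """Raised when an attestation token fails a check."""

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_attestation_token(token, *, expected_issuer, validation_slack=0,
                            allow_unsecured=False, now=None):
    """Apply the page's validation options to a raw attestation JWT; returns the claims.

    Mirrors validate_issuer, validate_expiration, validate_not_before_time and
    validation_slack (seconds); also rejects an unsecured token (alg "none", what a
    draft_policy request yields) unless allow_unsecured is set. No signature check here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("token is not a three-part JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg", "none") == "none":
        if not allow_unsecured:
            raise TokenValidationError("unsecured token (alg none) rejected")
    elif not parts[2]:
        raise TokenValidationError("signed token is missing its signature")
    if claims.get("iss") != expected_issuer:
        raise TokenValidationError("unexpected issuer %r" % claims.get("iss"))
    now = time.time() if now is None else now
    if "exp" in claims and now > claims["exp"] + validation_slack:
        raise TokenValidationError("token expired")
    if "nbf" in claims and now < claims["nbf"] - validation_slack:
        raise TokenValidationError("token not yet valid")
    return claims

def is_valid(token, **options) -> bool:
    """Boolean form of check_attestation_token for callers that want to branch."""
    try:
        check_attestation_token(token, **options)
        return True
    except TokenValidationError:
        return False

def make_test_token(header: dict, claims: dict, signature: bytes = b"") -> str:
    """Build a constructed JWT for offline demonstration; the signature bytes are not real."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(json.dumps(claims).encode()), enc(signature)])
```

In production the SDK performs these checks itself when the corresponding validate_* options are True; the point here is to see how validation_slack widens the exp/nbf window and why a draft_policy token must not be accepted on a path that expects a signed one.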
Methods
Name | Description |
---|---|
attest_open_enclave | Attests the validity of an Open Enclave report. Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token. For additional request configuration options, please see Python Request Options. |
attest_sgx_enclave | Attests the validity of an SGX quote. Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token. For additional request configuration options, please see Python Request Options. |
attest_tpm | Attests a TPM based enclave. See the TPM Attestation Protocol Reference for more information. |
close | Closes the client. |
get_open_id_metadata | Retrieves the OpenID metadata configuration document for this attestation instance. The metadata configuration document is defined in the OpenID Connect Discovery specification. The attestation service currently returns the following fields: issuer, jwks_uri, claims_supported. |
get_signing_certificates | Returns the set of signing certificates used to sign attestation tokens. For additional request configuration options, please see Python Request Options. |
attest_open_enclave
Attests the validity of an Open Enclave report.
Note
Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.
For additional request configuration options, please see Python Request Options.
async attest_open_enclave(report: bytes, *, inittime_json: bytes = None, inittime_data: bytes = None, runtime_json: bytes = None, runtime_data: bytes = None, **kwargs: Any) -> Tuple[AttestationResult, AttestationToken]
Parameters
Name | Description |
---|---|
report (Required) | An open_enclave report generated from an Intel(tm) SGX enclave. |
Keyword-Only Parameters
Name | Description |
---|---|
inittime_data | Data presented at the time that the SGX enclave was initialized. Default value: None |
inittime_json | Data presented at the time that the SGX enclave was initialized, JSON encoded. Default value: None |
runtime_data | Data presented at the time that the open_enclave report was created. Default value: None |
runtime_json | Data presented at the time that the open_enclave report was created, JSON encoded. Default value: None |
draft_policy | "draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, this policy document is used for the attestation request instead of the configured policy. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API. |
validate_token | If True, validate the token; otherwise return the token unvalidated. |
validation_callback | Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should throw an exception. |
validate_signature | If True, validate the signature of the token being validated. |
validate_expiration | If True, validate the expiration time of the token being validated. |
issuer | Expected issuer, used if validate_issuer is True. |
validation_slack | Slack time for validation: a tolerance applied to account for clock drift between the issuer and the current machine. |
validate_issuer | If True, validate that the issuer of the token matches the expected issuer. |
validate_not_before_time | If True, validate the "Not Before" time in the token. |
Returns
Type | Description |
---|---|
Tuple[AttestationResult, AttestationToken] | The AttestationResult containing the claims in the returned attestation token, together with the AttestationToken itself. |
Examples
Attesting using a draft attestation policy.
```python
from azure.identity.aio import DefaultAzureCredential
from azure.security.attestation.aio import AttestationClient

draft_policy = """
version= 1.0;
authorizationrules
{
    [ type=="x-ms-sgx-is-debuggable", value==false ] &&
    [ type=="x-ms-sgx-product-id", value==1 ] &&
    [ type=="x-ms-sgx-svn", value>= 0 ] &&
    [ type=="x-ms-sgx-mrsigner", value=="2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"]
        => permit();
};
issuancerules {
    c:[type=="x-ms-sgx-mrsigner"] => issue(type="My-MrSigner", value=c.value);
};
"""
print("Attest Open enclave using ", self.shared_url)
print("Using draft policy:", draft_policy)
# oe_report and runtime_data are the Open Enclave report and the runtime data
# bound to it, obtained from the enclave before this call.
async with DefaultAzureCredential() as credential, AttestationClient(
    self.shared_url, credential
) as attest_client:
    response, token = await attest_client.attest_open_enclave(
        oe_report, runtime_data=runtime_data, draft_policy=draft_policy
    )
    # With a draft policy the token is unsecured, so token.algorithm reports that.
    print("Token algorithm", token.algorithm)
    print("Issuer of token is: ", response.issuer)
```
attest_sgx_enclave
Attests the validity of an SGX quote.
Note
Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.
For additional request configuration options, please see Python Request Options.
async attest_sgx_enclave(quote: bytes, *, inittime_json: bytes = None, inittime_data: bytes = None, runtime_json: bytes = None, runtime_data: bytes = None, **kwargs: Any) -> Tuple[AttestationResult, AttestationToken]
Parameters
Name | Description |
---|---|
quote (Required) | An SGX quote generated from an Intel(tm) SGX enclave. |
Keyword-Only Parameters
Name | Description |
---|---|
inittime_data | Data presented at the time that the SGX enclave was initialized. Default value: None |
inittime_json | Data presented at the time that the SGX enclave was initialized, JSON encoded. Default value: None |
runtime_data | Data presented at the time that the SGX quote was created. Default value: None |
runtime_json | Data presented at the time that the SGX quote was created, JSON encoded. Default value: None |
draft_policy | "draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, this policy document is used for the attestation request instead of the configured policy. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API. |
validate_token | If True, validate the token; otherwise return the token unvalidated. |
validation_callback | Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should throw an exception. |
validate_signature | If True, validate the signature of the token being validated. |
validate_expiration | If True, validate the expiration time of the token being validated. |
issuer | Expected issuer, used if validate_issuer is True. |
validation_slack | Slack time for validation: a tolerance applied to account for clock drift between the issuer and the current machine. |
validate_issuer | If True, validate that the issuer of the token matches the expected issuer. |
validate_not_before_time | If True, validate the "Not Before" time in the token. |
Returns
Type | Description |
---|---|
Tuple[AttestationResult, AttestationToken] | The AttestationResult containing the claims in the returned attestation token, together with the AttestationToken itself. |
Examples
Attesting an SGX Enclave
```python
from azure.identity.aio import DefaultAzureCredential
from azure.security.attestation.aio import AttestationClient

print("\nAttest SGX enclave using {}".format(self.shared_url))
# quote and runtime_data are the SGX quote and the runtime data bound to it,
# obtained from the enclave before this call.
async with DefaultAzureCredential() as credential, AttestationClient(
    self.shared_url, credential
) as attest_client:
    response, _ = await attest_client.attest_sgx_enclave(
        quote, runtime_data=runtime_data
    )
    print("Issuer of token is: ", response.issuer)
```
attest_tpm
Attest a TPM based enclave.
See the TPM Attestation Protocol Reference for more information.
async attest_tpm(content: str, **kwargs: Any) -> str
Parameters
Name | Description |
---|---|
content (Required) | Data to send to the TPM attestation service. |
Returns
Type | Description |
---|---|
str | A structure containing the response from the TPM attestation. |
close
async close() -> None
get_open_id_metadata
Retrieves the OpenID metadata configuration document for this attestation instance. The metadata configuration document is defined in the OpenID Connect Discovery specification. The attestation service currently returns the following fields:
- issuer
- jwks_uri
- claims_supported
async get_open_id_metadata(**kwargs: Any) -> Dict[str, Any]
Returns
Type | Description |
---|---|
Dict[str, Any] | OpenID metadata configuration. |
get_signing_certificates
Returns the set of signing certificates used to sign attestation tokens.
For additional request configuration options, please see Python Request Options.
async get_signing_certificates(**kwargs: Any) -> List[AttestationSigner]
Returns
Type | Description |
---|---|
List[AttestationSigner] | A list of AttestationSigner objects. |