Contoh token pengesahan
Kebijakan pengesahan digunakan untuk memproses bukti pengesahan dan menentukan apakah Azure Attestation mengeluarkan token pengesahan. Pembuatan token pengesahan dapat dikontrol dengan kebijakan kustom. Berikut adalah beberapa contoh token pengesahan.
Contoh JSON Web Token (JWT) yang dihasilkan untuk pengesahan Software Guard Extensions (SGX)
{
"alg": "RS256",
"jku": "https://tradewinds.us.attest.azure.net/certs",
"kid": <self signed certificate reference to perform signature verification of attestation token,
"typ": "JWT"
}.{
"aas-ehd": <input enclave held data>,
"exp": 1568187398,
"iat": 1568158598,
"is-debuggable": false,
"iss": "https://tradewinds.us.attest.azure.net",
"maa-attestationcollateral":
{
"qeidcertshash": <SHA256 value of QE Identity issuing certs>,
"qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
"qeidhash": <SHA256 value of the QE Identity collateral>,
"quotehash": <SHA256 value of the evaluated quote>,
"tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
"tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
"tcbinfohash": <SHA256 value of the TCB Info collateral>
},
"maa-ehd": <input enclave held data>,
"nbf": 1568158598,
"product-id": 4639,
"sgx-mrenclave": <SGX enclave mrenclave value>,
"sgx-mrsigner": <SGX enclave msrigner value>,
"svn": 0,
"tee": "sgx"
"x-ms-attestation-type": "sgx",
"x-ms-policy-hash": <>,
"x-ms-sgx-collateral":
{
"qeidcertshash": <SHA256 value of QE Identity issuing certs>,
"qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
"qeidhash": <SHA256 value of the QE Identity collateral>,
"quotehash": <SHA256 value of the evaluated quote>,
"tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>,
"tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>,
"tcbinfohash": <SHA256 value of the TCB Info collateral>
},
"x-ms-sgx-ehd": <>,
"x-ms-sgx-is-debuggable": true,
"x-ms-sgx-mrenclave": <SGX enclave mrenclave value>,
"x-ms-sgx-mrsigner": <SGX enclave msrigner value>,
"x-ms-sgx-product-id": 1,
"x-ms-sgx-svn": 1,
"x-ms-ver": "1.0",
"x-ms-sgx-config-id": "000102030405060708090a0b0c0d8f99000102030405060708090a0b0c860e9a000102030405060708090a0b7d0d0e9b000102030405060708090a740c0d0e9c",
"x-ms-sgx-config-svn": 3451,
"x-ms-sgx-isv-extended-product-id": "8765432143211234abcdabcdef123456",
"x-ms-sgx-isv-family-id": "1234567812344321abcd1234567890ab"
}.[Signature]
Beberapa klaim yang digunakan di sini dianggap tidak digunakan lagi tetapi didukung sepenuhnya. Disarankan agar semua kode dan alat di masa mendatang menggunakan nama klaim yang tidak digunakan lagi. Untuk informasi selengkapnya, lihat klaim yang dikeluarkan oleh Azure Attestation.
Klaim di bawah ini hanya muncul dalam token pengesahan yang dihasilkan untuk platform server berbasis prosesor Intel® Xeon® Scalable. Klaim tidak muncul jika enklave SGX tidak dikonfigurasi dengan Pemisahan Kunci dan Dukungan Berbagi.
x-ms-sgx-config-id
x-ms-sgx-config-svn
x-ms-sgx-isv-extended-product-id
x-ms-sgx-isv-family-id
Sampel JWT yang dihasilkan untuk pengesahan SEV-SNP
{
"exp": 1649970020,
"iat": 1649941220,
"iss": "https://maasandbox0001.wus.attest.azure.net",
"jti": "b65da1dcfbb4698b0bb2323cac664b745a2ff1cffbba55641fd65784aa9474d5",
"nbf": 1649941220,
"x-ms-attestation-type": "sevsnpvm",
"x-ms-compliance-status": "azure-compliant-cvm",
"x-ms-policy-hash": "LTPRQQju-FejAwdYihF8YV_c2XWebG9joKvrHKc3bxs",
"x-ms-runtime": {
"keys": [
{
"e": "AQAB",
"key_ops": ["encrypt"],
"kid": "HCLTransferKey",
"kty": "RSA",
"n": "ur08DccjGGzRo3OIq445n00Q3OthMIbR3SWIzCcicIM_7nPiVF5NBIknk2zdHZN1iiNhIzJezrXSqVT7Ty1Dl4AB5xiAAqxo7xGjFqlL47NA8WbZRMxQtwlsOjZgFxosDNXIt6dMq7ODh4nj6nV2JMScNfRKyr1XFIUK0XkOWvVlSlNZjaAxj8H4pS0yNfNwr1Q94VdSn3LPRuZBHE7VrofHRGSHJraDllfKT0-8oKW8EjpMwv1ME_OgPqPwLyiRzr99moB7uxzjEVDe55D2i2mPrcmT7kSsHwp5O2xKhM68rda6F-IT21JgdhQ6n4HWCicslBmx4oqkI-x5lVsRkQ"
}
],
"vm-configuration": {
"secure-boot": true,
"secure-boot-template-id": "1734c6e8-3154-4dda-ba5f-a874cc483422",
"tpm-enabled": true,
"vmUniqueId": "AE5CBB2A-DC95-4870-A74A-EE4FB33B1A9C"
}
},
"x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-bootloader-svn": 0,
"x-ms-sevsnpvm-familyId": "01000000000000000000000000000000",
"x-ms-sevsnpvm-guestsvn": 1,
"x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-idkeydigest": "38ed94f9aab20bc5eb40e89c7cbb03aa1b9efb435892656ade789ccaa0ded82ff18bae0e849c3166351ba1fa7ff620a2",
"x-ms-sevsnpvm-imageId": "02000000000000000000000000000000",
"x-ms-sevsnpvm-is-debuggable": false,
"x-ms-sevsnpvm-launchmeasurement": "04a170f39a3f702472ed0c7ecbda9babfc530e3caac475fdd607ff499177d14c278c5a15ad07ceacd5230ae63d507e9d",
"x-ms-sevsnpvm-microcode-svn": 40,
"x-ms-sevsnpvm-migration-allowed": false,
"x-ms-sevsnpvm-reportdata": "99dd4593a43f4b0f5f10f1856c7326eba309b943251fededc15592e3250ca9e90000000000000000000000000000000000000000000000000000000000000000",
"x-ms-sevsnpvm-reportid": "d1d5c2c71596fae601433ecdfb62799de2a785cc08be3b1c8a4e26a381494787",
"x-ms-sevsnpvm-smt-allowed": true,
"x-ms-sevsnpvm-snpfw-svn": 0,
"x-ms-sevsnpvm-tee-svn": 0,
"x-ms-sevsnpvm-vmpl": 0,
"x-ms-ver": "1.0"
}
Sampel JWT yang dihasilkan untuk pengesahan TDX
Definisi klaim di bawah ini tersedia di profil Azure Attestation TDX EAT.
{
"attester_tcb_status": "UpToDate",
"dbgstat": "disabled",
"eat_profile": "https://aka.ms/maa-eat-profile-tdxvm",
"exp": 1697706287,
"iat": 1697677487,
"intuse": "generic",
"iss": "https://maasand001.eus.attest.azure.net",
"jti": "5f65006d573bc1c04f67820348c20f5d8da72ddbbd4d6c03da8de9f11b5cf29b",
"nbf": 1697677487,
"tdx_mrconfigid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrowner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrownerconfig": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrseam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656",
"tdx_mrsignerseam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_mrtd": "5be56d418d33661a6c21da77c9503a07e430b35eb92a0bd042a6b3c4e79b3c82bb1c594e770d0d129a0724669f1e953f",
"tdx_report_data": "93c6db49f2318387bcebdad0275e206725d948f9000d900344aa44abaef145960000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr0": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr1": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr2": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_rtmr3": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
"tdx_seam_attributes": "0000000000000000",
"tdx_seamsvn": 3,
"tdx_td_attributes": "0000000000000000",
"tdx_td_attributes_debug": false,
"tdx_td_attributes_key_locker": false,
"tdx_td_attributes_perfmon": false,
"tdx_td_attributes_protection_keys": false,
"tdx_td_attributes_septve_disable": false,
"tdx_tee_tcb_svn": "03000600000000000000000000000000",
"tdx_xfam": "e718060000000000",
"x-ms-attestation-type": "tdxvm",
"x-ms-compliance-status": "azure-compliant-cvm",
"x-ms-policy-hash": "B56nbp5slhw66peoRYkpdq1WykMkEworvdol08hnMXE",
"x-ms-runtime": {
"test-claim-name": "test-claim-value"
},
"x-ms-ver": "1.0"
}