AttestationAdministrationClient.SetPolicy Method

Definition

Sets the attestation policy for the specified AttestationType.

public virtual Azure.Security.Attestation.AttestationResponse<Azure.Security.Attestation.PolicyModificationResult> SetPolicy (Azure.Security.Attestation.AttestationType attestationType, string policyToSet, Azure.Security.Attestation.AttestationTokenSigningKey signingKey = default, System.Threading.CancellationToken cancellationToken = default);
abstract member SetPolicy : Azure.Security.Attestation.AttestationType * string * Azure.Security.Attestation.AttestationTokenSigningKey * System.Threading.CancellationToken -> Azure.Security.Attestation.AttestationResponse<Azure.Security.Attestation.PolicyModificationResult>
override this.SetPolicy : Azure.Security.Attestation.AttestationType * string * Azure.Security.Attestation.AttestationTokenSigningKey * System.Threading.CancellationToken -> Azure.Security.Attestation.AttestationResponse<Azure.Security.Attestation.PolicyModificationResult>
Public Overridable Function SetPolicy (attestationType As AttestationType, policyToSet As String, Optional signingKey As AttestationTokenSigningKey = Nothing, Optional cancellationToken As CancellationToken = Nothing) As AttestationResponse(Of PolicyModificationResult)

Parameters

attestationType
AttestationType

AttestationType whose policy should be set.

policyToSet
String

Specifies the attestation policy to set.

signingKey
AttestationTokenSigningKey

If provided, specifies the signing key used to sign the request to the attestation service.

cancellationToken
CancellationToken

Cancellation token used to cancel this operation.

Returns

An AttestationResponse<T> whose Value is the PolicyModificationResult for the specified attestation type (the outcome of the change, the hash of the policy token the service received, and the signer it was received from).

Remarks

If the signingKey parameter is not provided, then the policy document sent to the attestation service will be unsigned. Unsigned attestation policies are only allowed when the attestation instance is running in AAD mode. If the attestation instance is running in Isolated mode, then a signing key and signing certificate MUST be provided to ensure that the caller of the API is authorized to change policy, and the Certificate property of the AttestationTokenSigningKey MUST be one of the certificates returned by the GetPolicyManagementCertificates(CancellationToken) API.

Clients need to be able to verify that the attestation policy document was not modified before the policy document was received by the attestation service's enclave. Two properties of the returned PolicyModificationResult can be used to verify that the service received the policy document: PolicyTokenHash, the SHA-256 hash of the attestation token the service received, and PolicySigner, the certificate the policy was signed with (null when the policy was sent unsigned).

To verify the hash, clients build the same attestation token locally and compare its SHA-256 hash with the PolicyTokenHash returned by the service:
using System;
using System.Diagnostics;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using Azure;
using Azure.Security.Attestation;

// SetPolicy (and SetPolicyAsync) wraps the policy in an AttestationToken signed with the
// AttestationTokenSigningKey before transmitting it. To verify that the policy specified by the
// caller was received by the service inside the enclave, check that the hash of the policy token
// returned from the Attestation Service matches the hash of an identical token created locally.
// customerSigningKey is the caller's private key (an AsymmetricAlgorithm), customerCertificate the
// matching X509Certificate2 registered as a policy management certificate, client an
// AttestationAdministrationClient; AttestationType.SgxEnclave is chosen for illustration.
var signingKey = new AttestationTokenSigningKey(customerSigningKey, customerCertificate);
var setResult = client.SetPolicy(AttestationType.SgxEnclave, attestationPolicy, signingKey);

var policySetToken = new AttestationToken(
    BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = attestationPolicy }),
    signingKey);

using var shaHasher = SHA256.Create(); // SHA256Managed is obsolete; SHA256.Create() returns the platform implementation
byte[] attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));

// Debug.Assert is compiled out of Release builds; production code should throw on mismatch instead.
Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash.ToArray()));

If the signing key and certificate are not provided, then SetPolicy (and SetPolicyAsync) will create an unsecured attestation token (a JWT with "alg": "none") wrapping the attestation policy. To validate the PolicyTokenHash return value, a developer can create their own unsecured AttestationToken from the same policy and hash its serialized form in the same way:

// disallowDebugging holds the policy text that was sent without a signing key;
// AttestationType.SgxEnclave is chosen for illustration.
var setResult = client.SetPolicy(AttestationType.SgxEnclave, disallowDebugging);

// An AttestationToken built without a signing key is an unsecured token, matching what SetPolicy sent.
var policySetToken = new AttestationToken(
    BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = disallowDebugging }));

using var shaHasher = SHA256.Create();
byte[] disallowDebuggingHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));

// Debug.Assert is compiled out of Release builds; production code should throw on mismatch instead.
Debug.Assert(disallowDebuggingHash.SequenceEqual(setResult.Value.PolicyTokenHash.ToArray()));
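The full procedure the remarks describe, covering both the signed (Isolated mode) and unsigned (AAD mode) variants above, as an added example that is not part of the Azure SDK or of this page. It wraps SetPolicy so that a PolicyTokenHash or PolicySigner mismatch throws rather than being checked by a Debug.Assert that disappears in Release builds, and it checks the certificate against GetPolicyManagementCertificates before sending anything. Assumptions, not stated on this page: the AttestationToken(BinaryData) and AttestationToken(BinaryData, AttestationTokenSigningKey) constructors, GetPolicyManagementCertificates returning a list of X509Certificate2, PolicyModificationResult exposing PolicyTokenHash, PolicySigner (an AttestationSigner with SigningCertificates) and PolicyResolution (a PolicyModification enum with an Updated member), and .NET 5 or later for SHA256.HashData. The method name SetPolicyVerified and the class VerifiedPolicyUpdate are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Azure;
using Azure.Security.Attestation;

// Added example, not Azure SDK code. Sends a policy with SetPolicy and refuses to treat the
// update as successful unless the service's PolicyTokenHash and PolicySigner match what was sent.
public static class VerifiedPolicyUpdate
{
    // signingCertificate == null selects the AAD-mode path: an unsecured token is sent and no signer
    // is expected back. Otherwise the certificate must be a registered policy management certificate
    // with an RSA private key. Assumption: RS256 signatures are deterministic, so the token built here
    // is byte-identical to the one SetPolicy transmits; ECDSA signatures are randomized and would not match.
    public static PolicyModificationResult SetPolicyVerified(
        AttestationAdministrationClient client,
        AttestationType attestationType,
        string policy,
        X509Certificate2 signingCertificate = null)
    {
        AttestationTokenSigningKey signingKey = null;
        RSA privateKey = null;
        try
        {
            if (signingCertificate != null)
            {
                // Isolated mode only accepts policy signed by a registered management certificate;
                // checking locally first fails fast before any request leaves the machine.
                bool registered = client.GetPolicyManagementCertificates().Value
                    .Any(c => c.Thumbprint == signingCertificate.Thumbprint);
                if (!registered)
                    throw new InvalidOperationException("certificate is not a policy management certificate for this instance");

                privateKey = signingCertificate.GetRSAPrivateKey()
                    ?? throw new InvalidOperationException("certificate has no RSA private key");
                signingKey = new AttestationTokenSigningKey(privateKey, signingCertificate);
            }

            // Build the same token SetPolicy will transmit and hash it before the call, so the expected
            // value does not depend on anything the service returns.
            BinaryData body = BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = policy });
            AttestationToken localToken = signingKey == null
                ? new AttestationToken(body)              // unsecured token, "alg": "none"
                : new AttestationToken(body, signingKey); // signed token carrying the certificate
            byte[] expectedHash = SHA256.HashData(Encoding.UTF8.GetBytes(localToken.Serialize()));

            PolicyModificationResult result = client.SetPolicy(attestationType, policy, signingKey).Value;

            // Throw rather than Debug.Assert: an assert is compiled out of Release builds, which would
            // silently skip the only check that the enclave received the policy that was actually sent.
            if (!CryptographicOperations.FixedTimeEquals(expectedHash, result.PolicyTokenHash.ToArray()))
                throw new CryptographicException("PolicyTokenHash does not match the token sent to the service");

            // The signer echoed back must be the certificate used (Isolated) or absent (AAD mode).
            X509Certificate2 echoedSigner = result.PolicySigner?.SigningCertificates?.FirstOrDefault();
            bool signerMismatch = signingCertificate == null
                ? echoedSigner != null
                : echoedSigner == null || echoedSigner.Thumbprint != signingCertificate.Thumbprint;
            if (signerMismatch)
                throw new CryptographicException("PolicySigner does not match the certificate used to sign the policy");

            if (result.PolicyResolution != PolicyModification.Updated)
                throw new InvalidOperationException($"policy was not updated: {result.PolicyResolution}");

            return result;
        }
        finally
        {
            privateKey?.Dispose(); // GetRSAPrivateKey returns a fresh handle that the caller owns
        }
    }
}
```

A caller in Isolated mode passes the management certificate loaded with its private key (for example from a PFX); in AAD mode it omits the certificate and the method expects the service to report no signer. Because the comparison is against a token built before the request, a service or intermediary that altered the policy in transit cannot make the check pass by returning a hash of what it actually stored.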

Applies to