AttestationClient Class
Provides access to the Attestation family of APIs for trusted environment attestation.
Tip
The validate_token, validation_callback, validate_signature,
validate_expiration, validate_not_before_time, validate_issuer, issuer, and
validation_slack keyword arguments are default values applied to each API call within
the AttestationClient class. These values can be
overridden on individual API calls as needed.
For additional client creation configuration options, please see Python Request Options.
- Inheritance
- builtins.object → AttestationClient
Constructor
AttestationClient(endpoint: str, credential: TokenCredential, **kwargs: Any)
Parameters
- endpoint
- str
The attestation instance base URI, for example https://mytenant.attest.azure.net.
- credential
- TokenCredential
Credential used to authenticate to the attestation service, for example DefaultAzureCredential from azure.identity as used in the examples below.
- validate_token
- bool
If True, validate the token, otherwise return the token unvalidated.
- validation_callback
- Callable[[AttestationToken, AttestationSigner], None]
Function callback to allow clients to perform custom validation of the token. If the token is invalid, the validation_callback function should throw an exception.
- validate_signature
- bool
If True, validate the signature of the token being validated.
- validate_expiration
- bool
If True, validate the expiration time of the token being validated.
- issuer
- str
Expected issuer, used if validate_issuer is True.
- validation_slack
- float
Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.
- validate_issuer
- bool
If True, validate that the issuer of the token matches the expected issuer.
- validate_not_before_time
- bool
If True, validate the "Not Before" (nbf) time in the token.
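The validation keyword arguments above let the client verify the token's signature, lifetime and issuer, but the decision of which signing certificate to trust is left to validation_callback. The following is an added example, not code from the SDK or from this page: a validation_callback that rejects unsecured (alg "none") tokens, requires the expected issuer, and pins the signing certificate to an allow-list of SHA-256 fingerprints. It assumes only documented attributes of the SDK objects (token.algorithm, token.issuer, signer.certificates as a list of PEM strings with the signing certificate first), assumes the token issuer equals the instance endpoint, and the attest_with_pinned_signer wrapper is hypothetical. The offline demo() runs the callback against constructed token/signer stand-ins, not real service output.

```python
import base64
import hashlib
import re
from types import SimpleNamespace
from typing import Callable, Dict, Iterable, Set

# Attributes of the SDK objects this callback relies on (an assumption about the
# documented types): token.algorithm and token.issuer on AttestationToken, and
# signer.certificates (PEM-encoded X.509 chain, signing certificate first) on
# AttestationSigner.

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_chain: Iterable[str]) -> str:
    """Hex SHA-256 of the DER bytes of the first certificate in a PEM chain."""
    leaf = next(iter(pem_chain))
    match = _PEM_CERT.search(leaf)
    if match is None:
        raise ValueError("signing certificate is not PEM encoded")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def make_pinning_callback(expected_issuer: str, pinned: Set[str]) -> Callable:
    """Build a validation_callback that pins the token's signing certificate.

    With validate_signature the SDK already checks the signature against the
    instance's published signing certificates; this callback adds what the SDK
    leaves to the caller: reject unsecured tokens (alg "none"), require the
    expected issuer, and accept only an allow-listed signing certificate.
    Raising is how a validation_callback reports an invalid token.
    """

    def validation_callback(token, signer) -> None:
        if (token.algorithm or "none").lower() == "none":
            raise ValueError("unsecured attestation token (alg none) is not trusted")
        if token.issuer != expected_issuer:
            raise ValueError(f"issuer {token.issuer!r} is not {expected_issuer!r}")
        if signer is None or not signer.certificates:
            raise ValueError("token came without a signing certificate")
        fingerprint = leaf_fingerprint(signer.certificates)
        if fingerprint not in pinned:
            raise ValueError(f"signing certificate {fingerprint} is not pinned")

    return validation_callback


def attest_with_pinned_signer(endpoint: str, quote: bytes, runtime_data: bytes, pinned: Set[str]):
    """Hypothetical live wrapper (needs the SDK and an instance): install the
    callback as the client-wide default so every attest_* call enforces it."""
    from azure.identity import DefaultAzureCredential
    from azure.security.attestation import AttestationClient

    callback = make_pinning_callback(expected_issuer=endpoint, pinned=pinned)
    with AttestationClient(endpoint, DefaultAzureCredential(),
                           validation_callback=callback) as client:
        result, _token = client.attest_sgx_enclave(quote, runtime_data=runtime_data)
        return result


def _constructed_pem(der: bytes) -> str:
    """PEM framing around constructed bytes: a stand-in for the offline demo,
    not a real certificate."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def demo() -> Dict[str, str]:
    """Run the callback against constructed token/signer stand-ins (offline)."""
    issuer = "https://mytenant.attest.azure.net"
    trusted_chain = [_constructed_pem(b"constructed signing cert"), _constructed_pem(b"constructed ca")]
    rogue_chain = [_constructed_pem(b"constructed rogue cert")]
    check = make_pinning_callback(issuer, pinned={leaf_fingerprint(trusted_chain)})

    def outcome(token, signer) -> str:
        try:
            check(token, signer)
            return "accepted"
        except ValueError as exc:
            return f"rejected: {exc}"

    signed = SimpleNamespace(algorithm="RS256", issuer=issuer)
    return {
        "pinned_signer": outcome(signed, SimpleNamespace(certificates=trusted_chain)),
        "unpinned_signer": outcome(signed, SimpleNamespace(certificates=rogue_chain)),
        "unsecured_token": outcome(SimpleNamespace(algorithm="none", issuer=issuer), None),
        "wrong_issuer": outcome(SimpleNamespace(algorithm="RS256", issuer="https://other.example"),
                                SimpleNamespace(certificates=trusted_chain)),
    }
```

Pinning by fingerprint means a planned signing-certificate rotation on the instance (visible through get_signing_certificates) must be mirrored in the allow-list before the old certificate is retired, otherwise every attestation call starts failing closed, which is the intended behaviour.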
Methods
| Method | Description |
| --- | --- |
| attest_open_enclave | Attests the validity of an Open Enclave report. If the draft_policy parameter is provided, the resulting attestation token is an unsecured attestation token. For additional request configuration options, please see Python Request Options. |
| attest_sgx_enclave | Attests the validity of an SGX quote. If the draft_policy parameter is provided, the resulting attestation token is an unsecured attestation token. For additional request configuration options, please see Python Request Options. |
| attest_tpm | Attest a TPM based enclave. See the TPM Attestation Protocol Reference for more information. |
| close | Closes the client's underlying HTTP pipeline. |
| get_open_id_metadata | Retrieves the OpenID metadata configuration document for this attestation instance. The metadata configuration document is defined in the OpenID Connect Discovery specification; the attestation service currently returns the issuer, jwks_uri, and claims_supported fields. |
| get_signing_certificates | Returns the set of signing certificates used to sign attestation tokens. For additional request configuration options, please see Python Request Options. |
attest_open_enclave
Attests the validity of an Open Enclave report.
Note
If the draft_policy parameter is provided, the resulting attestation token is an unsecured attestation token: it carries no service signature, so use it only to test a policy document and never as evidence for a trust decision.
For additional request configuration options, please see Python Request Options.
attest_open_enclave(report: bytes, **kwargs: Any) -> Tuple[azure.security.attestation._models.AttestationResult, azure.security.attestation._models.AttestationToken]
Parameters
- report
- bytes
An Open Enclave report generated by the enclave being attested.
- inittime_data
- bytes
Data presented at the time that the SGX enclave was initialized. Mutually exclusive with inittime_json.
- inittime_json
- bytes
Data presented at the time that the SGX enclave was initialized, JSON encoded. Mutually exclusive with inittime_data.
- runtime_data
- bytes
Data presented at the time that the Open Enclave report was created. Mutually exclusive with runtime_json.
- runtime_json
- bytes
Data presented at the time that the Open Enclave report was created, JSON encoded. Mutually exclusive with runtime_data.
- draft_policy
- str
"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.
- validate_token
- bool
If True, validate the token, otherwise return the token unvalidated.
- validation_callback
- Callable[[AttestationToken, AttestationSigner], None]
Function callback to allow clients to perform custom validation of the token. If the token is invalid, the validation_callback function should throw an exception.
- validate_signature
- bool
If True, validate the signature of the token being validated.
- validate_expiration
- bool
If True, validate the expiration time of the token being validated.
- issuer
- str
Expected issuer, used if validate_issuer is True.
- validation_slack
- float
Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.
- validate_issuer
- bool
If True, validate that the issuer of the token matches the expected issuer.
- validate_not_before_time
- bool
If True, validate the "Not Before" (nbf) time in the token.
Returns
A tuple of (AttestationResult, AttestationToken): the AttestationResult holds the claims in the returned attestation token, and the AttestationToken is the token itself, validated according to the token validation options unless validate_token is False.
Return type
Tuple[AttestationResult, AttestationToken]
Examples
Attesting using a draft attestation policy.
draft_policy = """
version= 1.0;
authorizationrules
{
[ type=="x-ms-sgx-is-debuggable", value==false ] &&
[ type=="x-ms-sgx-product-id", value==1 ] &&
[ type=="x-ms-sgx-svn", value>= 0 ] &&
[ type=="x-ms-sgx-mrsigner", value=="2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"]
=> permit();
};
issuancerules {
c:[type=="x-ms-sgx-mrsigner"] => issue(type="My-MrSigner", value=c.value);
};
"""
print("Attest Open enclave using ", self.shared_url)
print("Using draft policy:", draft_policy)
with AttestationClient(
self.shared_url, DefaultAzureCredential()
) as attest_client:
response, token = attest_client.attest_open_enclave(
oe_report, runtime_data=runtime_data, draft_policy=draft_policy
)
print("Token algorithm", token.algorithm)
print("Issuer of token is: ", response.issuer)
attest_sgx_enclave
Attests the validity of an SGX quote.
Note
If the draft_policy parameter is provided, the resulting attestation token is an unsecured attestation token: it carries no service signature, so use it only to test a policy document and never as evidence for a trust decision.
For additional request configuration options, please see Python Request Options.
attest_sgx_enclave(quote: bytes, **kwargs: Any) -> Tuple[azure.security.attestation._models.AttestationResult, azure.security.attestation._models.AttestationToken]
Parameters
- quote
- bytes
An SGX quote generated by the enclave being attested.
- inittime_data
- bytes
Data presented at the time that the SGX enclave was initialized. Mutually exclusive with inittime_json.
- inittime_json
- bytes
Data presented at the time that the SGX enclave was initialized, JSON encoded. Mutually exclusive with inittime_data.
- runtime_data
- bytes
Data presented at the time that the SGX quote was created. Mutually exclusive with runtime_json.
- runtime_json
- bytes
Data presented at the time that the SGX quote was created, JSON encoded. Mutually exclusive with runtime_data.
- draft_policy
- str
"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.
- validate_token
- bool
If True, validate the token, otherwise return the token unvalidated.
- validation_callback
- Callable[[AttestationToken, AttestationSigner], None]
Function callback to allow clients to perform custom validation of the token. If the token is invalid, the validation_callback function should throw an exception.
- validate_signature
- bool
If True, validate the signature of the token being validated.
- validate_expiration
- bool
If True, validate the expiration time of the token being validated.
- issuer
- str
Expected issuer, used if validate_issuer is True.
- validation_slack
- float
Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.
- validate_issuer
- bool
If True, validate that the issuer of the token matches the expected issuer.
- validate_not_before_time
- bool
If True, validate the "Not Before" (nbf) time in the token.
Returns
A tuple of (AttestationResult, AttestationToken): the AttestationResult holds the claims in the returned attestation token, and the AttestationToken is the token itself, validated according to the token validation options unless validate_token is False.
Return type
Tuple[AttestationResult, AttestationToken]
Examples
Attesting an SGX Enclave
print("\nAttest SGX enclave using {}".format(self.shared_url))
with AttestationClient(
self.shared_url, DefaultAzureCredential()
) as attest_client:
response, _ = attest_client.attest_sgx_enclave(
quote, runtime_data=runtime_data
)
print("Issuer of token is: ", response.issuer)
attest_tpm
Attest a TPM based enclave.
See the TPM Attestation Protocol Reference for more information.
attest_tpm(content: str, **kwargs: Any) -> str
Parameters
- content
- str
Data to send to the TPM attestation service, formatted as described in the TPM Attestation Protocol Reference.
Returns
The response from the TPM attestation service.
Return type
str
close
Closes the client's underlying HTTP pipeline. Called automatically when the client is used as a context manager, as in the examples above.
close() -> None
get_open_id_metadata
Retrieves the OpenID metadata configuration document for this attestation instance.
The metadata configuration document is defined in the OpenID Connect Discovery specification.
The attestation service currently returns the following fields:
- issuer
- jwks_uri
- claims_supported
get_open_id_metadata(**kwargs: Dict[str, Any]) -> Dict[str, Any]
Returns
OpenID metadata configuration
Return type
Dict[str, Any]
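A relying party that takes jwks_uri from this document and fetches signing keys from it is trusting the document itself, so the document should be checked before it is used. The following is an added example, not code from the SDK or from this page: it verifies that the three documented fields are present, that issuer names the instance that was contacted (assumed to equal the constructor's endpoint), and that jwks_uri is an https URL on that same host. GOOD_METADATA and TAMPERED_METADATA are constructed stand-ins for the dict get_open_id_metadata returns (the jwks_uri path and claim names in them are illustrative), and fetch_and_check is a hypothetical live wrapper.

```python
from typing import Any, Dict, List
from urllib.parse import urlparse

ENDPOINT = "https://mytenant.attest.azure.net"

# Constructed stand-in for the dict get_open_id_metadata() returns; only the
# three fields the page lists are assumed, the values are illustrative.
GOOD_METADATA: Dict[str, Any] = {
    "issuer": ENDPOINT,
    "jwks_uri": ENDPOINT + "/certs",
    "claims_supported": ["is-debuggable", "sgx-mrsigner", "sgx-mrenclave"],
}

# Same document with jwks_uri moved off the instance host: a verifier that
# followed it would fetch its signing keys from a host it never chose.
TAMPERED_METADATA: Dict[str, Any] = dict(GOOD_METADATA, jwks_uri="https://keys.example.net/certs")


def _origin(url: str):
    """(scheme, host[:port]) of a URL, lower-cased for comparison."""
    parts = urlparse(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def check_discovery_document(endpoint: str, metadata: Dict[str, Any]) -> List[str]:
    """Problems with a discovery document; an empty list means it is safe to use.

    The three documented fields must be present, issuer must name the instance
    that was contacted, and jwks_uri must be https on that same host before it
    is used as the source of attestation signing keys.
    """
    problems = [f"missing field {f}" for f in ("issuer", "jwks_uri", "claims_supported")
                if f not in metadata]
    if problems:
        return problems

    want = urlparse(endpoint)
    iss = urlparse(metadata["issuer"])
    if _origin(metadata["issuer"]) != _origin(endpoint) or iss.path.rstrip("/") != want.path.rstrip("/"):
        problems.append(f"issuer {metadata['issuer']!r} is not the instance {endpoint!r}")

    jwks = urlparse(metadata["jwks_uri"])
    if jwks.scheme.lower() != "https":
        problems.append("jwks_uri is not https")
    if jwks.netloc.lower() != want.netloc.lower():
        problems.append(f"jwks_uri host {jwks.netloc!r} is not the instance host {want.netloc!r}")

    if not metadata["claims_supported"]:
        problems.append("claims_supported is empty")
    return problems


def fetch_and_check(endpoint: str) -> List[str]:
    """Hypothetical live variant (not run here): pull the document through the
    SDK and check it before any key is fetched from jwks_uri."""
    from azure.identity import DefaultAzureCredential
    from azure.security.attestation import AttestationClient

    with AttestationClient(endpoint, DefaultAzureCredential()) as client:
        return check_discovery_document(endpoint, client.get_open_id_metadata())
```

The same host check is the important one: the TLS connection to the instance is what authenticated the document, and that guarantee does not extend to keys fetched from a different origin.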
get_signing_certificates
Returns the set of signing certificates used to sign attestation tokens.
For additional request configuration options, please see Python Request Options.
get_signing_certificates(**kwargs: Any) -> List[azure.security.attestation._models.AttestationSigner]
Returns
A list of AttestationSigner objects, one per signing certificate; each carries the PEM-encoded certificate chain (certificates) and its key identifier (key_id).
Return type
List[AttestationSigner]