AttestationClient Class
Provides access to the Attestation family of APIs for trusted environment attestation.
Tip
The validate_token, validation_callback, validate_signature,
validate_expiration, validate_not_before_time, validate_issuer, and
issuer keyword arguments are default values applied to each API call within
the AttestationClient class. These values can be
overridden on individual API calls as needed.
For additional client creation configuration options, please see Python Request Options.
- Inheritance
- builtins.object
- AttestationClient
Constructor
AttestationClient(endpoint: str, credential: TokenCredential, **kwargs: Any)
Parameters
Name | Description |
---|---|
endpoint
Required
|
The attestation instance base URI, for example https://mytenant.attest.azure.net. |
credential
Required
|
Credentials for the caller used to interact with the service. |
Keyword-Only Parameters
Name | Description |
---|---|
validate_token
|
If True (the default), validate the returned token before returning it; otherwise return the token unvalidated. The claims of an unvalidated token have not been checked against the attestation instance's signing certificates and must not be trusted by a relying party. |
validation_callback
|
Function callback to allow clients to perform custom validation of the token, called with the AttestationToken and the AttestationSigner whose certificate signed it. If the token is invalid, the validation_callback function should raise an exception. |
validate_signature
|
If True, validate the signature of the token being validated against the attestation instance's signing certificates. |
validate_expiration
|
If True, validate the expiration time ("exp") of the token being validated. |
issuer
|
Expected issuer; used if validate_issuer is True. |
validation_slack
|
Slack time for validation, in seconds: tolerance applied to the expiration and "Not Before" checks to account for clock drift between the issuer and the current machine. |
validate_issuer
|
If True, validate that the issuer ("iss") of the token matches the expected issuer. |
validate_not_before_time
|
If True, validate the "Not Before" ("nbf") time in the token. |
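The following is an added example, not code from the Azure SDK or from this page. It shows what a relying party would add on top of the SDK's built-in token validation: a validation_callback that pins the attestation instance's signing certificate by SHA-256 thumbprint, and post-validation checks on the AttestationResult (debug flag, MRSIGNER, SVN floor, and that enclave_held_data equals the runtime_data sent with the request, which binds the result to this request rather than a replayed one). It assumes the SDK's callback contract, callback(token, signer) with signer None when no signature was verified, the AttestationResult attributes is_debuggable, mr_signer, svn and enclave_held_data, and that AttestationSigner.certificates holds PEM text with the leaf first. The MRSIGNER value is the one from the draft policy on this page; the SVN floor, the stand-in certificate and the stand-in result inside demo() are constructed for illustration.

```python
import base64
import hashlib
import hmac
from types import SimpleNamespace

# MRSIGNER value taken from the draft policy on this page; the SVN floor is an assumption.
EXPECTED_MRSIGNER = "2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"
MIN_SVN = 1


def _to_der(certificate):
    """Return DER bytes for a certificate given as PEM text, PEM bytes or raw DER bytes."""
    if isinstance(certificate, str):
        certificate = certificate.encode("ascii")
    if certificate.lstrip().startswith(b"-----BEGIN"):
        lines = [ln.strip() for ln in certificate.splitlines()]
        return base64.b64decode(b"".join(ln for ln in lines if ln and not ln.startswith(b"-----")))
    return certificate


def thumbprint(certificate):
    """Hex SHA-256 thumbprint of the certificate's DER encoding."""
    return hashlib.sha256(_to_der(certificate)).hexdigest()


def make_pinning_callback(pinned_thumbprints):
    """Build a validation_callback for AttestationClient.

    Assumed SDK contract: the callback is called as callback(token, signer) after the
    built-in checks, signer is None when no signature was verified (unsecured token or
    validate_signature=False), and the callback raises to reject the token.
    """
    def callback(token, signer):
        if signer is None or not signer.certificates:
            raise ValueError("token has no verified signer; refusing to trust it")
        leaf = thumbprint(signer.certificates[0])   # leaf certificate is first (assumption)
        if leaf not in pinned_thumbprints:
            raise ValueError("token signed by unpinned certificate " + leaf)
    return callback


def check_enclave_identity(result, expected_mrsigner, min_svn, expected_runtime_data):
    """Relying-party checks on an AttestationResult after token validation:
    debugging off, expected MRSIGNER, SVN floor, and enclave_held_data equal to the
    runtime_data sent with this request (binds the result to this request, not a replay).
    Returns True, or raises ValueError naming the first failed check."""
    if result.is_debuggable:
        raise ValueError("enclave is debuggable")
    if (result.mr_signer or "").lower() != expected_mrsigner.lower():
        raise ValueError("unexpected MRSIGNER %s" % result.mr_signer)
    if result.svn is None or result.svn < min_svn:
        raise ValueError("enclave SVN %s below minimum %d" % (result.svn, min_svn))
    held = bytes(result.enclave_held_data or b"")
    if not hmac.compare_digest(held, bytes(expected_runtime_data)):
        raise ValueError("enclave_held_data does not match the runtime_data sent")
    return True


def demo():
    """Exercise the checks on constructed stand-ins (not real attestation output)."""
    fake_der = b"constructed stand-in for a DER-encoded signing certificate"
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(fake_der).decode("ascii")
           + "\n-----END CERTIFICATE-----\n")
    callback = make_pinning_callback({thumbprint(fake_der)})
    pinned_ok = callback(None, SimpleNamespace(certificates=[pem])) is None
    try:
        callback(None, None)          # what an unsecured (draft_policy) token presents
        unsecured_rejected = False
    except ValueError:
        unsecured_rejected = True
    nonce = b"\x01\x02\x03\x04"       # the runtime_data the caller sent with the request
    result = SimpleNamespace(is_debuggable=False, mr_signer=EXPECTED_MRSIGNER.upper(),
                             svn=3, enclave_held_data=nonce)
    identity_ok = check_enclave_identity(result, EXPECTED_MRSIGNER, MIN_SVN, nonce)
    try:
        check_enclave_identity(result, EXPECTED_MRSIGNER, MIN_SVN, b"\x09\x09\x09\x09")
        stale_rejected = False
    except ValueError:
        stale_rejected = True
    return {"pinned_ok": pinned_ok, "unsecured_rejected": unsecured_rejected,
            "identity_ok": identity_ok, "stale_data_rejected": stale_rejected}


if __name__ == "__main__":
    print(demo())
```

To use it against a real instance, build the pinned set by calling thumbprint() on the certificates returned by get_signing_certificates() after reviewing them out of band, pass the callback as AttestationClient(endpoint, credential, validation_callback=make_pinning_callback(pinned)), and run check_enclave_identity on the AttestationResult returned by each attest_* call with the same runtime_data you sent.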
Methods
attest_open_enclave |
Attests the validity of an Open Enclave report. Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token. For additional request configuration options, please see Python Request Options. |
attest_sgx_enclave |
Attests the validity of an SGX quote. Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token. For additional request configuration options, please see Python Request Options. |
attest_tpm |
Attest a TPM based enclave. See the TPM Attestation Protocol Reference for more information. |
close |
Closes the client and releases its underlying HTTP session. |
get_open_id_metadata |
Retrieves the OpenID metadata configuration document for this attestation instance. The metadata configuration document is defined in the OpenID Connect Discovery specification. The attestation service currently returns the following fields: issuer, jwks_uri, claims_supported. |
get_signing_certificates |
Returns the set of signing certificates used to sign attestation tokens. For additional request configuration options, please see Python Request Options. |
attest_open_enclave
Attests the validity of an Open Enclave report.
Note
If the draft_policy parameter is provided, the resulting attestation token is an unsecured (unsigned) attestation token. It lets you test a policy against real evidence, but its claims carry no proof of origin and must not be accepted by a relying party.
For additional request configuration options, please see Python Request Options.
attest_open_enclave(report: bytes, **kwargs: Any) -> Tuple[AttestationResult, AttestationToken]
Parameters
Name | Description |
---|---|
report
Required
|
An open_enclave report generated from an Intel(tm) SGX enclave |
Keyword-Only Parameters
Name | Description |
---|---|
inittime_data
|
Data presented at the time that the SGX enclave was initialized (binary). |
inittime_json
|
Data presented at the time that the SGX enclave was initialized, JSON encoded. |
runtime_data
|
Data presented at the time that the open_enclave report was created (binary). The service verifies that the hash of this data matches the report data embedded in the report and returns it in the token as the enclave_held_data claim, which lets a relying party confirm the report is bound to its own request. |
runtime_json
|
Data presented at the time that the open_enclave report was created, JSON encoded. Supply either runtime_data or runtime_json, not both. |
draft_policy
|
"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request instead of the policy configured on the instance. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API. |
validate_token
|
If True, validate the token, otherwise return the token unvalidated. The claims of an unvalidated token must not be trusted by a relying party. |
validation_callback
|
Function callback to allow clients to perform custom validation of the token, called with the AttestationToken and the AttestationSigner whose certificate signed it. If the token is invalid, the validation_callback function should raise an exception. |
validate_signature
|
If True, validate the signature of the token being validated against the attestation instance's signing certificates. |
validate_expiration
|
If True, validate the expiration time ("exp") of the token being validated. |
issuer
|
Expected issuer; used if validate_issuer is True. |
validation_slack
|
Slack time for validation, in seconds: tolerance applied to the expiration and "Not Before" checks to account for clock drift between the issuer and the current machine. |
validate_issuer
|
If True, validate that the issuer ("iss") of the token matches the expected issuer. |
validate_not_before_time
|
If True, validate the "Not Before" ("nbf") time in the token. |
Returns
Type | Description |
---|---|
Tuple[AttestationResult, AttestationToken] | An AttestationResult containing the claims in the returned attestation token, together with the AttestationToken itself (validated according to the validate_* options unless validate_token is False). |
Examples
Attesting using a draft attestation policy.
import os
from azure.identity import DefaultAzureCredential
from azure.security.attestation import AttestationClient

# Attestation instance URI, for example https://mytenant.attest.azure.net.
# The original sample reads it from self.shared_url; here it comes from the environment.
endpoint = os.environ["ATTESTATION_URL"]

# The Open Enclave report and the runtime data bound into it must come from the
# enclave being attested. Assumption for this sample: the enclave wrote both to
# files named in the environment.
oe_report = open(os.environ["OE_REPORT_PATH"], "rb").read()
runtime_data = open(os.environ["RUNTIME_DATA_PATH"], "rb").read()

draft_policy = """
version= 1.0;
authorizationrules
{
    [ type=="x-ms-sgx-is-debuggable", value==false ] &&
    [ type=="x-ms-sgx-product-id", value==1 ] &&
    [ type=="x-ms-sgx-svn", value>= 0 ] &&
    [ type=="x-ms-sgx-mrsigner", value=="2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"]
        => permit();
};
issuancerules {
    c:[type=="x-ms-sgx-mrsigner"] => issue(type="My-MrSigner", value=c.value);
};
"""
print("Attest Open enclave using", endpoint)
print("Using draft policy:", draft_policy)
with AttestationClient(endpoint, DefaultAzureCredential()) as attest_client:
    response, token = attest_client.attest_open_enclave(
        oe_report, runtime_data=runtime_data, draft_policy=draft_policy
    )
    # Because a draft policy was supplied, the token is unsecured: its algorithm
    # is "none", so this result is only useful for checking the policy.
    print("Token algorithm", token.algorithm)
    print("Issuer of token is:", response.issuer)
attest_sgx_enclave
Attests the validity of an SGX quote.
Note
If the draft_policy parameter is provided, the resulting attestation token is an unsecured (unsigned) attestation token. It lets you test a policy against real evidence, but its claims carry no proof of origin and must not be accepted by a relying party.
For additional request configuration options, please see Python Request Options.
attest_sgx_enclave(quote: bytes, **kwargs: Any) -> Tuple[AttestationResult, AttestationToken]
Parameters
Name | Description |
---|---|
quote
Required
|
An SGX quote generated from an Intel(tm) SGX enclave |
Keyword-Only Parameters
Name | Description |
---|---|
inittime_data
|
Data presented at the time that the SGX enclave was initialized (binary). |
inittime_json
|
Data presented at the time that the SGX enclave was initialized, JSON encoded. |
runtime_data
|
Data presented at the time that the SGX quote was created (binary). The service verifies that the hash of this data matches the report data embedded in the quote and returns it in the token as the enclave_held_data claim, which lets a relying party confirm the quote is bound to its own request. |
runtime_json
|
Data presented at the time that the SGX quote was created, JSON encoded. Supply either runtime_data or runtime_json, not both. |
draft_policy
|
"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request instead of the policy configured on the instance. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API. |
validate_token
|
If True, validate the token, otherwise return the token unvalidated. The claims of an unvalidated token must not be trusted by a relying party. |
validation_callback
|
Function callback to allow clients to perform custom validation of the token, called with the AttestationToken and the AttestationSigner whose certificate signed it. If the token is invalid, the validation_callback function should raise an exception. |
validate_signature
|
If True, validate the signature of the token being validated against the attestation instance's signing certificates. |
validate_expiration
|
If True, validate the expiration time ("exp") of the token being validated. |
issuer
|
Expected issuer; used if validate_issuer is True. |
validation_slack
|
Slack time for validation, in seconds: tolerance applied to the expiration and "Not Before" checks to account for clock drift between the issuer and the current machine. |
validate_issuer
|
If True, validate that the issuer ("iss") of the token matches the expected issuer. |
validate_not_before_time
|
If True, validate the "Not Before" ("nbf") time in the token. |
Returns
Type | Description |
---|---|
Tuple[AttestationResult, AttestationToken] | An AttestationResult containing the claims in the returned attestation token, together with the AttestationToken itself (validated according to the validate_* options unless validate_token is False). |
Examples
Attesting an SGX Enclave
import os
from azure.identity import DefaultAzureCredential
from azure.security.attestation import AttestationClient

# Attestation instance URI (the original sample reads it from self.shared_url).
endpoint = os.environ["ATTESTATION_URL"]
# The quote and the runtime data bound into it come from the enclave being attested;
# reading them from files is an assumption of this sample.
quote = open(os.environ["SGX_QUOTE_PATH"], "rb").read()
runtime_data = open(os.environ["RUNTIME_DATA_PATH"], "rb").read()

print("\nAttest SGX enclave using {}".format(endpoint))
with AttestationClient(endpoint, DefaultAzureCredential()) as attest_client:
    response, _ = attest_client.attest_sgx_enclave(quote, runtime_data=runtime_data)
    print("Issuer of token is:", response.issuer)
attest_tpm
Attest a TPM based enclave.
See the TPM Attestation Protocol Reference for more information.
attest_tpm(content: str, **kwargs: Any) -> str
Parameters
Name | Description |
---|---|
content
Required
|
Data to send to the TPM attestation service. |
Returns
Type | Description |
---|---|
str | The response from the TPM attestation service, returned as a string. |
close
Closes the client and releases its underlying HTTP session. The client closes itself automatically when used as a context manager, as in the examples above.
close() -> None
get_open_id_metadata
Retrieves the OpenID metadata configuration document for this attestation instance.
The metadata configuration document is defined in the OpenID Connect Discovery specification.
The attestation service currently returns the following fields:
issuer
jwks_uri
claims_supported
get_open_id_metadata(**kwargs: Dict[str, Any]) -> Dict[str, Any]
Returns
Type | Description |
---|---|
Dict[str, Any] | The OpenID metadata configuration document. |
get_signing_certificates
Returns the set of signing certificates used to sign attestation tokens.
For additional request configuration options, please see Python Request Options.
get_signing_certificates(**kwargs: Any) -> List[AttestationSigner]
Returns
Type | Description |
---|---|
List[AttestationSigner] | A list of AttestationSigner objects, one per signing certificate. |
Azure SDK for Python