AttestationClient Class

Provides access to the Attestation family of APIs for trusted environment attestation.

Tip

The validate_token, validation_callback, validate_signature, validate_expiration, validate_not_before_time, validate_issuer, and issuer keyword arguments are default values applied to each API call within the AttestationClient class. These values can be overridden on individual API calls as needed.

For additional client creation configuration options, please see Python Request Options.

Inheritance
builtins.object
AttestationClient

Constructor

AttestationClient(endpoint: str, credential: TokenCredential, **kwargs: Any)

Parameters

Name Description
endpoint
Required
str

The attestation instance base URI, for example https://mytenant.attest.azure.net.

credential
Required

Credentials for the caller used to interact with the service.

Keyword-Only Parameters

Name Description
validate_token

If True, validate the token, otherwise return the token unvalidated.

validation_callback

Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should raise an exception.

validate_signature

If True, validate the signature of the token being validated.

validate_expiration

If True, validate the expiration time of the token being validated.

issuer
str

Expected issuer, used if validate_issuer is True.

validation_slack

Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.

validate_issuer

If True, validate that the issuer of the token matches the expected issuer.

validate_not_before_time

If True, validate the "Not Before" time in the token.
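To make the validation defaults above concrete, here is an added illustration (not the azure-security-attestation SDK's own code) of what validate_expiration, validate_not_before_time, validate_issuer, validation_slack and validation_callback mean when applied to a decoded token body. The payload dict, the timestamps and the expected issuer are constructed for the demo; the x-ms-sgx-* claim names are the ones used by this page's sample policy. Signature checking (validate_signature) is deliberately left to the SDK, which verifies it against the instance's signing certificates.

```python
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional


class TokenValidationError(Exception):
    """Raised when a token fails one of the enabled checks."""


def validate_token_claims(
    payload: Dict[str, Any],
    *,
    now: datetime,
    issuer: Optional[str] = None,
    validate_expiration: bool = True,
    validate_not_before_time: bool = True,
    validate_issuer: bool = True,
    validation_slack: timedelta = timedelta(seconds=0),
    validation_callback: Optional[Callable[[Dict[str, Any]], None]] = None,
) -> Dict[str, Any]:
    """Apply the page's validation options to a decoded token body.

    Returns the payload unchanged on success; raises TokenValidationError otherwise.
    """
    if validate_expiration:
        if "exp" not in payload:
            raise TokenValidationError("token has no exp claim")
        expires = datetime.fromtimestamp(payload["exp"], tz=timezone.utc)
        # Slack tolerates clock drift: accept a token that expired up to `validation_slack` ago.
        if now > expires + validation_slack:
            raise TokenValidationError(f"token expired at {expires.isoformat()}")

    if validate_not_before_time:
        if "nbf" not in payload:
            raise TokenValidationError("token has no nbf claim")
        not_before = datetime.fromtimestamp(payload["nbf"], tz=timezone.utc)
        # Symmetric tolerance: accept a token that becomes valid within `validation_slack`.
        if now + validation_slack < not_before:
            raise TokenValidationError(f"token not valid before {not_before.isoformat()}")

    if validate_issuer:
        if issuer is None:
            raise TokenValidationError("validate_issuer is True but no expected issuer was given")
        if payload.get("iss") != issuer:
            raise TokenValidationError(f"unexpected issuer {payload.get('iss')!r}")

    if validation_callback is not None:
        validation_callback(payload)  # the callback rejects a token by raising

    return payload


def require_non_debug_enclave(payload: Dict[str, Any]) -> None:
    """Example custom check: refuse tokens from debug-mode enclaves (claim name from the page's policy)."""
    if payload.get("x-ms-sgx-is-debuggable") is not False:
        raise TokenValidationError("enclave is debuggable; refusing token")


# Constructed "current time" and expected issuer (the page's sample instance URI).
NOW_TS = 1_700_000_000
NOW = datetime.fromtimestamp(NOW_TS, tz=timezone.utc)
EXPECTED_ISSUER = "https://mytenant.attest.azure.net"

# Constructed decoded token body.
SAMPLE_PAYLOAD = {
    "iss": EXPECTED_ISSUER,
    "nbf": NOW_TS - 60,
    "exp": NOW_TS + 3600,
    "x-ms-sgx-is-debuggable": False,
    "x-ms-sgx-product-id": 1,
}


def check(payload: Dict[str, Any], slack_seconds: int = 0, **options: Any) -> Optional[str]:
    """Convenience wrapper: None if the token passes all enabled checks, else the failure reason."""
    try:
        validate_token_claims(
            payload,
            now=NOW,
            issuer=EXPECTED_ISSUER,
            validation_slack=timedelta(seconds=slack_seconds),
            validation_callback=require_non_debug_enclave,
            **options,
        )
    except TokenValidationError as err:
        return str(err)
    return None


if __name__ == "__main__":
    print("valid token:", check(SAMPLE_PAYLOAD))
    print("expired, no slack:", check({**SAMPLE_PAYLOAD, "exp": NOW_TS - 10}))
    print("expired, 30 s slack:", check({**SAMPLE_PAYLOAD, "exp": NOW_TS - 10}, slack_seconds=30))
```

Setting validate_expiration=False (or any other validate_* flag) at the constructor only moves the default; the same keyword on an individual call overrides it, which is what the `**options` pass-through models here.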

Methods

attest_open_enclave

Attests the validity of an Open Enclave report.

Note

Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.

For additional request configuration options, please see Python Request Options.

attest_sgx_enclave

Attests the validity of an SGX quote.

Note

Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.

For additional request configuration options, please see Python Request Options.

attest_tpm

Attest a TPM based enclave.

See the TPM Attestation Protocol Reference for more information.

close
get_open_id_metadata

Retrieves the OpenID metadata configuration document for this attestation instance.

The metadata configuration document is defined in the OpenID Connect Discovery specification.

The attestation service currently returns the following fields:

  • issuer

  • jwks_uri

  • claims_supported

get_signing_certificates

Returns the set of signing certificates used to sign attestation tokens.

For additional request configuration options, please see Python Request Options.

attest_open_enclave

Attests the validity of an Open Enclave report.

Note

Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.

For additional request configuration options, please see Python Request Options.

attest_open_enclave(report: bytes, **kwargs: Any) -> Tuple[AttestationResult, AttestationToken]

Parameters

Name Description
report
Required

An open_enclave report generated from an Intel(tm) SGX enclave.

Keyword-Only Parameters

Name Description
inittime_data

Data presented at the time that the SGX enclave was initialized.

inittime_json

Data presented at the time that the SGX enclave was initialized, JSON encoded.

runtime_data

Data presented at the time that the open_enclave report was created.

runtime_json

Data presented at the time that the open_enclave report was created, JSON encoded.

draft_policy
str

"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.

validate_token

If True, validate the token, otherwise return the token unvalidated.

validation_callback

Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should raise an exception.

validate_signature

If True, validate the signature of the token being validated.

validate_expiration

If True, validate the expiration time of the token being validated.

issuer
str

Expected issuer, used if validate_issuer is True.

validation_slack

Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.

validate_issuer

If True, validate that the issuer of the token matches the expected issuer.

validate_not_before_time

If True, validate the "Not Before" time in the token.

Returns

Type Description

A tuple of the AttestationResult containing the claims in the returned attestation token, and the AttestationToken itself.

Examples

Attesting using a draft attestation policy.

   # The sample below comes from a test helper class, where self.shared_url,
   # oe_report and runtime_data are supplied by that class. They are stand-ins
   # here that the caller must provide; the imports are the SDK's own.
   from azure.identity import DefaultAzureCredential
   from azure.security.attestation import AttestationClient

   shared_url = "https://mytenant.attest.azure.net"  # attestation instance base URI
   oe_report = b"..."     # Open Enclave report bytes produced inside the SGX enclave
   runtime_data = b"..."  # data the enclave bound into the report when it was created

   draft_policy = """
   version= 1.0;
   authorizationrules
   {
       [ type=="x-ms-sgx-is-debuggable", value==false ] &&
       [ type=="x-ms-sgx-product-id", value==1 ] &&
       [ type=="x-ms-sgx-svn", value>= 0 ] &&
       [ type=="x-ms-sgx-mrsigner", value=="2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"]
           => permit();
   };
   issuancerules {
       c:[type=="x-ms-sgx-mrsigner"] => issue(type="My-MrSigner", value=c.value);
   };
   """
   print("Attest Open enclave using ", shared_url)
   print("Using draft policy:", draft_policy)
   with AttestationClient(
       shared_url, DefaultAzureCredential()
   ) as attest_client:
       # With draft_policy set, the returned token is unsecured (see the note above).
       response, token = attest_client.attest_open_enclave(
           oe_report, runtime_data=runtime_data, draft_policy=draft_policy
       )

       print("Token algorithm", token.algorithm)
       print("Issuer of token is: ", response.issuer)
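Because a draft_policy attestation yields an unsecured token, a caller that keeps or forwards the token should be able to tell the two kinds apart. The following added example (not code from the page or the SDK) decodes the compact JWT form of a token without verifying it, flags the unsigned case, and reads back the My-MrSigner claim that the page's issuancerules emit. Both tokens are constructed in the block; a real one comes from the service (the SDK's AttestationToken exposes the compact form as to_jwt_string() in the releases I know of; treat that name as an assumption and check your version). The mrsigner value is the one from the page's sample policy.

```python
import base64
import json
from typing import Any, Dict, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Return (header, body) of a compact JWT. No verification is performed here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    body = json.loads(_b64url_decode(parts[1]))
    return header, body


def is_unsecured(token: str) -> bool:
    """True when the token carries no signature: alg 'none' or an empty signature segment."""
    header, _ = decode_jwt(token)
    signature_segment = token.split(".")[2]
    return str(header.get("alg", "")).lower() == "none" or signature_segment == ""


def issued_claim(token: str, name: str) -> Any:
    """Read a claim from the token body, e.g. one added by an issuancerules block."""
    _, body = decode_jwt(token)
    return body.get(name)


def make_sample_token(alg: str, body: Dict[str, Any], signature: bytes) -> str:
    """Build a constructed token for the demo; the real one is minted by the service."""
    header: Dict[str, Any] = {"alg": alg, "typ": "JWT"}
    if alg != "none":
        header["kid"] = "constructed-key-id"  # placeholder key id
    return ".".join(
        [
            _b64url_encode(json.dumps(header).encode()),
            _b64url_encode(json.dumps(body).encode()),
            _b64url_encode(signature),
        ]
    )


# mrsigner value from the page's sample policy; the body itself is constructed.
MRSIGNER = "2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"
SAMPLE_BODY = {
    "iss": "https://mytenant.attest.azure.net",
    "x-ms-sgx-mrsigner": MRSIGNER,
    "My-MrSigner": MRSIGNER,  # claim emitted by the draft policy's issuancerules
}
DRAFT_TOKEN = make_sample_token("none", SAMPLE_BODY, b"")           # what a draft_policy call yields
SIGNED_TOKEN = make_sample_token("RS256", SAMPLE_BODY, b"\x00" * 16)  # placeholder signature bytes


if __name__ == "__main__":
    for label, tok in (("draft", DRAFT_TOKEN), ("signed", SIGNED_TOKEN)):
        print(label, "unsecured:", is_unsecured(tok), "My-MrSigner:", issued_claim(tok, "My-MrSigner"))
```

Use is_unsecured() as a gate before a token leaves the testing path: a draft-policy result is fine for checking that a policy document produces the claims you expect, but it is not evidence that a relying party should accept.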

attest_sgx_enclave

Attests the validity of an SGX quote.

Note

Note that if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.

For additional request configuration options, please see Python Request Options.

attest_sgx_enclave(quote: bytes, **kwargs: Any) -> Tuple[AttestationResult, AttestationToken]

Parameters

Name Description
quote
Required

An SGX quote generated from an Intel(tm) SGX enclave.

Keyword-Only Parameters

Name Description
inittime_data

Data presented at the time that the SGX enclave was initialized.

inittime_json

Data presented at the time that the SGX enclave was initialized, JSON encoded.

runtime_data

Data presented at the time that the open_enclave report was created.

runtime_json

Data presented at the time that the open_enclave report was created, JSON encoded.

draft_policy
str

"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.

validate_token

If True, validate the token, otherwise return the token unvalidated.

validation_callback

Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should raise an exception.

validate_signature

If True, validate the signature of the token being validated.

validate_expiration

If True, validate the expiration time of the token being validated.

issuer
str

Expected issuer, used if validate_issuer is True.

validation_slack

Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.

validate_issuer

If True, validate that the issuer of the token matches the expected issuer.

validate_not_before_time

If True, validate the "Not Before" time in the token.

Returns

Type Description

A tuple of the AttestationResult containing the claims in the returned attestation token, and the AttestationToken itself.

Examples

Attesting an SGX Enclave

   # The sample below comes from a test helper class, where self.shared_url,
   # quote and runtime_data are supplied by that class. They are stand-ins here
   # that the caller must provide; the imports are the SDK's own.
   from azure.identity import DefaultAzureCredential
   from azure.security.attestation import AttestationClient

   shared_url = "https://mytenant.attest.azure.net"  # attestation instance base URI
   quote = b"..."         # SGX quote bytes produced for the enclave
   runtime_data = b"..."  # data the enclave bound into the quote when it was created

   print("\nAttest SGX enclave using {}".format(shared_url))
   with AttestationClient(
       shared_url, DefaultAzureCredential()
   ) as attest_client:
       response, _ = attest_client.attest_sgx_enclave(
           quote, runtime_data=runtime_data
       )

   print("Issuer of token is: ", response.issuer)

attest_tpm

Attest a TPM based enclave.

See the TPM Attestation Protocol Reference for more information.

attest_tpm(content: str, **kwargs: Any) -> str

Parameters

Name Description
content
Required
str

Data to send to the TPM attestation service.

Keyword-Only Parameters

Name Description
inittime_data

Data presented at the time that the SGX enclave was initialized.

inittime_json

Data presented at the time that the SGX enclave was initialized, JSON encoded.

runtime_data

Data presented at the time that the open_enclave report was created.

runtime_json

Data presented at the time that the open_enclave report was created, JSON encoded.

draft_policy
str

"draft" or "experimental" policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.

validate_token

If True, validate the token, otherwise return the token unvalidated.

validation_callback

Function callback that lets clients perform custom validation of the token. If the token is invalid, the validation_callback function should raise an exception.

validate_signature

If True, validate the signature of the token being validated.

validate_expiration

If True, validate the expiration time of the token being validated.

issuer
str

Expected issuer, used if validate_issuer is True.

validation_slack

Slack time for validation - tolerance applied to help account for clock drift between the issuer and the current machine.

validate_issuer

If True, validate that the issuer of the token matches the expected issuer.

validate_not_before_time

If True, validate the "Not Before" time in the token.

Returns

Type Description
str

A structure containing the response from the TPM attestation.

close

close() -> None

get_open_id_metadata

Retrieves the OpenID metadata configuration document for this attestation instance.

The metadata configuration document is defined in the OpenID Connect Discovery specification.

The attestation service currently returns the following fields:

  • issuer

  • jwks_uri

  • claims_supported

get_open_id_metadata(**kwargs: Dict[str, Any]) -> Dict[str, Any]

Returns

Type Description

The OpenID metadata configuration document as a dictionary.
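The three fields the page lists (issuer, jwks_uri, claims_supported) are what a relying party uses to decide which issuer string and which key set to trust, so it is worth sanity-checking the document before using it. The following added example (not code from the page or the SDK) runs those checks over a constructed metadata dictionary shaped like the page describes; the expected endpoint is the page's sample instance URI, and the /certs path in the constructed jwks_uri is a placeholder.

```python
from typing import Any, Dict, List
from urllib.parse import urlparse

EXPECTED_ENDPOINT = "https://mytenant.attest.azure.net"  # the page's sample instance URI

# Constructed document with the fields the page says the service returns.
SAMPLE_METADATA: Dict[str, Any] = {
    "issuer": EXPECTED_ENDPOINT,
    "jwks_uri": EXPECTED_ENDPOINT + "/certs",  # placeholder path
    "claims_supported": ["iss", "exp", "nbf", "x-ms-sgx-mrsigner"],
}


def metadata_problems(metadata: Dict[str, Any], expected_endpoint: str) -> List[str]:
    """Return a list of findings; an empty list means the document passed every check.

    Checks: all three fields present; issuer matches the instance we meant to talk to
    (scheme and host, case-insensitive on the host); jwks_uri is https and served by the
    same host as the issuer, so signing keys are not fetched from elsewhere; and
    claims_supported is a non-empty list.
    """
    problems: List[str] = []
    for field in ("issuer", "jwks_uri", "claims_supported"):
        if field not in metadata:
            problems.append(f"missing field {field}")
    if problems:
        return problems

    issuer = urlparse(str(metadata["issuer"]))
    expected = urlparse(expected_endpoint)
    if (issuer.scheme, issuer.netloc.lower()) != (expected.scheme, expected.netloc.lower()):
        problems.append(f"issuer {metadata['issuer']!r} does not match expected {expected_endpoint!r}")

    jwks = urlparse(str(metadata["jwks_uri"]))
    if jwks.scheme != "https":
        problems.append("jwks_uri is not https")
    if jwks.netloc.lower() != issuer.netloc.lower():
        problems.append(f"jwks_uri host {jwks.netloc!r} differs from issuer host {issuer.netloc!r}")

    claims = metadata["claims_supported"]
    if not isinstance(claims, list) or not claims:
        problems.append("claims_supported is not a non-empty list")
    return problems


if __name__ == "__main__":
    print("constructed metadata:", metadata_problems(SAMPLE_METADATA, EXPECTED_ENDPOINT) or "ok")
    tampered = {**SAMPLE_METADATA, "jwks_uri": "https://other.example/certs"}
    print("foreign jwks_uri:", metadata_problems(tampered, EXPECTED_ENDPOINT))
```

Feed the dictionary returned by get_open_id_metadata() to metadata_problems() together with the endpoint you constructed the client with; the same issuer string is what you would pass as the issuer keyword argument so that validate_issuer has something to compare against.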

get_signing_certificates

Returns the set of signing certificates used to sign attestation tokens.

For additional request configuration options, please see Python Request Options.

get_signing_certificates(**kwargs: Any) -> List[AttestationSigner]

Returns

Type Description

A list of AttestationSigner objects.