다음을 통해 공유


증명 토큰의 예

증명 정책은 증명 증거를 처리하고 Azure Attestation이 증명 토큰을 발급할지 여부를 확인하는 데 사용됩니다. 사용자 지정 정책을 사용하여 증명 토큰 생성을 제어할 수 있습니다. 다음은 증명 토큰의 몇 가지 예입니다.

SGX(Software Guard Extensions) 증명을 위해 생성된 샘플 JWT(JSON Web Token)

{
  "alg": "RS256",
  "jku": "https://tradewinds.us.attest.azure.net/certs",
  "kid": <self signed certificate reference to perform signature verification of attestation token,
  "typ": "JWT"
}.{
  "aas-ehd": <input enclave held data>,
  "exp": 1568187398,
  "iat": 1568158598,
  "is-debuggable": false,
  "iss": "https://tradewinds.us.attest.azure.net",
  "maa-attestationcollateral": 
    {
      "qeidcertshash": <SHA256 value of QE Identity issuing certs>,
      "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
      "qeidhash": <SHA256 value of the QE Identity collateral>,
      "quotehash": <SHA256 value of the evaluated quote>, 
      "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>, 
      "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>, 
      "tcbinfohash": <SHA256 value of the TCB Info collateral>
     },
  "maa-ehd": <input enclave held data>,
  "nbf": 1568158598,
  "product-id": 4639,
  "sgx-mrenclave": <SGX enclave mrenclave value>,
  "sgx-mrsigner": <SGX enclave msrigner value>,
  "svn": 0,
  "tee": "sgx"
  "x-ms-attestation-type": "sgx", 
  "x-ms-policy-hash": <>,
  "x-ms-sgx-collateral": 
    {
      "qeidcertshash": <SHA256 value of QE Identity issuing certs>,
      "qeidcrlhash": <SHA256 value of QE Identity issuing certs CRL list>,
      "qeidhash": <SHA256 value of the QE Identity collateral>,
      "quotehash": <SHA256 value of the evaluated quote>, 
      "tcbinfocertshash": <SHA256 value of the TCB Info issuing certs>, 
      "tcbinfocrlhash": <SHA256 value of the TCB Info issuing certs CRL list>, 
      "tcbinfohash": <SHA256 value of the TCB Info collateral>
     },
  "x-ms-sgx-ehd": <>, 
  "x-ms-sgx-is-debuggable": true,
  "x-ms-sgx-mrenclave": <SGX enclave mrenclave value>,
  "x-ms-sgx-mrsigner": <SGX enclave msrigner value>, 
  "x-ms-sgx-product-id": 1, 
  "x-ms-sgx-svn": 1,
  "x-ms-ver": "1.0",
  "x-ms-sgx-config-id": "000102030405060708090a0b0c0d8f99000102030405060708090a0b0c860e9a000102030405060708090a0b7d0d0e9b000102030405060708090a740c0d0e9c",
  "x-ms-sgx-config-svn": 3451,
  "x-ms-sgx-isv-extended-product-id": "8765432143211234abcdabcdef123456",
  "x-ms-sgx-isv-family-id": "1234567812344321abcd1234567890ab"
}.[Signature]

여기에 사용된 일부 클레임은 더 이상 사용되지 않는 것으로 간주되지만 완전히 지원됩니다. 이후 모든 코드 및 도구는 더 이상 사용되지 않는 클레임 이름을 사용하는 것이 좋습니다. 자세한 내용은 Azure Attestation을 통해 발급된 클레임을 참조하세요.

아래 클레임은 Intel® Xeon® 확장 가능한 프로세서 기반 서버 플랫폼용으로 생성된 증명 토큰에만 표시됩니다. SGX enclave가 키 구분 및 공유 지원으로 구성되어 있지 않으면 클레임이 표시되지 않습니다.

x-ms-sgx-config-id

x-ms-sgx-config-svn

x-ms-sgx-isv-extended-product-id

x-ms-sgx-isv-family-id

SEV-SNP 증명을 위해 생성된 샘플 JWT

{ 
  "exp": 1649970020, 
  "iat": 1649941220, 
  "iss": "https://maasandbox0001.wus.attest.azure.net", 
  "jti": "b65da1dcfbb4698b0bb2323cac664b745a2ff1cffbba55641fd65784aa9474d5", 
  "nbf": 1649941220, 
  "x-ms-attestation-type": "sevsnpvm", 
  "x-ms-compliance-status": "azure-compliant-cvm", 
  "x-ms-policy-hash": "LTPRQQju-FejAwdYihF8YV_c2XWebG9joKvrHKc3bxs", 
  "x-ms-runtime": { 
    "keys": [ 
      { 
        "e": "AQAB", 
        "key_ops": ["encrypt"], 
        "kid": "HCLTransferKey", 
        "kty": "RSA", 
        "n": "ur08DccjGGzRo3OIq445n00Q3OthMIbR3SWIzCcicIM_7nPiVF5NBIknk2zdHZN1iiNhIzJezrXSqVT7Ty1Dl4AB5xiAAqxo7xGjFqlL47NA8WbZRMxQtwlsOjZgFxosDNXIt6dMq7ODh4nj6nV2JMScNfRKyr1XFIUK0XkOWvVlSlNZjaAxj8H4pS0yNfNwr1Q94VdSn3LPRuZBHE7VrofHRGSHJraDllfKT0-8oKW8EjpMwv1ME_OgPqPwLyiRzr99moB7uxzjEVDe55D2i2mPrcmT7kSsHwp5O2xKhM68rda6F-IT21JgdhQ6n4HWCicslBmx4oqkI-x5lVsRkQ" 
      } 
    ], 
    "vm-configuration": { 
      "secure-boot": true, 
      "secure-boot-template-id": "1734c6e8-3154-4dda-ba5f-a874cc483422", 
      "tpm-enabled": true, 
      "vmUniqueId": "AE5CBB2A-DC95-4870-A74A-EE4FB33B1A9C" 
    } 
  }, 
  "x-ms-sevsnpvm-authorkeydigest": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 
  "x-ms-sevsnpvm-bootloader-svn": 0, 
  "x-ms-sevsnpvm-familyId": "01000000000000000000000000000000", 
  "x-ms-sevsnpvm-guestsvn": 1, 
  "x-ms-sevsnpvm-hostdata": "0000000000000000000000000000000000000000000000000000000000000000", 
  "x-ms-sevsnpvm-idkeydigest": "38ed94f9aab20bc5eb40e89c7cbb03aa1b9efb435892656ade789ccaa0ded82ff18bae0e849c3166351ba1fa7ff620a2", 
  "x-ms-sevsnpvm-imageId": "02000000000000000000000000000000", 
  "x-ms-sevsnpvm-is-debuggable": false, 
  "x-ms-sevsnpvm-launchmeasurement": "04a170f39a3f702472ed0c7ecbda9babfc530e3caac475fdd607ff499177d14c278c5a15ad07ceacd5230ae63d507e9d", 
  "x-ms-sevsnpvm-microcode-svn": 40, 
  "x-ms-sevsnpvm-migration-allowed": false, 
  "x-ms-sevsnpvm-reportdata": "99dd4593a43f4b0f5f10f1856c7326eba309b943251fededc15592e3250ca9e90000000000000000000000000000000000000000000000000000000000000000", 
  "x-ms-sevsnpvm-reportid": "d1d5c2c71596fae601433ecdfb62799de2a785cc08be3b1c8a4e26a381494787", 
  "x-ms-sevsnpvm-smt-allowed": true, 
  "x-ms-sevsnpvm-snpfw-svn": 0, 
  "x-ms-sevsnpvm-tee-svn": 0, 
  "x-ms-sevsnpvm-vmpl": 0, 
  "x-ms-ver": "1.0" 
} 

TDX 증명을 위해 생성된 샘플 JWT

아래 클레임의 정의는 Azure Attestation TDX EAT 프로필에서 확인할 수 있습니다.

{
   "attester_tcb_status": "UpToDate",
   "dbgstat": "disabled",
   "eat_profile": "https://aka.ms/maa-eat-profile-tdxvm",
   "exp": 1697706287,
   "iat": 1697677487,
   "intuse": "generic",
   "iss": "https://maasand001.eus.attest.azure.net",
   "jti": "5f65006d573bc1c04f67820348c20f5d8da72ddbbd4d6c03da8de9f11b5cf29b",
   "nbf": 1697677487,
   "tdx_mrconfigid": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_mrowner": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_mrownerconfig": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_mrseam": "2fd279c16164a93dd5bf373d834328d46008c2b693af9ebb865b08b2ced320c9a89b4869a9fab60fbe9d0c5a5363c656",
   "tdx_mrsignerseam": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_mrtd": "5be56d418d33661a6c21da77c9503a07e430b35eb92a0bd042a6b3c4e79b3c82bb1c594e770d0d129a0724669f1e953f",
   "tdx_report_data": "93c6db49f2318387bcebdad0275e206725d948f9000d900344aa44abaef145960000000000000000000000000000000000000000000000000000000000000000",
   "tdx_rtmr0": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_rtmr1": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_rtmr2": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_rtmr3": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000",
   "tdx_seam_attributes": "0000000000000000",
   "tdx_seamsvn": 3,
   "tdx_td_attributes": "0000000000000000",
   "tdx_td_attributes_debug": false,
   "tdx_td_attributes_key_locker": false,
   "tdx_td_attributes_perfmon": false,
   "tdx_td_attributes_protection_keys": false,
   "tdx_td_attributes_septve_disable": false,
   "tdx_tee_tcb_svn": "03000600000000000000000000000000",
   "tdx_xfam": "e718060000000000",
   "x-ms-attestation-type": "tdxvm",
   "x-ms-compliance-status": "azure-compliant-cvm",
   "x-ms-policy-hash": "B56nbp5slhw66peoRYkpdq1WykMkEworvdol08hnMXE",
   "x-ms-runtime": {
      "test-claim-name": "test-claim-value"
   },
   "x-ms-ver": "1.0"
} 

다음 단계