azure.security.attestation package

exception azure.security.attestation.AttestationTokenValidationException(message)
    Thrown when an attestation token validation fails.

    Parameters:
        message (str) – Message for caller describing the reason for the failure.

    with_traceback()
        Exception.with_traceback(tb) – set self.__traceback__ to tb and return self.

    args
class azure.security.attestation.AttestationClient(credential: TokenCredential, instance_url: str, **kwargs: Any)
    An AttestationClient object enables access to the Attestation family of APIs provided by the attestation service.

    Parameters:
        instance_url (str) – Base URL of the service.
        credential (TokenCredential) – Credentials for the caller used to interact with the service.

    Keyword Arguments:
        pipeline (Pipeline) – If omitted, the standard pipeline is used.
        policies (list[HTTPPolicy]) – If omitted, the standard pipeline is used.
        transport (HttpTransport) – If omitted, the standard pipeline is used.

    For additional client creation configuration options, please see https://aka.ms/azsdk/python/options.
    attest_open_enclave(report: bytes, inittime_data: Optional[azure.security.attestation._models.AttestationData] = None, runtime_data: Optional[azure.security.attestation._models.AttestationData] = None, **kwargs: Dict[str, Any]) → azure.security.attestation._models.AttestationResponse[azure.security.attestation._models.AttestationResult]
        Attests the validity of an Open Enclave report.

        Parameters:
            report (bytes) – An open_enclave report generated from an Intel(tm) SGX enclave.
            inittime_data (azure.security.attestation.AttestationData) – Data presented at the time that the SGX enclave was initialized.
            runtime_data (azure.security.attestation.AttestationData) – Data presented at the time that the open_enclave report was created.

        Keyword Arguments:
            draft_policy (str) – “draft” or “experimental” policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.

        Returns:
            Attestation service response encapsulating an AttestationResult.

        Return type:
            azure.security.attestation.AttestationResponse[azure.security.attestation.AttestationResult]

        Example: Simple OpenEnclave attestation.

            from azure.security.attestation import AttestationData

            # `self.shared_url` and `self._create_client` are the sample's own helpers
            # (the instance URL and a factory returning an AttestationClient);
            # `oe_report` and `runtime_data` are the bytes produced by the enclave.
            print()
            print('Attest Open enclave using ', self.shared_url)
            with self._create_client(self.shared_url) as attest_client:
                response = attest_client.attest_open_enclave(
                    oe_report, runtime_data=AttestationData(runtime_data))
                print("Issuer of token is: ", response.value.issuer)

        Example: Simple OpenEnclave attestation with draft attestation policy.

            from azure.security.attestation import AttestationData

            # Draft policy evaluated for this request only; it is not stored on the instance.
            draft_policy = """
            version= 1.0;
            authorizationrules
            {
                [ type=="x-ms-sgx-is-debuggable", value==false ] &&
                [ type=="x-ms-sgx-product-id", value==1 ] &&
                [ type=="x-ms-sgx-svn", value>= 0 ] &&
                [ type=="x-ms-sgx-mrsigner", value=="2c1a44952ae8207135c6c29b75b8c029372ee94b677e15c20bd42340f10d41aa"]
                    => permit();
            };
            issuancerules {
                c:[type=="x-ms-sgx-mrsigner"] => issue(type="My-MrSigner", value=c.value);
            };
            """
            print('Attest Open enclave using ', self.shared_url)
            print('Using draft policy:', draft_policy)
            with self._create_client(self.shared_url) as attest_client:
                response = attest_client.attest_open_enclave(
                    oe_report,
                    runtime_data=AttestationData(runtime_data, is_json=False),
                    draft_policy=draft_policy)
                # With a draft policy the token comes back unsecured, so "alg" is "none".
                print("Token algorithm", response.token.algorithm)
                print("Issuer of token is: ", response.value.issuer)

        Note: if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.

        For additional request configuration options, please see Python Request Options.
    attest_sgx_enclave(quote: bytes, inittime_data: Optional[azure.security.attestation._models.AttestationData] = None, runtime_data: Optional[azure.security.attestation._models.AttestationData] = None, **kwargs: Dict[str, Any]) → azure.security.attestation._models.AttestationResponse[azure.security.attestation._models.AttestationResult]
        Attests the validity of an SGX quote.

        Parameters:
            quote (bytes) – An SGX quote generated from an Intel(tm) SGX enclave.
            inittime_data (azure.security.attestation.AttestationData) – Data presented at the time that the SGX enclave was initialized.
            runtime_data (azure.security.attestation.AttestationData) – Data presented at the time that the SGX quote was created.

        Keyword Arguments:
            draft_policy (str) – “draft” or “experimental” policy to be used with this attestation request. If this parameter is provided, then this policy document will be used for the attestation request. This allows a caller to test various policy documents against actual data before applying the policy document via the set_policy API.

        Returns:
            Attestation service response encapsulating an AttestationResult.

        Return type:
            azure.security.attestation.AttestationResponse[azure.security.attestation.AttestationResult]

        Note: if the draft_policy parameter is provided, the resulting attestation token will be an unsecured attestation token.

        Example:

            from azure.security.attestation import AttestationData

            # `self.shared_url` and `self._create_client` are the sample's own helpers
            # (the instance URL and a factory returning an AttestationClient);
            # `quote` and `runtime_data` are the bytes produced by the enclave.
            print()
            print('Attest SGX enclave using ', self.shared_url)
            with self._create_client(self.shared_url) as attest_client:
                response = attest_client.attest_sgx_enclave(
                    quote, runtime_data=AttestationData(runtime_data, is_json=False))
                print("Issuer of token is: ", response.value.issuer)

        For additional request configuration options, please see Python Request Options.
    attest_tpm(request: azure.security.attestation._models.TpmAttestationRequest, **kwargs: Any) → azure.security.attestation._models.TpmAttestationResponse
        Attest a TPM based enclave.

        See the TPM Attestation Protocol Reference for more information.

        Parameters:
            request (azure.security.attestation.TpmAttestationRequest) – Incoming request to send to the TPM attestation service.

        Returns:
            A structure containing the response from the TPM attestation.

        Return type:
            azure.security.attestation.TpmAttestationResponse

    get_openidmetadata(**kwargs: Dict[str, Any]) → Any
        Retrieves the OpenID metadata configuration document for this attestation instance.

        Returns:
            OpenID metadata configuration.

        Return type:
            Any

    get_signing_certificates(**kwargs: Any) → list[AttestationSigner]
        Returns the set of signing certificates used to sign attestation tokens.

        Returns:
            A list of azure.security.attestation.AttestationSigner objects.

        Return type:
            list[azure.security.attestation.AttestationSigner]

        For additional request configuration options, please see Python Request Options.
class azure.security.attestation.AttestationAdministrationClient(credential: TokenCredential, instance_url: str, **kwargs: Any)
    Provides administrative APIs for managing an instance of the Attestation Service.

    Parameters:
        instance_url (str) – Base URL of the service.
        credential (TokenCredential) – Credentials for the caller used to interact with the service.

    Keyword Arguments:
        pipeline (Pipeline) – If omitted, the standard pipeline is used.
        transport (HttpTransport) – If omitted, the standard pipeline is used.
        policies (list[HTTPPolicy]) – If omitted, the standard pipeline is used.
    add_policy_management_certificate(certificate_to_add: bytes, signing_key: azure.security.attestation._models.AttestationSigningKey, **kwargs: Any) → azure.security.attestation._models.AttestationResponse[azure.security.attestation._models.PolicyCertificatesModificationResult]
        Adds a new policy management certificate to the set of policy management certificates for the instance.

        Parameters:
            certificate_to_add (bytes) – DER encoded X.509 certificate to add to the list of attestation policy management certificates.
            signing_key (azure.security.attestation.AttestationSigningKey) – Signing key representing one of the existing attestation signing certificates.

        Returns:
            Attestation service response encapsulating the status of the add request.

        Return type:
            azure.security.attestation.AttestationResponse[azure.security.attestation.PolicyCertificatesModificationResult]

        The PolicyCertificatesModificationResult response to the add_policy_management_certificate() API contains two attributes of interest. The first is certificate_resolution, which indicates whether the certificate in question is present in the set of policy management certificates after the operation has completed, or if it is absent. The second is the thumbprint of the certificate added. The thumbprint for the certificate is the SHA1 hash of the DER encoding of the certificate.
    get_policy(attestation_type, **kwargs)
        Retrieves the attestation policy for a specified attestation type.

        Parameters:
            attestation_type (azure.security.attestation.AttestationType) – AttestationType for which to retrieve the policy.

        Returns:
            Attestation service response encapsulating a string attestation policy.

        Raises:
            azure.security.attestation.AttestationTokenValidationException – Raised when an attestation token is invalid.

    get_policy_management_certificates(**kwargs: Any) → AttestationResponse[list[list[bytes]]]
        Retrieves the set of policy management certificates for the instance.

        The list of policy management certificates will only be non-empty if the attestation service instance is in Isolated mode.

        Returns:
            Attestation service response encapsulating a list of DER encoded X.509 certificate chains.

        Return type:
            azure.security.attestation.AttestationResponse[list[list[bytes]]]
    remove_policy_management_certificate(certificate_to_add: bytes, signing_key: azure.security.attestation._models.AttestationSigningKey, **kwargs: Any) → azure.security.attestation._models.AttestationResponse[azure.security.attestation._models.PolicyCertificatesModificationResult]
        Removes a policy management certificate from the set of policy management certificates for the instance.

        Parameters:
            certificate_to_add (bytes) – DER encoded X.509 certificate to remove from the list of attestation policy management certificates.
            signing_key (azure.security.attestation.AttestationSigningKey) – Signing key representing one of the existing attestation signing certificates.

        Returns:
            Attestation service response encapsulating the status of the remove request.

        Return type:
            azure.security.attestation.AttestationResponse[azure.security.attestation.PolicyCertificatesModificationResult]

        The PolicyCertificatesModificationResult response to the remove_policy_management_certificate() API contains two attributes of interest. The first is certificate_resolution, which indicates whether the certificate in question is present in the set of policy management certificates after the operation has completed, or if it is absent. The second is the thumbprint of the certificate removed. The thumbprint for the certificate is the SHA1 hash of the DER encoding of the certificate.
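As an added check that is not part of the package or its samples, the following verifies a PolicyCertificatesModificationResult from add_policy_management_certificate() or remove_policy_management_certificate() against the certificate that was actually sent: it recomputes the SHA1 thumbprint of the DER bytes, compares it with certificate_thumbprint, and confirms certificate_resolution is the expected CertificateModification value ('IsPresent' after an add, 'IsAbsent' after a remove). It assumes the result exposes certificate_thumbprint as a hex string (case and separators ignored) and certificate_resolution as either the enum member or its string value; SAMPLE_DER and _StubModificationResult are constructed stand-ins, not a real certificate or SDK type.

```python
import hashlib
from dataclasses import dataclass
from typing import Any


def sha1_thumbprint(certificate_der: bytes) -> str:
    """Thumbprint as the reference defines it: SHA1 over the DER encoding, upper-case hex."""
    return hashlib.sha1(certificate_der).hexdigest().upper()


def _normalize_thumbprint(value: str) -> str:
    """Make thumbprints comparable regardless of case and of ':' or ' ' separators."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def _resolution_value(resolution: Any) -> str:
    """Accept either a CertificateModification enum member or its plain string value."""
    return getattr(resolution, "value", resolution)


def verify_certificate_modification(result: Any, certificate_der: bytes, expect_present: bool) -> bool:
    """Return True only if the service reported the certificate we sent, in the expected state.

    A thumbprint mismatch means the service acted on a different certificate than
    intended; an unexpected resolution means the add or remove did not take effect.
    """
    expected = sha1_thumbprint(certificate_der)
    if _normalize_thumbprint(result.certificate_thumbprint) != expected:
        return False
    wanted = "IsPresent" if expect_present else "IsAbsent"
    return _resolution_value(result.certificate_resolution) == wanted


# Constructed stand-in for the SDK's PolicyCertificatesModificationResult (offline use only).
@dataclass
class _StubModificationResult:
    certificate_thumbprint: str
    certificate_resolution: Any


# Constructed sample bytes standing in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(32))


if __name__ == "__main__":
    # After a successful add the service is expected to report the same thumbprint and IsPresent.
    after_add = _StubModificationResult(sha1_thumbprint(SAMPLE_DER).lower(), "IsPresent")
    print(verify_certificate_modification(after_add, SAMPLE_DER, expect_present=True))
```

With the real SDK, pass `response.value` from the add or remove call as `result`.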
    reset_policy(attestation_type: AttestationType, signing_key: Optional[AttestationSigningKey] = None, **kwargs: dict[str, Any]) → AttestationResponse[PolicyResult]
        Resets the attestation policy for the specified attestation type to the default value.

        Parameters:
            attestation_type (azure.security.attestation.AttestationType) – AttestationType for which to set the policy.
            attestation_policy (str) – Attestation policy to be reset.
            signing_key (azure.security.attestation.AttestationSigningKey) – Signing key to be used to sign the policy before sending it to the service.

        Returns:
            Attestation service response encapsulating a PolicyResult.

        Return type:
            azure.security.attestation.AttestationResponse[azure.security.attestation.PolicyResult]

        Raises:
            azure.security.attestation.AttestationTokenValidationException – Raised when an attestation token is invalid.

        Note: if the attestation instance is in Isolated mode, then the signing_key parameter MUST be a signing key containing one of the certificates returned by get_policy_management_certificates(). If the attestation instance is in AAD mode, then the signing_key parameter does not need to be provided.

    set_policy(attestation_type: azure.security.attestation._generated.models._azure_attestation_rest_client_enums.AttestationType, attestation_policy: str, signing_key: Optional[azure.security.attestation._models.AttestationSigningKey] = None, **kwargs: Any) → azure.security.attestation._models.AttestationResponse[azure.security.attestation._models.PolicyResult]
        Sets the attestation policy for the specified attestation type.

        Parameters:
            attestation_type (azure.security.attestation.AttestationType) – AttestationType for which to set the policy.
            attestation_policy (str) – Attestation policy to be set.
            signing_key (azure.security.attestation.AttestationSigningKey) – Signing key to be used to sign the policy before sending it to the service.

        Returns:
            Attestation service response encapsulating a PolicyResult.

        Return type:
            azure.security.attestation.AttestationResponse[azure.security.attestation.PolicyResult]

        Raises:
            azure.security.attestation.AttestationTokenValidationException – Raised when an attestation token is invalid.

        Note: if the attestation instance is in Isolated mode, then the signing_key parameter MUST be a signing key containing one of the certificates returned by get_policy_management_certificates(). If the attestation instance is in AAD mode, then the signing_key parameter does not need to be provided.
class azure.security.attestation.AttestationType
    An enumeration.

    OPEN_ENCLAVE = 'OpenEnclave'
        OpenEnclave extensions to SGX.

    SGX_ENCLAVE = 'SgxEnclave'
        Intel Software Guard eXtensions.

    TPM = 'Tpm'
        Edge TPM Virtualization Based Security.
class azure.security.attestation.AttestationToken(**kwargs)
    Represents a token returned from the attestation service.

    Keyword Arguments:
        body (Any) – The body of the newly created token, if provided.
        signer (azure.security.attestation.AttestationSigningKey) – If specified, the key used to sign the token. If the signer property is not specified, the token created is unsecured.
        token (str) – If no body or signer is provided, the string representation of the token.
        body_type (Type) – The underlying type of the body of the ‘token’ parameter, used to deserialize the underlying body when parsing the token.

    validate_token(options: TokenValidationOptions = None, signers: list[AttestationSigner] = None) → bool
        Validate the attestation token based on the options specified in the

        Parameters:
            options (azure.security.attestation.TokenValidationOptions) – Options to be used when validating the token.
            signers (list[azure.security.attestation.AttestationSigner]) – Potential signers for the token. If the signers parameter is specified, validate_token will only consider the signers as potential signatories for the token; otherwise it will consider attributes in the header of the token.

        Returns (bool):
            True if the token successfully validated, False otherwise.

        Raises:
            azure.security.attestation.AttestationTokenValidationException
    property algorithm
        Json Web Token Header “alg”. See RFC 7515 Section 4.1.1 for details.
        If the value of algorithm is “none” it indicates that the token is unsecured.

    property certificate_sha256_thumbprint
        The “thumbprint” of the certificate used to sign the request, generated using the SHA256 algorithm. See RFC 7515 Section 4.1.8 for details.

    property certificate_thumbprint
        The “thumbprint” of the certificate used to sign the request. See RFC 7515 Section 4.1.7 for details.

    property content_type
        Json Web Token Header “content type”. See RFC 7515 Section 4.1.10 for details.

    property critical
        Json Web Token Header “Critical”. See RFC 7515 Section 4.1.11 for details.

    property expiration_time
        Expiration time for the token.

    property issuance_time
        Time when the token was issued.

    property issuer
        Json Web Token “iss” claim. See RFC 7519 Section 4.1.1 for details.

    property key_id
        Json Web Token Header “kid”. See RFC 7515 Section 4.1.4 for details.

    property key_url
        Json Web Token Header “Key URL”. See RFC 7515 Section 4.1.2 for details.

    property not_before_time
        Time before which the token is invalid.

    property type
        Json Web Token Header “typ”. See RFC 7515 Section 4.1.9 for details.

    property x509_certificate_chain
        An array of Base64 encoded X.509 certificates which represent a certificate chain used to sign the token. See RFC 7515 Section 4.1.6 for details.

    property x509_url
        Json Web Token Header “X509 URL”. See RFC 7515 Section 4.1.5 for details.
class azure.security.attestation.AttestationSigner(certificates: list[bytes], key_id: str, **kwargs: Any)
    Represents a signing certificate returned by the Attestation Service.

    Parameters:
        certificates (list[bytes]) – A list of Base64 encoded X.509 certificates representing an X.509 certificate chain. The first of these certificates will be used to sign an AttestationToken.
        key_id (str) – A string which identifies a signing key. See RFC 7517 Section 4.5.

class azure.security.attestation.AttestationResponse(token, value)
    Represents a response from the attestation service.

    Parameters:
        token (azure.security.attestation.AttestationToken) – Attestation token returned from the service.
        value (T) – Value of the body of the attestation token.
class azure.security.attestation.AttestationResult(**kwargs: Dict[str, Any])
    An AttestationResult represents the claims returned from the attestation service as a result of a call to azure.security.attestation.AttestationClient.attest_sgx() or AttestationClient.attest_open_enclave().

    Keyword Arguments:
        issuer (str) – Entity which issued the attestation token.
        confirmation (dict) – Confirmation claim for the token.
        unique_identifier (str) – Unique identifier for the token.
        nonce (str) – Returns the input nonce attribute passed to the attest API.
        version (str) – Version of the token. Must be “1.0”.
        runtime_claims (dict) – Runtime claims passed in from the caller of the attest API.
        inittime_claims (dict) – Inittime claims passed in from the caller of the attest API.
        enclave_held_data (bytes) – Runtime data passed in from the caller of the attest API.
        policy_claims (dict) – Attestation claims issued by policies.
        verifier_type (str) – Verifier which generated this token.
        policy_signer (azure.security.attestation.AttestationSigner) – If the policy which processed the request is signed, this will be the certificate which signed the policy.
        policy_hash (str) – The hash of the policy which processed the attestation evidence.
        is_debuggable (bool) – True if the SGX enclave being attested is debuggable.
        product_id (int) – Product ID for the SGX enclave being attested.
        mr_enclave (str) – MRENCLAVE value for the SGX enclave being attested.
        mr_signer (str) – MRSIGNER value for the SGX enclave being attested.
        svn (int) – Security version number for the SGX enclave being attested.
        sgx_collateral (dict) – Collateral which identifies the collateral used to create the token.
    property confirmation
        Returns the confirmation claim for the attestation token.
        If present, the confirmation property can be used to identify a proof of possession of a key. See RFC 7800 Section 3.1 for details.

    property enclave_held_data
        Returns the value of the runtime_data field specified as an input to the azure.security.attestation.AttestationClient.attest_sgx() or azure.security.attestation.AttestationClient.attest_open_enclave() API.

        Note: the enclave_held_data property will only be populated if the runtime_data parameter to the Attest API is marked as not being JSON.

    property inittime_claims
        Returns the inittime claims in the token.
        This value will match the input inittime_data property to the azure.security.attestation.AttestationClient.attest_sgx() or azure.security.attestation.AttestationClient.attest_open_enclave() API.

        Note: the inittime_claims property will only be populated if the inittime_data parameter to the Attest API is marked as being JSON.

    property is_debuggable
        Returns “True” if the source evidence being attested indicates that the TEE has debugging enabled.

    property issuer
        Returns the issuer of the attestation token.
        The issuer for the token MUST be the same as the instance_uri associated with the azure.security.attestation.AttestationClient object. If it is not, then the token should be rejected. See RFC 7519 Section 4.1.1 for details.

    property mr_enclave
        Returns the HEX encoded mr-enclave value of the SGX enclave being attested.

    property mr_signer
        Returns the HEX encoded mr-signer value of the SGX enclave being attested.

    property nonce
        Returns the value of the “nonce” input to the attestation request.

    property policy_claims
        Returns the claims for the token generated by attestation policy.

    property policy_hash
        Returns the base64url encoded SHA256 hash of the Base64Url encoded attestation policy which was applied when generating this token.

    property policy_signer
        Returns the signing certificate which was used to sign the policy which was applied when the token was generated.

    property product_id
        Returns the product id associated with the SGX enclave being attested.

    property runtime_claims
        Returns the runtime claims in the token.
        This value will match the input runtime_data property to the azure.security.attestation.AttestationClient.attest_sgx() or azure.security.attestation.AttestationClient.attest_open_enclave() API.

        Note: the runtime_claims property will only be populated if the runtime_data parameter to the Attest API is marked as being JSON.

    property sgx_collateral
        Returns a set of information describing the complete set of inputs to the oe_verify_evidence

    property unique_id
        Returns a unique ID claim for the attestation token.
        If present, the unique_id property can be used to distinguish between different attestation tokens. See RFC 7519 Section 4.1.7 for details.

    property verifier_type
        Returns the verifier which generated this attestation token.
class azure.security.attestation.AttestationData(data: bytes, is_json: Optional[bool] = None)
    AttestationData represents an object passed as an input to the Attestation Service.

    AttestationData comes in two forms: Binary and JSON. To distinguish between the two, when an AttestationData object is created, the caller provides an indication that the input binary data will be treated as either JSON or Binary. If the is_json parameter is not provided, then the AttestationData constructor will probe the data parameter to determine whether the data should be treated as JSON.

    The AttestationData is reflected in the generated AttestationResult in two possible ways. If the AttestationData is Binary, then the AttestationData is reflected in the AttestationResult.enclave_held_data claim. If the AttestationData is JSON, then the AttestationData is expressed as JSON in the AttestationResult.runtime_claims or AttestationResult.inittime_claims claim.
class azure.security.attestation.TokenValidationOptions(**kwargs: Any)
    Validation options for an Attestation Token object.

    Keyword Arguments:
        validate_token (bool) – If True, validate the token; otherwise return the token unvalidated.
        validation_callback (Callable[[AttestationToken, AttestationSigner], bool]) – Callback to allow clients to perform custom validation of the token.
        validate_signature (bool) – If True, validate the signature of the token being validated.
        validate_expiration (bool) – If True, validate the expiration time of the token being validated.
        issuer (str) – Expected issuer, used if validate_issuer is True.
        validate_issuer (bool) – If True, validate that the issuer of the token matches the expected issuer.
        validate_not_before_time (bool) – If True, validate the “Not Before” time in the token.
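As an added example that is not part of the package or its samples, the following builds a validation_callback for TokenValidationOptions (used with AttestationToken.validate_token()) that enforces two rules the reference states: an "alg" header of "none" marks an unsecured token, and the "iss" claim must match the instance URL the client was created for, otherwise the token is rejected. It assumes the callback receives an AttestationToken exposing algorithm and issuer and an AttestationSigner exposing certificates (None when no signer was resolved, which is an assumption about the SDK); _StubToken and _StubSigner are constructed stand-ins so the callback can be exercised offline.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Optional
from urllib.parse import urlparse


def _same_origin(issuer: str, instance_url: str) -> bool:
    """True when issuer and instance URL share scheme and host, and the scheme is https.

    Trailing slashes and host case are ignored so that
    https://x.attest.azure.net and https://x.attest.azure.net/ compare equal.
    """
    a, b = urlparse(issuer), urlparse(instance_url)
    if a.scheme.lower() != "https" or b.scheme.lower() != "https":
        return False
    return a.netloc.lower() == b.netloc.lower()


def make_token_check(instance_url: str) -> Callable[[Any, Any], bool]:
    """Build a validation_callback(token, signer) -> bool for TokenValidationOptions.

    Returns False (reject) when:
      * the JWS "alg" header is "none": the token is unsecured;
      * no signer carrying a certificate was resolved (assumption: the SDK passes
        None for an unsecured token), so the signature cannot have been checked;
      * the "iss" claim is not the instance URL the client was created for.
    """
    def check(token: Any, signer: Any) -> bool:
        if (token.algorithm or "").lower() == "none":
            return False
        if signer is None or not getattr(signer, "certificates", None):
            return False
        return _same_origin(token.issuer or "", instance_url)
    return check


def build_validation_options(instance_url: str) -> Any:
    """TokenValidationOptions wired with the check above plus the built-in checks.

    The SDK import is deferred so that this module loads without the package installed.
    """
    from azure.security.attestation import TokenValidationOptions
    return TokenValidationOptions(
        validate_token=True,
        validate_signature=True,
        validate_expiration=True,
        validate_not_before_time=True,
        validate_issuer=True,
        issuer=instance_url,
        validation_callback=make_token_check(instance_url),
    )


# Constructed stand-ins (not SDK types) so the callback can be exercised offline.
@dataclass
class _StubToken:
    algorithm: Optional[str]
    issuer: Optional[str]


@dataclass
class _StubSigner:
    certificates: list = field(default_factory=list)


if __name__ == "__main__":
    # Hypothetical instance URL; a real one comes from the attestation instance you created.
    check = make_token_check("https://myinstance.attest.azure.net")
    print(check(_StubToken("RS256", "https://myinstance.attest.azure.net/"), _StubSigner([b"der"])))
    print(check(_StubToken("none", "https://myinstance.attest.azure.net"), _StubSigner([b"der"])))
```

Pass the result of build_validation_options() as the options argument of validate_token() on the AttestationToken held in AttestationResponse.token.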
class azure.security.attestation.StoredAttestationPolicy(policy: str)
    Represents an attestation policy in storage.

    When serialized, the StoredAttestationPolicy object will Base64Url encode the UTF-8 representation of the policy value.

    Parameters:
        policy (str) – Policy to be saved.
class azure.security.attestation.PolicyResult(policy_resolution: azure.security.attestation._generated.models._azure_attestation_rest_client_enums.PolicyModification, policy_signer: azure.security.attestation._generated.models._models_py3.JSONWebKey, policy_token_hash: str)
    PolicyResult represents the result of a azure.security.attestation.AttestationAdministrationClient.set_policy() or azure.security.attestation.AttestationAdministrationClient.reset_policy() API call.

    The PolicyResult class is returned as the body of an attestation token from the attestation service. It can be used to ensure that the attestation service received the policy object sent from the client without alteration.

    Parameters:
        policy_resolution (azure.security.attestation.PolicyModification) – The result of the policy set or reset call.
        policy_signer (azure.security.attestation.AttestationSigner) – If the call to set_policy or reset_policy had an AttestationSigningKey parameter, this will be the certificate which was specified in this parameter.
        policy_token_hash (str) – The hash of the complete JSON Web Signature presented to the set_policy or reset_policy API.
class azure.security.attestation.CertificateModification
    The result of the operation.

    IS_ABSENT = 'IsAbsent'
        After the operation was performed, the certificate is no longer present in the set of certificates.

    IS_PRESENT = 'IsPresent'
        After the operation was performed, the certificate is in the set of certificates.
class azure.security.attestation.AttestationSigningKey(signing_key_der: bytes, certificate_der: bytes)
    Represents a signing key used by the attestation service.

    Typically the signing key used by the service consists of two components: an RSA or ECDSA private key and an X.509 certificate wrapped around the public key portion of the private key.
class azure.security.attestation.TpmAttestationRequest(data)
    Represents a request for TPM attestation.

    Parameters:
        data (bytes) – The data sent to the Attestation Service in the parameter to azure.security.attestation.AttestationClient.attest_tpm().

class azure.security.attestation.TpmAttestationResponse(data)
    Represents a response from TPM attestation.

    Parameters:
        data (bytes) – The data received from the Attestation Service in response to a call to azure.security.attestation.AttestationClient.attest_tpm().
class azure.security.attestation.PolicyModification
    The result of the operation.

    REMOVED = 'Removed'
        The specified policy object was removed.

    UPDATED = 'Updated'
        The specified policy object was updated.
class azure.security.attestation.PolicyCertificatesModificationResult(certificate_thumbprint: str, certificate_resolution: azure.security.attestation._generated.models._azure_attestation_rest_client_enums.CertificateModification)
    The result of a policy certificate modification.