1.0.0 (2021-05-11)
Changed
- Final changes for Azure Attestation Service for .NET, including API review feedback. Mostly code cleanups, but significant improvements to the `AttestationToken` class.
Breaking change
- Clients no longer need to instantiate `SecuredAttestationToken` or `UnsecuredAttestationToken` objects to validate the token hash. All of the functionality associated with `SecuredAttestationToken` and `UnsecuredAttestationToken` has been folded into the `AttestationToken` class. As a result, the `SecuredAttestationToken` and `UnsecuredAttestationToken` types have been removed.
```csharp
// The SetPolicyAsync API will create an AttestationToken signed with the AttestationTokenSigningKey to transmit the policy.
// To verify that the policy specified by the caller was received by the service inside the enclave, we
// verify that the hash of the policy document returned from the Attestation Service matches the hash
// of an attestation token created locally.
// (TokenSigningKey was renamed AttestationTokenSigningKey in this release.)
AttestationTokenSigningKey signingKey = new AttestationTokenSigningKey(<Customer provided signing key>, <Customer provided certificate>);
var policySetToken = new AttestationToken(
    BinaryData.FromObjectAsJson(new StoredAttestationPolicy { AttestationPolicy = attestationPolicy }),
    signingKey);

// Hash the serialized token locally and compare it with the hash the service returned.
// setResult is the response returned by the earlier SetPolicyAsync call.
using var shaHasher = SHA256Managed.Create();
byte[] attestationPolicyHash = shaHasher.ComputeHash(Encoding.UTF8.GetBytes(policySetToken.Serialize()));
Debug.Assert(attestationPolicyHash.SequenceEqual(setResult.Value.PolicyTokenHash.ToArray()));
```
- The JSON Web Token associated properties in the `AttestationToken` class have been converted to nullable types to allow the AttestationToken class to express JSON Web Signature objects.
- The token validation related properties in the `AttestationClientOptions` class (validateAttestationTokens, validationCallback) have been moved into the new `TokenValidationOptions` class.
- The `TokenValidationOptions` class contains a number of options to tweak the JSON Web Token validation process, modeled extremely loosely after constructs in Nimbus JWT and PyJWT.
- The validationCallback in the `TokenValidationOptions` object has been moved to a `TokenValidated` event on the `TokenValidationOptions` class. The `TokenValidated` event derives from the SyncAsyncEventHandler class, enabling both synchronous and asynchronous event handlers.
- The `TokenBody` and `TokenHeader` properties have been removed from the AttestationToken object since they were redundant.
- The `TokenSigningKey` type has been renamed `AttestationTokenSigningKey`.
- The `PolicyResult` type has been renamed `PolicyModificationResult`.
- The constructor for the `AttestationToken` class has been changed from taking an `object` to taking a `BinaryData`. This allows callers to use their preferred serialization mechanism. The constructor for `AttestationToken` will ensure that the `body` parameter is in fact a serialized JSON object to ensure it is compatible with the JSON Web Signature encoding algorithms.
- The inputs to the AttestSgxEnclave and AttestOpenEnclave APIs have been restructured to reduce the number of parameters passed into the API.
- When creating an `AttestationData` object specifying that the body type is "JSON", the binary data passed in will be verified to contain a JSON object.
- The return value of `GetPolicyManagementCertificates` has been changed from `AttestationResult<PolicyCertificatesResult>` to `AttestationResult<IReadOnlyList<X509Certificate2>>` to simplify the experience of retrieving the certificate list. As a consequence of this change, the `PolicyCertificatesResult` type has been removed.
- The unused `TpmAttestationRequest` and `TpmAttestationResponse` types have been removed.
- The `AttestationTokenSigningKey` will now ensure that the public key in the provided certificate is the public key corresponding to the private key.
- `AttestTpm` and `AttestTpmAsync` are changed to accept a new `TpmAttestationRequest` and return a `TpmAttestationResponse` instead of accepting and returning a `BinaryData`. The semantics of the API do not change, just the encapsulation of the BinaryData.
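
The kind of key/certificate consistency check described for `AttestationTokenSigningKey` above can be reproduced before handing a key pair to the SDK. This is an added example using only .NET base class library calls, not the SDK's own implementation; `SigningKeyCheck`, `CertificateMatchesKey`, `SelfSigned` and the certificate subjects are hypothetical names, and the keys and certificates are constructed at run time.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SigningKeyCheck
{
    // Hypothetical helper (not SDK code): true when the certificate's RSA public key
    // has the same modulus and exponent as the public half of the private key.
    public static bool CertificateMatchesKey(RSA privateKey, X509Certificate2 certificate)
    {
        using RSA certKey = certificate.GetRSAPublicKey();
        if (certKey is null)
        {
            return false; // the certificate does not carry an RSA key
        }

        // Export only the public parameters (false = no private material).
        RSAParameters fromKey = privateKey.ExportParameters(false);
        RSAParameters fromCert = certKey.ExportParameters(false);
        return fromKey.Modulus.SequenceEqual(fromCert.Modulus)
            && fromKey.Exponent.SequenceEqual(fromCert.Exponent);
    }

    // Constructed test input: a short-lived self-signed certificate for the given key.
    static X509Certificate2 SelfSigned(RSA key, string subject)
    {
        var request = new CertificateRequest(
            subject, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    }

    static void Main()
    {
        using RSA signingKey = RSA.Create(2048);
        using RSA otherKey = RSA.Create(2048);
        using X509Certificate2 matching = SelfSigned(signingKey, "CN=constructed-policy-signer");
        using X509Certificate2 mismatched = SelfSigned(otherKey, "CN=constructed-other-signer");

        // The first pair belongs together; the second pairs a key with a foreign certificate.
        Console.WriteLine($"matching pair accepted:   {CertificateMatchesKey(signingKey, matching)}");
        Console.WriteLine($"mismatched pair accepted: {CertificateMatchesKey(signingKey, mismatched)}");
    }
}
```

A mismatched pair matters for policy management because a token signed by one key but carrying another key's certificate cannot be validated against the certificate the service sees.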