def test_token_expiration(self):
        token30sec = AttestationToken(body={
            "exp": time()+30, # Expires in 30 seconds
            "iat": time(),
            "nbf": time() # Not valid before now.
        })
        assert token30sec.validate_token() is True

        expired_token=AttestationToken(body={
            "exp": time()-30, # Expired 30 seconds ago
            "iat": time(),
            "nbf": time()+5 # Not valid for 5 seconds.
        })
        with pytest.raises(AttestationTokenValidationException):
            assert expired_token.validate_token() is False

        early_token=AttestationToken(body={
            "exp": time()+30, # Expires in 30 seconds
            "iat": time(),
            "nbf": time()+5 # Not valid for 5 seconds.
        })
        with pytest.raises(AttestationTokenValidationException):
            assert early_token.validate_token() is False

        # Specify 40 seconds of slack, so we're within the slack.
        # Token validation should start succeeding now because the slack
        # lets it work.
        token_options=TokenValidationOptions(validation_slack=40)
        assert expired_token.validate_token(token_options) is True
        assert early_token.validate_token(token_options) is True
예제 #2
0
    async def attest_open_enclave_shared_with_options(self):
        """
        Demonstrates calling into the attest_open_enclave API using an attestation
        token validation callback to perform validation of the attestation collateral
        received from the server.
        """

        write_banner("attest_open_enclave_shared_with_options")
        oe_report = base64.urlsafe_b64decode(sample_open_enclave_report)
        runtime_data = base64.urlsafe_b64decode(sample_runtime_data)
        print()
        print('Attest Open enclave using ', self.shared_url)

        # [START attest_open_enclave_shared_with_options]

        def validate_token(token, signer):
            #type(AttestationToken, AttestationSigner) -> bool
            """
        Perform minimal validation of the issued SGX token.
        The token validation logic will have checked the issuance_time
        and expiration_time, but this shows accessing those fields.
        
        The validation logic also checks the subject of the certificate to verify
        that the issuer of the certificate is the expected instance of the service.
        """
            print("In validation callback, checking token...")
            print("     Token issuer: ", token.issuer)
            print("     Token was issued at: ", token.issuance_time)
            print("     Token expires at: ", token.expiration_time)
            if token.issuer != self.shared_url:
                print(
                    "Token issuer {} does not match expected issuer {}".format(
                        token.issuer, self.shared_url))
                return False

            # Check the subject of the signing certificate used to validate the token.
            certificate = cryptography.x509.load_der_x509_certificate(
                signer.certificates[0], backend=default_backend())
            if certificate.subject != x509.Name(
                [x509.NameAttribute(NameOID.COMMON_NAME, self.shared_url)]):
                print(
                    "Certificate subject {} does not match expected subject {}"
                    .format(certificate.subject, self.shared_url))
                return False

            print("Token passes validation checks.")
            return True

        async with self._create_client(
                self.shared_url,
                token_validation_options=TokenValidationOptions(
                    validation_callback=validate_token)) as attest_client:
            response = await attest_client.attest_open_enclave(
                oe_report,
                runtime_data=AttestationData(runtime_data, is_json=False))

        print("Issuer of token is: ", response.value.issuer)
 def create_client(self, base_uri, **kwargs): 
     #type:(str, Any) -> AttestationClient
     """
     docstring
     """
     credential = self.get_credential(AttestationClient)
     attest_client = self.create_client_from_credential(AttestationClient,
         credential=credential,
         instance_url=base_uri,
         token_validation_options = TokenValidationOptions(
             validate_token=True,
             validate_signature=True,
             validate_issuer=self.is_live,
             issuer=base_uri,
             validate_expiration=self.is_live))
     return attest_client
예제 #4
0
 def create_admin_client(
         self, base_uri):  #type() -> AttestationAdministrationClient:
     """
         docstring
         """
     credential = self.get_credential(AttestationAdministrationClient,
                                      is_async=True)
     attest_client = self.create_client_from_credential(
         AttestationAdministrationClient,
         credential=credential,
         instance_url=base_uri,
         token_validation_options=TokenValidationOptions(
             validate_token=True,
             validate_signature=True,
             validate_issuer=self.is_live,
             issuer=base_uri,
             validate_expiration=self.is_live))
     return attest_client
    def test_token_callback_rejected(self):
        key = self._create_rsa_key()
        cert = self._create_x509_certificate(key, u'test certificate')

        token_signer = AttestationSigningKey(key, cert)

        token = AttestationToken(body={"val1": [1, 2, 3]}, signer=token_signer)
        assert token.get_body()== {"val1": [1, 2, 3]}

        global callback_invoked
        callback_invoked = False

        def callback(token, signer):
            assert signer.certificates[0]==cert
            return False

        options = TokenValidationOptions(validation_callback = callback)
        with pytest.raises(AttestationTokenValidationException):
            assert token.validate_token(options) is False