@azure/attestation 1.0.1-alpha.20241126.1 → 1.0.1-alpha.20241127.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/dist/attestation.d.ts +0 -904
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@azure/attestation",
3
- "version": "1.0.1-alpha.20241126.1",
3
+ "version": "1.0.1-alpha.20241127.1",
4
4
  "description": "Javascript/Typescript client implementation for the Microsoft Azure Attestation service.",
5
5
  "sdk-type": "client",
6
6
  "main": "./dist/commonjs/index.js",
package/dist/attestation.d.ts DELETED
@@ -1,904 +0,0 @@
1
- import type { CommonClientOptions } from '@azure/core-client';
2
- import type { OperationOptions } from '@azure/core-client';
3
- import type { TokenCredential } from '@azure/core-auth';
4
-
5
- /**
6
- * Attestation Client class.
7
- *
8
- * The AttestationClient class enables access to the Attestation related APIs:
9
- *
10
- * - getPolicy
11
- * - setPolicy
12
- * - resetPolicy
13
- * - getPolicyManagementCertificates
14
- * - addPolicyManagementCertificate
15
- * - removePolicyManagementCertificate
16
- */
17
- export declare class AttestationAdministrationClient {
18
- /**
19
- * Creates an instance of AttestationAdministrationClient.
20
- *
21
- * Example usage:
22
- * ```ts
23
- * import { AttestationAdministrationClient } from "@azure/attestation";
24
- *
25
- * const client = new AttestationAdministrationClient(
26
- * "<service endpoint>",
27
- * new TokenCredential("<>")
28
- * );
29
- * ```
30
- *
31
- * @param endpoint - The attestation instance endpoint, for example https://mytenant.attest.azure.net.
32
- * @param credential - Used to authenticate requests to the service.
33
- * @param options - Used to configure the Form Recognizer client.
34
- */
35
- constructor(endpoint: string, credentials: TokenCredential, options?: AttestationAdministrationClientOptions);
36
- /**
37
- * Retrieves the attestation policy document from the server, and returns it
38
- * to the caller.
39
- *
40
- * @param attestationType - AttestationType for which to retrieve policy.
41
- * @param options - Pipeline and client options for the `getPolicy` call.
42
- * @returns `AttestationResponse<string>` - the `value` property is the
43
- * attestation policy, the `token` property will be the actual token
44
- * returned by the attestation service.
45
- */
46
- getPolicy(attestationType: AttestationType, options?: AttestationAdministrationClientPolicyOperationOptions): Promise<AttestationResponse<string>>;
47
- /**
48
- * Sets the attestation policy for the specified {@link attestationType}.
49
- *
50
- * @param attestationType - Attestation Type for which to set policy.
51
- * @param newPolicyDocument - Policy document to be set.
52
- * @param options - call options.
53
- * @returns An {@link AttestationResponse} wrapping a {@link PolicyResult}.
54
- * Clients can use the PolicyResult to validate that the policy was actually
55
- * set by the attestation service.
56
- *
57
- * @remarks
58
- *
59
- * Please note that if the attestation service instance is running in "Isolated"
60
- * mode, the {@link signingKey} must be one of the signing keys configured for the
61
- * service instance.
62
- *
63
- * @throws {@link Error} when a private key is specified without a certificate and vice versa.
64
- * @throws {@link Error} when the key in the certificate provided does not match the private key.
65
- */
66
- setPolicy(attestationType: AttestationType, newPolicyDocument: string, options?: AttestationAdministrationClientPolicyOperationOptions): Promise<AttestationResponse<PolicyResult>>;
67
- /**
68
- * Resets the attestation policy for the specified {@link attestationType} to
69
- * the default value.
70
- *
71
- * @param attestationType - Attestation Type for which to set policy.
72
- * @param options - call options.
73
- * @returns An {@link AttestationResponse} wrapping a {@link PolicyResult}.
74
- * Clients can use the PolicyResult to validate that the policy was actually
75
- * reset by the attestation service.
76
- *
77
- * @remarks
78
- *
79
- * Please note that if the attestation service instance is running in "Isolated"
80
- * mode, the {@link signingKey} must be one of the signing keys configured for the
81
- * service instance.
82
- *
83
- * @throws {@link Error} when a private key is specified without a certificate and vice versa.
84
- * @throws {@link Error} when the key in the certificate provided does not match the private key.
85
- */
86
- resetPolicy(attestationType: AttestationType, options?: AttestationAdministrationClientPolicyOperationOptions): Promise<AttestationResponse<PolicyResult>>;
87
- /** Returns the set of policy management certificates for this attestation instance.
88
- *
89
- * @remarks If the attestation instance is not in `Isolated` mode, this list will
90
- * always be empty.
91
- *
92
- * @param options - Options for the call to the attestation service.
93
- * @returns AttestationResponse wrapping a list of Attestation Signers.
94
- */
95
- getPolicyManagementCertificates(options?: AttestationAdministrationClientPolicyCertificateOperationOptions): Promise<AttestationResponse<AttestationSigner[]>>;
96
- /** Add a new certificate chain to the set of policy management certificates.
97
- *
98
- * @param pemCertificate - PEM encoded certificate to add to the set of policy management certificates.
99
- * @param privateKey - Existing attestation private key used to sign the incoming request.
100
- * @param certificate - Existing attestation certificate used to verify the incoming request.
101
- * @param options - Options used in the call to the service.
102
- * @returns An attestation response including a PolicyCertificatesModificationResult
103
- *
104
- * @remarks This API is only supported on `isolated` attestation instances.
105
- *
106
- * The signing key MUST be one of the existing attestation signing certificates. The
107
- * new pemCertificate is signed using the signingKey and the service will validate the
108
- * signature before allowing the addition.
109
- *
110
- * @throws {@link Error} when a private key is specified without a certificate and vice versa.
111
- * @throws {@link Error} when the key in the certificate provided does not match the private key.
112
- *
113
- */
114
- addPolicyManagementCertificate(pemCertificate: string, privateKey: string, certificate: string, options?: AttestationAdministrationClientPolicyCertificateOperationOptions): Promise<AttestationResponse<PolicyCertificatesModificationResult>>;
115
- private keyTypeFromCertificate;
116
- /** Add a new certificate chain to the set of policy management certificates.
117
- *
118
- * @param pemCertificate - PEM encoded certificate to add to the set of policy management certificates.
119
- * @param privateKey - Existing attestation private key used to sign the incoming request.
120
- * @param certificate - Existing attestation certificate used to verify the incoming request.
121
- * @param options - Options used in the call to the service.
122
- * @returns An attestation response including a PolicyCertificatesModificationResult
123
- *
124
- * @remarks This API is only supported on `isolated` attestation instances.
125
- *
126
- * The signing key MUST be one of the existing attestation signing certificates. The
127
- * new pemCertificate is signed using the signingKey and the service will validate the
128
- * signature before allowing the addition.
129
- *
130
- * @throws {@link Error} when a private key is specified without a certificate and vice versa.
131
- * @throws {@link Error} when the key in the certificate provided does not match the private key.
132
- */
133
- removePolicyManagementCertificate(pemCertificate: string, privateKey: string, certificate: string, options?: AttestationAdministrationClientPolicyCertificateOperationOptions): Promise<AttestationResponse<PolicyCertificatesModificationResult>>;
134
- private signingKeys;
135
- private _client;
136
- private _signers?;
137
- private _validationOptions?;
138
- }
139
-
140
- /**
141
- * Operation options for the Attestation Administration Client operations.
142
- */
143
- export declare interface AttestationAdministrationClientOperationOptions extends OperationOptions {
144
- /**
145
- * Options to be used globally to validate attestation tokens received from
146
- * the attestation service.
147
- */
148
- validationOptions?: AttestationTokenValidationOptions;
149
- }
150
-
151
- /**
152
- * Attestation Client Construction Options.
153
- */
154
- export declare interface AttestationAdministrationClientOptions extends CommonClientOptions {
155
- /**
156
- * Options to be used globally to validate attestation tokens received from
157
- * the attestation service.
158
- */
159
- validationOptions?: AttestationTokenValidationOptions;
160
- }
161
-
162
- /**
163
- * Operation options for the Policy Certificates operations.
164
- */
165
- export declare interface AttestationAdministrationClientPolicyCertificateOperationOptions extends AttestationAdministrationClientOperationOptions {
166
- }
167
-
168
- /**
169
- * Operation options for the administration Policy operations.
170
- */
171
- export declare interface AttestationAdministrationClientPolicyOperationOptions extends AttestationAdministrationClientOperationOptions {
172
- /**
173
- * Optional Private key used to sign the token sent to the attestation service.
174
- *
175
- * Required for Isolated Mode attestation instances.
176
- */
177
- privateKey?: string;
178
- /**
179
- * Optional certificate which can validate the token sent to the attestation service.
180
- *
181
- * Required for Isolated Mode attestation instances.
182
- *
183
- * If the service instance is in Isolated mode, the certificate *must* be one
184
- * of the configured policy management certificates.
185
- */
186
- certificate?: string;
187
- }
188
-
189
- /**
190
- * Attestation Client class.
191
- *
192
- * The AttestationClient class enables access to the Attestation related APIs:
193
- *
194
- * - getOpenIdMetadata
195
- * - getAttestationSigners
196
- * - attestSgxEnclave
197
- * - attestOpenEnclave
198
- * - attestTpm
199
- */
200
- export declare class AttestationClient {
201
- /**
202
- * Creates an instance of AttestationClient.
203
- *
204
- * Example usage:
205
- * ```ts
206
- * import { AttestationClient } from "@azure/attestation";
207
- *
208
- * const client = new AttestationClient(
209
- * "<service endpoint>"
210
- * );
211
- * ```
212
- *
213
- * @param endpoint - The attestation instance base URI, for example https://mytenant.attest.azure.net.
214
- * @param options - Options used to configure the Attestation Client.
215
- *
216
- */
217
- constructor(endpoint: string, options?: AttestationClientOptions);
218
- /**
219
- * Creates an instance of AttestationClient with options and credentials.
220
- *
221
- * Example usage:
222
- * ```ts
223
- * import { AttestationClient } from "@azure/attestation";
224
- *
225
- * const client = new AttestationClient(
226
- * "<service endpoint>",
227
- * new TokenCredential("<>"),
228
- * { tokenValidationOptions: { validateToken: false } }
229
- * );
230
- * ```
231
- *
232
- * Note that credentials are required to call the `attestTpm` API.
233
- *
234
- * @param endpoint - The attestation instance base URI, for example https://mytenant.attest.azure.net.
235
- * @param credentials - Credentials used to configure the attestation client.
236
- *
237
- */
238
- constructor(endpoint: string, credentials: TokenCredential, options?: AttestationClientOptions);
239
- /** Attests an OpenEnclave report generated from an SGX Enclave using the OpenEnclave SDK.
240
- *
241
- * @param report - An OpenEnclave report generated by an SGX enclave.
242
- * @param options - Operation options for the attestOpenEnclave API call.
243
- * @returns Returns an AttestationResponse whose body is an AttestationResult describing
244
- * the claims returned by the attestation service.
245
- *
246
- * @throws {@link Error} if the `initTimeData` option and `initTimeJson` option is provided.
247
- * @throws {@link Error} if the `runTimeData` option and `runTimeJson` option is provided.
248
- * @throws {@link Error} if the `initTimeJson` option is provided and the value of `initTimeJson` is not JSON.
249
- * @throws {@link Error} if the `runTimeJson` option is provided and the value of `runTimeJson` is not JSON.
250
- */
251
- attestOpenEnclave(report: Uint8Array | Buffer | Blob, options?: AttestOpenEnclaveOptions): Promise<AttestationResponse<AttestationResult>>;
252
- /** Attests a quote generated from SGX Enclave using the Intel SDK.
253
- *
254
- * @param quote - An SGX quote generated by an SGX enclave.
255
- * @param options - Operation options for the attestOpenEnclave API call.
256
- * @returns Returns an AttestationResponse whose body is an AttestationResult describing
257
- * the claims returned by the attestation service.
258
- * @throws {@link Error} if the `initTimeData` option and `initTimeJson` option is provided.
259
- * @throws {@link Error} if the `runTimeData` option and `runTimeJson` option is provided.
260
- */
261
- attestSgxEnclave(quote: Uint8Array | Buffer | Blob, options?: AttestSgxEnclaveOptions): Promise<AttestationResponse<AttestationResult>>;
262
- /** Attest a TPM based enclave.
263
-
264
- * See the {@link https://docs.microsoft.com/en-us/azure/attestation/virtualization-based-security-protocol | TPM Attestation Protocol Reference} for more information.
265
- *
266
- * @param request - Incoming request to send to the TPM attestation service, Utf8 encoded.
267
- * @param options - Pipeline options for TPM attestation request.
268
- * @returns A structure containing the response from the TPM attestation, Utf8 encoded.
269
- *
270
- * @remarks
271
- *
272
- * The incoming requests to the TPM attestation API are stringified JSON objects.
273
- *
274
- * @example
275
- * For example, the initial call for a TPM attestation operation is:
276
- *
277
- * ```js
278
- * const encodedPayload = JSON.stringify({ payload: { type: "aikcert" } });
279
- * const result = await client.attestTpm(encodedPayload);
280
- * ```
281
- *
282
- * where stringToBytes converts the string to UTF8.
283
- *
284
- * Note that the attestTpm requires an attestation client which is configured with
285
- * authentication credentials.
286
- *
287
- */
288
- attestTpm(request: string, options?: AttestTpmOptions): Promise<string>;
289
- /**
290
- * Returns the list of attestation signers which can be used to sign attestation
291
- * service tokens.
292
- *
293
- * @param options - Client operation options.
294
- * @returns the set of AttestationSigners which may be used to sign attestation tokens.
295
- */
296
- getAttestationSigners(options?: AttestationClientOperationOptions): Promise<AttestationSigner[]>;
297
- /**
298
- * Returns the OpenID Metadata discovery document for the attestation service instance.
299
- * @param options - Client operation options.
300
- * @returns The OpenID metadata discovery document for the attestation service.
301
- */
302
- getOpenIdMetadata(options?: AttestationClientOperationOptions): Promise<Record<string, unknown>>;
303
- private _client;
304
- private _validationOptions?;
305
- private _signers?;
306
- private _signingKeys;
307
- }
308
-
309
- /**
310
- * Operation options for the Attestation Client operations.
311
- */
312
- export declare interface AttestationClientOperationOptions extends OperationOptions {
313
- /**
314
- * Validation options to be used to validate attestation tokens received
315
- * from the attestation service for the individual operation.
316
- */
317
- validationOptions?: AttestationTokenValidationOptions;
318
- }
319
-
320
- /**
321
- * Attestation Client Construction Options.
322
- */
323
- export declare interface AttestationClientOptions extends CommonClientOptions {
324
- /**
325
- * Validation options to be used to validate attestation tokens received
326
- * from the attestation service.
327
- */
328
- validationOptions?: AttestationTokenValidationOptions;
329
- }
330
-
331
- /**
332
- *
333
- * An AttestationPolicyToken represents an AttestationToken which holds an attestation
334
- * policy document.
335
- *
336
- * When the attestation service receives a set policy request, the payload of the
337
- * set policy token contains a {@link https://datatracker.ietf.org/doc/html/rfc7515 | JSON Web Signature}
338
- * whose body contains the actual attestation policy document.
339
- *
340
- * The AttestationPolicyToken represents this JWS object.
341
- */
342
- export declare interface AttestationPolicyToken extends AttestationToken {
343
- }
344
-
345
- /**
346
- * An AttestationResponse represents the response from the Microsoft Azure
347
- * Attestation service. It has two properties:
348
- *
349
- * @param token - The attestation token returned from the attestation service.
350
- * @param body - The value of the response from the attestation service.
351
- * @typeparam T - The type of the {@link body} property.
352
- *
353
- */
354
- export declare interface AttestationResponse<T> {
355
- /**
356
- * The Attestation Token returned from the attestation service.
357
- */
358
- token: AttestationToken;
359
- /**
360
- * The value of the response from the attestation service, derived
361
- * from the body of the {@link token} property.
362
- */
363
- body: T;
364
- }
365
-
366
- /**
367
- * A Microsoft Azure Attestation response token body - the body of a response token issued by MAA
368
- */
369
- export declare interface AttestationResult {
370
- /**
371
- * Unique Identifier for the token.
372
- *
373
- * Corresponds to the 'jti' claim defined in
374
- * {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7 | RFC 7519 section 4.1.7}
375
- */
376
- uniqueId: string;
377
- /**
378
- * Returns the issuer of the attestation token. MUST be the same as the
379
- * endpoint used when constructing the attestation client instance.
380
- */
381
- issuer: string;
382
- /**
383
- * Returns the "nonce" value if one was specified in the Attest request.
384
- */
385
- nonce?: string;
386
- /**
387
- * The Schema version of this structure. Current Value: 1.0
388
- */
389
- version: string;
390
- /**
391
- * Returns the runtime claims in the token.
392
- *
393
- * This value will match the input `runTimeJson` property to the
394
- * {@link AttestationClient.attestSgxEnclave} or
395
- * {@link AttestationClient.attestOpenEnclave} API.
396
- *
397
- * @remarks
398
- *
399
- * The `runtimeClaims` property will only be populated if the
400
- * `runtimeJson` parameter to the `Attest` API is specified. It will
401
- * not be populated if the `runtimeData` parameter is specified.
402
- */
403
- runTimeClaims: unknown;
404
- /**
405
- * Returns the initialization time claims in the token.
406
- * This value will match the input `initTimeJson` property to the
407
- * {@link AttestationClient.attestSgxEnclave} or
408
- * {@link AttestationClient.attestOpenEnclave} API.
409
- *
410
- * @remarks
411
- *
412
- * The `initTimeClaims` property will only be populated if the `initTimeJson`
413
- * parameter to the `Attest` API is specified. It will not be populated if
414
- * the `initTimeData` parameter is specified.
415
- */
416
- initTimeClaims: unknown;
417
- /**
418
- * Returns the set of claims generated by the attestation policy on the instance.
419
- */
420
- policyClaims: unknown;
421
- /**
422
- * Returns the verifier which generated this attestation token. Normally one of:
423
- * "SGX" or "TPM", but others can be specified.
424
- */
425
- verifierType: string;
426
- /**
427
- * The certificate used to sign the policy object, if specified.
428
- */
429
- policySigner?: AttestationSigner;
430
- /**
431
- * The base64url encoded SHA256 hash of the BASE64URL encoded policy text
432
- * used for attestation.
433
- */
434
- policyHash: Uint8Array;
435
- /**
436
- * True if the enclave is debuggable, false otherwise. Only valid if `verifierType` is SGX.
437
- */
438
- isDebuggable?: boolean;
439
- /**
440
- * The SGX Product ID for the enclave. Only valid if the `verifierType` field is "SGX"
441
- */
442
- productId?: number;
443
- /**
444
- * The HEX encoded SGX MRENCLAVE value for the enclave. Only valid if the
445
- * `verifierType` field is "SGX"
446
- */
447
- mrEnclave?: string;
448
- /**
449
- * The HEX encoded SGX MRSIGNER value for the enclave. Only valid if the
450
- * `verifierType` field is "SGX"
451
- */
452
- mrSigner?: string;
453
- /**
454
- * The SGX SVN value for the enclave. Only valid if the `verifierType` field is "SGX"
455
- */
456
- svn?: number;
457
- /**
458
- * Returns the value of the runtime_data field specified as an input to the
459
- * {@link AttestationClient.attestSgxEnclave} or {@link AttestationClient.attestOpenEnclave} API.
460
- *
461
- * @remarks
462
- *
463
- * The `enclaveHeldData` property will only be populated if the
464
- * `runtimeData` parameter to the `Attest` API is specified.
465
- */
466
- enclaveHeldData?: Uint8Array;
467
- /**
468
- * Returns a set of information describing the complete set of inputs to the
469
- * Attestation validation logic.
470
- *
471
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
472
- * for more information on quote validation.
473
- */
474
- sgxCollateral?: AttestationSgxCollateralInfo;
475
- }
476
-
477
- /**
478
- * Defines the contents of the {@link AttestationResult.sgxCollateral} claim in
479
- * an {@link AttestationResult}.
480
- */
481
- export declare interface AttestationSgxCollateralInfo {
482
- /**
483
- * Hex encoded Sha256 hash of the Quoting Enclave Certificates.
484
- *
485
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
486
- * for more information on quote validation.
487
- */
488
- qeidcertshash?: string;
489
- /**
490
- * Hex encoded Sha256 hash of the Quoting Enclave Certificate CRL.
491
- *
492
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
493
- * for more information on quote validation.
494
- */
495
- qeidcrlhash?: string;
496
- /**
497
- * Hex encoded Sha256 hash of the Quoting Enclave Identity.
498
- *
499
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
500
- * for more information on quote validation.
501
- */
502
- qeidhash?: string;
503
- /**
504
- * Hex encoded Sha256 hash of the SGX Quote or OpenEnclave Report validated
505
- * by this token.
506
- *
507
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
508
- * for more information on quote validation.
509
- */
510
- quotehash?: string;
511
- /**
512
- * Hex encoded Sha256 hash of the TCB Info Certificates.
513
- *
514
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
515
- * for more information on quote validation.
516
- */
517
- tcbinfocertshash?: string;
518
- /**
519
- * Hex encoded Sha256 hash of the TCB Info Certificate CRL.
520
- *
521
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
522
- * for more information on quote validation.
523
- */
524
- tcbinfocrlhash?: string;
525
- /**
526
- * Hex encoded Sha256 hash of the TCB Info for the device being attested.
527
- *
528
- * See the {@link https://software.intel.com/content/www/us/en/develop/articles/quote-verification-attestation-with-intel-sgx-dcap.html | Intel SGX documentation }
529
- * for more information on quote validation.
530
- */
531
- tcbinfohash?: string;
532
- }
533
-
534
- /**
535
- * An AttestationSigner represents a signing certificate chain/Key ID combination
536
- * returned by the attestation service.
537
- */
538
- export declare interface AttestationSigner {
539
- /**
540
- * The Key ID for the signer, as defined by the "kid" parameter in
541
- * {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4.5 | RFC 7517 section 4.5}
542
- */
543
- keyId?: string;
544
- /**
545
- * An array of X.509 certificates DER encoded and PEM encoded one of which
546
- * will be used to sign an attestation token. Also the "x5c" parameter in
547
- * {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4.7 | RFC 7517 section 4.7}
548
- */
549
- certificates: string[];
550
- }
551
-
552
- /**
553
- *
554
- * An AttestationToken represents an RFC 7515 JSON Web Signature object.
555
- *
556
- * It can represent either the token returned by the attestation service,
557
- * or it can be used to create a token locally which can be used to verify
558
- * attestation policy changes.
559
- */
560
- export declare interface AttestationToken {
561
- /**
562
- * Returns the deserialized body of the AttestationToken object.
563
- *
564
- * @returns The body of the attestation token as an object.
565
- */
566
- getBody(): unknown;
567
- /**
568
- * the token to a string.
569
- *
570
- * @remarks
571
- * Serializes the token to a string.
572
- *
573
- * @returns The token serialized to a RFC 7515 JSON Web Signature.
574
- */
575
- serialize(): string;
576
- /**
577
- * Validates the attestation token to verify that it is semantically correct.
578
- *
579
- * @param possibleSigners - the set of possible signers for this attestation token.
580
- * @param options - validation options
581
- */
582
- getTokenProblems(possibleSigners?: AttestationSigner[], options?: AttestationTokenValidationOptions): string[];
583
- /** ********* JSON WEB SIGNATURE (RFC 7515) PROPERTIES */
584
- /**
585
- * Returns the algorithm from the header of the JSON Web Signature.
586
- *
587
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.1 | RFC 7515 Section 4.1.1})
588
- * for details.
589
- *
590
- * If the value of algorithm is "none" it indicates that the token is unsecured.
591
- */
592
- algorithm: string;
593
- /**
594
- * Json Web Signature Header "kid".
595
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.4 | RFC 7515 Section 4.1.4})
596
- * for details.
597
- */
598
- keyId?: string;
599
- /**
600
- * Json Web Signature Header "crit".
601
- *
602
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.11 | RFC 7515 Section 4.1.11})
603
- * for details.
604
- *
605
- */
606
- critical?: boolean;
607
- /**
608
- * Json Web Token Header "content type".
609
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.10 | RFC 7515 Section 4.1.10})
610
- *
611
- */
612
- contentType?: string;
613
- /**
614
- * Json Web Token Header "key URL".
615
- *
616
- * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.2 | RFC 7515 Section 4.1.2})
617
- *
618
- */
619
- keyUrl?: string;
620
- /**
621
- * Json Web Token Header "X509 Url".
622
- * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.5 | RFC 7515 Section 4.1.5})
623
- *
624
- */
625
- x509Url?: string;
626
- /** Json Web Token Header "Typ".
627
- *
628
- * @see {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.9 | RFC 7515 Section 4.1.9})
629
- *
630
- */
631
- type?: string;
632
- /**
633
- * Json Web Token Header "x509 thumprint".
634
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.7 | RFC 7515 Section 4.1.7})
635
- */
636
- certificateThumbprint?: string;
637
- /** Json Web Token Header "x509 SHA256 thumprint".
638
- *
639
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.8 | RFC 7515 Section 4.1.8})
640
- *
641
- */
642
- certificateSha256Thumbprint?: string;
643
- /** Json Web Token Header "x509 certificate chain".
644
- *
645
- * See {@link https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.6 | RFC 7515 Section 4.1.6})
646
- *
647
- */
648
- certificateChain?: AttestationSigner;
649
- /** ********* JSON WEB TOKEN (RFC 7519) PROPERTIES */
650
- /** Issuer of the attestation token.
651
- * See {@link https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6 | RFC 7519 Section 4.1.6})
652
- * for details.
653
- */
654
- issuer?: string;
655
- /** Expiration time for the token, from JWT body.
656
- *
657
- * See {@link https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.4 | RFC 7519 Section 4.1.4})
658
- * for details.
659
- */
660
- expiresOn?: Date;
661
- /** Issuance time for the token, from JWT body.
662
- *
663
- * See {@link https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.6 | RFC 7519 Section 4.1.6})
664
- * for details.
665
- */
666
- issuedAt?: Date;
667
- /**
668
- * Not Before time for the token, from JWT body.
669
- *
670
- * See {@link https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.5 | RFC 7519 Section 4.1.5})
671
- * for details.
672
- */
673
- notBefore?: Date;
674
- }
675
-
676
- /**
677
- * Options used to validate attestation tokens.
678
- *
679
- * @typeparam issuer - if provided, specifies the expected issuer of the attestation token.
680
- * @typeparam validateExpirationTime - if true, validate the expiration time in the token.
681
- * @typeparam validateNotBeforeTime - if true, validate the "not before" time in the token.
682
- * @typeparam validateToken - if true, validate the token.
683
- * @typeparam timeValidationSlack - the validation time slack in the time based validations.
684
- *
685
- * @remarks
686
- *
687
- * If validateToken, validateNotBeforeTime, or validateExpirationTime are not
688
- * provided, they are all assumed to be 'true'.
689
- *
690
- */
691
- export declare interface AttestationTokenValidationOptions {
692
- /**
693
- * If true, validate the attestation token, if false, skip validation.
694
- */
695
- validateToken?: boolean;
696
- /**
697
- * If true, validate the expiration time for the token.
698
- */
699
- validateExpirationTime?: boolean;
700
- /**
701
- * If true, validate the "not before" time for the token.
702
- */
703
- validateNotBeforeTime?: boolean;
704
- /**
705
- * If true, validate the issuer of the token.
706
- */
707
- validateIssuer?: boolean;
708
- /**
709
- * The expected issuer for the {@link AttestationToken}. Only checked if {@link validateIssuer} is set.
710
- */
711
- expectedIssuer?: string;
712
- /**
713
- * Tolerance time (in seconds) used to accound for clock drift between the local machine
714
- * and the server creating the token.
715
- */
716
- timeValidationSlack?: number;
717
- /**
718
- * Validation function which allows developers to provide their own validation
719
- * functionality for the attestation token. This can be used to perform additional
720
- * validations for signing certificate in AttestationSigner.
721
- *
722
- * @param token - Attestation Token to validate.
723
- * @param signer - Signing Certificate which validated the token.
724
- *
725
- * @remarks
726
- *
727
- * If there is a problem with token validation, the validateAttestationCallback function
728
- * will return an array of strings indicating the set of problems found in the token.
729
- *
730
- * @returns an array of problems in the token, or undefined if there are no problems.
731
- */
732
- validateAttestationToken?: (token: AttestationToken, signer?: AttestationSigner) => string[] | undefined;
733
- }
734
-
735
- /**
736
- * Defines values for AttestationType. \
737
- * {@link KnownAttestationType} can be used interchangeably with AttestationType,
738
- * this enum contains the known values that the service supports.
739
- * ### Known values supported by the service
740
- * **SgxEnclave**: Intel Software Guard eXtensions \
741
- * **OpenEnclave**: OpenEnclave extensions to SGX \
742
- * **Tpm**: Edge TPM Virtualization Based Security
743
- */
744
- export declare type AttestationType = string;
745
-
746
- /**
747
- * Optional parameters for the AttestOpenEnclave API.
748
- *
749
- * @param initTimeData - data provided at the time the enclave was initialized.
750
- * @param runTimeData - data provided at the time the SGX quote being attested was created.
751
- * @param draftPolicyForAttestation - If specified, the attestation policy to be used during the attestation request.
752
- */
753
- export declare interface AttestOpenEnclaveOptions extends AttestationClientOperationOptions {
754
- /**
755
- *initTimeData : data provided at the time the enclave was initialized, to be interpreted as binary data.
756
- *
757
- */
758
- initTimeData?: Uint8Array | Buffer | Blob;
759
- /**
760
- * inittimeJson : data provided at the time the enclave was initialized, to be interpreted as JSON data.
761
- */
762
- initTimeJson?: Uint8Array | Buffer | Blob;
763
- /**
764
- * runTimeData - data provided at the time the OpenEnclave report being attested was created to be interpreted as binary data.
765
- */
766
- runTimeData?: Uint8Array | Buffer | Blob;
767
- /**
768
- * runTimeJson - data provided at the time the OpenEnclave report being attested was created to be interpreted as JSON data.
769
- */
770
- runTimeJson?: Uint8Array | Buffer | Blob;
771
- /**
772
- * draftPolicyForAttestation - If specified, the attestation policy to be used during the attestation request.
773
- */
774
- draftPolicyForAttestation?: string;
775
- }
776
-
777
- /**
778
- * Optional parameters for the AttestSgxEnclave API.
779
- *
780
- * @param initTimeData - data provided at the time the enclave was initialized.
781
- * @param runTimeData - data provided at the time the SGX quote being attested was created.
782
- * @param draftPolicyForAttestation - If specified, the attestation policy to be used during the attestation request.
783
- */
784
- export declare interface AttestSgxEnclaveOptions extends AttestationClientOperationOptions {
785
- /**
786
- *initTimeData : data provided at the time the enclave was initialized, to be interpreted as binary data.
787
- *
788
- */
789
- initTimeData?: Uint8Array | Buffer | Blob;
790
- /**
791
- * inittimeJson : data provided at the time the enclave was initialized, to be interpreted as JSON data.
792
- */
793
- initTimeJson?: Uint8Array | Buffer | Blob;
794
- /**
795
- * runTimeData - data provided at the time the OpenEnclave report being attested was created to be interpreted as binary data.
796
- */
797
- runTimeData?: Uint8Array | Buffer | Blob;
798
- /**
799
- * runTimeJson - data provided at the time the OpenEnclave report being attested was created to be interpreted as JSON data.
800
- */
801
- runTimeJson?: Uint8Array | Buffer | Blob;
802
- /**
803
- * draftPolicyForAttestation - If specified, the attestation policy to be used during the attestation request.
804
- */
805
- draftPolicyForAttestation?: string;
806
- }
807
-
808
- /**
809
- * Operation options for the AttestTpm API.
810
- */
811
- export declare interface AttestTpmOptions extends AttestationClientOperationOptions {
812
- }
813
-
814
- /**
815
- * Defines values for CertificateModification. \
816
- * {@link KnownCertificateModification} can be used interchangeably with CertificateModification,
817
- * this enum contains the known values that the service supports.
818
- * ### Known values supported by the service
819
- * **IsPresent**: After the operation was performed, the certificate is in the set of certificates. \
820
- * **IsAbsent**: After the operation was performed, the certificate is no longer present in the set of certificates.
821
- */
822
- export declare type CertificateModification = string;
823
-
824
- /** Constructs an AttestationToken containing an Attestation Policy document.
825
- *
826
- * @param policy - Attestation policy to embed in the attestation token.
827
- * @param privateKey - optional private key used to sign the attestation token.
828
- * @param certificate - optional certificate used to verify the attestation token.
829
- *
830
- * @remarks Note that if the attestation instance is running in `Isolated` mode,
831
- * the privateKey and certificate are required. If the attestation instance
832
- * is running in `AAD` mode, they are optional.
833
- *
834
- * @throws {@link Error} when the key in the certificate provided does not match the private key.
835
- */
836
- export declare function createAttestationPolicyToken(policy: string, privateKey?: string, certificate?: string): AttestationPolicyToken;
837
-
838
- /** Known values of {@link AttestationType} that the service accepts. */
839
- export declare enum KnownAttestationType {
840
- /** Intel Software Guard eXtensions */
841
- SgxEnclave = "SgxEnclave",
842
- /** OpenEnclave extensions to SGX */
843
- OpenEnclave = "OpenEnclave",
844
- /** Edge TPM Virtualization Based Security */
845
- Tpm = "Tpm"
846
- }
847
-
848
- /** Known values of {@link CertificateModification} that the service accepts. */
849
- export declare enum KnownCertificateModification {
850
- /** After the operation was performed, the certificate is in the set of certificates. */
851
- IsPresent = "IsPresent",
852
- /** After the operation was performed, the certificate is no longer present in the set of certificates. */
853
- IsAbsent = "IsAbsent"
854
- }
855
-
856
- /** Known values of {@link PolicyModification} that the service accepts. */
857
- export declare enum KnownPolicyModification {
858
- /** The specified policy object was updated. */
859
- Updated = "Updated",
860
- /** The specified policy object was removed. */
861
- Removed = "Removed"
862
- }
863
-
864
- /** The result of a policy certificate modification */
865
- export declare interface PolicyCertificatesModificationResult {
866
- /** Hex encoded SHA1 Hash of the binary representation certificate which was added or removed */
867
- certificateThumbprint: string;
868
- /** The result of the operation */
869
- certificateResolution: CertificateModification;
870
- }
871
-
872
- /**
873
- * Defines values for PolicyModification. \
874
- * {@link KnownPolicyModification} can be used interchangeably with PolicyModification,
875
- * this enum contains the known values that the service supports.
876
- * ### Known values supported by the service
877
- * **Updated**: The specified policy object was updated. \
878
- * **Removed**: The specified policy object was removed.
879
- */
880
- export declare type PolicyModification = string;
881
-
882
- /**
883
- * The result of a policy certificate modification
884
- */
885
- export declare interface PolicyResult {
886
- /**
887
- * The result of the operation
888
- */
889
- policyResolution: PolicyModification;
890
- /**
891
- * The SHA256 hash of the policy object modified
892
- */
893
- policyTokenHash: Uint8Array;
894
- /**
895
- * The certificate used to sign the policy object, if specified
896
- */
897
- policySigner?: AttestationSigner;
898
- /**
899
- * A JSON Web Token containing a StoredAttestationPolicy object with the attestation policy
900
- */
901
- policy?: string;
902
- }
903
-
904
- export { }