### YamlMime:JavaType
uid: "com.azure.security.attestation.AttestationAsyncClient"
fullName: "com.azure.security.attestation.AttestationAsyncClient"
name: "AttestationAsyncClient"
nameWithType: "AttestationAsyncClient"
summary: "The AttestationAsyncClient implements the functionality required by the \"Attest\" family of APIs."
inheritances:
- ""
inheritedClassMethods:
- classRef: "java.lang.Object"
  methodsRef:
  - "clone"
  - "equals"
  - "finalize"
  - "getClass"
  - "hashCode"
  - "notify"
  - "notifyAll"
  - "toString"
  - "wait"
  - "wait"
  - "wait"
syntax: "public final class **AttestationAsyncClient**"
methods:
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestOpenEnclave(com.azure.core.util.BinaryData)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestOpenEnclave(BinaryData report)"
  name: "attestOpenEnclave(BinaryData report)"
  nameWithType: "AttestationAsyncClient.attestOpenEnclave(BinaryData report)"
  summary: "Attest an OpenEnclave report."
  parameters:
  - description: "OpenEnclave report to attest."
    name: "report"
    type: ""
  syntax: "public Mono attestOpenEnclave(BinaryData report)"
  desc: |-
    Attest an OpenEnclave report.

    This method is a convenience method which attests evidence from an OpenEnclave enclave with no `RuntimeData` or `InitTimeData`.

    The `report` is generated via [`oe_get_report`][oe_get_report].

    It returns a result containing the claims emitted by the attestation service.

    ```java
    Mono resultWithReport = client.attestOpenEnclave(openEnclaveReport);
    ```

    [oe_get_report]: https://openenclave.github.io/openenclave/api/enclave_8h_aefcb89c91a9078d595e255bd7901ac71.html
  returns:
    description: "the result of an attestation operation."
    type: "Mono<>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestOpenEnclave(com.azure.security.attestation.models.AttestationOptions)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestOpenEnclave(AttestationOptions options)"
  name: "attestOpenEnclave(AttestationOptions options)"
  nameWithType: "AttestationAsyncClient.attestOpenEnclave(AttestationOptions options)"
  summary: "Processes an OpenEnclave report, producing an artifact."
  parameters:
  - description: "Attestation options for Intel SGX enclaves."
    name: "options"
    type: ""
  syntax: "public Mono attestOpenEnclave(AttestationOptions options)"
  desc: "Processes an OpenEnclave report, producing an artifact. The type of artifact produced is dependent upon attestation policy."
  returns:
    description: "the result of an attestation operation."
    type: "Mono<>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestOpenEnclaveWithResponse(com.azure.security.attestation.models.AttestationOptions)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestOpenEnclaveWithResponse(AttestationOptions options)"
  name: "attestOpenEnclaveWithResponse(AttestationOptions options)"
  nameWithType: "AttestationAsyncClient.attestOpenEnclaveWithResponse(AttestationOptions options)"
  summary: "Attest an OpenEnclave report, specifying RunTimeData and InitTimeData."
  parameters:
  - description: "Attestation options for attesting SGX enclaves."
    name: "options"
    type: ""
  syntax: "public Mono> attestOpenEnclaveWithResponse(AttestationOptions options)"
  desc: |-
    Attest an OpenEnclave report, specifying RunTimeData and InitTimeData. The `options` parameter allows the caller to specify the OpenEnclave `report` which contains evidence from the enclave, and runtime data which allows the enclave to specify additional data from within the enclave. When calling the API, the caller can specify whether the attestation service should treat the runtime data as binary or as JSON when it is included in the response attestation token.

    **Attest an OpenEnclave enclave with attestation options.**

    ```java
    Mono> openEnclaveResponse = client.attestOpenEnclaveWithResponse(
        new AttestationOptions(openEnclaveReport)
            .setRunTimeData(new AttestationData(runtimeData, AttestationDataInterpretation.JSON)));
    ```
  returns:
    description: "the result of an attestation operation."
    type: "Mono<<>>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestSgxEnclave(com.azure.core.util.BinaryData)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestSgxEnclave(BinaryData quote)"
  name: "attestSgxEnclave(BinaryData quote)"
  nameWithType: "AttestationAsyncClient.attestSgxEnclave(BinaryData quote)"
  summary: "Attest an SGX Enclave Quote."
  parameters:
  - description: "SGX Quote to attest."
    name: "quote"
    type: ""
  syntax: "public Mono attestSgxEnclave(BinaryData quote)"
  desc: |-
    Attest an SGX Enclave Quote.

    This method is a convenience method which attests evidence from an Intel SGX enclave with no `RuntimeData` or `InitTimeData`.

    It returns a result containing the claims emitted by the attestation service.

    ```java
    Mono resultWithReport = client.attestSgxEnclave(sgxQuote);
    ```
  returns:
    description: "the result of an attestation operation."
    type: "Mono<>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestSgxEnclave(com.azure.security.attestation.models.AttestationOptions)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestSgxEnclave(AttestationOptions options)"
  name: "attestSgxEnclave(AttestationOptions options)"
  nameWithType: "AttestationAsyncClient.attestSgxEnclave(AttestationOptions options)"
  summary: "Attest an SGX enclave quote, specifying RunTimeData and InitTimeData."
  parameters:
  - description: "Attestation options for Intel SGX enclaves."
    name: "options"
    type: ""
  syntax: "public Mono attestSgxEnclave(AttestationOptions options)"
  desc: |-
    Attest an SGX enclave quote, specifying RunTimeData and InitTimeData. The `options` parameter allows the caller to specify the SGX `quote` which contains evidence from the enclave, and runtime data which allows the enclave to specify additional data from within the enclave. When calling the API, the caller can specify whether the attestation service should treat the runtime data as binary or as JSON when it is included in the response attestation token.

    **Attest an SGX enclave with attestation options.**

    ```java
    Mono result = client.attestSgxEnclave(new AttestationOptions(sgxQuote)
        .setRunTimeData(new AttestationData(runtimeData, AttestationDataInterpretation.BINARY)));
    ```
  returns:
    description: "the result of an attestation operation."
    type: "Mono<>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestSgxEnclaveWithResponse(com.azure.security.attestation.models.AttestationOptions)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestSgxEnclaveWithResponse(AttestationOptions options)"
  name: "attestSgxEnclaveWithResponse(AttestationOptions options)"
  nameWithType: "AttestationAsyncClient.attestSgxEnclaveWithResponse(AttestationOptions options)"
  summary: "Attest an SGX enclave quote, specifying RunTimeData and InitTimeData."
  parameters:
  - description: "Attestation options for Intel SGX enclaves."
    name: "options"
    type: ""
  syntax: "public Mono> attestSgxEnclaveWithResponse(AttestationOptions options)"
  desc: |-
    Attest an SGX enclave quote, specifying RunTimeData and InitTimeData. The `options` parameter allows the caller to specify the SGX `quote` which contains evidence from the enclave, and runtime data which allows the enclave to specify additional data from within the enclave. When calling the API, the caller can specify whether the attestation service should treat the runtime data as binary or as JSON when it is included in the response attestation token.

    **Attest an SGX enclave with attestation options.**

    ```java
    Mono> openEnclaveResponse = client.attestSgxEnclaveWithResponse(
        new AttestationOptions(sgxQuote)
            .setRunTimeData(new AttestationData(runtimeData, AttestationDataInterpretation.JSON)));
    ```
  returns:
    description: "the result of an attestation operation."
    type: "Mono<<>>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestTpm(java.lang.String)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestTpm(String request)"
  name: "attestTpm(String request)"
  nameWithType: "AttestationAsyncClient.attestTpm(String request)"
  summary: "Performs TPM attestation."
  parameters:
  - description: "Attestation request for Trusted Platform Module (TPM) attestation."
    name: "request"
    type: "String"
  syntax: "public Mono attestTpm(String request)"
  desc: |-
    Performs TPM attestation. Processes attestation evidence from a VBS enclave, producing an attestation result.

    The TPM attestation protocol is defined [here.][]

    Unlike OpenEnclave reports and SGX enclave quotes, TPM attestation is implemented using JSON encoded strings.

    The client formats a string serialized JSON request to the service, which responds with a JSON response. The serialized JSON object exchange continues until the service responds with a JSON string with a property named `"report"`, whose value will be an attestation result token.

    **Perform the first leg of a TPM attestation operation**

    ```java
    // The initial payload for TPM attestation is a JSON object with a property named "payload",
    // containing an object with a property named "type" whose value is "aikcert".

    String attestInitialPayload = "{\"payload\": { \"type\": \"aikcert\" } }";
    Mono tpmResponse = client.attestTpm(attestInitialPayload);
    ```

    [here.]: https://docs.microsoft.com/azure/attestation/virtualization-based-security-protocol
  returns:
    description: "attestation response for Trusted Platform Module (TPM) attestation."
    type: "Mono<String>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.attestTpmWithResponse(java.lang.String)"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.attestTpmWithResponse(String request)"
  name: "attestTpmWithResponse(String request)"
  nameWithType: "AttestationAsyncClient.attestTpmWithResponse(String request)"
  summary: "Performs TPM attestation."
  parameters:
  - description: "Attestation request for Trusted Platform Module (TPM) attestation."
    name: "request"
    type: "String"
  syntax: "public Mono> attestTpmWithResponse(String request)"
  desc: |-
    Performs TPM attestation. Processes attestation evidence from a VBS enclave, producing an attestation result.

    The TPM attestation protocol is defined [here.][]

    Unlike OpenEnclave reports and SGX enclave quotes, TPM attestation is implemented using JSON encoded strings.

    The client formats a string serialized JSON request to the service, which responds with a JSON response. The serialized JSON object exchange continues until the service responds with a JSON string with a property named `"report"`, whose value will be an attestation result token.

    **Perform the first leg of a TPM attestation operation**

    ```java
    // The initial payload for TPM attestation is a JSON object with a property named "payload",
    // containing an object with a property named "type" whose value is "aikcert".

    String attestInitialPayload = "{\"payload\": { \"type\": \"aikcert\" } }";
    Mono> responseMono = client.attestTpmWithResponse(attestInitialPayload);
    ```

    [here.]: https://docs.microsoft.com/azure/attestation/virtualization-based-security-protocol
  returns:
    description: "attestation response for Trusted Platform Module (TPM) attestation."
    type: "Mono<<String>>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.getOpenIdMetadata()"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.getOpenIdMetadata()"
  name: "getOpenIdMetadata()"
  nameWithType: "AttestationAsyncClient.getOpenIdMetadata()"
  summary: "Retrieves metadata about the attestation signing keys in use by the attestation service."
  syntax: "public Mono getOpenIdMetadata()"
  desc: |-
    Retrieves metadata about the attestation signing keys in use by the attestation service.

    **Retrieve the OpenID metadata for this async client.**

    ```java
    Mono openIdMetadata = client.getOpenIdMetadata();
    ```
  returns:
    description: "any object."
    type: "Mono<>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.getOpenIdMetadataWithResponse()"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.getOpenIdMetadataWithResponse()"
  name: "getOpenIdMetadataWithResponse()"
  nameWithType: "AttestationAsyncClient.getOpenIdMetadataWithResponse()"
  summary: "Retrieves metadata about the attestation signing keys in use by the attestation service."
  syntax: "public Mono> getOpenIdMetadataWithResponse()"
  desc: |-
    Retrieves metadata about the attestation signing keys in use by the attestation service.

    **Retrieve the OpenID metadata for this async client.**

    ```java
    Mono> response = client.getOpenIdMetadataWithResponse();
    ```
  returns:
    description: "any object."
    type: "Mono<<>>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.listAttestationSigners()"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.listAttestationSigners()"
  name: "listAttestationSigners()"
  nameWithType: "AttestationAsyncClient.listAttestationSigners()"
  summary: "Retrieves the list of attestation signers associated with this attestation instance."
  syntax: "public Mono listAttestationSigners()"
  desc: |-
    Retrieves the list of attestation signers associated with this attestation instance.

    An attestation signer represents an X.509 certificate chain and KeyId which can be used to validate an attestation token returned by the service.

    **Retrieve Attestation Signers for this async client.**

    ```java
    Mono signersMono = client.listAttestationSigners();
    signersMono.subscribe(signers -> signers.getAttestationSigners().forEach(cert -> {
        System.out.println("Found certificate.");
        if (cert.getKeyId() != null) {
            System.out.println("    Certificate Key ID: " + cert.getKeyId());
        } else {
            System.out.println("    Signer does not have a Key ID");
        }
        cert.getCertificates().forEach(chainElement -> {
            System.out.println("        Cert Subject: " + chainElement.getSubjectDN().getName());
            System.out.println("        Cert Issuer: " + chainElement.getIssuerDN().getName());
        });
    }));
    ```
  returns:
    description: "Returns an array of signer objects."
    type: "Mono<>"
- uid: "com.azure.security.attestation.AttestationAsyncClient.listAttestationSignersWithResponse()"
  fullName: "com.azure.security.attestation.AttestationAsyncClient.listAttestationSignersWithResponse()"
  name: "listAttestationSignersWithResponse()"
  nameWithType: "AttestationAsyncClient.listAttestationSignersWithResponse()"
  summary: "Retrieves the list of attestation signers associated with this attestation instance."
  syntax: "public Mono> listAttestationSignersWithResponse()"
  desc: |-
    Retrieves the list of attestation signers associated with this attestation instance.

    An attestation signer represents an X.509 certificate chain and KeyId which can be used to validate an attestation token returned by the service.

    **Retrieve Attestation Signers for this async client.**

    ```java
    Mono> responseOfSigners = client.listAttestationSignersWithResponse();
    responseOfSigners.subscribe();
    ```
  returns:
    description: "Returns an array of signer objects."
    type: "Mono<<>>"
type: "class"
desc: |-
  The AttestationAsyncClient implements the functionality required by the "Attest" family of APIs.

  An enclave (or Trusted Execution Environment) is a chunk of code that is isolated from the host (think: "encrypted VM" or "encrypted container"). But there's one key attribute of the enclave: it is encrypted. That means that if data is sent from the enclave, there is no way of knowing that the data came from the enclave.

  And even worse, there is no way of securely communicating with the enclave (since the enclave is fully isolated from the host, all information passed into the enclave has to go through its host first).

  To solve the communication problem, the Attest API can be used to facilitate what is known as the "Secure Key Release" (SKR) protocol.

  There are 4 parties involved in an attestation operation:

  * The host (which hosts the enclave)
  * The enclave (which is the enclave :), encrypted so that nobody can see what goes on inside it),
  * The "verifier" which verifies the evidence from the enclave (this is the attestation service) and generates a token which can be received by a relying party, and
  * The "relying party" which will interpret the token from the service. For the Secure Key Release Protocol, this is the entity which wishes to communicate with the enclave.

  It's possible that all these parties are on the same computer, it's possible they're on multiple computers. It's possible that the host is also the relying party. It's possible that the relying party is a component like Azure Managed HSM.

  There are three primary pieces of data received by the service for the Attest family of APIs. All of them are arrays of bytes, and all of them originate from code running in the enclave (thus they need to be treated as opaque arrays of bytes by the SDK):

  1. Evidence. For Intel SGX enclaves, this has two forms, either an SGX 'Quote' or an OpenEnclave 'Report'. It is required for attestation operations.
  2. InitTimeData: data which is specified at initialization time. It is optional (and not currently supported on all enclave types in Azure).
  3. RunTimeData: data which is specified at the time the quote is generated (at "runtime"). It is optional, but required for the Secure Key Release protocol.

  The Evidence is cryptographically signed by a known authority (for Intel SGX Quotes or OpenEnclave reports, this is a key owned by Intel which represents that the SGX enclave is valid and can be trusted). The core idea for all attestation operations is to take advantage of a region within the Evidence which is controlled by the enclave. For SGX enclaves, this is the 64 bytes of "user data" contained within the SGX quote.

  For the Secure Key Release protocol, code inside the enclave generates an asymmetric key and serializes the public key into a byte buffer. It then calculates the SHA256 hash of the serialized key and creates a quote containing that SHA256 hash. We now have a cryptographically validated indication that the contents of the byte buffer were known inside the enclave.

  The enclave then hands the byte buffer and the quote to its host. The host sends the quote and byte buffer as the "RunTime Data" to the attestation service via the attestSgxEnclave or attestOpenEnclave API. Assuming the byte buffer and quote are valid, and the quote contains the hash of the byte buffer, the attestation service responds with a token signed by the attestation service, whose body is an attestation result.

  The token generated also includes the contents of the InitTimeData and/or RunTimeData if it was provided in the Attest API call.

  The host then sends the token to the relying party. The relying party verifies the token and verifies that the claims within the token indicate that the enclave is the correct enclave. It then takes the key from the token and uses it to encrypt the data to be sent to the enclave and sends that back to the host, which passes it into the enclave.

  That completes the secure key release protocol.

  When the Attestation Token is generated by the attestation service, as mentioned, it contains the InitTime and RunTime data.

  There are two possible representations for RunTime Data in the attestation token, depending on the requirements of the relying party:

  * The first is as JSON formatted data. That can be convenient if the relying party expects to receive its public key as a JSON Web Key.
  * The second is as a binary blob of data. That is needed if the data sent by the enclave isn't a JSON object: for instance, if the RunTime data contains an asymmetric key formatted as a PEM encoded key, it should be interpreted as a binary blob.

  If you ask for the RunTime data to be included in the token as binary, then it will be base64url encoded in the "x-ms-maa-enclavehelddata" claim in the output token (the corresponding property on the attestation result). If you ask for the RunTime data to be included in the token as JSON, then it will be included in the "x-ms-maa-runtimeClaims" claim in the output token (the corresponding property on the attestation result).

  In addition to the Attest APIs, the AttestationAsyncClient object also contains helper APIs which can be used to retrieve the OpenId Metadata document and signing keys from the service.

  The OpenId Metadata document contains properties which describe the attestation service.

  The Attestation Signing Keys describe the keys which will be used to sign tokens generated by the attestation service. All tokens emitted by the attestation service will be signed by one of the certificates listed in the attestation signing keys.
metadata: {}
package: "com.azure.security.attestation"
artifact: com.azure:azure-security-attestation:1.1.27
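The Secure Key Release flow described in the class description, as an added example that is not part of the SDK or of this page's own samples. It models the enclave side (generate an asymmetric key, serialize the public key as the RunTimeData buffer, place its SHA-256 into the 64-byte report data that goes into the quote), the binding check the verifier applies (the hash in the quote must match the buffer), and the relying party side (parse the released public key and wrap a secret to it). It uses only the JDK; the call the host makes between those steps is the page's `attestSgxEnclave(new AttestationOptions(sgxQuote).setRunTimeData(new AttestationData(runtimeData, AttestationDataInterpretation.BINARY)))`, which appears here only in a comment. Class and method names are the example's own; the RSA-OAEP wrapping is one reasonable choice for the "encrypt the data to be sent to the enclave" step, not something the page prescribes.

```java
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Added example: the three sides of the Secure Key Release protocol modelled with plain JDK crypto. */
public final class SecureKeyReleaseExample {

    /** What the enclave hands to its host. The private key stays inside the enclave. */
    public static final class EnclaveOutput {
        public final byte[] runtimeData;  // serialized public key (X.509 SubjectPublicKeyInfo, DER)
        public final byte[] reportData;   // 64 bytes of quote "user data": SHA-256(runtimeData), zero padded
        final KeyPair keyPair;            // private half never leaves the enclave

        EnclaveOutput(byte[] runtimeData, byte[] reportData, KeyPair keyPair) {
            this.runtimeData = runtimeData;
            this.reportData = reportData;
            this.keyPair = keyPair;
        }
    }

    /** Enclave side: generate the key pair and bind its public half into the report data. */
    public static EnclaveOutput enclaveGenerateKeyAndReportData() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair keyPair = kpg.generateKeyPair();
        byte[] runtimeData = keyPair.getPublic().getEncoded();
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(runtimeData);
        // The SGX report_data field is 64 bytes; the 32-byte digest fills the first half.
        byte[] reportData = Arrays.copyOf(digest, 64);
        return new EnclaveOutput(runtimeData, reportData, keyPair);
    }

    /** Verifier side: the binding check the attestation service applies before it issues a token. */
    public static boolean runtimeDataMatchesQuote(byte[] runtimeData, byte[] quoteReportData) throws Exception {
        byte[] expected = Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(runtimeData), 64);
        return MessageDigest.isEqual(expected, quoteReportData);  // constant-time comparison
    }

    /** Relying party side: after verifying the token, wrap a secret to the key the enclave released. */
    public static byte[] relyingPartyWrapSecret(byte[] enclaveHeldData, SecretKey secret) throws Exception {
        PublicKey enclaveKey = KeyFactory.getInstance("RSA")
            .generatePublic(new X509EncodedKeySpec(enclaveHeldData));
        Cipher rsaOaep = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsaOaep.init(Cipher.WRAP_MODE, enclaveKey);
        return rsaOaep.wrap(secret);
    }

    /** Enclave side again: unwrap the released secret with the private key that never left the enclave. */
    public static SecretKey enclaveUnwrapSecret(byte[] wrapped, EnclaveOutput enclave) throws Exception {
        Cipher rsaOaep = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsaOaep.init(Cipher.UNWRAP_MODE, enclave.keyPair.getPrivate());
        return (SecretKey) rsaOaep.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }

    public static void main(String[] args) throws Exception {
        EnclaveOutput enclave = enclaveGenerateKeyAndReportData();

        // Here the host would send a quote whose report_data equals enclave.reportData, plus the buffer:
        //   client.attestSgxEnclave(new AttestationOptions(sgxQuote)
        //       .setRunTimeData(new AttestationData(BinaryData.fromBytes(enclave.runtimeData),
        //                                           AttestationDataInterpretation.BINARY)));
        // The service performs the binding check modelled next and responds with the signed token.
        if (!runtimeDataMatchesQuote(enclave.runtimeData, enclave.reportData)) {
            throw new IllegalStateException("quote does not bind the runtime data");
        }
        byte[] tampered = enclave.runtimeData.clone();
        tampered[tampered.length - 1] ^= 0x01;  // a key substituted by the host must fail the check
        if (runtimeDataMatchesQuote(tampered, enclave.reportData)) {
            throw new IllegalStateException("tampered runtime data must not match the quote");
        }

        // Relying party: enclaveHeldData normally comes out of the verified token; here it is the same bytes.
        KeyGenerator aes = KeyGenerator.getInstance("AES");
        aes.init(256);
        SecretKey secret = aes.generateKey();
        byte[] wrapped = relyingPartyWrapSecret(enclave.runtimeData, secret);

        SecretKey released = enclaveUnwrapSecret(wrapped, enclave);
        System.out.println("released key matches: "
            + Arrays.equals(secret.getEncoded(), released.getEncoded()));
    }
}
```

The point the tampering branch makes is the one the class description relies on: the host is untrusted, and the only thing that ties the public key to the enclave is the hash carried inside the Intel-signed quote, so a substituted key fails the service's check and no token is issued for it.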
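The relying party's verification of the returned token, as a second added example that is likewise not SDK code. It checks the signature against the signer matching the token's `kid` (a stand-in for the certificate chains returned by `listAttestationSigners()`), rejects expired tokens, debug enclaves and an unexpected enclave signer, and then extracts the released key from whichever RunTimeData representation the page describes: base64url text in `x-ms-maa-enclavehelddata` or a JSON object in `x-ms-maa-runtimeClaims`. The token, signer key and claim values are constructed in `main` so the code runs offline; the SGX identity claim names `x-ms-sgx-mrsigner`, `x-ms-sgx-svn` and `x-ms-sgx-is-debuggable` are the attestation service's documented SGX claims and are not on this page, the policy values are placeholders, and Jackson databind is assumed on the classpath (azure-core depends on it). In production the SDK's own token validation handles the signature and lifetime checks; the example lays them out so the order (signature before claims, unknown claims fail closed) is visible.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Added example: the checks a relying party runs on an attestation token before trusting the released key. */
public final class RelyingPartyTokenCheck {
    private static final ObjectMapper JSON = new ObjectMapper();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64URL_DECODER = Base64.getUrlDecoder();

    /** Enclave identity the relying party insists on; the values used below are placeholders. */
    public static final class EnclavePolicy {
        final String expectedMrSigner;
        final int minimumSvn;
        public EnclavePolicy(String expectedMrSigner, int minimumSvn) {
            this.expectedMrSigner = expectedMrSigner;
            this.minimumSvn = minimumSvn;
        }
    }

    /** Verifies the token and returns the RunTimeData it carries (the enclave's public key bytes). */
    public static byte[] verifyAndExtractRuntimeData(String token, Map<String, PublicKey> signers,
                                                     EnclavePolicy policy, Instant now) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) throw new SecurityException("malformed token");

        // 1. Signature first: nothing in the payload is trusted until this passes.
        JsonNode header = JSON.readTree(B64URL_DECODER.decode(parts[0]));
        if (!"RS256".equals(header.path("alg").asText())) throw new SecurityException("unexpected alg");
        PublicKey signer = signers.get(header.path("kid").asText());  // signers: the relying party's copy of listAttestationSigners()
        if (signer == null) throw new SecurityException("unknown kid: refresh signers from the service");
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initVerify(signer);
        rs256.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!rs256.verify(B64URL_DECODER.decode(parts[2]))) throw new SecurityException("bad signature");

        // 2. Claims: the defaults passed to as*() make a missing claim fail closed.
        JsonNode claims = JSON.readTree(B64URL_DECODER.decode(parts[1]));
        if (now.getEpochSecond() >= claims.path("exp").asLong(0)) throw new SecurityException("token expired");
        if (claims.path("x-ms-sgx-is-debuggable").asBoolean(true)) throw new SecurityException("debug enclave");
        if (!policy.expectedMrSigner.equalsIgnoreCase(claims.path("x-ms-sgx-mrsigner").asText())) {
            throw new SecurityException("enclave signed by an unexpected party");
        }
        if (claims.path("x-ms-sgx-svn").asInt(-1) < policy.minimumSvn) throw new SecurityException("enclave SVN too low");

        // 3. RunTimeData: binary arrives base64url encoded, JSON arrives as an object (e.g. a JSON Web Key).
        JsonNode heldData = claims.get("x-ms-maa-enclavehelddata");
        if (heldData != null) return B64URL_DECODER.decode(heldData.asText());
        JsonNode runtimeClaims = claims.get("x-ms-maa-runtimeClaims");
        if (runtimeClaims != null) return JSON.writeValueAsBytes(runtimeClaims);
        throw new SecurityException("token carries no runtime data");
    }

    /** Builds a signed RS256 token from constructed claims so the check above can run offline. */
    public static String constructToken(KeyPair signingKey, String kid, Map<String, Object> claims) throws Exception {
        String header = B64URL.encodeToString(JSON.writeValueAsBytes(Map.of("alg", "RS256", "kid", kid)));
        String payload = B64URL.encodeToString(JSON.writeValueAsBytes(claims));
        Signature rs256 = Signature.getInstance("SHA256withRSA");
        rs256.initSign(signingKey.getPrivate());
        rs256.update((header + "." + payload).getBytes(StandardCharsets.US_ASCII));
        return header + "." + payload + "." + B64URL.encodeToString(rs256.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair serviceSigner = kpg.generateKeyPair();  // stands in for one attestation signing key (constructed)
        KeyPair enclaveKey = kpg.generateKeyPair();     // the key the enclave generated for SKR (constructed)
        String placeholderMrSigner = "00".repeat(32);   // placeholder: a real value is the hex hash of the signer key
        Map<String, PublicKey> signers = Map.of("example-kid", serviceSigner.getPublic());
        EnclavePolicy policy = new EnclavePolicy(placeholderMrSigner, 2);

        Map<String, Object> good = Map.of(
            "exp", Instant.now().plusSeconds(300).getEpochSecond(),
            "x-ms-sgx-is-debuggable", false,
            "x-ms-sgx-mrsigner", placeholderMrSigner,
            "x-ms-sgx-svn", 3,
            "x-ms-maa-enclavehelddata", B64URL.encodeToString(enclaveKey.getPublic().getEncoded()));
        byte[] released = verifyAndExtractRuntimeData(
            constructToken(serviceSigner, "example-kid", good), signers, policy, Instant.now());
        System.out.println("released key recovered: " + Arrays.equals(released, enclaveKey.getPublic().getEncoded()));

        Map<String, Object> debug = new HashMap<>(good);
        debug.put("x-ms-sgx-is-debuggable", true);  // a debug build must be refused even with a valid signature
        try {
            verifyAndExtractRuntimeData(constructToken(serviceSigner, "example-kid", debug), signers, policy, Instant.now());
            throw new IllegalStateException("debug enclave was accepted");
        } catch (SecurityException expected) {
            System.out.println("rejected: " + expected.getMessage());
        }
    }
}
```

The bytes this returns are what the relying party feeds into the wrapping step of the SKR flow; a relying party that asked for JSON interpretation would instead parse the returned object as a JSON Web Key.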