public async Task DownloadNonExportableCertificate(string contentType)
{
string name = Recording.GenerateId();
CertificatePolicy policy = new CertificatePolicy
{
IssuerName = WellKnownIssuerNames.Self,
Subject = "CN=default",
KeyType = CertificateKeyType.Rsa,
Exportable = false,
ReuseKey = false,
KeyUsage =
{
CertificateKeyUsage.DataEncipherment,
},
CertificateTransparency = false,
ContentType = contentType,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy);
RegisterForCleanup(name);
await operation.WaitForCompletionAsync();
using X509Certificate2 x509certificate = await Client.DownloadCertificateAsync(name);
Assert.IsFalse(x509certificate.HasPrivateKey);
}
public async Task VerifyUnexpectedCancelCertificateOperation()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy);
RegisterForCleanup(certName);
try
{
// Calling through the CertificateClient directly won't affect the CertificateOperation, so subsequent status updates should throw.
await Client.CancelCertificateOperationAsync(certName);
}
catch (RequestFailedException e) when(e.Status == 403)
{
Assert.Inconclusive("The create operation completed before it could be canceled.");
}
OperationCanceledException ex = Assert.ThrowsAsync <OperationCanceledException>(
async() => await WaitForCompletion(operation),
$"Expected exception {nameof(OperationCanceledException)} not thrown. Operation status: {operation?.Properties?.Status}, error: {operation?.Properties?.Error?.Message}");
Assert.AreEqual("The operation was canceled so no value is available.", ex.Message);
Assert.IsTrue(operation.HasCompleted);
Assert.IsFalse(operation.HasValue);
Assert.AreEqual(200, operation.GetRawResponse().Status);
}
public async Task VerifyUpdateCertificatePolicy()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy);
KeyVaultCertificateWithPolicy original = await WaitForCompletion(operation);
Assert.NotNull(original);
RegisterForCleanup(certName);
certificatePolicy = new CertificatePolicy(WellKnownIssuerNames.Self, "CN=Azure SDK")
{
ReuseKey = true,
CertificateTransparency = true,
Exportable = false,
ContentType = CertificateContentType.Pem,
KeySize = 3072
};
CertificatePolicy updatePolicy = await Client.UpdateCertificatePolicyAsync(certName, certificatePolicy);
Assert.NotNull(updatePolicy);
Assert.NotNull(updatePolicy.UpdatedOn);
Assert.AreEqual(certificatePolicy.Subject, updatePolicy.Subject);
Assert.AreEqual(certificatePolicy.ReuseKey, updatePolicy.ReuseKey);
Assert.AreEqual(certificatePolicy.Exportable, updatePolicy.Exportable);
Assert.AreEqual(certificatePolicy.CertificateTransparency, updatePolicy.CertificateTransparency);
Assert.AreEqual(certificatePolicy.ContentType, updatePolicy.ContentType);
Assert.AreEqual(certificatePolicy.KeySize, updatePolicy.KeySize);
}
public async Task VerifyCancelCertificateOperation()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy);
RegisterForCleanup(certName);
try
{
await operation.CancelAsync();
}
catch (RequestFailedException e) when(e.Status == 403)
{
Assert.Inconclusive("The create operation completed before it could be canceled.");
}
OperationCanceledException ex = Assert.ThrowsAsync <OperationCanceledException>(() => WaitForCompletion(operation));
Assert.AreEqual("The operation was canceled so no value is available.", ex.Message);
Assert.IsTrue(operation.HasCompleted);
Assert.IsFalse(operation.HasValue);
Assert.AreEqual(200, operation.GetRawResponse().Status);
}
public async Task VerifyUnexpectedDeleteCertificateOperation()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown;
CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy);
RegisterForCleanup(certName);
try
{
// Calling through the CertificateClient directly won't affect the CertificateOperation, so subsequent status updates should throw.
await Client.DeleteCertificateOperationAsync(certName);
}
catch (RequestFailedException e) when(e.Status == 403)
{
Assert.Inconclusive("The create operation completed before it could be canceled.");
}
InvalidOperationException ex = Assert.ThrowsAsync <InvalidOperationException>(() => WaitForCompletion(operation));
Assert.AreEqual("The operation was deleted so no value is available.", ex.Message);
Assert.IsTrue(operation.HasCompleted);
Assert.IsFalse(operation.HasValue);
Assert.AreEqual(404, operation.GetRawResponse().Status);
}
public async Task VerifyCertificateGetWithPolicyInProgress()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown;
await Client.StartCreateCertificateAsync(certName, certificatePolicy);
RegisterForCleanup(certName);
KeyVaultCertificateWithPolicy certificateWithPolicy = await Client.GetCertificateAsync(certName);
Assert.NotNull(certificateWithPolicy);
Assert.AreEqual(certificateWithPolicy.Name, certName);
Assert.NotNull(certificateWithPolicy.Properties.Version);
KeyVaultCertificate certificate = await Client.GetCertificateVersionAsync(certName, certificateWithPolicy.Properties.Version);
Assert.NotNull(certificate);
Assert.AreEqual(certificate.Name, certName);
}
public async Task <CertificateOperation> CreateCsrAsync(string vaultName, string certificateName, string displayName)
{
var policy = new CertificatePolicy()
{
X509CertificateProperties = new X509CertificateProperties
{
Subject = $"CN={displayName}"
},
KeyProperties = new KeyProperties
{
KeySize = 2048,
KeyType = "RSA-HSM"
},
IssuerParameters = new IssuerParameters
{
Name = "Unknown" // External CA
}
};
var vault = await GetVaultAsync(vaultName).ConfigureAwait(false);
var op = await kvClient.CreateCertificateAsync(vault.VaultUri, certificateName, policy).ConfigureAwait(false);
return(op);
}
public CertificatePolicy ToCertificatePolicy()
{
var subjectAlternativeNames = new SubjectAlternativeNames();
foreach (var dnsName in DnsNames)
{
subjectAlternativeNames.DnsNames.Add(dnsName);
}
var certificatePolicy = new CertificatePolicy(WellKnownIssuerNames.Unknown, subjectAlternativeNames)
{
KeySize = KeySize,
ReuseKey = ReuseKey
};
if (!string.IsNullOrEmpty(KeyType))
{
certificatePolicy.KeyType = KeyType;
}
if (!string.IsNullOrEmpty(KeyCurveName))
{
certificatePolicy.KeyCurveName = KeyCurveName;
}
return(certificatePolicy);
}
internal static KeyVaultCertificatePolicy FromCertificatePolicy(CertificatePolicy certificatePolicy)
{
return(new KeyVaultCertificatePolicy
{
SecretContentType = certificatePolicy.SecretProperties == null ? null : certificatePolicy.SecretProperties.ContentType,
Kty = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeyType,
KeySize = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeySize,
Exportable = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.Exportable,
ReuseKeyOnRenewal = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.ReuseKey,
SubjectName = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Subject,
DnsNames = certificatePolicy.X509CertificateProperties == null || certificatePolicy.X509CertificateProperties.SubjectAlternativeNames == null ?
null : new List <string>(certificatePolicy.X509CertificateProperties.SubjectAlternativeNames.DnsNames),
KeyUsage = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.KeyUsage == null ? null : new List <string>(certificatePolicy.X509CertificateProperties.KeyUsage),
Ekus = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Ekus == null ? null : new List <string>(certificatePolicy.X509CertificateProperties.Ekus),
ValidityInMonths = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.ValidityInMonths,
IssuerName = certificatePolicy.IssuerReference == null ? null : certificatePolicy.IssuerReference.Name,
RenewAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry),
RenewAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage),
EmailAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry),
EmailAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage),
Enabled = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Enabled,
Created = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Created,
Updated = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Updated,
});
}
/// <summary>
/// Create certificate policy
/// </summary>
/// <param name="subject"></param>
/// <param name="keyParams"></param>
/// <param name="selfSigned"></param>
/// <param name="reuseKey"></param>
/// <param name="exportable"></param>
/// <param name="isHsm"></param>
/// <returns></returns>
private static CertificatePolicy CreateCertificatePolicy(string subject,
CreateKeyParams keyParams, bool selfSigned, bool isHsm, bool reuseKey,
bool exportable)
{
ValidateKeyParameters(keyParams);
var policy = new CertificatePolicy {
IssuerParameters = new IssuerParameters {
Name = selfSigned ? "Self" : "Unknown"
},
KeyProperties = new KeyProperties {
Exportable = exportable,
KeySize = (int?)keyParams.KeySize,
Curve = keyParams.Curve?.ToJsonWebKeyCurveName(),
KeyType = keyParams.Type.ToKty(isHsm && !exportable),
ReuseKey = reuseKey
},
SecretProperties = new SecretProperties {
ContentType = CertificateContentType.Pfx
},
X509CertificateProperties = new X509CertificateProperties {
Subject = subject
},
LifetimeActions = new List <LifetimeAction>(),
};
return(policy);
}
public async Task VerifyUnexpectedCancelCertificateOperation()
{
// Log details why this fails often for live tests on net461.
using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose);
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy);
RegisterForCleanup(certName);
try
{
// Calling through the CertificateClient directly won't affect the CertificateOperation, so subsequent status updates should throw.
await Client.CancelCertificateOperationAsync(certName);
}
catch (RequestFailedException e) when(e.Status == 403)
{
Assert.Inconclusive("The create operation completed before it could be canceled.");
}
OperationCanceledException ex = Assert.ThrowsAsync <OperationCanceledException>(() => WaitForCompletion(operation));
Assert.AreEqual("The operation was canceled so no value is available.", ex.Message);
Assert.IsTrue(operation.HasCompleted);
Assert.IsFalse(operation.HasValue);
Assert.AreEqual(200, operation.GetRawResponse().Status);
}
public async Task CreateSelfSignedCertificateAsync(string certificateName, KeyProperties keyProperties, string subject, IEnumerable <string> subjectAlternativeNames, Dictionary <string, string> tags)
{
var certificatePolicy = new CertificatePolicy()
{
KeyProperties = keyProperties,
X509CertificateProperties = new X509CertificateProperties()
{
Subject = subject,
SubjectAlternativeNames = new SubjectAlternativeNames(dnsNames: subjectAlternativeNames.ToList()),
},
IssuerParameters = new IssuerParameters()
{
Name = "Self",
},
};
try
{
var certificateOperation = await keyVaultClient.CreateCertificateAsync(settings.VaultBaseUri.AbsoluteUri, certificateName, certificatePolicy, tags : tags);
var encodedCertificate = Encoding.UTF8.GetString(certificateOperation.Csr);
}
catch (KeyVaultErrorException keyVaultErrorException)
{
Console.WriteLine($"Error ({keyVaultErrorException.Body.Error.Code}): {keyVaultErrorException.Body.Error.Message}");
if (keyVaultErrorException.Body.Error.InnerError != null)
{
var innerError = keyVaultErrorException.Body.Error.InnerError;
Console.WriteLine($"Inner Error ({innerError.Code}): {innerError.Message}");
}
}
}
public async Task <byte[]> CreateLetsEncryptCertificateAsync(string certificateName, KeyProperties keyProperties, string subject, IEnumerable <string> subjectAlternativeNames, Dictionary <string, string> tags)
{
var certificatePolicy = new CertificatePolicy()
{
KeyProperties = keyProperties,
X509CertificateProperties = new X509CertificateProperties()
{
Subject = subject,
SubjectAlternativeNames = new SubjectAlternativeNames(dnsNames: subjectAlternativeNames.ToList()),
}
};
try
{
var certificateOperation = await keyVaultClient.CreateCertificateAsync(settings.VaultBaseUri.AbsoluteUri, certificateName, certificatePolicy, tags : tags);
return(certificateOperation.Csr);
}
catch (KeyVaultErrorException keyVaultErrorException)
{
Console.WriteLine($"Error ({keyVaultErrorException.Body.Error.Code}): {keyVaultErrorException.Body.Error.Message}");
if (keyVaultErrorException.Body.Error.InnerError != null)
{
var innerError = keyVaultErrorException.Body.Error.InnerError;
Console.WriteLine($"Inner Error ({innerError.Code}): {innerError.Message}");
}
}
throw new InvalidOperationException("Creating a certificate failed...");
}
private CertificatePolicy CreateCertificatePolicy(
string subject,
int keySize,
bool selfSigned,
bool reuseKey = false,
bool exportable = false)
{
var policy = new CertificatePolicy
{
IssuerParameters = new IssuerParameters
{
Name = selfSigned ? "Self" : "Unknown"
},
KeyProperties = new KeyProperties
{
Exportable = exportable,
KeySize = keySize,
KeyType = "RSA",
ReuseKey = reuseKey
},
SecretProperties = new SecretProperties
{
ContentType = CertificateContentType.Pfx
},
X509CertificateProperties = new X509CertificateProperties
{
Subject = subject
},
};
return(policy);
}
public async Task VerifyCertificateGetWithPolicyInProgress()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = Client.CreateDefaultPolicy();
certificatePolicy.IssuerName = "UNKNOWN";
await Client.StartCreateCertificateAsync(certName);
RegisterForCleanup(certName);
CertificateWithPolicy certificateWithPolicy = await Client.GetCertificateWithPolicyAsync(certName);
Assert.NotNull(certificateWithPolicy);
Assert.AreEqual(certificateWithPolicy.Name, certName);
Assert.NotNull(certificateWithPolicy.Version);
Certificate certificate = await Client.GetCertificateAsync(certName, certificateWithPolicy.Version);
Assert.NotNull(certificate);
Assert.AreEqual(certificate.Name, certName);
}
public async Task DownloadECDsaCertificateSignLocalVerifyRemote([EnumValues] CertificateContentType contentType, [EnumValues] CertificateKeyCurveName keyCurveName)
{
#if NET461
Assert.Ignore("ECC is not supported before .NET Framework 4.7");
#endif
if (keyCurveName == CertificateKeyCurveName.P256K && RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
Assert.Ignore("https://github.com/Azure/azure-sdk-for-net/issues/25472");
}
string name = Recording.GenerateId();
CertificatePolicy policy = new CertificatePolicy
{
IssuerName = WellKnownIssuerNames.Self,
Subject = "CN=default",
KeyType = CertificateKeyType.Ec,
KeyCurveName = keyCurveName,
Exportable = true,
KeyUsage =
{
CertificateKeyUsage.DigitalSignature,
},
ContentType = contentType,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy);
RegisterForCleanup(name);
await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default);
// Download the certificate and sign data locally.
byte[] plaintext = Encoding.UTF8.GetBytes(nameof(DownloadECDsaCertificateSignRemoteVerifyLocal));
X509Certificate2 certificate = null;
try
{
certificate = await Client.DownloadCertificateAsync(name, operation.Value.Properties.Version);
using ECDsa privateKey = certificate.GetECDsaPrivateKey();
byte[] signature = privateKey.SignData(plaintext, keyCurveName.GetHashAlgorithmName());
// Verify data remotely.
CryptographyClient cryptoClient = GetCryptographyClient(operation.Value.KeyId);
VerifyResult result = await cryptoClient.VerifyDataAsync(keyCurveName.GetSignatureAlgorithm(), plaintext, signature);
Assert.IsTrue(result.IsValid);
}
catch (Exception ex) when(IsExpectedP256KException(ex, keyCurveName))
{
Assert.Ignore("The curve is not supported by the current platform");
}
finally
{
certificate?.Dispose();
}
}
public async Task <CertificateOperation> CreateCertificateAsync(
string certificateName,
string certificateCN,
IDictionary <string, string> tags = null,
CancellationToken cancellationToken = default
)
{
try {
tags ??= new Dictionary <string, string>();
Log.Information($"Adding certificate to Azure KeyVault: {certificateName} ...");
// ToDo: Add support of PEM certificate creation: CertificateContentType.Pem
var contentType = CertificateContentType.Pfx;
var certificatePolicy = new CertificatePolicy {
KeyProperties = new KeyProperties {
Exportable = true,
KeyType = "RSA",
KeySize = 2048,
ReuseKey = false
},
SecretProperties = new SecretProperties {
ContentType = contentType
},
X509CertificateProperties = new X509CertificateProperties {
Subject = $"CN={certificateCN}",
SubjectAlternativeNames = new SubjectAlternativeNames {
DnsNames = new string[] { certificateCN }
}
},
IssuerParameters = new IssuerParameters {
Name = "Self"
}
};
certificatePolicy.Validate();
var certificateAttributes = new CertificateAttributes();
var certificateOperation = await _keyVaultClient
.CreateCertificateAsync(
_keyVault.Properties.VaultUri,
certificateName,
certificatePolicy,
certificateAttributes,
tags,
cancellationToken
);
Log.Information($"Added certificate to Azure KeyVault: {certificateName}");
return(certificateOperation);
}
catch (Exception ex) {
Log.Error(ex, $"Failed to add certificate to Azure KeyVault: {certificateName}");
throw;
}
}
static CertificateOperationTests()
{
var policy = new CertificatePolicy();
((IJsonDeserializable)policy).ReadProperties(JsonDocument.Parse(s_policyJson).RootElement);
s_policy = policy;
}
public async Task DownloadVersionedCertificate(string contentType)
{
string name = Recording.GenerateId();
CertificatePolicy policy = new CertificatePolicy
{
IssuerName = WellKnownIssuerNames.Self,
Subject = "CN=default",
KeyType = CertificateKeyType.Rsa,
Exportable = true,
ReuseKey = false,
KeyUsage =
{
CertificateKeyUsage.DataEncipherment,
},
CertificateTransparency = false,
ContentType = contentType,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy);
RegisterForCleanup(name);
await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default);
KeyVaultCertificate certificate = await Client.GetCertificateAsync(name);
string version = certificate.Properties.Version;
using X509Certificate2 pub = new X509Certificate2(certificate.Cer);
#if NET6_0_OR_GREATER
using RSA pubkey = (RSA)pub.PublicKey.GetRSAPublicKey();
#else
using RSA pubkey = (RSA)pub.PublicKey.Key;
#endif
byte[] plaintext = Encoding.UTF8.GetBytes("Hello, world!");
byte[] ciphertext = pubkey.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);
// Create a new certificate version that is not exportable just to further prove we are not downloading it.
policy.Exportable = false;
operation = await Client.StartCreateCertificateAsync(name, policy);
await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default);
certificate = await Client.GetCertificateAsync(name);
Assert.AreNotEqual(version, certificate.Properties.Version);
// Now download the certificate and test decryption.
using X509Certificate2 x509certificate = await Client.DownloadCertificateAsync(name, version);
Assert.IsTrue(x509certificate.HasPrivateKey);
using RSA rsa = (RSA)x509certificate.GetRSAPrivateKey();
byte[] decrypted = rsa.Decrypt(ciphertext, RSAEncryptionPadding.Pkcs1);
CollectionAssert.AreEqual(plaintext, decrypted);
}
public void KeyPolicySerialized(CertificatePolicy policy, string expectedJson)
{
using (JsonStream json = new JsonStream())
{
json.WriteObject(policy);
Assert.That(json.ToString(), Is.EqualTo(expectedJson));
}
}
public async Task <CertificatePolicyItem> GetCertificatePolicy([ActivityTrigger] string certificateName)
{
CertificatePolicy certificatePolicy = await _certificateClient.GetCertificatePolicyAsync(certificateName);
var dnsNames = certificatePolicy.SubjectAlternativeNames.DnsNames.ToArray();
return(new CertificatePolicyItem
{
CertificateName = certificateName,
DnsNames = dnsNames.Length > 0 ? dnsNames : new[] { certificatePolicy.Subject[3..] },
public async Task VerifyCertificateOperationError()
{
string issuerName = Recording.GenerateId();
string certName = Recording.GenerateId();
CertificateIssuer certIssuer = new CertificateIssuer(issuerName, "DigiCert")
{
AccountId = "test",
Password = "******",
OrganizationId = "test",
};
await Client.CreateIssuerAsync(certIssuer);
CertificateOperation operation = null;
try
{
CertificatePolicy certificatePolicy = DefaultPolicy;
certificatePolicy.IssuerName = issuerName;
operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy);
operation = InstrumentOperation(operation);
RegisterForCleanup(certName);
using CancellationTokenSource cts = new CancellationTokenSource(TimeSpan.FromMinutes(2));
TimeSpan pollingInterval = Mode == RecordedTestMode.Playback ? TimeSpan.Zero : KeyVaultTestEnvironment.DefaultPollingInterval;
while (!operation.HasCompleted)
{
await Task.Delay(pollingInterval, cts.Token);
await operation.UpdateStatusAsync(cts.Token);
}
InvalidOperationException ex = Assert.Throws <InvalidOperationException>(() => { KeyVaultCertificateWithPolicy cert = operation.Value; });
StringAssert.StartsWith("The certificate operation failed: ", ex.Message);
Assert.IsTrue(operation.HasCompleted);
Assert.IsFalse(operation.HasValue);
Assert.AreEqual(200, operation.GetRawResponse().Status);
Assert.AreEqual("failed", operation.Properties.Status);
}
catch (TaskCanceledException) when(operation != null)
{
Assert.Inconclusive("Timed out while waiting for operation {0}", operation.Id);
}
finally
{
await Client.DeleteIssuerAsync(issuerName);
}
}
public void UpdateCertificatePolicyArgumentValidation()
{
CertificatePolicy policy = new CertificatePolicy(WellKnownIssuerNames.Self, "CN=Azure SDK");
ArgumentException ex = Assert.ThrowsAsync <ArgumentNullException>(() => Client.UpdateCertificatePolicyAsync(null, policy));
Assert.AreEqual("certificateName", ex.ParamName);
ex = Assert.ThrowsAsync <ArgumentException>(() => Client.UpdateCertificatePolicyAsync(string.Empty, policy));
Assert.AreEqual("certificateName", ex.ParamName);
StringAssert.StartsWith("Value cannot be an empty string.", ex.Message);
}
public async Task DownloadECDsaCertificateSignRemoteVerifyLocal([EnumValues] CertificateContentType contentType, [EnumValues] CertificateKeyCurveName keyCurveName)
{
#if NET461
Assert.Ignore("ECC is not supported before .NET Framework 4.7");
#endif
string name = Recording.GenerateId();
CertificatePolicy policy = new CertificatePolicy
{
IssuerName = WellKnownIssuerNames.Self,
Subject = "CN=default",
KeyType = CertificateKeyType.Ec,
KeyCurveName = keyCurveName,
Exportable = true,
KeyUsage =
{
CertificateKeyUsage.DigitalSignature,
},
ContentType = contentType,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy);
RegisterForCleanup(name);
await WaitForCompletion(operation, TimeSpan.FromSeconds(5));
// Sign data remotely.
byte[] plaintext = Encoding.UTF8.GetBytes(nameof(DownloadECDsaCertificateSignRemoteVerifyLocal));
CryptographyClient cryptoClient = GetCryptographyClient(operation.Value.KeyId);
SignResult result = await cryptoClient.SignDataAsync(keyCurveName.GetSignatureAlgorithm(), plaintext);
// Download the certificate and verify data locally.
X509Certificate2 certificate = null;
try
{
certificate = await Client.DownloadCertificateAsync(name, operation.Value.Properties.Version);
using ECDsa publicKey = certificate.GetECDsaPublicKey();
Assert.IsTrue(publicKey.VerifyData(plaintext, result.Signature, keyCurveName.GetHashAlgorithmName()));
}
catch (Exception ex) when(IsExpectedP256KException(ex, keyCurveName))
{
Assert.Ignore("The curve is not supported by the current platform");
}
finally
{
certificate?.Dispose();
}
}
protected override async Task <CertificateBundle> OnVersionChangeAsync(CustomVersion cv)
{
var cb = await _session.CurrentVault.GetCertificateAsync(cv.Id.Name, (cv.Index == 0)?null : cv.Id.Version); // Pass NULL as a version to fetch current CertificatePolicy
var cert = await _session.CurrentVault.GetCertificateWithExportableKeysAsync(cv.Id.Name, cv.Id.Version);
if ((_certificatePolicy == null) && (cb.Policy != null)) // cb.Policy will be NULL when version is not current
{
_certificatePolicy = cb.Policy;
}
RefreshCertificateObject(cb, _certificatePolicy, cert);
return(cb);
}
public async Task <CertificatePolicyItem> GetCertificatePolicy([ActivityTrigger] string certificateName)
{
CertificatePolicy certificatePolicy = await _certificateClient.GetCertificatePolicyAsync(certificateName);
return(new CertificatePolicyItem
{
CertificateName = certificateName,
DnsNames = certificatePolicy.SubjectAlternativeNames.DnsNames.ToArray(),
KeyType = certificatePolicy.KeyType?.ToString(),
KeySize = certificatePolicy.KeySize,
KeyCurveName = certificatePolicy.KeyCurveName?.ToString(),
ReuseKey = certificatePolicy.ReuseKey
});
}
/// <summary>
/// Imports a certificate
/// </summary>
/// <param name="certificateName"> the name of the created certificate </param>
/// <returns> The imported certificate </returns>
private static CertificateBundle ImportCertificate(out string certificateName)
{
var vaultAddress = inputValidator.GetVaultAddress();
certificateName = inputValidator.GetCertificateName();
var pfxPath = inputValidator.GetPfxPath();
var pfxPassword = inputValidator.GetPfxPassword();
var policy = new CertificatePolicy
{
KeyProperties = new KeyProperties
{
Exportable = true,
KeyType = "RSA"
},
SecretProperties = new SecretProperties
{
ContentType = "application/x-pem-file"
//ContentType = CertificateContentType.Pfx
}
};
var base64X509 = string.Empty;
if (File.Exists(pfxPath))
{
var x509Collection = new X509Certificate2Collection();
x509Collection.Import(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable);
// A pfx can contain a chain
var x509Bytes = x509Collection.Cast <X509Certificate2>().Single(s => s.HasPrivateKey).Export(X509ContentType.Pfx, pfxPassword);
base64X509 = Convert.ToBase64String(x509Bytes);
}
else
{
//base64X509 = "aaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaa";
base64X509 = "yourcert";
}
var name = certificateName;
var certificate = Task.Run(() => keyVaultClient.ImportCertificateAsync(vaultAddress, name, base64X509, pfxPassword,
policy)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine("Created certificate:---------------");
PrintoutCertificate(certificate);
return(certificate);
}
public async Task <CertificateOperation> CreateCsrAsync(string vaultName, string certificateName, string displayName)
{
var policy = new CertificatePolicy("Unknown", $"CN={displayName}")
{
KeyType = CertificateKeyType.RsaHsm,
KeySize = 2048
};
var vault = await GetVaultAsync(vaultName).ConfigureAwait(false);
var client = new CertificateClient(vault.VaultUri, appTokenCredential);
var op = await client.StartCreateCertificateAsync(certificateName, policy).ConfigureAwait(false);
return(op);
}
public void StartCreateCertificateError()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = new CertificatePolicy("invalid", "Self")
{
KeyUsage =
{
"invalid",
},
};
RequestFailedException ex = Assert.ThrowsAsync <RequestFailedException>(() => Client.StartCreateCertificateAsync(certName, certificatePolicy));
Assert.AreEqual(400, ex.Status);
}
public async Task VerifyGetCertificateOperation()
{
string certName = Recording.GenerateId();
CertificatePolicy certificatePolicy = DefaultPolicy;
certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown;
await Client.StartCreateCertificateAsync(certName, certificatePolicy);
RegisterForCleanup(certName);
CertificateOperation getOperation = await Client.GetCertificateOperationAsync(certName);
Assert.IsNotNull(getOperation);
}
public void TestAes1000WithCertificate()
{
var cert2 = LoadCertificate();
//var publicKey = X509CertificateHelper.GetRSACryptoServiceProviderFromPublicKey(cert2);
var keyProtector = X509CertificateHelper.GetKeyEncryptionKey(cert2);
// generate a protected key
var gen = new ProtectedX509Certificate2Generator();
var policy = new CertificatePolicy()
{
CommonName = "Testing protected certs",
AllPurposes = true,
ValidForDays = 2
};
var protectedKey = Task.Run(() => gen.IssueNewCertificateAsync(keyProtector, policy)).GetAwaiter().GetResult();
// save the key to test
var keyOutputFilePath = (CERT_FOLDER + "temp\\pk-" + protectedKey.KeyId + ".kpk");
var fi = new FileInfo(keyOutputFilePath);
if (!fi.Directory.Exists)
{
fi.Directory.Create();
}
var bytes = Task.Run(() => protectedKey.ToByteArrayAsync()).GetAwaiter().GetResult();
File.WriteAllBytes(fi.FullName, bytes);
Console.WriteLine(fi.FullName);
var list = new List<string>();
var listEnc = new List<AsymmetricallyEncryptedObject>();
using (var privateKey = Task.Run(() => protectedKey.ToKeyEncyrptionKeyAsync(keyProtector)).GetAwaiter().GetResult())
{
//var publicKey = privateKey.PublicKey.Key as RSACryptoServiceProvider;
//File.WriteAllText(fi.FullName + "_A.cer", privateKey.PublicKeyToPEM());
int length = 100;
var rand = new RandomGenerator();
for (int i = 0; i < length; i++)
{
var stringToEncrypt = Guid.NewGuid().ToString("N") + ":* d’une secrétairE chargée des affaires des étudiants de la section";
list.Add(stringToEncrypt);
var asymEnc = new AsymmetricEncryptor(AsymmetricStrategyOption.Aes256_1000);
var asymObj = asymEnc.EncryptObjectAsync(stringToEncrypt, privateKey).GetAwaiter().GetResult();
listEnc.Add(asymObj);
var decrypted = asymEnc.DecryptObjectAsync(asymObj, privateKey).GetAwaiter().GetResult();
Assert.AreEqual(stringToEncrypt, decrypted);
}
}
// lets reload a new private key
var fileBytes = File.ReadAllBytes(fi.FullName);
var encKey = new AsymmetricallyEncryptedObject();
encKey.LoadFromByteArray(fileBytes);
var protectedKey2 = new ProtectedX509Certificate2(protectedKey.KeyId, encKey);
using (var privateKey = Task.Run(() => protectedKey2.ToKeyEncyrptionKeyAsync(keyProtector)).GetAwaiter().GetResult())
{
var asymEnc = new AsymmetricEncryptor(AsymmetricStrategyOption.Aes256_1000);
int i = 0;
foreach (var line in list)
{
var asymObj = listEnc[i];
var decrypted = asymEnc.DecryptObject(asymObj, privateKey);
Assert.AreEqual(line, decrypted);
i++;
}
}
}
internal static KeyVaultCertificatePolicy FromCertificatePolicy(CertificatePolicy certificatePolicy)
{
return new KeyVaultCertificatePolicy
{
SecretContentType = certificatePolicy.SecretProperties == null ? null : certificatePolicy.SecretProperties.ContentType,
Kty = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeyType,
KeySize = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeySize,
Exportable = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.Exportable,
ReuseKeyOnRenewal = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.ReuseKey,
SubjectName = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Subject,
DnsNames = certificatePolicy.X509CertificateProperties == null || certificatePolicy.X509CertificateProperties.SubjectAlternativeNames == null ?
null : new List<string>(certificatePolicy.X509CertificateProperties.SubjectAlternativeNames.DnsNames),
KeyUsage = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.KeyUsage == null ? null : new List<string>(certificatePolicy.X509CertificateProperties.KeyUsage),
Ekus = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Ekus == null ? null : new List<string>(certificatePolicy.X509CertificateProperties.Ekus),
ValidityInMonths = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.ValidityInMonths,
IssuerName = certificatePolicy.IssuerReference == null ? null : certificatePolicy.IssuerReference.Name,
RenewAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry),
RenewAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage),
EmailAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry),
EmailAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage),
Enabled = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Enabled,
Created = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Created,
Updated = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Updated,
};
}
internal CertificatePolicy ToCertificatePolicy()
{
var certificatePolicy = new CertificatePolicy();
if (!string.IsNullOrWhiteSpace(SecretContentType))
{
certificatePolicy.SecretProperties = new SecretProperties { ContentType = SecretContentType };
}
if (!string.IsNullOrWhiteSpace(Kty) ||
KeySize.HasValue ||
ReuseKeyOnRenewal.HasValue ||
Exportable.HasValue)
{
certificatePolicy.KeyProperties = new KeyProperties
{
KeyType = Kty,
KeySize = KeySize,
Exportable = Exportable,
ReuseKey = ReuseKeyOnRenewal,
};
}
if (!string.IsNullOrWhiteSpace(IssuerName))
{
certificatePolicy.IssuerReference = new IssuerReference { Name = IssuerName };
}
if (Enabled.HasValue)
{
certificatePolicy.Attributes = new CertificateAttributes
{
Enabled = Enabled,
};
}
if (!string.IsNullOrWhiteSpace(SubjectName) ||
DnsNames != null ||
Ekus != null ||
KeyUsage != null |
ValidityInMonths.HasValue)
{
var x509CertificateProperties = new X509CertificateProperties
{
Subject = SubjectName,
};
if (KeyUsage != null)
{
x509CertificateProperties.KeyUsage = new List<string>(KeyUsage);
}
if (Ekus != null)
{
x509CertificateProperties.Ekus = Ekus == null ? null : new List<string>(Ekus);
}
if (DnsNames != null)
{
x509CertificateProperties.SubjectAlternativeNames = new SubjectAlternativeNames
{
DnsNames = new string[DnsNames.Count],
};
x509CertificateProperties.SubjectAlternativeNames.DnsNames = new List<string>(DnsNames);
}
if (ValidityInMonths.HasValue)
{
x509CertificateProperties.ValidityInMonths = ValidityInMonths.Value;
}
certificatePolicy.X509CertificateProperties = x509CertificateProperties;
}
if (RenewAtNumberOfDaysBeforeExpiry.HasValue ||
RenewAtPercentageLifetime.HasValue ||
EmailAtNumberOfDaysBeforeExpiry.HasValue ||
EmailAtPercentageLifetime.HasValue)
{
if ((RenewAtNumberOfDaysBeforeExpiry.HasValue ? 1:0) +
(RenewAtPercentageLifetime.HasValue ? 1:0) +
(EmailAtNumberOfDaysBeforeExpiry.HasValue ? 1:0) +
(EmailAtPercentageLifetime.HasValue ? 1:0) > 1)
{
throw new ArgumentException("Only one of the values for RenewAtNumberOfDaysBeforeExpiry, RenewAtPercentageLifetime, EmailAtNumberOfDaysBeforeExpiry, EmailAtPercentageLifetime can be set.");
}
if (certificatePolicy.LifetimeActions == null)
{
certificatePolicy.LifetimeActions = new List<LifetimeAction>();
}
if (RenewAtNumberOfDaysBeforeExpiry.HasValue)
{
certificatePolicy.LifetimeActions.Add(
new LifetimeAction
{
Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.AutoRenew },
Trigger = new Trigger { DaysBeforeExpiry = RenewAtNumberOfDaysBeforeExpiry },
}
);
}
if (RenewAtPercentageLifetime.HasValue)
{
certificatePolicy.LifetimeActions.Add(
new LifetimeAction
{
Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.AutoRenew },
Trigger = new Trigger { LifetimePercentage = RenewAtPercentageLifetime },
}
);
}
if (EmailAtNumberOfDaysBeforeExpiry.HasValue)
{
certificatePolicy.LifetimeActions.Add(
new LifetimeAction
{
Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.EmailContacts },
Trigger = new Trigger { DaysBeforeExpiry = EmailAtNumberOfDaysBeforeExpiry },
}
);
}
if (EmailAtPercentageLifetime.HasValue)
{
certificatePolicy.LifetimeActions.Add(
new LifetimeAction
{
Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.EmailContacts },
Trigger = new Trigger { LifetimePercentage = EmailAtPercentageLifetime },
}
);
}
}
return certificatePolicy;
}
public CertificatePolicy UpdateCertificatePolicy(string vaultName, string certificateName, CertificatePolicy certificatePolicy)
{
if (string.IsNullOrEmpty(vaultName))
throw new ArgumentNullException("vaultName");
if (string.IsNullOrEmpty(certificateName))
throw new ArgumentNullException("certificateName");
if (certificatePolicy == null)
throw new ArgumentNullException("certificatePolicy");
string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName);
CertificatePolicy resultantCertificatePolicy;
try
{
resultantCertificatePolicy = this.keyVaultClient.UpdateCertificatePolicyAsync(vaultAddress, certificateName, certificatePolicy).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return resultantCertificatePolicy;
}
public CertificateOperation EnrollCertificate(string vaultName, string certificateName, CertificatePolicy certificatePolicy, IDictionary<string, string> tags)
{
if (string.IsNullOrEmpty(vaultName))
throw new ArgumentNullException("vaultName");
if (string.IsNullOrEmpty(certificateName))
throw new ArgumentNullException("certificateName");
string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName);
CertificateOperation certificateOperation;
try
{
certificateOperation = this.keyVaultClient.CreateCertificateAsync(vaultAddress, certificateName, certificatePolicy, null, tags).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return certificateOperation;
}
