public async Task DownloadNonExportableCertificate(string contentType) { string name = Recording.GenerateId(); CertificatePolicy policy = new CertificatePolicy { IssuerName = WellKnownIssuerNames.Self, Subject = "CN=default", KeyType = CertificateKeyType.Rsa, Exportable = false, ReuseKey = false, KeyUsage = { CertificateKeyUsage.DataEncipherment, }, CertificateTransparency = false, ContentType = contentType, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy); RegisterForCleanup(name); await operation.WaitForCompletionAsync(); using X509Certificate2 x509certificate = await Client.DownloadCertificateAsync(name); Assert.IsFalse(x509certificate.HasPrivateKey); }
public async Task VerifyUnexpectedCancelCertificateOperation() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); try { // Calling through the CertificateClient directly won't affect the CertificateOperation, so subsequent status updates should throw. await Client.CancelCertificateOperationAsync(certName); } catch (RequestFailedException e) when(e.Status == 403) { Assert.Inconclusive("The create operation completed before it could be canceled."); } OperationCanceledException ex = Assert.ThrowsAsync <OperationCanceledException>( async() => await WaitForCompletion(operation), $"Expected exception {nameof(OperationCanceledException)} not thrown. Operation status: {operation?.Properties?.Status}, error: {operation?.Properties?.Error?.Message}"); Assert.AreEqual("The operation was canceled so no value is available.", ex.Message); Assert.IsTrue(operation.HasCompleted); Assert.IsFalse(operation.HasValue); Assert.AreEqual(200, operation.GetRawResponse().Status); }
public async Task VerifyUpdateCertificatePolicy() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy); KeyVaultCertificateWithPolicy original = await WaitForCompletion(operation); Assert.NotNull(original); RegisterForCleanup(certName); certificatePolicy = new CertificatePolicy(WellKnownIssuerNames.Self, "CN=Azure SDK") { ReuseKey = true, CertificateTransparency = true, Exportable = false, ContentType = CertificateContentType.Pem, KeySize = 3072 }; CertificatePolicy updatePolicy = await Client.UpdateCertificatePolicyAsync(certName, certificatePolicy); Assert.NotNull(updatePolicy); Assert.NotNull(updatePolicy.UpdatedOn); Assert.AreEqual(certificatePolicy.Subject, updatePolicy.Subject); Assert.AreEqual(certificatePolicy.ReuseKey, updatePolicy.ReuseKey); Assert.AreEqual(certificatePolicy.Exportable, updatePolicy.Exportable); Assert.AreEqual(certificatePolicy.CertificateTransparency, updatePolicy.CertificateTransparency); Assert.AreEqual(certificatePolicy.ContentType, updatePolicy.ContentType); Assert.AreEqual(certificatePolicy.KeySize, updatePolicy.KeySize); }
public async Task VerifyCancelCertificateOperation() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); try { await operation.CancelAsync(); } catch (RequestFailedException e) when(e.Status == 403) { Assert.Inconclusive("The create operation completed before it could be canceled."); } OperationCanceledException ex = Assert.ThrowsAsync <OperationCanceledException>(() => WaitForCompletion(operation)); Assert.AreEqual("The operation was canceled so no value is available.", ex.Message); Assert.IsTrue(operation.HasCompleted); Assert.IsFalse(operation.HasValue); Assert.AreEqual(200, operation.GetRawResponse().Status); }
public async Task VerifyUnexpectedDeleteCertificateOperation() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown; CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); try { // Calling through the CertificateClient directly won't affect the CertificateOperation, so subsequent status updates should throw. await Client.DeleteCertificateOperationAsync(certName); } catch (RequestFailedException e) when(e.Status == 403) { Assert.Inconclusive("The create operation completed before it could be canceled."); } InvalidOperationException ex = Assert.ThrowsAsync <InvalidOperationException>(() => WaitForCompletion(operation)); Assert.AreEqual("The operation was deleted so no value is available.", ex.Message); Assert.IsTrue(operation.HasCompleted); Assert.IsFalse(operation.HasValue); Assert.AreEqual(404, operation.GetRawResponse().Status); }
public async Task VerifyCertificateGetWithPolicyInProgress() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown; await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); KeyVaultCertificateWithPolicy certificateWithPolicy = await Client.GetCertificateAsync(certName); Assert.NotNull(certificateWithPolicy); Assert.AreEqual(certificateWithPolicy.Name, certName); Assert.NotNull(certificateWithPolicy.Properties.Version); KeyVaultCertificate certificate = await Client.GetCertificateVersionAsync(certName, certificateWithPolicy.Properties.Version); Assert.NotNull(certificate); Assert.AreEqual(certificate.Name, certName); }
public async Task <CertificateOperation> CreateCsrAsync(string vaultName, string certificateName, string displayName) { var policy = new CertificatePolicy() { X509CertificateProperties = new X509CertificateProperties { Subject = $"CN={displayName}" }, KeyProperties = new KeyProperties { KeySize = 2048, KeyType = "RSA-HSM" }, IssuerParameters = new IssuerParameters { Name = "Unknown" // External CA } }; var vault = await GetVaultAsync(vaultName).ConfigureAwait(false); var op = await kvClient.CreateCertificateAsync(vault.VaultUri, certificateName, policy).ConfigureAwait(false); return(op); }
public CertificatePolicy ToCertificatePolicy() { var subjectAlternativeNames = new SubjectAlternativeNames(); foreach (var dnsName in DnsNames) { subjectAlternativeNames.DnsNames.Add(dnsName); } var certificatePolicy = new CertificatePolicy(WellKnownIssuerNames.Unknown, subjectAlternativeNames) { KeySize = KeySize, ReuseKey = ReuseKey }; if (!string.IsNullOrEmpty(KeyType)) { certificatePolicy.KeyType = KeyType; } if (!string.IsNullOrEmpty(KeyCurveName)) { certificatePolicy.KeyCurveName = KeyCurveName; } return(certificatePolicy); }
internal static KeyVaultCertificatePolicy FromCertificatePolicy(CertificatePolicy certificatePolicy) { return(new KeyVaultCertificatePolicy { SecretContentType = certificatePolicy.SecretProperties == null ? null : certificatePolicy.SecretProperties.ContentType, Kty = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeyType, KeySize = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeySize, Exportable = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.Exportable, ReuseKeyOnRenewal = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.ReuseKey, SubjectName = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Subject, DnsNames = certificatePolicy.X509CertificateProperties == null || certificatePolicy.X509CertificateProperties.SubjectAlternativeNames == null ? null : new List <string>(certificatePolicy.X509CertificateProperties.SubjectAlternativeNames.DnsNames), KeyUsage = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.KeyUsage == null ? null : new List <string>(certificatePolicy.X509CertificateProperties.KeyUsage), Ekus = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Ekus == null ? null : new List <string>(certificatePolicy.X509CertificateProperties.Ekus), ValidityInMonths = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.ValidityInMonths, IssuerName = certificatePolicy.IssuerReference == null ? null : certificatePolicy.IssuerReference.Name, RenewAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry), RenewAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage), EmailAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry), EmailAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage), Enabled = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Enabled, Created = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Created, Updated = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Updated, }); }
/// <summary> /// Create certificate policy /// </summary> /// <param name="subject"></param> /// <param name="keyParams"></param> /// <param name="selfSigned"></param> /// <param name="reuseKey"></param> /// <param name="exportable"></param> /// <param name="isHsm"></param> /// <returns></returns> private static CertificatePolicy CreateCertificatePolicy(string subject, CreateKeyParams keyParams, bool selfSigned, bool isHsm, bool reuseKey, bool exportable) { ValidateKeyParameters(keyParams); var policy = new CertificatePolicy { IssuerParameters = new IssuerParameters { Name = selfSigned ? "Self" : "Unknown" }, KeyProperties = new KeyProperties { Exportable = exportable, KeySize = (int?)keyParams.KeySize, Curve = keyParams.Curve?.ToJsonWebKeyCurveName(), KeyType = keyParams.Type.ToKty(isHsm && !exportable), ReuseKey = reuseKey }, SecretProperties = new SecretProperties { ContentType = CertificateContentType.Pfx }, X509CertificateProperties = new X509CertificateProperties { Subject = subject }, LifetimeActions = new List <LifetimeAction>(), }; return(policy); }
public async Task VerifyUnexpectedCancelCertificateOperation() { // Log details why this fails often for live tests on net461. using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger(EventLevel.Verbose); string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; CertificateOperation operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); try { // Calling through the CertificateClient directly won't affect the CertificateOperation, so subsequent status updates should throw. await Client.CancelCertificateOperationAsync(certName); } catch (RequestFailedException e) when(e.Status == 403) { Assert.Inconclusive("The create operation completed before it could be canceled."); } OperationCanceledException ex = Assert.ThrowsAsync <OperationCanceledException>(() => WaitForCompletion(operation)); Assert.AreEqual("The operation was canceled so no value is available.", ex.Message); Assert.IsTrue(operation.HasCompleted); Assert.IsFalse(operation.HasValue); Assert.AreEqual(200, operation.GetRawResponse().Status); }
public async Task CreateSelfSignedCertificateAsync(string certificateName, KeyProperties keyProperties, string subject, IEnumerable <string> subjectAlternativeNames, Dictionary <string, string> tags) { var certificatePolicy = new CertificatePolicy() { KeyProperties = keyProperties, X509CertificateProperties = new X509CertificateProperties() { Subject = subject, SubjectAlternativeNames = new SubjectAlternativeNames(dnsNames: subjectAlternativeNames.ToList()), }, IssuerParameters = new IssuerParameters() { Name = "Self", }, }; try { var certificateOperation = await keyVaultClient.CreateCertificateAsync(settings.VaultBaseUri.AbsoluteUri, certificateName, certificatePolicy, tags : tags); var encodedCertificate = Encoding.UTF8.GetString(certificateOperation.Csr); } catch (KeyVaultErrorException keyVaultErrorException) { Console.WriteLine($"Error ({keyVaultErrorException.Body.Error.Code}): {keyVaultErrorException.Body.Error.Message}"); if (keyVaultErrorException.Body.Error.InnerError != null) { var innerError = keyVaultErrorException.Body.Error.InnerError; Console.WriteLine($"Inner Error ({innerError.Code}): {innerError.Message}"); } } }
public async Task <byte[]> CreateLetsEncryptCertificateAsync(string certificateName, KeyProperties keyProperties, string subject, IEnumerable <string> subjectAlternativeNames, Dictionary <string, string> tags) { var certificatePolicy = new CertificatePolicy() { KeyProperties = keyProperties, X509CertificateProperties = new X509CertificateProperties() { Subject = subject, SubjectAlternativeNames = new SubjectAlternativeNames(dnsNames: subjectAlternativeNames.ToList()), } }; try { var certificateOperation = await keyVaultClient.CreateCertificateAsync(settings.VaultBaseUri.AbsoluteUri, certificateName, certificatePolicy, tags : tags); return(certificateOperation.Csr); } catch (KeyVaultErrorException keyVaultErrorException) { Console.WriteLine($"Error ({keyVaultErrorException.Body.Error.Code}): {keyVaultErrorException.Body.Error.Message}"); if (keyVaultErrorException.Body.Error.InnerError != null) { var innerError = keyVaultErrorException.Body.Error.InnerError; Console.WriteLine($"Inner Error ({innerError.Code}): {innerError.Message}"); } } throw new InvalidOperationException("Creating a certificate failed..."); }
private CertificatePolicy CreateCertificatePolicy( string subject, int keySize, bool selfSigned, bool reuseKey = false, bool exportable = false) { var policy = new CertificatePolicy { IssuerParameters = new IssuerParameters { Name = selfSigned ? "Self" : "Unknown" }, KeyProperties = new KeyProperties { Exportable = exportable, KeySize = keySize, KeyType = "RSA", ReuseKey = reuseKey }, SecretProperties = new SecretProperties { ContentType = CertificateContentType.Pfx }, X509CertificateProperties = new X509CertificateProperties { Subject = subject }, }; return(policy); }
public async Task VerifyCertificateGetWithPolicyInProgress() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = Client.CreateDefaultPolicy(); certificatePolicy.IssuerName = "UNKNOWN"; await Client.StartCreateCertificateAsync(certName); RegisterForCleanup(certName); CertificateWithPolicy certificateWithPolicy = await Client.GetCertificateWithPolicyAsync(certName); Assert.NotNull(certificateWithPolicy); Assert.AreEqual(certificateWithPolicy.Name, certName); Assert.NotNull(certificateWithPolicy.Version); Certificate certificate = await Client.GetCertificateAsync(certName, certificateWithPolicy.Version); Assert.NotNull(certificate); Assert.AreEqual(certificate.Name, certName); }
public async Task DownloadECDsaCertificateSignLocalVerifyRemote([EnumValues] CertificateContentType contentType, [EnumValues] CertificateKeyCurveName keyCurveName) { #if NET461 Assert.Ignore("ECC is not supported before .NET Framework 4.7"); #endif if (keyCurveName == CertificateKeyCurveName.P256K && RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) { Assert.Ignore("https://github.com/Azure/azure-sdk-for-net/issues/25472"); } string name = Recording.GenerateId(); CertificatePolicy policy = new CertificatePolicy { IssuerName = WellKnownIssuerNames.Self, Subject = "CN=default", KeyType = CertificateKeyType.Ec, KeyCurveName = keyCurveName, Exportable = true, KeyUsage = { CertificateKeyUsage.DigitalSignature, }, ContentType = contentType, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy); RegisterForCleanup(name); await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); // Download the certificate and sign data locally. byte[] plaintext = Encoding.UTF8.GetBytes(nameof(DownloadECDsaCertificateSignRemoteVerifyLocal)); X509Certificate2 certificate = null; try { certificate = await Client.DownloadCertificateAsync(name, operation.Value.Properties.Version); using ECDsa privateKey = certificate.GetECDsaPrivateKey(); byte[] signature = privateKey.SignData(plaintext, keyCurveName.GetHashAlgorithmName()); // Verify data remotely. CryptographyClient cryptoClient = GetCryptographyClient(operation.Value.KeyId); VerifyResult result = await cryptoClient.VerifyDataAsync(keyCurveName.GetSignatureAlgorithm(), plaintext, signature); Assert.IsTrue(result.IsValid); } catch (Exception ex) when(IsExpectedP256KException(ex, keyCurveName)) { Assert.Ignore("The curve is not supported by the current platform"); } finally { certificate?.Dispose(); } }
public async Task <CertificateOperation> CreateCertificateAsync( string certificateName, string certificateCN, IDictionary <string, string> tags = null, CancellationToken cancellationToken = default ) { try { tags ??= new Dictionary <string, string>(); Log.Information($"Adding certificate to Azure KeyVault: {certificateName} ..."); // ToDo: Add support of PEM certificate creation: CertificateContentType.Pem var contentType = CertificateContentType.Pfx; var certificatePolicy = new CertificatePolicy { KeyProperties = new KeyProperties { Exportable = true, KeyType = "RSA", KeySize = 2048, ReuseKey = false }, SecretProperties = new SecretProperties { ContentType = contentType }, X509CertificateProperties = new X509CertificateProperties { Subject = $"CN={certificateCN}", SubjectAlternativeNames = new SubjectAlternativeNames { DnsNames = new string[] { certificateCN } } }, IssuerParameters = new IssuerParameters { Name = "Self" } }; certificatePolicy.Validate(); var certificateAttributes = new CertificateAttributes(); var certificateOperation = await _keyVaultClient .CreateCertificateAsync( _keyVault.Properties.VaultUri, certificateName, certificatePolicy, certificateAttributes, tags, cancellationToken ); Log.Information($"Added certificate to Azure KeyVault: {certificateName}"); return(certificateOperation); } catch (Exception ex) { Log.Error(ex, $"Failed to add certificate to Azure KeyVault: {certificateName}"); throw; } }
static CertificateOperationTests() { var policy = new CertificatePolicy(); ((IJsonDeserializable)policy).ReadProperties(JsonDocument.Parse(s_policyJson).RootElement); s_policy = policy; }
public async Task DownloadVersionedCertificate(string contentType) { string name = Recording.GenerateId(); CertificatePolicy policy = new CertificatePolicy { IssuerName = WellKnownIssuerNames.Self, Subject = "CN=default", KeyType = CertificateKeyType.Rsa, Exportable = true, ReuseKey = false, KeyUsage = { CertificateKeyUsage.DataEncipherment, }, CertificateTransparency = false, ContentType = contentType, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy); RegisterForCleanup(name); await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); KeyVaultCertificate certificate = await Client.GetCertificateAsync(name); string version = certificate.Properties.Version; using X509Certificate2 pub = new X509Certificate2(certificate.Cer); #if NET6_0_OR_GREATER using RSA pubkey = (RSA)pub.PublicKey.GetRSAPublicKey(); #else using RSA pubkey = (RSA)pub.PublicKey.Key; #endif byte[] plaintext = Encoding.UTF8.GetBytes("Hello, world!"); byte[] ciphertext = pubkey.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1); // Create a new certificate version that is not exportable just to further prove we are not downloading it. policy.Exportable = false; operation = await Client.StartCreateCertificateAsync(name, policy); await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default); certificate = await Client.GetCertificateAsync(name); Assert.AreNotEqual(version, certificate.Properties.Version); // Now download the certificate and test decryption. using X509Certificate2 x509certificate = await Client.DownloadCertificateAsync(name, version); Assert.IsTrue(x509certificate.HasPrivateKey); using RSA rsa = (RSA)x509certificate.GetRSAPrivateKey(); byte[] decrypted = rsa.Decrypt(ciphertext, RSAEncryptionPadding.Pkcs1); CollectionAssert.AreEqual(plaintext, decrypted); }
public void KeyPolicySerialized(CertificatePolicy policy, string expectedJson) { using (JsonStream json = new JsonStream()) { json.WriteObject(policy); Assert.That(json.ToString(), Is.EqualTo(expectedJson)); } }
public async Task <CertificatePolicyItem> GetCertificatePolicy([ActivityTrigger] string certificateName) { CertificatePolicy certificatePolicy = await _certificateClient.GetCertificatePolicyAsync(certificateName); var dnsNames = certificatePolicy.SubjectAlternativeNames.DnsNames.ToArray(); return(new CertificatePolicyItem { CertificateName = certificateName, DnsNames = dnsNames.Length > 0 ? dnsNames : new[] { certificatePolicy.Subject[3..] },
public async Task VerifyCertificateOperationError() { string issuerName = Recording.GenerateId(); string certName = Recording.GenerateId(); CertificateIssuer certIssuer = new CertificateIssuer(issuerName, "DigiCert") { AccountId = "test", Password = "******", OrganizationId = "test", }; await Client.CreateIssuerAsync(certIssuer); CertificateOperation operation = null; try { CertificatePolicy certificatePolicy = DefaultPolicy; certificatePolicy.IssuerName = issuerName; operation = await Client.StartCreateCertificateAsync(certName, certificatePolicy); operation = InstrumentOperation(operation); RegisterForCleanup(certName); using CancellationTokenSource cts = new CancellationTokenSource(TimeSpan.FromMinutes(2)); TimeSpan pollingInterval = Mode == RecordedTestMode.Playback ? TimeSpan.Zero : KeyVaultTestEnvironment.DefaultPollingInterval; while (!operation.HasCompleted) { await Task.Delay(pollingInterval, cts.Token); await operation.UpdateStatusAsync(cts.Token); } InvalidOperationException ex = Assert.Throws <InvalidOperationException>(() => { KeyVaultCertificateWithPolicy cert = operation.Value; }); StringAssert.StartsWith("The certificate operation failed: ", ex.Message); Assert.IsTrue(operation.HasCompleted); Assert.IsFalse(operation.HasValue); Assert.AreEqual(200, operation.GetRawResponse().Status); Assert.AreEqual("failed", operation.Properties.Status); } catch (TaskCanceledException) when(operation != null) { Assert.Inconclusive("Timed out while waiting for operation {0}", operation.Id); } finally { await Client.DeleteIssuerAsync(issuerName); } }
public void UpdateCertificatePolicyArgumentValidation() { CertificatePolicy policy = new CertificatePolicy(WellKnownIssuerNames.Self, "CN=Azure SDK"); ArgumentException ex = Assert.ThrowsAsync <ArgumentNullException>(() => Client.UpdateCertificatePolicyAsync(null, policy)); Assert.AreEqual("certificateName", ex.ParamName); ex = Assert.ThrowsAsync <ArgumentException>(() => Client.UpdateCertificatePolicyAsync(string.Empty, policy)); Assert.AreEqual("certificateName", ex.ParamName); StringAssert.StartsWith("Value cannot be an empty string.", ex.Message); }
public async Task DownloadECDsaCertificateSignRemoteVerifyLocal([EnumValues] CertificateContentType contentType, [EnumValues] CertificateKeyCurveName keyCurveName) { #if NET461 Assert.Ignore("ECC is not supported before .NET Framework 4.7"); #endif string name = Recording.GenerateId(); CertificatePolicy policy = new CertificatePolicy { IssuerName = WellKnownIssuerNames.Self, Subject = "CN=default", KeyType = CertificateKeyType.Ec, KeyCurveName = keyCurveName, Exportable = true, KeyUsage = { CertificateKeyUsage.DigitalSignature, }, ContentType = contentType, }; CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy); RegisterForCleanup(name); await WaitForCompletion(operation, TimeSpan.FromSeconds(5)); // Sign data remotely. byte[] plaintext = Encoding.UTF8.GetBytes(nameof(DownloadECDsaCertificateSignRemoteVerifyLocal)); CryptographyClient cryptoClient = GetCryptographyClient(operation.Value.KeyId); SignResult result = await cryptoClient.SignDataAsync(keyCurveName.GetSignatureAlgorithm(), plaintext); // Download the certificate and verify data locally. X509Certificate2 certificate = null; try { certificate = await Client.DownloadCertificateAsync(name, operation.Value.Properties.Version); using ECDsa publicKey = certificate.GetECDsaPublicKey(); Assert.IsTrue(publicKey.VerifyData(plaintext, result.Signature, keyCurveName.GetHashAlgorithmName())); } catch (Exception ex) when(IsExpectedP256KException(ex, keyCurveName)) { Assert.Ignore("The curve is not supported by the current platform"); } finally { certificate?.Dispose(); } }
protected override async Task <CertificateBundle> OnVersionChangeAsync(CustomVersion cv) { var cb = await _session.CurrentVault.GetCertificateAsync(cv.Id.Name, (cv.Index == 0)?null : cv.Id.Version); // Pass NULL as a version to fetch current CertificatePolicy var cert = await _session.CurrentVault.GetCertificateWithExportableKeysAsync(cv.Id.Name, cv.Id.Version); if ((_certificatePolicy == null) && (cb.Policy != null)) // cb.Policy will be NULL when version is not current { _certificatePolicy = cb.Policy; } RefreshCertificateObject(cb, _certificatePolicy, cert); return(cb); }
public async Task <CertificatePolicyItem> GetCertificatePolicy([ActivityTrigger] string certificateName) { CertificatePolicy certificatePolicy = await _certificateClient.GetCertificatePolicyAsync(certificateName); return(new CertificatePolicyItem { CertificateName = certificateName, DnsNames = certificatePolicy.SubjectAlternativeNames.DnsNames.ToArray(), KeyType = certificatePolicy.KeyType?.ToString(), KeySize = certificatePolicy.KeySize, KeyCurveName = certificatePolicy.KeyCurveName?.ToString(), ReuseKey = certificatePolicy.ReuseKey }); }
/// <summary> /// Imports a certificate /// </summary> /// <param name="certificateName"> the name of the created certificate </param> /// <returns> The imported certificate </returns> private static CertificateBundle ImportCertificate(out string certificateName) { var vaultAddress = inputValidator.GetVaultAddress(); certificateName = inputValidator.GetCertificateName(); var pfxPath = inputValidator.GetPfxPath(); var pfxPassword = inputValidator.GetPfxPassword(); var policy = new CertificatePolicy { KeyProperties = new KeyProperties { Exportable = true, KeyType = "RSA" }, SecretProperties = new SecretProperties { ContentType = "application/x-pem-file" //ContentType = CertificateContentType.Pfx } }; var base64X509 = string.Empty; if (File.Exists(pfxPath)) { var x509Collection = new X509Certificate2Collection(); x509Collection.Import(pfxPath, pfxPassword, X509KeyStorageFlags.Exportable); // A pfx can contain a chain var x509Bytes = x509Collection.Cast <X509Certificate2>().Single(s => s.HasPrivateKey).Export(X509ContentType.Pfx, pfxPassword); base64X509 = Convert.ToBase64String(x509Bytes); } else { //base64X509 = "aaaaaaaaaaaaaaa\naaaaaaaaaaaaaaaa"; base64X509 = "yourcert"; } var name = certificateName; var certificate = Task.Run(() => keyVaultClient.ImportCertificateAsync(vaultAddress, name, base64X509, pfxPassword, policy)).ConfigureAwait(false).GetAwaiter().GetResult(); Console.Out.WriteLine("Created certificate:---------------"); PrintoutCertificate(certificate); return(certificate); }
public async Task <CertificateOperation> CreateCsrAsync(string vaultName, string certificateName, string displayName) { var policy = new CertificatePolicy("Unknown", $"CN={displayName}") { KeyType = CertificateKeyType.RsaHsm, KeySize = 2048 }; var vault = await GetVaultAsync(vaultName).ConfigureAwait(false); var client = new CertificateClient(vault.VaultUri, appTokenCredential); var op = await client.StartCreateCertificateAsync(certificateName, policy).ConfigureAwait(false); return(op); }
public void StartCreateCertificateError() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = new CertificatePolicy("invalid", "Self") { KeyUsage = { "invalid", }, }; RequestFailedException ex = Assert.ThrowsAsync <RequestFailedException>(() => Client.StartCreateCertificateAsync(certName, certificatePolicy)); Assert.AreEqual(400, ex.Status); }
public async Task VerifyGetCertificateOperation() { string certName = Recording.GenerateId(); CertificatePolicy certificatePolicy = DefaultPolicy; certificatePolicy.IssuerName = WellKnownIssuerNames.Unknown; await Client.StartCreateCertificateAsync(certName, certificatePolicy); RegisterForCleanup(certName); CertificateOperation getOperation = await Client.GetCertificateOperationAsync(certName); Assert.IsNotNull(getOperation); }
public void TestAes1000WithCertificate() { var cert2 = LoadCertificate(); //var publicKey = X509CertificateHelper.GetRSACryptoServiceProviderFromPublicKey(cert2); var keyProtector = X509CertificateHelper.GetKeyEncryptionKey(cert2); // generate a protected key var gen = new ProtectedX509Certificate2Generator(); var policy = new CertificatePolicy() { CommonName = "Testing protected certs", AllPurposes = true, ValidForDays = 2 }; var protectedKey = Task.Run(() => gen.IssueNewCertificateAsync(keyProtector, policy)).GetAwaiter().GetResult(); // save the key to test var keyOutputFilePath = (CERT_FOLDER + "temp\\pk-" + protectedKey.KeyId + ".kpk"); var fi = new FileInfo(keyOutputFilePath); if (!fi.Directory.Exists) { fi.Directory.Create(); } var bytes = Task.Run(() => protectedKey.ToByteArrayAsync()).GetAwaiter().GetResult(); File.WriteAllBytes(fi.FullName, bytes); Console.WriteLine(fi.FullName); var list = new List<string>(); var listEnc = new List<AsymmetricallyEncryptedObject>(); using (var privateKey = Task.Run(() => protectedKey.ToKeyEncyrptionKeyAsync(keyProtector)).GetAwaiter().GetResult()) { //var publicKey = privateKey.PublicKey.Key as RSACryptoServiceProvider; //File.WriteAllText(fi.FullName + "_A.cer", privateKey.PublicKeyToPEM()); int length = 100; var rand = new RandomGenerator(); for (int i = 0; i < length; i++) { var stringToEncrypt = Guid.NewGuid().ToString("N") + ":* d’une secrétairE chargée des affaires des étudiants de la section"; list.Add(stringToEncrypt); var asymEnc = new AsymmetricEncryptor(AsymmetricStrategyOption.Aes256_1000); var asymObj = asymEnc.EncryptObjectAsync(stringToEncrypt, privateKey).GetAwaiter().GetResult(); listEnc.Add(asymObj); var decrypted = asymEnc.DecryptObjectAsync(asymObj, privateKey).GetAwaiter().GetResult(); Assert.AreEqual(stringToEncrypt, decrypted); } } // lets reload a new private key var fileBytes = File.ReadAllBytes(fi.FullName); var encKey = new AsymmetricallyEncryptedObject(); encKey.LoadFromByteArray(fileBytes); var protectedKey2 = new ProtectedX509Certificate2(protectedKey.KeyId, encKey); using (var privateKey = Task.Run(() => protectedKey2.ToKeyEncyrptionKeyAsync(keyProtector)).GetAwaiter().GetResult()) { var asymEnc = new AsymmetricEncryptor(AsymmetricStrategyOption.Aes256_1000); int i = 0; foreach (var line in list) { var asymObj = listEnc[i]; var decrypted = asymEnc.DecryptObject(asymObj, privateKey); Assert.AreEqual(line, decrypted); i++; } } }
internal static KeyVaultCertificatePolicy FromCertificatePolicy(CertificatePolicy certificatePolicy) { return new KeyVaultCertificatePolicy { SecretContentType = certificatePolicy.SecretProperties == null ? null : certificatePolicy.SecretProperties.ContentType, Kty = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeyType, KeySize = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.KeySize, Exportable = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.Exportable, ReuseKeyOnRenewal = certificatePolicy.KeyProperties == null ? null : certificatePolicy.KeyProperties.ReuseKey, SubjectName = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Subject, DnsNames = certificatePolicy.X509CertificateProperties == null || certificatePolicy.X509CertificateProperties.SubjectAlternativeNames == null ? null : new List<string>(certificatePolicy.X509CertificateProperties.SubjectAlternativeNames.DnsNames), KeyUsage = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.KeyUsage == null ? null : new List<string>(certificatePolicy.X509CertificateProperties.KeyUsage), Ekus = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.Ekus == null ? null : new List<string>(certificatePolicy.X509CertificateProperties.Ekus), ValidityInMonths = certificatePolicy.X509CertificateProperties == null ? null : certificatePolicy.X509CertificateProperties.ValidityInMonths, IssuerName = certificatePolicy.IssuerReference == null ? null : certificatePolicy.IssuerReference.Name, RenewAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry), RenewAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForAutoRenewAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage), EmailAtNumberOfDaysBeforeExpiry = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.DaysBeforeExpiry), EmailAtPercentageLifetime = certificatePolicy.LifetimeActions == null ? null : FindIntValueForEmailAction(certificatePolicy.LifetimeActions, (trigger) => trigger.LifetimePercentage), Enabled = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Enabled, Created = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Created, Updated = certificatePolicy.Attributes == null ? null : certificatePolicy.Attributes.Updated, }; }
internal CertificatePolicy ToCertificatePolicy() { var certificatePolicy = new CertificatePolicy(); if (!string.IsNullOrWhiteSpace(SecretContentType)) { certificatePolicy.SecretProperties = new SecretProperties { ContentType = SecretContentType }; } if (!string.IsNullOrWhiteSpace(Kty) || KeySize.HasValue || ReuseKeyOnRenewal.HasValue || Exportable.HasValue) { certificatePolicy.KeyProperties = new KeyProperties { KeyType = Kty, KeySize = KeySize, Exportable = Exportable, ReuseKey = ReuseKeyOnRenewal, }; } if (!string.IsNullOrWhiteSpace(IssuerName)) { certificatePolicy.IssuerReference = new IssuerReference { Name = IssuerName }; } if (Enabled.HasValue) { certificatePolicy.Attributes = new CertificateAttributes { Enabled = Enabled, }; } if (!string.IsNullOrWhiteSpace(SubjectName) || DnsNames != null || Ekus != null || KeyUsage != null | ValidityInMonths.HasValue) { var x509CertificateProperties = new X509CertificateProperties { Subject = SubjectName, }; if (KeyUsage != null) { x509CertificateProperties.KeyUsage = new List<string>(KeyUsage); } if (Ekus != null) { x509CertificateProperties.Ekus = Ekus == null ? null : new List<string>(Ekus); } if (DnsNames != null) { x509CertificateProperties.SubjectAlternativeNames = new SubjectAlternativeNames { DnsNames = new string[DnsNames.Count], }; x509CertificateProperties.SubjectAlternativeNames.DnsNames = new List<string>(DnsNames); } if (ValidityInMonths.HasValue) { x509CertificateProperties.ValidityInMonths = ValidityInMonths.Value; } certificatePolicy.X509CertificateProperties = x509CertificateProperties; } if (RenewAtNumberOfDaysBeforeExpiry.HasValue || RenewAtPercentageLifetime.HasValue || EmailAtNumberOfDaysBeforeExpiry.HasValue || EmailAtPercentageLifetime.HasValue) { if ((RenewAtNumberOfDaysBeforeExpiry.HasValue ? 1:0) + (RenewAtPercentageLifetime.HasValue ? 1:0) + (EmailAtNumberOfDaysBeforeExpiry.HasValue ? 1:0) + (EmailAtPercentageLifetime.HasValue ? 1:0) > 1) { throw new ArgumentException("Only one of the values for RenewAtNumberOfDaysBeforeExpiry, RenewAtPercentageLifetime, EmailAtNumberOfDaysBeforeExpiry, EmailAtPercentageLifetime can be set."); } if (certificatePolicy.LifetimeActions == null) { certificatePolicy.LifetimeActions = new List<LifetimeAction>(); } if (RenewAtNumberOfDaysBeforeExpiry.HasValue) { certificatePolicy.LifetimeActions.Add( new LifetimeAction { Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.AutoRenew }, Trigger = new Trigger { DaysBeforeExpiry = RenewAtNumberOfDaysBeforeExpiry }, } ); } if (RenewAtPercentageLifetime.HasValue) { certificatePolicy.LifetimeActions.Add( new LifetimeAction { Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.AutoRenew }, Trigger = new Trigger { LifetimePercentage = RenewAtPercentageLifetime }, } ); } if (EmailAtNumberOfDaysBeforeExpiry.HasValue) { certificatePolicy.LifetimeActions.Add( new LifetimeAction { Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.EmailContacts }, Trigger = new Trigger { DaysBeforeExpiry = EmailAtNumberOfDaysBeforeExpiry }, } ); } if (EmailAtPercentageLifetime.HasValue) { certificatePolicy.LifetimeActions.Add( new LifetimeAction { Action = new Azure.KeyVault.Models.Action { ActionType = ActionType.EmailContacts }, Trigger = new Trigger { LifetimePercentage = EmailAtPercentageLifetime }, } ); } } return certificatePolicy; }
public CertificatePolicy UpdateCertificatePolicy(string vaultName, string certificateName, CertificatePolicy certificatePolicy) { if (string.IsNullOrEmpty(vaultName)) throw new ArgumentNullException("vaultName"); if (string.IsNullOrEmpty(certificateName)) throw new ArgumentNullException("certificateName"); if (certificatePolicy == null) throw new ArgumentNullException("certificatePolicy"); string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName); CertificatePolicy resultantCertificatePolicy; try { resultantCertificatePolicy = this.keyVaultClient.UpdateCertificatePolicyAsync(vaultAddress, certificateName, certificatePolicy).GetAwaiter().GetResult(); } catch (Exception ex) { throw GetInnerException(ex); } return resultantCertificatePolicy; }
public CertificateOperation EnrollCertificate(string vaultName, string certificateName, CertificatePolicy certificatePolicy, IDictionary<string, string> tags) { if (string.IsNullOrEmpty(vaultName)) throw new ArgumentNullException("vaultName"); if (string.IsNullOrEmpty(certificateName)) throw new ArgumentNullException("certificateName"); string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName); CertificateOperation certificateOperation; try { certificateOperation = this.keyVaultClient.CreateCertificateAsync(vaultAddress, certificateName, certificatePolicy, null, tags).GetAwaiter().GetResult(); } catch (Exception ex) { throw GetInnerException(ex); } return certificateOperation; }