public async Task Restore(byte[] backup)
{
var keyBundle = await Client.RestoreKeyAsync(Identifier.Vault, backup);
SetFromRetrievedObject(keyBundle);
Identifier = new KeyIdentifier(keyBundle.KeyIdentifier.Identifier);
}
public KeyBundle UpdateKey(string vaultName, string keyName, string keyVersion, KeyAttributes keyAttributes)
{
if (string.IsNullOrEmpty(vaultName))
{
throw new ArgumentNullException("vaultName");
}
if (string.IsNullOrEmpty(keyName))
{
throw new ArgumentNullException("keyName");
}
if (keyAttributes == null)
{
throw new ArgumentNullException("keyAttributes");
}
var attributes = (Azure.KeyVault.Models.KeyAttributes)keyAttributes;
var keyIdentifier = new KeyIdentifier(this.vaultUriHelper.CreateVaultAddress(vaultName), keyName, keyVersion);
Azure.KeyVault.Models.KeyBundle keyBundle;
try
{
keyBundle = this.keyVaultClient.UpdateKeyAsync(
keyIdentifier.Identifier, keyAttributes.KeyOps, attributes: attributes, tags: keyAttributes.TagsDirectionary).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return(new KeyBundle(keyBundle, this.vaultUriHelper));
}
static async Task Main(string[] args)
{
var keyIdentifier = new KeyIdentifier("https://nosecrets-vault05.vault.azure.net:443/keys/EncryptionCertificate02/5cc49b815ea349c5bda9d08366ea780f");
var secretIdentifier = new SecretIdentifier("https://nosecrets-vault05.vault.azure.net:443/secrets/EncryptionCertificate02/5cc49b815ea349c5bda9d08366ea780f");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier);
var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable);
var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate);
var plainText = "Hello World";
var encryptedData = Encrypt(rsa, plainText);
Console.WriteLine("-------------encrypted string------------");
Console.WriteLine(Convert.ToBase64String(encryptedData));
var decryptedData = Decrypt(rsa, encryptedData);
Console.WriteLine("-------------decrypted string------------");
Console.WriteLine(decryptedData);
Console.WriteLine("Press any key to continue");
Console.Read();
}
//[Fact]
public void KeyVaultImportHsmByoKeyTest()
{
using (var undoContext = UndoContext.Current)
{
undoContext.Start();
var client = GetKeyVaultClient();
var request = GetImportKeyBundle(keyType: JsonWebKeyType.RsaHsm, keyToken: Resource.Key);
var importedKey =
client.ImportKeyAsync(_vaultAddress, "ImportHsmKeyTest", request).GetAwaiter().GetResult();
VerifyKeyAttributesAreEqual(request.Attributes, importedKey.Attributes);
Assert.Equal(request.Key.Kty, importedKey.Key.Kty);
var retrievedKey = client.GetKeyAsync(importedKey.Key.Kid).GetAwaiter().GetResult();
// Delete the key
var identifier = new KeyIdentifier(importedKey.Key.Kid);
client.DeleteKeyAsync(identifier.Vault, identifier.Name).Wait();
VerifyKeyAttributesAreEqual(importedKey.Attributes, retrievedKey.Attributes);
VerifyWebKeysAreEqual(importedKey.Key, retrievedKey.Key);
}
}
public void SetFixture(KeyVaultTestFixture data)
{
data.Initialize(TestUtilities.GetCallingClass());
if (HttpMockServer.Mode == HttpRecorderMode.Record)
{
// SECURITY: DO NOT USE IN PRODUCTION CODE; FOR TEST PURPOSES ONLY
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;
this._credential = data._ClientCredential;
this._tokenCache = new TokenCache();
this._vaultAddress = data.vaultAddress;
//Create one key to use for testing. Key creation is expensive.
var myClient = CreateKeyVaultClient();
var keyName = "sdktestkey";
var attributes = new KeyAttributes();
var createdKey = myClient.CreateKeyAsync(_vaultAddress, keyName, JsonWebKeyType.Rsa, 2048,
JsonWebKeyOperation.AllOperations, attributes).GetAwaiter().GetResult();
var keyIdentifier = new KeyIdentifier(createdKey.Key.Kid);
_keyName = keyIdentifier.Name;
_keyVersion = keyIdentifier.Version;
_keyIdentifier = new KeyIdentifier(_vaultAddress, _keyName, _keyVersion);
}
}
void Keyboard_KeyPressed(KeyboardButtonCode keyCode, uint keyChar)
{
KeyIdentifier key = InputMap.GetKey(keyCode);
repeatTimeout = REPEAT_INTERVAL_START;
context.ProcessKeyDown(key, buildModifier());
if (key == KeyIdentifier.KI_BACK || key == KeyIdentifier.KI_DELETE)
{
holdChar = 0;
holdKey = key;
}
else if (keyChar >= 32)
{
holdKey = key;
holdChar = (ushort)keyChar;
context.ProcessTextInput(holdChar);
}
else if (key == KeyIdentifier.KI_RETURN)
{
holdKey = key;
holdChar = (ushort)'\n';
context.ProcessTextInput(holdChar);
}
else if (key == KeyIdentifier.KI_LEFT || key == KeyIdentifier.KI_RIGHT || key == KeyIdentifier.KI_UP || key == KeyIdentifier.KI_DOWN)
{
holdKey = key;
holdChar = 0;
}
else
{
holdChar = 0;
holdKey = KeyIdentifier.KI_UNKNOWN;
}
}
/// <summary>
/// Creates a signature and verifies it
/// </summary>
/// <param name="keyIdentifier"> key identifier </param>
/// <param name="algorithm"> sign algorithm </param>
/// <param name="digest"> digest hash </param>
private void SignVerify(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] digest)
{
var signResult = client.SignAsync(keyIdentifier.BaseIdentifier, algorithm, digest).GetAwaiter().GetResult();
var verifyResult = client.VerifyAsync(signResult.Kid, algorithm, digest, signResult.Result).GetAwaiter().GetResult();
Assert.True(verifyResult, "Signature was not verified");
}
public async Task <Dictionary <string, (byte[] V, byte[] R, byte[] S)> > SignTransactionsAsync(
string address, Dictionary <string, byte[]> rawTxHashes)
{
var result = new Dictionary <string, (byte[] V, byte[] R, byte[] S)>();
var keyIdentifier = new KeyIdentifier
(
vaultBaseUrl: _vaultBaseUrl,
name: address
);
var publicKey = await _walletRepository.GetPublicKeyAsync(address);
var batches = rawTxHashes.Batch(_batchSize);
foreach (var batch in batches)
{
var tasks = new List <Task <(string, byte[], byte[], byte[])> >();
tasks.AddRange(
batch.Select(b => SignTransactionAsync(
keyIdentifier,
b.Key,
b.Value,
publicKey)));
await Task.WhenAll(tasks);
foreach (var task in tasks)
{
var signedData = task.Result;
result.Add(signedData.Item1, (signedData.Item2, signedData.Item3, signedData.Item4));
}
}
return(result);
}
void Keyboard_KeyReleased(KeyboardButtonCode keyCode)
{
KeyIdentifier key = InputMap.GetKey(keyCode);
context.ProcessKeyUp(key, buildModifier());
if (holdKey == key)
{
holdKey = KeyIdentifier.KI_UNKNOWN;
}
}
public async Task <X509Certificate2> GetCertificateAsync()
{
if (certificate == null)
{
var cert = await client.GetCertificateAsync(CertificateInfo.KeyVaultUrl, CertificateInfo.CertificateName).ConfigureAwait(false);
certificate = new X509Certificate2(cert.Cer);
keyIdentifier = cert.KeyIdentifier;
}
return(certificate);
}
void imageBox_KeyButtonPressed(Widget source, EventArgs e)
{
context.addReference(); //Keep context alive even if this widget is disposed during this event
try
{
KeyEventArgs ke = (KeyEventArgs)e;
KeyIdentifier key = InputMap.GetKey(ke.Key);
char keyChar = ke.Char;
context.ProcessKeyDown(key, buildModifier());
switch (key)
{
case KeyIdentifier.KI_DELETE:
keyChar = (char)0;
break;
case KeyIdentifier.KI_RETURN:
keyChar = (char)0;
context.ProcessTextInput('\n');
break;
case KeyIdentifier.KI_LEFT:
keyChar = (char)0;
break;
case KeyIdentifier.KI_RIGHT:
keyChar = (char)0;
break;
case KeyIdentifier.KI_UP:
keyChar = (char)0;
break;
case KeyIdentifier.KI_DOWN:
keyChar = (char)0;
break;
case KeyIdentifier.KI_BACK:
keyChar = (char)0;
break;
}
if (keyChar >= 32)
{
context.ProcessTextInput(keyChar);
}
}
finally
{
context.removeReference();
}
}
private async Task <(string, byte[], byte[], byte[])> SignTransactionAsync(
KeyIdentifier keyIdentifier,
string txHash,
byte[] rawTxHash,
byte[] publicKey)
{
using (_log.BeginScope($"{nameof(SignTransactionAsync)}-{Guid.NewGuid()}"))
{
try
{
var rs = await _keyVaultClient.SignAsync
(
keyIdentifier : keyIdentifier.Identifier,
algorithm : "ECDSA256",
digest : rawTxHash
);
var ecdsaSignature = ECDSASignatureFactory.FromComponents(rs.Result).MakeCanonical();
var recId = CalculateRecId(ecdsaSignature, rawTxHash, publicKey);
var r = ecdsaSignature.R.ToByteArray();
var s = ecdsaSignature.S.ToByteArray();
var v = new[] { (byte)(recId + 27) };
#region Logging
_log.Info
(
"Transaction has been signed.",
new { address = keyIdentifier.Name, rawTxHash = rawTxHash.ToHex(true) }
);
#endregion
return(txHash, v, r, s);
}
catch (Exception e)
{
#region Logging
_log.Error
(
e,
"Transaction signing failed.",
new { address = keyIdentifier.Name, rawTxHash = rawTxHash.ToHex(true) }
);
#endregion
throw;
}
}
}
public async Task <JsonWebKey> GetAsync()
{
if (_jwk == null)
{
var keyBundle = await GetSigningKeyAsync();
_keyBundle = keyBundle;
_keyIdentifier = keyBundle.KeyIdentifier;
_jwk = new JsonWebKey(keyBundle.Key.ToString());
}
return(_jwk);
}
public async Task <IActionResult> Authenticate(string id, [FromBody] AuthenticateRequest request)
{
var identity = await enclave.AuthenticateToken(KeyIdentifier.Parse(id), request.Scheme, request.Token);
if (identity == null)
{
return(Unauthorized());
}
return(Ok(new AuthenticateResult {
Identity = identity.Serialize()
}));
}
public override SecurityTokenReference CreateReference()
{
var keyIdentifier = new KeyIdentifier(_token.Id)
{
ValueType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID",
};
var reference = new SecurityTokenReference(keyIdentifier)
{
TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
};
return(reference);
}
/// <summary>
/// Wraps and unwraps symmetric key
/// </summary>
/// <param name="algorithm"> the wrao and unwrap algorithm </param>
private void WrapAndUnwrap(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] symmetricKeyBytes)
{
var wrapResult = client.WrapKeyAsync(keyIdentifier.BaseIdentifier, algorithm, symmetricKeyBytes).GetAwaiter().GetResult();
Assert.NotNull(wrapResult);
Assert.NotNull(wrapResult.Kid);
Assert.NotNull(wrapResult.Result);
var unwrapResult = client.UnwrapKeyAsync(wrapResult.Kid, algorithm, wrapResult.Result).GetAwaiter().GetResult();
Assert.NotNull(unwrapResult);
Assert.NotNull(unwrapResult.Kid);
Assert.True(unwrapResult.Result.SequenceEqual(symmetricKeyBytes), "the symmetric key after unwrap should match the initial key");
}
public void EncryptDecrypt(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm)
{
var plainText = RandomBytes(10);
var encryptResult = client.EncryptAsync(keyIdentifier.BaseIdentifier, algorithm, plainText).GetAwaiter().GetResult();
Assert.NotNull(encryptResult);
Assert.NotNull(encryptResult.Kid);
var decryptResult = client.DecryptAsync(encryptResult.Kid, algorithm, encryptResult.Result).GetAwaiter().GetResult();
Assert.NotNull(decryptResult);
Assert.NotNull(decryptResult.Kid);
Assert.True(plainText.SequenceEqual(decryptResult.Result));
}
public AzureKeyVaultMaterializedConfiguration(KeyVaultClient client,
KeyIdentifier keyIdentifier,
JsonWebKey key = null,
X509Certificate2 publicCertificate = null)
{
PublicCertificate = publicCertificate;
Client = client ?? throw new ArgumentNullException(nameof(client));
KeyIdentifier = keyIdentifier ?? throw new ArgumentNullException(nameof(keyIdentifier));
if (publicCertificate == null && key == null)
{
throw new ArgumentNullException(nameof(key), "Either key or publicCertificate must be set");
}
Key = key;
}
public override string ToString()
{
var sb = new StringBuilder();
if (ValueIdentifier == null)
{
sb.Append($"for {KeyIdentifier.ToString()}");
}
else
{
sb.Append($"for {KeyIdentifier.ToString()}, {ValueIdentifier.ToString()}");
}
sb.Append($" in {Collection.ToString()} {{\n{Body.ToString()}\n}}");
return(sb.ToString());
}
private KeyVaultClient GetKeyVaultClient()
{
if (HttpMockServer.Mode == HttpRecorderMode.Record)
{
HttpMockServer.Variables["VaultAddress"] = _vaultAddress;
HttpMockServer.Variables["KeyName"] = _keyName;
HttpMockServer.Variables["KeyVersion"] = _keyVersion;
}
else
{
_vaultAddress = HttpMockServer.Variables["VaultAddress"];
_keyName = HttpMockServer.Variables["KeyName"];
_keyVersion = HttpMockServer.Variables["KeyVersion"];
}
_keyIdentifier = new KeyIdentifier(_vaultAddress, _keyName, _keyVersion);
return(CreateKeyVaultClient());
}
public async Task <(byte[] V, byte[] R, byte[] S)> SignTransactionAsync(string address, byte[] rawTxHash)
{
var keyIdentifier = new KeyIdentifier
(
vaultBaseUrl: _vaultBaseUrl,
name: address
);
var publicKey = await _walletRepository.GetPublicKeyAsync(address);
var signedData = await SignTransactionAsync(
keyIdentifier,
null,
rawTxHash,
publicKey);
return(signedData.Item2, signedData.Item3, signedData.Item4);
}
public KeyVaultTestFixture()
{
Initialize(string.Empty);
if (vaultAddress != null && HttpMockServer.Mode == HttpRecorderMode.Record)
{
//Create one key to use for testing. Key creation is expensive.
var myClient = new KeyVaultClient(new TestKeyVaultCredential(GetAccessToken), GetHandlers());
keyName = "sdktestkey";
var attributes = new KeyAttributes();
var createdKey = myClient.CreateKeyAsync(vaultAddress, keyName, JsonWebKeyType.Rsa, 2048,
JsonWebKeyOperation.AllOperations, attributes).GetAwaiter().GetResult();
keyIdentifier = new KeyIdentifier(createdKey.Key.Kid);
keyName = keyIdentifier.Name;
keyVersion = keyIdentifier.Version;
tokenCache = new TokenCache();
}
}
static async Task Main(string[] args)
{
var keyIdentifier = new KeyIdentifier("https://nosecrets-vault02.vault.azure.net/keys/Document-Signing01/797aef42588b4a7a8638edc7de08b400");
var secretIdentifier = new SecretIdentifier("https://nosecrets-vault02.vault.azure.net/secrets/Document-Signing01/797aef42588b4a7a8638edc7de08b400");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier);
var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable);
var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate);
var xml = GetXml();
var signedXml = SignXml(rsa, xml);
Console.WriteLine("-------------signed xml------------");
Console.WriteLine(signedXml);
Console.WriteLine("Press any key to continue");
Console.Read();
}
static async Task Main(string[] args)
{
var keyIdentifier = new KeyIdentifier("https://nosecrets-vault05.vault.azure.net:443/keys/SigningCertificate01/2c86727652f14814b77018601a2e5ed4");
var secretIdentifier = new SecretIdentifier("https://nosecrets-vault05.vault.azure.net:443/secrets/SigningCertificate01/2c86727652f14814b77018601a2e5ed4");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier);
var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable);
var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate);
var xml = GetXml();
var signedXml = SignXml(rsa, xml);
Console.WriteLine("-------------signed xml------------");
Console.WriteLine(signedXml);
Console.WriteLine("Press any key to continue");
Console.Read();
}
public async Task <Response <BlobContentInfo> > UploadEncryptedAsync(string blobName, Stream stream, BlobHttpHeaders headers)
{
using var all = new MemoryStream();
await stream.CopyToAsync(all);
using var aes = new AesManaged();
aes.GenerateKey();
aes.GenerateIV();
var keyIdentifier = new KeyIdentifier($"https://{Configuration["KeyVaultName"].ToLower()}.vault.azure.net", EncryptionKeyName).ToString();
var keyVersion = (await KeyVault.GetKeyAsync(keyIdentifier)).KeyIdentifier.Version;
var envelope = new Envelope()
{
Key = await WrapKey(aes.Key, keyIdentifier),
IV = await WrapKey(aes.IV, keyIdentifier),
Content = Convert.ToBase64String(PerformCryptography(all.ToArray(), aes.CreateEncryptor()))
};
using var upstream = new MemoryStream();
var serializedEnvelope = JsonSerializer.SerializeAsync(upstream, envelope);
upstream.Position = 0;
var blob = Container.GetBlobClient(blobName);
var result = await blob.UploadAsync(upstream,
metadata : new Dictionary <string, string>()
{
{ "EBP_KeyName", EncryptionKeyName },
{ "EBP_KeyVersion", keyVersion },
{ "EBP_WrapAlgorithm", JsonWebKeyEncryptionAlgorithm.RSAOAEP256 },
{ "EBP_ContentType", headers.ContentType }
});
return(result);
}
private KeyVaultClient GetKeyVaultClient()
{
if (HttpMockServer.Mode == HttpRecorderMode.Record)
{
HttpMockServer.Variables["VaultAddress"] = _vaultAddress;
HttpMockServer.Variables["KeyName"] = _keyName;
HttpMockServer.Variables["KeyVersion"] = _keyVersion;
HttpMockServer.Variables["SoftDeleteEnabled"] = _softDeleteEnabled.ToString( );
}
else
{
_vaultAddress = HttpMockServer.Variables["VaultAddress"];
_keyName = HttpMockServer.Variables["KeyName"];
_keyVersion = HttpMockServer.Variables["KeyVersion"];
string softDeleteSetting = String.Empty;
if (HttpMockServer.Variables.TryGetValue("SoftDeleteEnabled", out softDeleteSetting))
{
Boolean.TryParse(softDeleteSetting, out _softDeleteEnabled);
}
}
_keyIdentifier = new KeyIdentifier(_vaultAddress, _keyName, _keyVersion);
return(fixture.CreateKeyVaultClient());
}
public void KeyIdentifierTest()
{
string baseId = string.Format("{0}/keys/{1}", vault, name);
string versionedId = string.Format("{0}/{1}", baseId, version);
//unversioned
var id = new KeyIdentifier(baseId);
Assert.Equal(baseId, id.BaseIdentifier);
Assert.Equal(baseId, id.Identifier);
Assert.Equal(vault, id.Vault);
Assert.Equal(name, id.Name);
Assert.Equal(string.Empty, id.Version);
Assert.True(KeyIdentifier.IsKeyIdentifier(baseId));
//versioned
id = new KeyIdentifier(versionedId);
Assert.Equal(baseId, id.BaseIdentifier);
Assert.Equal(versionedId, id.Identifier);
Assert.Equal(vault, id.Vault);
Assert.Equal(name, id.Name);
Assert.Equal(version, id.Version);
Assert.True(KeyIdentifier.IsKeyIdentifier(versionedId));
}
public KeyVaultTestFixture()
{
Initialize(string.Empty);
if (vaultAddress != null && HttpMockServer.Mode == HttpRecorderMode.Record)
{
//Create one key to use for testing. Key creation is expensive.
var myClient = new KeyVaultClient(new TestKeyVaultCredential(GetAccessToken), GetHandlers());
keyName = "sdktestkey";
var attributes = new KeyAttributes();
var createdKey = myClient.CreateKeyAsync(vaultAddress, keyName, JsonWebKeyType.Rsa, 2048,
JsonWebKeyOperation.AllOperations, attributes).GetAwaiter().GetResult();
keyIdentifier = new KeyIdentifier(createdKey.Key.Kid);
keyName = keyIdentifier.Name;
keyVersion = keyIdentifier.Version;
tokenCache = new TokenCache();
_deviceCodeForStorageTests = null;
retryExecutor = new RetryPolicy <SoftDeleteErrorDetectionStrategy>(new ExponentialBackoffRetryStrategy(8, TimeSpan.FromSeconds(1), TimeSpan.FromSeconds(60), TimeSpan.FromSeconds(5)));
}
else
{
retryExecutor = new RetryPolicy <SoftDeleteErrorDetectionStrategy>(new FixedIntervalRetryStrategy(5, TimeSpan.FromSeconds(5.0)));
}
}
public WsSecurityTokenReference(KeyIdentifier keyIdentifier)
: base(keyIdentifier)
{
}
public string GetPassphraseForPrivateKey(KeyIdentifier keyIdentifier)
{
return(Passphrase);
}
