private void ValidateSecondaryTrackKey(RouteTrackKey trackKey)
{
var nowLocal = DateTime.Now;
var certificate = trackKey.SecondaryKey.Key.ToX509Certificate();
if (certificate.NotBefore > nowLocal)
{
throw new KeyException($"Track secondary key certificate not valid yet. Not before {certificate.NotBefore.ToUniversalTime():u}.");
}
if (certificate.NotAfter < nowLocal)
{
throw new KeyException($"Track secondary key certificate has expired. Not after {certificate.NotAfter.ToUniversalTime():u}.");
}
}
public async Task <Saml2X509Certificate> GetPrimarySaml2X509CertificateAsync(RouteTrackKey trackKey)
{
await ValidatePrimaryTrackKeyAsync(trackKey);
switch (trackKey.Type)
{
case TrackKeyType.Contained:
return(trackKey.PrimaryKey.Key.ToSaml2X509Certificate(true));
case TrackKeyType.KeyVaultRenewSelfSigned:
return(new Saml2X509Certificate(trackKey.PrimaryKey.Key.ToX509Certificate(), GetRSAKeyVault(trackKey)));
case TrackKeyType.KeyVaultUpload:
default:
throw new NotSupportedException($"Track primary key type '{trackKey.Type}' not supported.");
}
}
public async Task <SecurityKey> GetPrimarySecurityKeyAsync(RouteTrackKey trackKey)
{
await ValidatePrimaryTrackKeyAsync(trackKey);
switch (trackKey.Type)
{
case TrackKeyType.Contained:
return(trackKey.PrimaryKey.Key.ToSecurityKey());
case TrackKeyType.KeyVaultRenewSelfSigned:
return(new RsaSecurityKey(GetRSAKeyVault(trackKey)));
case TrackKeyType.KeyVaultUpload:
default:
throw new NotSupportedException($"Track primary key type '{trackKey.Type}' not supported.");
}
}
private async Task <RouteTrackKey> LoadTrackKeyAsync(TelemetryScopedLogger scopedLogger, Track.IdKey trackIdKey, Track track)
{
switch (track.Key.Type)
{
case TrackKeyType.Contained:
return(new RouteTrackKey
{
Type = track.Key.Type,
PrimaryKey = new RouteTrackKeyItem {
Key = track.Key.Keys[0].Key
},
SecondaryKey = track.Key.Keys.Count > 1 ? new RouteTrackKeyItem {
Key = track.Key.Keys[1].Key
} : null,
});
case TrackKeyType.KeyVaultRenewSelfSigned:
var trackKeyExternal = await GetTrackKeyItemsAsync(scopedLogger, trackIdKey.TenantName, trackIdKey.TrackName, track);
var externalRouteTrackKey = new RouteTrackKey
{
Type = track.Key.Type,
ExternalName = track.Key.ExternalName,
};
if (trackKeyExternal == null)
{
externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem {
ExternalKeyIsNotReady = true
};
}
else
{
externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem {
ExternalId = trackKeyExternal.Keys[0].ExternalId, Key = trackKeyExternal.Keys[0].Key
};
externalRouteTrackKey.SecondaryKey = trackKeyExternal.Keys.Count > 1 ? new RouteTrackKeyItem {
ExternalId = trackKeyExternal.Keys[1].ExternalId, Key = trackKeyExternal.Keys[1].Key
} : null;
}
return(externalRouteTrackKey);
case TrackKeyType.KeyVaultUpload:
default:
throw new Exception($"Track key type not supported '{track.Key.Type}'.");
}
}
public Saml2X509Certificate GetSecondarySaml2X509Certificate(RouteTrackKey trackKey)
{
if (trackKey.SecondaryKey == null || trackKey.SecondaryKey.Key == null)
{
return(null);
}
ValidateSecondaryTrackKey(trackKey);
switch (trackKey.Type)
{
case TrackKeyType.Contained:
return(trackKey.SecondaryKey.Key.ToSaml2X509Certificate(true));
case TrackKeyType.KeyVaultRenewSelfSigned:
return(new Saml2X509Certificate(trackKey.SecondaryKey.Key.ToX509Certificate(), GetRSAKeyVault(trackKey)));
case TrackKeyType.KeyVaultUpload:
default:
throw new NotSupportedException($"Track secondary key type '{trackKey.Type}' not supported.");
}
}
private async Task ValidatePrimaryTrackKeyAsync(RouteTrackKey trackKey)
{
var nowLocal = DateTime.Now;
var certificate = trackKey.PrimaryKey.Key.ToX509Certificate();
try
{
if (certificate.NotBefore > nowLocal)
{
throw new KeyException($"Track primary key certificate not valid yet. Not before {certificate.NotBefore.ToUniversalTime():u}.");
}
if (certificate.NotAfter < nowLocal)
{
throw new KeyException($"Track primary key certificate has expired. Not after {certificate.NotAfter.ToUniversalTime():u}.");
}
}
catch (Exception ex)
{
if (RouteBinding.TrackName == Constants.Routes.MasterTrackName && RouteBinding.Key.Type != TrackKeyType.KeyVaultRenewSelfSigned)
{
var mTrack = await tenantRepository.GetTrackByNameAsync(new Track.IdKey {
TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName
});
mTrack.Key.Type = TrackKeyType.KeyVaultRenewSelfSigned;
mTrack.Key.Keys = null;
mTrack.Key.ExternalName = await externalKeyLogic.CreateExternalKeyAsync(mTrack);
await tenantRepository.UpdateAsync(mTrack);
throw new ExternalKeyIsNotReadyException("The old primary master track key certificate is invalid. A new primary external track key certificate is under construction in Key Vault, it is ready in a little while.", ex);
}
throw;
}
}
private RSA GetRSAKeyVault(RouteTrackKey trackKey)
{
return(RSAFactory.Create(tokenCredential, new Uri(UrlCombine.Combine(settings.KeyVault.EndpointUri, "keys", trackKey.ExternalName, trackKey.PrimaryKey.ExternalId)), new Azure.Security.KeyVault.Keys.JsonWebKey(trackKey.PrimaryKey.Key.ToRsa())));
}
