/// <summary>
/// Decrypts a single block of encrypted data.
/// </summary>
/// <param name="key">The web key to use for decryption</param>
/// <param name="algorithm">The encryption algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="cipherText">The encrypted data</param>
/// <returns></returns>
public static async Task<KeyOperationResult> DecryptDataAsync( this KeyVaultClient client, JsonWebKey key, string algorithm, byte[] cipherText )
{
if ( key == null )
throw new ArgumentNullException( "key" );
return await client.DecryptAsync( key.Kid, algorithm, cipherText ).ConfigureAwait( false );
}
/// <summary>
/// Encrypts a single block of data. The amount of data that may be encrypted is determined
/// by the target key type and the encryption algorithm.
/// </summary>
/// <param name="key">The web key to use for encryption</param>
/// <param name="algorithm">The encryption algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="plaintext">The plain text to encrypt</param>
/// <returns></returns>
public static async Task<KeyOperationResult> EncryptDataAsync( this KeyVaultClient client, JsonWebKey key, string algorithm, byte[] plaintext )
{
if ( key == null )
throw new ArgumentNullException( "key" );
if ( string.IsNullOrEmpty( algorithm ) )
throw new ArgumentNullException( "algorithm" );
if ( plaintext == null )
throw new ArgumentNullException( "plaintext" );
return await client.EncryptAsync( key.Kid, algorithm, plaintext ).ConfigureAwait( false );
}
public RemoveKeyVaultKeyTests()
{
base.SetupTest();
cmdlet = new RemoveAzureKeyVaultKey()
{
CommandRuntime = commandRuntimeMock.Object,
DataServiceClient = keyVaultClientMock.Object,
VaultName = VaultName
};
keyAttributes = new KeyAttributes(true, DateTime.Now, DateTime.Now, "HSM", new string[] { "All" }, null);
webKey = new WebKey.JsonWebKey();
keyBundle = new KeyBundle() { Attributes = keyAttributes, Key = webKey, Name = KeyName, VaultName = VaultName };
}
/// <summary>
/// Converts a RSAParameters object to a WebKey of type RSA.
/// </summary>
/// <param name="rsaParameters">The RSA parameters object to convert</param>
/// <returns>A WebKey representing the RSA object</returns>
private JsonWebKey CreateJsonWebKey(RSAParameters rsaParameters)
{
var key = new JsonWebKey
{
Kty = JsonWebKeyType.Rsa,
E = rsaParameters.Exponent,
N = rsaParameters.Modulus,
D = rsaParameters.D,
DP = rsaParameters.DP,
DQ = rsaParameters.DQ,
QI = rsaParameters.InverseQ,
P = rsaParameters.P,
Q = rsaParameters.Q
};
return key;
}
public RemoveKeyVaultKeyTests()
{
base.SetupTest();
cmdlet = new RemoveAzureKeyVaultKey()
{
CommandRuntime = commandRuntimeMock.Object,
DataServiceClient = keyVaultClientMock.Object,
VaultName = VaultName
};
keyAttributes = new KeyAttributes(true, DateTime.Now, DateTime.Now, "HSM", new string[] { "All" }, null);
webKey = new WebKey.JsonWebKey();
keyBundle = new KeyBundle()
{
Attributes = keyAttributes, Key = webKey, Name = KeyName, VaultName = VaultName
};
}
public SetKeyVaultKeyAttributeTests()
{
base.SetupTest();
keyAttributes = new KeyAttributes(true, DateTime.Now, DateTime.Now, null, null, null);
webKey = new WebKey.JsonWebKey();
keyBundle = new KeyBundle() { Attributes = keyAttributes, Key = webKey, Name = KeyName, VaultName = VaultName, Version = KeyVersion };
cmdlet = new SetAzureKeyVaultKeyAttribute()
{
CommandRuntime = commandRuntimeMock.Object,
DataServiceClient = keyVaultClientMock.Object,
VaultName = VaultName,
Enable = (bool)keyAttributes.Enabled,
Expires = keyAttributes.Expires,
NotBefore = keyAttributes.NotBefore,
Name = KeyName,
PassThru = true
};
}
/// <summary>
/// Converts a track 2 JsonWebKey object to track 1 type
/// </summary>
/// <param name="track2Key">track 2 key</param>
/// <returns>equivalent track 1 key</returns>
public static Track1Sdk.JsonWebKey ToTrack1JsonWebKey(this Track2Sdk.JsonWebKey track2Key)
{
Track1Sdk.JsonWebKey track1Key;
// convert key specific properties
if (track2Key.KeyType == Track2Sdk.KeyType.Ec || track2Key.KeyType == Track2Sdk.KeyType.EcHsm)
{
track1Key = new Track1Sdk.JsonWebKey(new Track1Sdk.ECParameters()
{
Curve = track2Key.CurveName.ToString(),
X = track2Key.X,
Y = track2Key.Y,
D = track2Key.D
});
}
else if (track2Key.KeyType == Track2Sdk.KeyType.Rsa || track2Key.KeyType == Track2Sdk.KeyType.RsaHsm)
{
track1Key = new Track1Sdk.JsonWebKey(track2Key.ToRSA());
}
// SDK doesn't have a definition of OctHSM, so I need to use string comparison
else if (track2Key.KeyType == Track2Sdk.KeyType.Oct || track2Key.KeyType.ToString() == @"oct-HSM")
{
track1Key = new Track1Sdk.JsonWebKey();
track1Key.Kty = track2Key.KeyType.ToString();
}
else
{
throw new Exception("Not supported");
}
// metadata
track1Key.KeyOps = new List <string>();
foreach (var op in track2Key.KeyOps)
{
track1Key.KeyOps.Add(op.ToString());
}
track1Key.Kid = track2Key.Id;
return(track1Key);
}
private static Track1Sdk.JsonWebKey CreateJWK(RSA rsa)
{
if (rsa == null)
{
throw new ArgumentNullException("rsa");
}
RSAParameters rsaParameters = rsa.ExportParameters(true);
var webKey = new Track1Sdk.JsonWebKey()
{
Kty = Track1Sdk.JsonWebKeyType.Rsa,
E = rsaParameters.Exponent,
N = rsaParameters.Modulus,
D = rsaParameters.D,
DP = rsaParameters.DP,
DQ = rsaParameters.DQ,
QI = rsaParameters.InverseQ,
P = rsaParameters.P,
Q = rsaParameters.Q
};
return(webKey);
}
public SetKeyVaultKeyAttributeTests()
{
base.SetupTest();
keyAttributes = new KeyAttributes(true, DateTime.Now, DateTime.Now, null, null, null);
webKey = new WebKey.JsonWebKey();
keyBundle = new KeyBundle()
{
Attributes = keyAttributes, Key = webKey, Name = KeyName, VaultName = VaultName, Version = KeyVersion
};
cmdlet = new SetAzureKeyVaultKeyAttribute()
{
CommandRuntime = commandRuntimeMock.Object,
DataServiceClient = keyVaultClientMock.Object,
VaultName = VaultName,
Enable = (bool)keyAttributes.Enabled,
Expires = keyAttributes.Expires,
NotBefore = keyAttributes.NotBefore,
Name = KeyName,
PassThru = true
};
}
public bool Equals( JsonWebKey other )
{
if ( other == null )
return false;
if ( string.Equals( Kty, other.Kty ) )
{
switch ( Kty )
{
case JsonWebKeyType.EllipticCurve:
break;
case JsonWebKeyType.Octet:
return IsEqualOctet( other );
case JsonWebKeyType.Rsa:
return IsEqualRsa( other );
case JsonWebKeyType.RsaHsm:
return IsEqualRsaHsm( other );
}
}
return false;
}
private bool IsEqualOctet(JsonWebKey other)
{
return(K.SequenceEqual(other.K));
}
/// <summary>
/// Converts an AES object to a WebKey of type Octet
/// </summary>
/// <param name="aesProvider"></param>
/// <returns></returns>
private JsonWebKey CreateJsonWebKey(Aes aesProvider)
{
if (aesProvider == null)
throw new System.ArgumentNullException("aesProvider");
var key = new JsonWebKey
{
Kty = JsonWebKeyType.Octet,
K = aesProvider.Key
};
return key;
}
private static JsonWebKey CreateJWK(RSA rsa)
{
if (rsa == null)
throw new ArgumentNullException("rsa");
RSAParameters rsaParameters = rsa.ExportParameters(true);
var webKey = new JsonWebKey()
{
Kty = JsonWebKeyType.Rsa,
E = rsaParameters.Exponent,
N = rsaParameters.Modulus,
D = rsaParameters.D,
DP = rsaParameters.DP,
DQ = rsaParameters.DQ,
QI = rsaParameters.InverseQ,
P = rsaParameters.P,
Q = rsaParameters.Q
};
return webKey;
}
/// <summary>
/// Compares <see cref="JsonWebKey"/> objects
/// </summary>
/// <param name="other"> the <see cref="JsonWebKey"/> object to compare with </param>
/// <returns> whether the <see cref="JsonWebKey"/> objects are equals </returns>
public bool Equals(JsonWebKey other)
{
if (other == this)
{
return(true);
}
if (other == null)
{
return(false);
}
if (!string.Equals(Kid, other.Kid))
{
return(false);
}
if (!string.Equals(Kty, other.Kty))
{
return(false);
}
if (!AreEqual(KeyOps, other.KeyOps))
{
return(false);
}
if (!string.Equals(CurveName, other.CurveName))
{
return(false);
}
if (!AreEqual(K, other.K))
{
return(false);
}
// Public parameters
if (!AreEqual(N, other.N))
{
return(false);
}
if (!AreEqual(E, other.E))
{
return(false);
}
if (!AreEqual(X, other.X))
{
return(false);
}
if (!AreEqual(Y, other.Y))
{
return(false);
}
// Private parameters
if (!AreEqual(D, other.D))
{
return(false);
}
if (!AreEqual(DP, other.DP))
{
return(false);
}
if (!AreEqual(DQ, other.DQ))
{
return(false);
}
if (!AreEqual(QI, other.QI))
{
return(false);
}
if (!AreEqual(P, other.P))
{
return(false);
}
if (!AreEqual(Q, other.Q))
{
return(false);
}
// HSM token
if (!AreEqual(T, other.T))
{
return(false);
}
return(true);
}
/// <summary>
/// Wraps a symmetric key using the specified wrapping key and algorithm.
/// </summary>
/// <param name="wrappingKey">The wrapping key</param>
/// <param name="key">The key to wrap</param>
/// <param name="algorithm">The algorithm to use. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <returns>The wrapped key</returns>
public static async Task<KeyOperationResult> WrapKeyAsync( this KeyVaultClient client, JsonWebKey wrappingKey, byte[] key, string algorithm )
{
if ( wrappingKey == null )
throw new ArgumentNullException( "wrappingKey" );
if ( key == null )
throw new ArgumentNullException( "key" );
return await client.WrapKeyAsync(wrappingKey.Kid, algorithm, key).ConfigureAwait(false);
}
private bool IsEqualRsaHsm( JsonWebKey other )
{
if ( ( T != null && other.T == null ) || ( T == null && other.T != null ) )
return false;
if ( T != null && !T.SequenceEqual( other.T ) )
return false;
return IsEqualRsa( other );
}
private bool IsEqualOctet( JsonWebKey other )
{
return K.SequenceEqual( other.K );
}
public KeyBundle ImportKey(string vaultName, string keyName, KeyAttributes keyAttributes, JsonWebKey webKey, bool? importToHsm)
{
if (string.IsNullOrEmpty(vaultName))
throw new ArgumentNullException("vaultName");
if (string.IsNullOrEmpty(keyName))
throw new ArgumentNullException("keyName");
if (keyAttributes == null)
throw new ArgumentNullException("keyAttributes");
if (webKey == null)
throw new ArgumentNullException("webKey");
if (webKey.Kty == JsonWebKeyType.RsaHsm && (importToHsm.HasValue && !importToHsm.Value))
throw new ArgumentException(KeyVaultProperties.Resources.ImportByokAsSoftkeyError);
string vaultAddress = this.vaultUriHelper.CreateVaultAddress(vaultName);
webKey.KeyOps = keyAttributes.KeyOps;
var keyBundle = new Azure.KeyVault.Models.KeyBundle()
{
Attributes = (Azure.KeyVault.Models.KeyAttributes)keyAttributes,
Key = webKey,
Tags = keyAttributes.TagsDirectionary
};
try
{
keyBundle = this.keyVaultClient.ImportKeyAsync(vaultAddress, keyName, keyBundle, importToHsm).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return new KeyBundle(keyBundle, this.vaultUriHelper);
}
private bool IsEqualRsa( JsonWebKey other )
{
// Public parameters
if ( !N.SequenceEqual( other.N ) )
return false;
if ( !E.SequenceEqual( other.E ) )
return false;
// Private parameters
var privateKey = HasPrivateKey();
if ( privateKey && privateKey == other.HasPrivateKey() )
{
if ( !D.SequenceEqual( other.D ) )
return false;
if ( !DP.SequenceEqual( other.DP ) )
return false;
if ( !DQ.SequenceEqual( other.DQ ) )
return false;
if ( !QI.SequenceEqual( other.QI ) )
return false;
if ( !P.SequenceEqual( other.P ) )
return false;
if ( !Q.SequenceEqual( other.Q ) )
return false;
}
return true;
}
/// <summary>
/// Creates a signature from a digest using the specified key in the vault.
/// </summary>
/// <param name="key"> The web key of the signing key </param>
/// <param name="algorithm"> The signing algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="digest"> The signing digest hash value </param>
/// <returns> signature </returns>
public static async Task<KeyOperationResult> SignAsync( this KeyVaultClient client, JsonWebKey key, string algorithm, byte[] digest )
{
if ( key == null )
throw new ArgumentNullException( "key" );
return await client.SignAsync( key.Kid, algorithm, digest ).ConfigureAwait( false );
}
/// <summary>
/// Verifies a signature using the specified key.
/// </summary>
/// <param name="verifyKey">The verification key</param>
/// <param name="algorithm">The signing algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="digest">The digest hash value</param>
/// <param name="signature">The signature to verify</param>
/// <returns>true if verification succeeds, false if verification fails</returns>
public static async Task<bool> VerifyAsync( this KeyVaultClient client, JsonWebKey verifyKey, string algorithm, byte[] digest, byte[] signature )
{
if ( verifyKey == null )
throw new ArgumentNullException( "verifyKey" );
if ( digest == null )
throw new ArgumentNullException( "digest" );
if ( signature == null )
throw new ArgumentNullException( "signature" );
return await client.VerifyAsync( verifyKey.Kid, algorithm, digest, signature ).ConfigureAwait( false );
}
/// <summary>
/// Default constructor
/// </summary>
public KeyBundle()
{
Key = new JsonWebKey();
Attributes = new KeyAttributes();
}
