public RSAKeyVaultProviderTests()
{
var creds = TestAzureCredentials.Credentials;
if (creds == null)
{
return;
}
certificateConfiguration = new AzureKeyVaultSignConfigurationSet
{
AzureClientId = creds.ClientId,
AzureClientSecret = creds.ClientSecret,
AzureKeyVaultUrl = creds.AzureKeyVaultUrl,
AzureKeyVaultKeyName = creds.AzureKeyVaultCertificateName,
Mode = KeyVaultMode.Certificate
};
keyConfiguration = new AzureKeyVaultSignConfigurationSet
{
AzureClientId = creds.ClientId,
AzureClientSecret = creds.ClientSecret,
AzureKeyVaultUrl = creds.AzureKeyVaultUrl,
AzureKeyVaultKeyName = creds.AzureKeyVaultKeyName,
Mode = KeyVaultMode.Key
};
}
public KeyVaultSigningContextTests()
{
var creds = TestAzureCredentials.Credentials;
if (creds == null)
{
return;
}
_configuration = new AzureKeyVaultSignConfigurationSet
{
AzureClientId = creds.ClientId,
AzureClientSecret = creds.ClientSecret,
AzureKeyVaultUrl = creds.AzureKeyVaultUrl,
AzureKeyVaultKeyName = creds.AzureKeyVaultCertificateName,
Mode = KeyVaultMode.Certificate
};
}
public ECDsaKeyVaultProviderTests()
{
var creds = TestAzureCredentials.Credentials;
if (creds is null)
{
return;
}
certificateConfiguration = new AzureKeyVaultSignConfigurationSet
{
AzureClientId = creds.ClientId,
AzureClientSecret = creds.ClientSecret,
AzureTenantId = creds.TenantId,
AzureKeyVaultUrl = new Uri(creds.AzureKeyVaultUrl),
AzureKeyVaultKeyName = creds.AzureKeyVaultECDsaCertificateName,
Mode = KeyVaultMode.Certificate
};
keyConfiguration = new AzureKeyVaultSignConfigurationSet
{
AzureClientId = creds.ClientId,
AzureClientSecret = creds.ClientSecret,
AzureTenantId = creds.TenantId,
AzureKeyVaultUrl = new Uri(creds.AzureKeyVaultUrl),
AzureKeyVaultKeyName = creds.AzureKeyVaultECDsaKeyName,
Mode = KeyVaultMode.Key
};
certificateWithMSIConfiguration = new AzureKeyVaultSignConfigurationSet
{
ManagedIdentity = true,
AzureKeyVaultUrl = new Uri(creds.AzureKeyVaultUrl),
AzureKeyVaultKeyName = creds.AzureKeyVaultECDsaCertificateName,
Mode = KeyVaultMode.Certificate
};
}
public static async Task <AzureKeyVaultMaterializedConfiguration> Materialize(AzureKeyVaultSignConfigurationSet configuration, CryptographyClientOptions options = null)
{
TokenCredential credential = configuration.ManagedIdentity switch
{
true => new DefaultAzureCredential(),
false => new ClientSecretCredential(configuration.AzureTenantId, configuration.AzureClientId, configuration.AzureClientSecret)
};
if (configuration.Mode == KeyVaultMode.Certificate)
{
var certificateClient = new CertificateClient(configuration.AzureKeyVaultUrl, credential);
var cert = await certificateClient.GetCertificateAsync(configuration.AzureKeyVaultKeyName).ConfigureAwait(false);
var x509Certificate = new X509Certificate2(cert.Value.Cer);
var keyId = cert.Value.KeyId;
return(new AzureKeyVaultMaterializedConfiguration(credential, keyId, publicCertificate: x509Certificate, options: options));
}
else if (configuration.Mode == KeyVaultMode.Key)
{
var keyClient = new KeyClient(configuration.AzureKeyVaultUrl, credential);
var key = await keyClient.GetKeyAsync(configuration.AzureKeyVaultKeyName).ConfigureAwait(false);
return(new AzureKeyVaultMaterializedConfiguration(credential, key.Value.Id, key.Value.Key, options: options));
}
throw new ArgumentOutOfRangeException(nameof(configuration));
}
}
public static async Task <AzureKeyVaultMaterializedConfiguration> Materialize(AzureKeyVaultSignConfigurationSet configuration)
{
async Task <string> Authenticate(string authority, string resource, string scope)
{
if (!string.IsNullOrWhiteSpace(configuration.AzureAccessToken))
{
return(configuration.AzureAccessToken);
}
var context = new AuthenticationContext(authority);
var credential = new ClientCredential(configuration.AzureClientId, configuration.AzureClientSecret);
var result = await context.AcquireTokenAsync(resource, credential).ConfigureAwait(false);
if (result == null)
{
throw new InvalidOperationException("Authentication to Azure failed.");
}
return(result.AccessToken);
}
var vault = new KeyVaultClient(Authenticate);
if (configuration.Mode == KeyVaultMode.Certificate)
{
var azureCertificate = await vault.GetCertificateAsync(configuration.AzureKeyVaultUrl, configuration.AzureKeyVaultKeyName).ConfigureAwait(false);
var x509Certificate = new X509Certificate2(azureCertificate.Cer);
var keyId = azureCertificate.KeyIdentifier;
return(new AzureKeyVaultMaterializedConfiguration(vault, keyId, publicCertificate: x509Certificate));
}
else if (configuration.Mode == KeyVaultMode.Key)
{
var bundle = await vault.GetKeyAsync(configuration.AzureKeyVaultUrl, configuration.AzureKeyVaultKeyName).ConfigureAwait(false);
return(new AzureKeyVaultMaterializedConfiguration(vault, bundle.KeyIdentifier, bundle.Key));
}
throw new ArgumentOutOfRangeException(nameof(configuration));
}
