/// <inheritdoc/> public async Task <Key> GetPublicKeyAsync(KeyHandle handle, CancellationToken ct) { var bundle = await _keyVaultClient.GetKeyAsync(_vaultBaseUrl, KeyVaultKeyHandle.GetBundle(handle).KeyIdentifier, ct); return(bundle.Key.ToKey()); }
/// <inheritdoc/> public async Task DisableKeyAsync(KeyHandle handle, CancellationToken ct) { var bundle = KeyVaultKeyHandle.GetBundle(handle); try { if (!string.IsNullOrEmpty(bundle.KeyIdentifier)) { await _keyVaultClient.UpdateKeyAsync(bundle.KeyIdentifier, null, new KeyAttributes { Enabled = false, Expires = DateTime.UtcNow }, null, ct); } if (!string.IsNullOrEmpty(bundle.SecretIdentifier)) { // Delete private key secret also await _keyVaultClient.UpdateSecretAsync(bundle.SecretIdentifier, ContentEncodings.MimeTypeJson, new SecretAttributes { Enabled = false, Expires = DateTime.UtcNow }, null, ct); } } catch (KeyVaultErrorException kex) { throw new ExternalDependencyException("Failed to create key", kex); } }
/// <inheritdoc/> public async Task <bool> VerifyAsync(KeyHandle handle, byte[] digest, SignatureType algorithm, byte[] signature, CancellationToken ct) { var signingKey = KeyVaultKeyHandle.GetBundle(handle).KeyIdentifier; try { return(await _keyVaultClient.VerifyAsync(signingKey, algorithm.ToJsonWebKeySignatureAlgorithm(), digest, signature, ct)); } catch (KeyVaultErrorException kex) { throw new ExternalDependencyException("Failed to Sign", kex); } }
/// <inheritdoc/> public async Task DeleteKeyAsync(KeyHandle handle, CancellationToken ct) { var bundle = KeyVaultKeyHandle.GetBundle(handle); try { if (!string.IsNullOrEmpty(bundle.KeyIdentifier)) { await _keyVaultClient.DeleteKeyAsync( _vaultBaseUrl, bundle.KeyIdentifier, ct); } if (!string.IsNullOrEmpty(bundle.SecretIdentifier)) { await _keyVaultClient.DeleteSecretAsync( _vaultBaseUrl, bundle.SecretIdentifier, ct); } } catch (KeyVaultErrorException kex) { throw new ExternalDependencyException("Failed to delete key", kex); } }
/// <inheritdoc/> public async Task <Key> ExportKeyAsync(KeyHandle handle, CancellationToken ct) { var bundle = KeyVaultKeyHandle.GetBundle(handle); if (string.IsNullOrEmpty(bundle.SecretIdentifier)) { throw new InvalidOperationException("Non-exportable key."); } try { var secretBundle = await _keyVaultClient.GetSecretAsync( bundle.SecretIdentifier, ct); // Check whether this is an imported key if (secretBundle.ContentType.EqualsIgnoreCase(ContentEncodings.MimeTypeJson)) { // Decode json web key and convert to key var key = JsonConvert.DeserializeObject <JsonWebKey>(secretBundle.Value); return(key.ToKey()); } // Check whether this is a certificate backing secret if (secretBundle.ContentType.EqualsIgnoreCase(CertificateContentType.Pfx)) { // Decode pfx from secret and get key var pfx = Convert.FromBase64String(secretBundle.Value); using (var cert = new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.Exportable)) { return(cert.PrivateKey.ToKey()); } } throw new ResourceNotFoundException( $"Key handle points to invalid content {secretBundle.ContentType}"); } catch (KeyVaultErrorException kex) { throw new ExternalDependencyException("Failed to export key", kex); } }