/// <summary>
/// Decrypts a single block of encrypted data
/// </summary>
/// <param name="keyIdentifier">The full key identifier</param>
/// <param name="algorithm">The algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="cipherText">The cipher text</param>
/// <param name="cancellationToken">Optional cancellation token</param>
/// <returns>The decryption result</returns>
public static async Task <KeyOperationResult> DecryptAsync(this IKeyVaultClient operations, string keyIdentifier, string algorithm, byte[] cipherText, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(keyIdentifier))
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
if (string.IsNullOrEmpty(algorithm))
{
throw new ArgumentNullException(nameof(algorithm));
}
if (cipherText == null)
{
throw new ArgumentNullException(nameof(cipherText));
}
var keyId = new KeyIdentifier(keyIdentifier);
// TODO: should we allow or not allow in the Key Identifier the version to be empty?
using (var _result = await operations.DecryptWithHttpMessagesAsync(keyId.Vault, keyId.Name, keyId.Version ?? string.Empty, algorithm, cipherText, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Creates a new Key Vault context.
/// </summary>
public KeyVaultContext(KeyVaultClient client, KeyIdentifier keyIdentifier, JsonWebKey key)
{
this.client = client ?? throw new ArgumentNullException(nameof(client));
KeyIdentifier = keyIdentifier ?? throw new ArgumentNullException(nameof(keyIdentifier));
Key = key ?? throw new ArgumentNullException(nameof(key));
Certificate = null;
}
/// <summary>
/// Verifies a signature using the specified key
/// </summary>
/// <param name="keyIdentifier"> The global key identifier of the key used for signing </param>
/// <param name="algorithm"> The signing/verification algorithm. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.</param>
/// <param name="digest"> The digest used for signing </param>
/// <param name="signature"> The signature to be verified </param>
/// <param name="cancellationToken">Optional cancellation token</param>
/// <returns> true if the signature is verified, false otherwise. </returns>
public static async Task <bool> VerifyAsync(this IKeyVaultClient operations, string keyIdentifier, string algorithm, byte[] digest, byte[] signature, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(keyIdentifier))
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
if (string.IsNullOrEmpty(algorithm))
{
throw new ArgumentNullException(nameof(algorithm));
}
if (digest == null)
{
throw new ArgumentNullException(nameof(digest));
}
if (signature == null)
{
throw new ArgumentNullException(nameof(signature));
}
var keyId = new KeyIdentifier(keyIdentifier);
using (var _result = await operations.VerifyWithHttpMessagesAsync(keyId.Vault, keyId.Name, keyId.Version ?? string.Empty, algorithm, digest, signature, null, cancellationToken).ConfigureAwait(false))
{
var verifyResult = _result.Body;
return((verifyResult.Value == true) ? true : false);
}
}
/// <summary>
/// Provides an IKey implementation for the specified key or secret identifier.
/// </summary>
/// <param name="kid">The key or secret identifier to resolve</param>
/// <param name="token">Cancellation token</param>
/// <returns>The resolved IKey implementation or null</returns>
public async Task <IKey> ResolveKeyAsync(string kid, CancellationToken token)
{
if (string.IsNullOrWhiteSpace(kid))
{
throw new ArgumentNullException("kid");
}
// If the resolver has a name prefix, only handle kid that have that prefix.
if (_name != null)
{
var vaultUrl = new Uri(_name);
var keyUrl = new Uri(kid);
if (string.Compare(vaultUrl.Scheme, keyUrl.Scheme, true) != 0 || string.Compare(vaultUrl.Authority, keyUrl.Authority, true) != 0 || vaultUrl.Port != keyUrl.Port)
{
return(null);
}
}
if (KeyIdentifier.IsKeyIdentifier(kid))
{
return(await ResolveKeyFromKeyAsync(kid, token).ConfigureAwait(false));
}
if (SecretIdentifier.IsSecretIdentifier(kid))
{
return(await ResolveKeyFromSecretAsync(kid, token).ConfigureAwait(false));
}
// Return null rather than throw an exception here
return(null);
}
/// <summary>
/// Provides an IKey implementation for the specified key or secret identifier.
/// </summary>
/// <param name="kid">The key or secret identifier to resolve</param>
/// <param name="token">Cancellation token</param>
/// <returns>The resolved IKey implementation or null</returns>
public async Task <IKey> ResolveKeyAsync(string kid, CancellationToken token)
{
if (string.IsNullOrWhiteSpace(kid))
{
throw new ArgumentNullException("kid");
}
// If the resolver has a name prefix, only handle kid that have that prefix
if (!string.IsNullOrEmpty(_name) && !kid.StartsWith(_name, StringComparison.OrdinalIgnoreCase))
{
return(null);
}
if (KeyIdentifier.IsKeyIdentifier(kid))
{
return(await ResolveKeyFromKeyAsync(kid, token).ConfigureAwait(false));
}
if (SecretIdentifier.IsSecretIdentifier(kid))
{
return(await ResolveKeyFromSecretAsync(kid, token).ConfigureAwait(false));
}
// Return null rather than throw an exception here
return(null);
}
/// <summary>
/// Creates a new Key Vault context.
/// </summary>
public KeyVaultContext(KeyVaultClient client, KeyIdentifier keyIdentifier, X509Certificate2 publicCertificate)
{
Certificate = publicCertificate ?? throw new ArgumentNullException(nameof(publicCertificate));
this.client = client ?? throw new ArgumentNullException(nameof(client));
KeyIdentifier = keyIdentifier ?? throw new ArgumentNullException(nameof(keyIdentifier));
using (var rsa = publicCertificate.GetRSAPublicKey())
{
Key = new JsonWebKey(rsa.ExportParameters(false));
}
}
/// <summary>
/// Updates the Key Attributes associated with the specified key
/// </summary>
/// <param name="keyIdentifier">The key identifier</param>
/// <param name="keyOps">Json web key operations. For more information, see JsonWebKeyOperation.</param>
/// <param name="attributes">The new attributes for the key. For more information on key attributes, see KeyAttributes.</param>
/// <param name="tags">Application-specific metadata in the form of key-value pairs</param>
/// <param name="cancellationToken">Optional cancellation token</param>
/// <returns> The updated key </returns>
public static async Task <KeyBundle> UpdateKeyAsync(this IKeyVaultClient operations, string keyIdentifier, string[] keyOps = null, KeyAttributes attributes = null, Dictionary <string, string> tags = null, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(keyIdentifier))
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
var keyId = new KeyIdentifier(keyIdentifier);
using (var _result = await operations.UpdateKeyWithHttpMessagesAsync(keyId.Vault, keyId.Name, keyId.Version ?? string.Empty, keyOps, attributes, tags, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Retrieves the public portion of a key plus its attributes
/// </summary>
/// <param name="keyIdentifier">The key identifier</param>
/// <param name="cancellationToken">Optional cancellation token</param>
/// <returns>A KeyBundle of the key and its attributes</returns>
public static async Task <KeyBundle> GetKeyAsync(this IKeyVaultClient operations, string keyIdentifier, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(keyIdentifier))
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
var keyId = new KeyIdentifier(keyIdentifier);
using (var _result = await operations.GetKeyWithHttpMessagesAsync(keyId.Vault, keyId.Name, keyId.Version ?? string.Empty, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Creates an RSA object
/// </summary>
/// <param name="client"></param>
/// <param name="keyIdentifier"></param>
/// <param name="publicCertificate"></param>
/// <returns></returns>
public static RSA ToRSA(this KeyVaultClient client, KeyIdentifier keyIdentifier, X509Certificate2 publicCertificate)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (keyIdentifier == null)
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
if (publicCertificate == null)
{
throw new ArgumentNullException(nameof(publicCertificate));
}
return(new RSAKeyVault(new KeyVaultContext(client, keyIdentifier, publicCertificate)));
}
/// <summary>
/// Creates an RSA object
/// </summary>
/// <param name="client"></param>
/// <param name="keyIdentifier"></param>
/// <param name="key"></param>
/// <returns></returns>
public static RSA ToRSA(this KeyVaultClient client, KeyIdentifier keyIdentifier, JsonWebKey key)
{
if (client == null)
{
throw new ArgumentNullException(nameof(client));
}
if (keyIdentifier == null)
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
return(new RSAKeyVault(new KeyVaultContext(client, keyIdentifier, key)));
}
/// <summary>
/// Creates a signature from a digest using the specified key in the vault
/// </summary>
/// <param name="keyIdentifier"> The global key identifier of the signing key </param>
/// <param name="algorithm">The signing algorithm. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. </param>
/// <param name="digest">The digest value to sign</param>
/// <param name="cancellationToken">Optional cancellation token</param>
/// <returns>The signature value</returns>
public static async Task <KeyOperationResult> SignAsync(this IKeyVaultClient operations, string keyIdentifier, string algorithm, byte[] digest, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(keyIdentifier))
{
throw new ArgumentNullException(nameof(keyIdentifier));
}
if (string.IsNullOrEmpty(algorithm))
{
throw new ArgumentNullException(nameof(algorithm));
}
if (digest == null)
{
throw new ArgumentNullException(nameof(digest));
}
var keyId = new KeyIdentifier(keyIdentifier);
using (var _result = await operations.SignWithHttpMessagesAsync(keyId.Vault, keyId.Name, keyId.Version ?? string.Empty, algorithm, digest, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
/// <summary>
/// Unwraps a symmetric key using the specified key in the vault
/// that has initially been used for wrapping the key.
/// </summary>
/// <param name="keyIdentifier"> The global key identifier of the wrapping/unwrapping key </param>
/// <param name="algorithm">The unwrap algorithm. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.</param>
/// <param name="wrappedKey">The wrapped symmetric key</param>
/// <param name="cancellationToken">Optional cancellation token</param>
/// <returns>The unwrapped symmetric key</returns>
public static async Task <KeyOperationResult> UnwrapKeyAsync(this IKeyVaultClient operations, string keyIdentifier, string algorithm, byte[] wrappedKey, CancellationToken cancellationToken = default(CancellationToken))
{
if (string.IsNullOrEmpty(keyIdentifier))
{
throw new ArgumentNullException("keyIdentifier");
}
if (string.IsNullOrEmpty(algorithm))
{
throw new ArgumentNullException("algorithm");
}
if (wrappedKey == null)
{
throw new ArgumentNullException("wrappedKey");
}
var keyId = new KeyIdentifier(keyIdentifier);
using (var _result = await operations.UnwrapKeyWithHttpMessagesAsync(keyId.Vault, keyId.Name, keyId.Version ?? string.Empty, algorithm, wrappedKey, null, cancellationToken).ConfigureAwait(false))
{
return(_result.Body);
}
}
public KeyBundle UpdateKey(string vaultName, string keyName, string keyVersion, KeyAttributes keyAttributes)
{
if (string.IsNullOrEmpty(vaultName))
throw new ArgumentNullException("vaultName");
if (string.IsNullOrEmpty(keyName))
throw new ArgumentNullException("keyName");
if (keyAttributes == null)
throw new ArgumentNullException("keyAttributes");
var attributes = (Azure.KeyVault.Models.KeyAttributes)keyAttributes;
var keyIdentifier = new KeyIdentifier(this.vaultUriHelper.CreateVaultAddress(vaultName), keyName, keyVersion);
Azure.KeyVault.Models.KeyBundle keyBundle;
try
{
keyBundle = this.keyVaultClient.UpdateKeyAsync(
keyIdentifier.Identifier, keyAttributes.KeyOps, attributes: attributes, tags: keyAttributes.TagsDirectionary).GetAwaiter().GetResult();
}
catch (Exception ex)
{
throw GetInnerException(ex);
}
return new KeyBundle(keyBundle, this.vaultUriHelper);
}
