public void VerifyDataStreamAlgorithmNotSupported([EnumValues(Exclude = new[] { nameof(KeyType.Rsa), nameof(KeyType.RsaHsm), nameof(KeyType.Ec), nameof(KeyType.EcHsm) })] KeyType keyType) { JsonWebKey jwk = CreateKey(keyType); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync <NotSupportedException>(async() => await client.VerifyDataAsync(new SignatureAlgorithm("ignored"), TestStream, TestData)); }
public void CreateClient() { // Environment variable with the Key Vault endpoint. string keyVaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:CreateKeyClient // Create a new key client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); // Create a new key using the key client. KeyVaultKey key = client.CreateKey("key-name", KeyType.Rsa); // Retrieve a key using the key client. key = client.GetKey("key-name"); #endregion #region Snippet:CreateCryptographyClient // Create a new certificate client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new DefaultAzureCredential()); #endregion this.client = client; this.cryptoClient = cryptoClient; }
public async Task EncryptDecryptRoundTrip([Fields] EncryptionAlgorithm algorithm) { Key key = await CreateTestKey(algorithm); RegisterForCleanup(key.Name); CryptographyClient cryptoClient = GetCryptoClient(key.Id, forceRemote: true); byte[] data = new byte[32]; Recording.Random.NextBytes(data); EncryptResult encResult = await cryptoClient.EncryptAsync(algorithm, data); Assert.AreEqual(algorithm, encResult.Algorithm); Assert.AreEqual(key.Id, encResult.KeyId); Assert.IsNotNull(encResult.Ciphertext); DecryptResult decResult = await cryptoClient.DecryptAsync(algorithm, encResult.Ciphertext); Assert.AreEqual(algorithm, decResult.Algorithm); Assert.AreEqual(key.Id, decResult.KeyId); Assert.IsNotNull(decResult.Plaintext); CollectionAssert.AreEqual(data, decResult.Plaintext); }
public void CreateClient() { // Environment variable with the Key Vault endpoint. string vaultUrl = TestEnvironment.KeyVaultUrl; #region Snippet:CreateKeyClient // Create a new key client using the default credential from Azure.Identity using environment variables previously set, // including AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID. var client = new KeyClient(vaultUri: new Uri(vaultUrl), credential: new DefaultAzureCredential()); // Create a new key using the key client. KeyVaultKey key = client.CreateKey("key-name", KeyType.Rsa); // Retrieve a key using the key client. key = client.GetKey("key-name"); #endregion #region Snippet:CreateCryptographyClient // Create a new cryptography client using the same Key Vault or Managed HSM endpoint, service version, // and options as the KeyClient created earlier. var cryptoClient = client.GetCryptographyClient(key.Name, key.Properties.Version); #endregion this.client = client; this.cryptoClient = cryptoClient; }
private async Task <CryptographyClient> GetCryptographyClient(CancellationToken cancellationToken) { // Using DefaultAzureCredential to support local development. If developing // locally you'll need to register an AAD application and set the following // variables: // // AZURE_TENANT_ID (the ID of the AAD tenant) // AZURE_CLIENT_ID (the iD of the AAD application you registered) // AZURE_CLIENT_SECRET (the secret for the AAD application you registered) // // You can get these values when you configure the application. Set them in // the Debug section of the project properties. Once this is done you will need // to create a KeyVault instance and then register a GitHub application and upload // the private key into the vault. The AAD application that you just created needs // to have Get and Sign rights - so set an access policy up which grants the app // those rights. // var credential = new DefaultAzureCredential(); var keyClient = GetKeyClient(credential); var key = await GetKey(keyClient, cancellationToken); var cryptographyClient = new CryptographyClient(key.Id, credential); return(cryptographyClient); }
/// <summary> /// Creates a new Key Vault context. /// </summary> public KeyVaultContext(TokenCredential credential, Uri keyId, X509Certificate2 publicCertificate, CryptographyClientOptions options = null) { if (credential is null) { throw new ArgumentNullException(nameof(credential)); } Certificate = publicCertificate ?? throw new ArgumentNullException(nameof(publicCertificate)); KeyIdentifier = keyId ?? throw new ArgumentNullException(nameof(keyId)); cryptographyClient = new CryptographyClient(keyId, credential, options); string algorithm = publicCertificate.GetKeyAlgorithm(); switch (algorithm) { case "1.2.840.113549.1.1.1": //rsa using (var rsa = publicCertificate.GetRSAPublicKey()) { Key = new JsonWebKey(rsa, includePrivateParameters: false); } break; case "1.2.840.10045.2.1": //ec using (var ecdsa = publicCertificate.GetECDsaPublicKey()) { Key = new JsonWebKey(ecdsa, includePrivateParameters: false); } break; default: throw new NotSupportedException($"Certificate algorithm '{algorithm}' is not supported."); } }
public async Task <(string, string)> DecryptAsync() { //string keyVaultName = "myfavouritekeyvault"; string keyVaultUri = "https://joeycrackvault.vault.azure.net"; string keyVaultKeyName = "TestVaultKey"; string textToEncrypt = "cnbTestString"; var defaultAzurecredentialsOption = new DefaultAzureCredentialOptions() { ExcludeManagedIdentityCredential = true, ExcludeVisualStudioCredential = true, ExcludeAzurePowerShellCredential = true, }; var client = new KeyClient(new Uri(keyVaultUri), new DefaultAzureCredential(defaultAzurecredentialsOption)); await client.CreateRsaKeyAsync(new CreateRsaKeyOptions(keyVaultKeyName)).ConfigureAwait(false); KeyVaultKey key = await client.GetKeyAsync(keyVaultKeyName).ConfigureAwait(false); var cryptoClient = new CryptographyClient(key.Id, new DefaultAzureCredential()); string encryptedString = await EncryptStringAsync(cryptoClient, textToEncrypt).ConfigureAwait(false); Console.WriteLine($"Encrypted string: {encryptedString}"); //return $"Encrypted string: {encryptedString}"; string decryptedString = await DecryptStringAsync(cryptoClient, encryptedString).ConfigureAwait(false); Console.WriteLine($"Decrypted string: {decryptedString}"); return($"Encrypted string: {encryptedString}", $"Decrypted string: {decryptedString}"); }
public async Task AlgorithmNotSupportedRsa(string operation, string value, Func <CryptographyClient, string, Task <object> > thunk) { using RSA rsa = RSA.Create(); KeyVaultKey key = new KeyVaultKey { Key = new JsonWebKey(rsa, includePrivateParameters: true) { Id = KeyId, }, }; MockResponse response = new MockResponse(200); response.SetContent(@$ "{{" "kid" ":" "{KeyId}" "," "value" ":{value ?? @" "" test "" "}}}"); CryptographyClient client = CreateClient(key, new MockTransport(_ => response)); object result = await thunk(client, "invalid"); Assert.IsNotNull(result); EventWrittenEventArgs e = _listener.SingleEventById(KeysEventSource.AlgorithmNotSupportedEvent); Assert.AreEqual(EventLevel.Verbose, e.Level); Assert.AreEqual("AlgorithmNotSupported", e.EventName); Assert.AreEqual(operation, e.GetProperty <string>("operation")); Assert.AreEqual("invalid", e.GetProperty <string>("algorithm")); }
/*Creates example container and client side encrypted blob for sample * * NOTE: This program requires the following to be stored in the App.Config file: * Azure Active Directory Tenant ID - tenantId * Service Principal Application ID - clientId * Service Principal Password - clientSecret * Storage Account Connection String- connectionString * Client Side Key Vault Key Uri - clientSideKeyVaultKeyUri * Key Wrap Algorithm - keyWrapAlgorithm * * Creates example objects using names from Constants.cs, which may be edited as needed */ static void Main() { //Credentials of Service Principal TokenCredential credential = new ClientSecretCredential( Constants.TenantId, Constants.ClientId, Constants.ClientSecret ); //Get Uri for Key Vault key Uri keyVaultKeyUri = new Uri(Constants.ClientSideKeyVaultKeyUri); //Create CryptographyClient using Key Vault Key CryptographyClient cryptographyClient = new CryptographyClient(keyVaultKeyUri, credential); //Set up Client Side Encryption Options used for Client Side Encryption ClientSideEncryptionOptions clientSideOptions = new ClientSideEncryptionOptions(ClientSideEncryptionVersion.V1_0) { KeyEncryptionKey = cryptographyClient, KeyWrapAlgorithm = Constants.KeyWrapAlgorithm }; //Create Blob Service Client BlobServiceClient blobServiceClient = new BlobServiceClient(Constants.ConnectionString); //Run Setup Function that creates and example container and blob SetupForExample( blobServiceClient, Constants.ContainerName, Constants.BlobName, clientSideOptions); Console.WriteLine("Completed creation of example container and blob"); }
public void AesEncryptAlgorithmNotSupported([EnumValues(nameof(EncryptionAlgorithm.A128Gcm), nameof(EncryptionAlgorithm.A192Gcm), nameof(EncryptionAlgorithm.A256Gcm))] EncryptionAlgorithm algorithm) { JsonWebKey jwk = CreateKey(KeyType.Oct); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync <NotSupportedException>(async() => await client.EncryptAsync(algorithm, TestData)); }
public void DecryptOperationNotSupported() { JsonWebKey jwk = new JsonWebKey(RSA.Create(), keyOps: Array.Empty <KeyOperation>()); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync <NotSupportedException>(async() => await client.DecryptAsync(new EncryptionAlgorithm("ignored"), TestData)); }
public void EncryptAlgorithmNotSupported([EnumValues(Exclude = new[] { nameof(KeyType.Rsa), nameof(KeyType.RsaHsm), nameof(KeyType.Oct), nameof(KeyType.OctHsm) })] KeyType keyType) { JsonWebKey jwk = CreateKey(keyType); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync <NotSupportedException>(async() => await client.EncryptAsync(new EncryptionAlgorithm("ignored"), TestData)); }
public void UnwrapKeyAlgorithmNotSupported([EnumValues(Exclude = new[] { nameof(KeyType.Ec), nameof(KeyType.EcHsm) })] KeyType keyType) { JsonWebKey jwk = CreateKey(keyType); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync <NotSupportedException>(async() => await client.UnwrapKeyAsync(new KeyWrapAlgorithm("ignored"), TestData)); }
public void SignDataStreamRequiresPrivateKey([EnumValues] SignatureAlgorithm algorithm) { JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, keyOps: new[] { KeyOperation.Sign, KeyOperation.Verify }); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync(new InstanceOfTypeConstraint(typeof(CryptographicException)), async() => await client.SignDataAsync(algorithm, TestStream)); }
public async Task AlgorithmNotSupportedAes(string operation, Func <CryptographyClient, string, Task <object> > thunk) { using Aes aes = Aes.Create(); KeyVaultKey key = new KeyVaultKey { Key = new JsonWebKey(aes) { Id = KeyId, }, }; MockResponse response = new MockResponse(200); response.SetContent(@$ "{{" "kid" ":" "{KeyId}" "," "value" ":" "test" "}}"); MockTransport transport = new MockTransport(response); CryptographyClient client = CreateClient(key, transport); object result = await thunk(client, "invalid"); Assert.IsNotNull(result); EventWrittenEventArgs e = _listener.SingleEventById(KeysEventSource.AlgorithmNotSupportedEvent); Assert.AreEqual(EventLevel.Verbose, e.Level); Assert.AreEqual("AlgorithmNotSupported", e.EventName); Assert.AreEqual("invalid", e.GetProperty <string>("algorithm")); }
public static async Task <IActionResult> Run( [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req, ILogger log) { log.LogInformation("C# HTTP trigger function processed a request."); string name = req.Query["name"]; //var credential = new ClientSecretCredential("231dd9cd-ddc7-4fba-ae78-9f4ac3c912e7", "5f43fe5c-1c2b-4afa-97e6-fda41302e28b", "5ZlLakKHA:DE.6Jq-GbJWF=icJaCwW32"); var credential = new ManagedIdentityCredential(); var kvUri = "https://kvswapana.vault.azure.net/"; var secretClient = new SecretClient(new Uri(kvUri), credential); var encryptedDEK = secretClient.GetSecret("DEK"); var keyClient = new KeyClient(new Uri(kvUri), credential); var encryptedKEY = keyClient.GetKey("KEK"); var cryptoClient = new CryptographyClient(encryptedKEY.Value.Id, credential); DecryptResult decryptDek = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, Convert.FromBase64String(encryptedDEK.Value.Value)); string requestBody = await new StreamReader(req.Body).ReadToEndAsync(); dynamic data = JsonConvert.DeserializeObject(requestBody); name = name ?? data?.name; return(name != null // Create MemoryStream ? (ActionResult) new OkObjectResult($"Hello, {name}, {encryptedKEY.Value.Id}, {Encoding.UTF8.GetString(decryptDek.Plaintext)}") : new BadRequestObjectResult("Please pass a name on the query string or in the request body")); }
public async Task AlgorithmNotSupportedEc(string operation, string value, Func <CryptographyClient, string, Task <object> > thunk) { KeyVaultKey key = new KeyVaultKey { Key = new JsonWebKey(new[] { KeyOperation.Sign, KeyOperation.Verify }) { Id = KeyId, KeyType = KeyType.Ec, CurveName = "invalid", }, }; MockResponse response = new MockResponse(200); response.SetContent(@$ "{{" "kid" ":" "{KeyId}" "," "value" ":{value ?? @" "" test "" "}}}"); CryptographyClient client = CreateClient(key, new MockTransport(response)); object result = await thunk(client, "invalid"); Assert.IsNotNull(result); EventWrittenEventArgs e = _listener.SingleEventById(KeysEventSource.AlgorithmNotSupportedEvent); Assert.AreEqual(EventLevel.Verbose, e.Level); Assert.AreEqual("AlgorithmNotSupported", e.EventName); Assert.AreEqual(operation, e.GetProperty <string>("operation")); Assert.AreEqual("invalid", e.GetProperty <string>("algorithm")); }
private async Task <string> SignAndCreateJwtAsync(JwtSecurityToken jwt) { var algorithm = "RS256";//jwt.SignatureAlgorithm; var plaintext = $"{jwt.EncodedHeader}.{jwt.EncodedPayload}"; byte[] hash; using (var hasher = CryptoHelper.GetHashAlgorithmForSigningAlgorithm(algorithm)) { hash = hasher.ComputeHash(Encoding.UTF8.GetBytes(plaintext)); } var cryptoClient = new CryptographyClient( new Uri("https://cleankey.vault.azure.net/keys/cleankey/82f7ce0323574ab4869565d3bc525793"), new DefaultAzureCredential()); try { //jwt.SignatureAlgorithm var signResult = await cryptoClient.SignAsync(new SignatureAlgorithm(algorithm), hash); return($"{plaintext}.{Base64UrlTextEncoder.Encode(signResult.Signature)}"); } catch (Exception ex) { return(ex.Message); } }
public async Task AesKwWrapUnwrapRoundTrip([EnumValues( nameof(KeyWrapAlgorithm.A128KW), nameof(KeyWrapAlgorithm.A192KW), nameof(KeyWrapAlgorithm.A256KW))] KeyWrapAlgorithm algorithm) { KeyVaultKey key = await CreateTestKey(algorithm); RegisterForCleanup(key.Name); CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true); byte[] plaintext = new byte[32]; Recording.Random.NextBytes(plaintext); WrapResult encrypted = await remoteClient.WrapKeyAsync(algorithm, plaintext); Assert.AreEqual(algorithm, encrypted.Algorithm); Assert.AreEqual(key.Id, encrypted.KeyId); Assert.IsNotNull(encrypted.EncryptedKey); UnwrapResult decrypted = await remoteClient.UnwrapKeyAsync(algorithm, encrypted.EncryptedKey); Assert.AreEqual(algorithm, decrypted.Algorithm); Assert.AreEqual(key.Id, decrypted.KeyId); Assert.IsNotNull(decrypted.Key); CollectionAssert.AreEqual(plaintext, decrypted.Key); }
public async Task SignLocalVerifyRoundTrip([Fields(nameof(SignatureAlgorithm.ES256), nameof(SignatureAlgorithm.ES384), nameof(SignatureAlgorithm.ES512))] SignatureAlgorithm algorithm) { Key key = await CreateTestKey(algorithm); RegisterForCleanup(key); CryptographyClient client = GetCryptoClient(key.Id); byte[] data = new byte[32]; Recording.Random.NextBytes(data); using HashAlgorithm hashAlgo = algorithm.GetHashAlgorithm(); byte[] digest = hashAlgo.ComputeHash(data); // Should sign remotely... SignResult signResult = await client.SignAsync(algorithm, digest); Assert.AreEqual(algorithm, signResult.Algorithm); Assert.AreEqual(key.KeyMaterial.KeyId, signResult.KeyId); Assert.NotNull(signResult.Signature); // ...and verify locally. VerifyResult verifyResult = await client.VerifyAsync(algorithm, digest, signResult.Signature); Assert.AreEqual(algorithm, verifyResult.Algorithm); Assert.AreEqual(key.KeyMaterial.KeyId, verifyResult.KeyId); Assert.IsTrue(verifyResult.IsValid); }
static void Main(string[] args) { string keyVaultUrl = "https://demovault2090.vault.azure.net/"; var client = new KeyClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential()); // Getting the Encryption key from the key vault KeyVaultKey key = client.GetKey("newkey"); var cryptoClient = new CryptographyClient(keyId: key.Id, credential: new DefaultAzureCredential()); byte[] plaintext = Encoding.UTF8.GetBytes("This is sensitive data"); // Encrypting data EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext); //Decrypting data DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext); Console.WriteLine("Plain text"); string txt = Encoding.UTF8.GetString(decryptResult.Plaintext); Console.WriteLine(txt); Console.ReadLine(); }
/// <summary> /// Wrap the Key with latest Key version. /// Only supports bytes in base64 format. /// </summary> /// <param name="key">plain text key.</param> /// <param name="keyVaultUriProperties">Parsed key Vault Uri Properties.Properties as in sample Format: https://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}.</param> /// <param name="cancellationToken">Cancellation token.</param> /// <returns>Result including KeyIdentifier and encrypted bytes in base64 string format.</returns> public async Task <byte[]> WrapKeyAsync( byte[] key, KeyVaultKeyUriProperties keyVaultUriProperties, CancellationToken cancellationToken = default(CancellationToken)) { WrapResult keyOpResult; // Get a Crypto Client for Wrap and UnWrap,this gets init per Key ID CryptographyClient cryptoClient = await this.GetCryptoClientAsync(keyVaultUriProperties, cancellationToken); try { keyOpResult = await cryptoClient.WrapKeyAsync(KeyVaultConstants.RsaOaep256, key, cancellationToken); } catch (RequestFailedException ex) { throw new KeyVaultAccessException( ex.Status, ex.ErrorCode, "WrapKeyAsync: Failed to Wrap the data encryption key.", ex); } return(keyOpResult.EncryptedKey); }
public async Task EncryptLocalDecryptOnKeyVault([EnumValues(nameof(EncryptionAlgorithm.Rsa15), nameof(EncryptionAlgorithm.RsaOaep), nameof(EncryptionAlgorithm.RsaOaep256))] EncryptionAlgorithm algorithm) { KeyVaultKey key = await CreateTestKey(algorithm); RegisterForCleanup(key.Name); CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true); CryptographyClient localClient = GetLocalCryptoClient(key.Key); byte[] plaintext = new byte[32]; Recording.Random.NextBytes(plaintext); EncryptResult encrypted = await localClient.EncryptAsync(algorithm, plaintext); Assert.AreEqual(algorithm, encrypted.Algorithm); Assert.AreEqual(key.Id, encrypted.KeyId); Assert.IsNotNull(encrypted.Ciphertext); DecryptResult decrypted = await remoteClient.DecryptAsync(algorithm, encrypted.Ciphertext); Assert.AreEqual(algorithm, decrypted.Algorithm); Assert.AreEqual(key.Id, decrypted.KeyId); Assert.IsNotNull(decrypted.Plaintext); CollectionAssert.AreEqual(plaintext, decrypted.Plaintext); }
public async Task KeyTypeNotSupported(string operation, string value, Func <CryptographyClient, string, Task <object> > thunk) { MockResponse keyResponse = new MockResponse(200); keyResponse.SetContent($@"{{""key"":{{""kid"":""{KeyId}"",""kty"":""invalid""}}}}"); // Get the same key as above and reset the stream. KeyVaultKey key = new KeyVaultKey(); key.Deserialize(keyResponse.ContentStream); keyResponse.ContentStream.Position = 0; MockResponse resultResponse = new MockResponse(200); resultResponse.SetContent(@$ "{{" "kid" ":" "{KeyId}" "," "value" ":{value ?? @" "" test "" "}}}"); CryptographyClient client = CreateClient(key, new MockTransport(keyResponse, resultResponse)); object result = await thunk(client, "invalid"); Assert.IsNotNull(result); EventWrittenEventArgs e = _listener.SingleEventById(KeysEventSource.KeyTypeNotSupportedEvent); Assert.AreEqual(EventLevel.Verbose, e.Level); Assert.AreEqual("KeyTypeNotSupported", e.EventName); Assert.AreEqual(operation, e.GetProperty <string>("operation")); Assert.AreEqual("invalid", e.GetProperty <string>("keyType")); }
private CryptographyClient GetCryptoClient(Uri keyId, bool forceRemote = false) { CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); CryptographyClient client = new CryptographyClient(keyId, TestEnvironment.Credential, options, forceRemote); return(InstrumentClient(client)); }
public async Task PrivateKeyRequiredEc(string operation, string value, Func <CryptographyClient, string, Task <object> > thunk) { #if NET461 Assert.Ignore("Creating JsonWebKey with ECDsa is not supported on net461."); #endif KeyOperation[] keyOps = new[] { KeyOperation.Sign, KeyOperation.Verify, }; using ECDsa ecdsa = ECDsa.Create(); KeyVaultKey key = new KeyVaultKey { Key = new JsonWebKey(ecdsa, includePrivateParameters: false, keyOps) { Id = KeyId, }, }; MockResponse response = new MockResponse(200); response.SetContent(@$ "{{" "kid" ":" "{KeyId}" "," "value" ":{value ?? @" "" test "" "}}}"); CryptographyClient client = CreateClient(key, new MockTransport(response)); object result = await thunk(client, "invalid"); Assert.IsNotNull(result); EventWrittenEventArgs e = _listener.SingleEventById(KeysEventSource.PrivateKeyRequiredEvent); Assert.AreEqual(EventLevel.Verbose, e.Level); Assert.AreEqual("PrivateKeyRequired", e.EventName); Assert.AreEqual(operation, e.GetProperty <string>("operation")); }
public async Task SignLocalVerifyRoundTripFramework([Fields(nameof(SignatureAlgorithm.PS256), nameof(SignatureAlgorithm.PS384), nameof(SignatureAlgorithm.PS512))] SignatureAlgorithm algorithm) { #if !NETFRAMEWORK // RSA-PSS is not supported on .NET Framework so recorded tests will fall back to the remote client. Assert.Ignore("RSA-PSS is supported on .NET Core so local tests will pass. This test method is to test that on .NET Framework RSA-PSS sign/verify attempts fall back to the remote client."); #endif Key key = await CreateTestKey(algorithm); RegisterForCleanup(key.Name); CryptographyClient client = GetCryptoClient(key.Properties.Id); byte[] data = new byte[32]; Recording.Random.NextBytes(data); using HashAlgorithm hashAlgo = algorithm.GetHashAlgorithm(); byte[] digest = hashAlgo.ComputeHash(data); // Should sign remotely... SignResult signResult = await client.SignAsync(algorithm, digest); Assert.AreEqual(algorithm, signResult.Algorithm); Assert.AreEqual(key.KeyMaterial.KeyId, signResult.KeyId); Assert.NotNull(signResult.Signature); // ...and verify locally. VerifyResult verifyResult = await client.VerifyAsync(algorithm, digest, signResult.Signature); Assert.AreEqual(algorithm, verifyResult.Algorithm); Assert.AreEqual(key.KeyMaterial.KeyId, verifyResult.KeyId); Assert.IsTrue(verifyResult.IsValid); }
public async Task CryptographicException(string operation, string value, Func <CryptographyClient, string, Task <object> > thunk) { using RSA rsa = RSA.Create(); KeyVaultKey key = new KeyVaultKey { Key = new JsonWebKey(rsa, includePrivateParameters: true) { Id = KeyId, }, }; Random rand = new Random(); rand.NextBytes(key.Key.N); MockResponse response = new MockResponse(200); response.SetContent(@$ "{{" "kid" ":" "{KeyId}" "," "value" ":{value ?? @" "" test "" "}}}"); CryptographyClient client = CreateClient(key, new MockTransport(response), new ThrowingCryptographyProvider()); object result = await thunk(client, null); Assert.IsNotNull(result); EventWrittenEventArgs e = _listener.SingleEventById(KeysEventSource.CryptographicExceptionEvent); Assert.AreEqual(EventLevel.Informational, e.Level); Assert.AreEqual("CryptographicException", e.EventName); Assert.AreEqual(operation, e.GetProperty <string>("operation")); StringAssert.StartsWith("System.Security.Cryptography.CryptographicException (0x80092006):", e.GetProperty <string>("message")); }
public async Task WrapUnwrapRoundTrip([Fields] KeyWrapAlgorithm algorithm) { Key key = await CreateTestKey(algorithm); RegisterForCleanup(key.Name); CryptographyClient cryptoClient = GetCryptoClient(key.Id, forceRemote: true); byte[] data = new byte[32]; Recording.Random.NextBytes(data); WrapResult encResult = await cryptoClient.WrapKeyAsync(algorithm, data); Assert.AreEqual(algorithm, encResult.Algorithm); Assert.AreEqual(key.Id, encResult.KeyId); Assert.IsNotNull(encResult.EncryptedKey); UnwrapResult decResult = await cryptoClient.UnwrapKeyAsync(algorithm, encResult.EncryptedKey); Assert.AreEqual(algorithm, decResult.Algorithm); Assert.AreEqual(key.Id, decResult.KeyId); Assert.IsNotNull(decResult.Key); CollectionAssert.AreEqual(data, decResult.Key); }
public void VerifyDataStreamOperationNotSupported() { JsonWebKey jwk = new JsonWebKey(RSA.Create(), keyOps: Array.Empty <KeyOperation>()); CryptographyClient client = CreateClient <CryptographyClient>(jwk); Assert.ThrowsAsync <NotSupportedException>(async() => await client.VerifyDataAsync(new SignatureAlgorithm("ignored"), TestStream, TestData)); }