private CryptographyClient GetCryptoClient(Uri keyId, bool forceRemote = false) { CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); CryptographyClient client = new CryptographyClient(keyId, TestEnvironment.Credential, options, forceRemote); return(InstrumentClient(client)); }
public KeyResolver GetResolver(TestRecording recording = null) { recording ??= Recording; CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); return(InstrumentClient(new KeyResolver(recording.GetCredential(new DefaultAzureCredential()), options))); }
public KeyResolver GetResolver(TestRecording recording = null) { recording ??= Recording; CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); return(InstrumentClient(new KeyResolver(TestEnvironment.Credential, options))); }
private CryptographyClient GetCryptoClient(Uri keyId, bool forceRemote = false, TestRecording recording = null) { recording ??= Recording; CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); CryptographyClient client = new CryptographyClient(keyId, recording.GetCredential(new DefaultAzureCredential()), options, forceRemote); return(InstrumentClient(client)); }
private CryptographyClient CreateClient(KeyVaultKey key, HttpPipelineTransport transport, ICryptographyProvider provider = null) { CryptographyClientOptions options = new CryptographyClientOptions { Transport = transport, }; return(InstrumentClient(new CryptographyClient(key, new DefaultAzureCredential(), options, provider))); }
protected KeyResolver GetResolver(MockTransport transport) { Assert.NotNull(transport); CryptographyClientOptions options = new CryptographyClientOptions { Transport = transport, }; return(InstrumentClient( new KeyResolver(new NullTokenCredential(), options))); }
private (CryptographyClient, ICryptographyProvider) GetCryptoClient(KeyVaultKey key) { CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); CryptographyClient client = new CryptographyClient(key, TestEnvironment.Credential, options); CryptographyClient clientProxy = InstrumentClient(client); ICryptographyProvider remoteClientProxy = null; if (client.RemoteClient is RemoteCryptographyClient remoteClient) { remoteClientProxy = InstrumentClient(remoteClient); } return(clientProxy, remoteClientProxy); }
private (CryptographyClient, ICryptographyProvider) GetCryptoClient(KeyVaultKey key, TestRecording recording = null) { recording ??= Recording; CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); CryptographyClient client = new CryptographyClient(key, recording.GetCredential(new DefaultAzureCredential()), options); CryptographyClient clientProxy = InstrumentClient(client); ICryptographyProvider remoteClientProxy = null; if (client.RemoteClient is RemoteCryptographyClient remoteClient) { remoteClientProxy = InstrumentClient(remoteClient); } return(clientProxy, remoteClientProxy); }
public async Task ShouldHashDataAndVerifyWorkWithCustomCryptographyClientOptions() { var cryptographyClientOptions = new CryptographyClientOptions { Transport = new HttpClientTransport() }; var materialized = await KeyVaultConfigurationDiscoverer.Materialize(keyConfiguration, cryptographyClientOptions); using (var rsa = materialized.ToRSA()) { var data = new byte[] { 1, 2, 3 }; var signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); var result = rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1); Assert.True(result); } }
public AzureKeyVaultMaterializedConfiguration(TokenCredential credential, Uri keyIdentifier, JsonWebKey key = null, X509Certificate2 publicCertificate = null, CryptographyClientOptions options = null) { PublicCertificate = publicCertificate; TokenCredential = credential ?? throw new ArgumentNullException(nameof(credential)); KeyIdentifier = keyIdentifier ?? throw new ArgumentNullException(nameof(keyIdentifier)); if (publicCertificate == null && key == null) { throw new ArgumentNullException(nameof(key), "Either key or publicCertificate must be set"); } Key = key; cryptographyClientOptions = options; }
private async Task MigrationGuide() { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create KeyClient client = new KeyClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); CryptographyClient cryptoClient = new CryptographyClient( new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential()); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions using (HttpClient httpClient = new HttpClient()) { KeyClientOptions options = new KeyClientOptions { Transport = new HttpClientTransport(httpClient) }; #if SNIPPET KeyClient client = new KeyClient( #else client = new KeyClient( #endif new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), options); CryptographyClientOptions cryptoOptions = new CryptographyClientOptions { Transport = new HttpClientTransport(httpClient) }; #if SNIPPET CryptographyClient cryptoClient = new CryptographyClient( #else cryptoClient = new CryptographyClient( #endif new Uri("https://myvault.vault.azure.net"), new DefaultAzureCredential(), cryptoOptions); } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys // Create RSA key. CreateRsaKeyOptions createRsaOptions = new CreateRsaKeyOptions("rsa-key-name") { KeySize = 4096 }; KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(createRsaOptions); // Create Elliptic-Curve key. CreateEcKeyOptions createEcOptions = new CreateEcKeyOptions("ec-key-name") { CurveName = KeyCurveName.P256 }; KeyVaultKey ecKey = await client.CreateEcKeyAsync(createEcOptions); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys // List all keys asynchronously. await foreach (KeyProperties item in client.GetPropertiesOfKeysAsync()) { KeyVaultKey key = await client.GetKeyAsync(item.Name); } // List all keys synchronously. foreach (KeyProperties item in client.GetPropertiesOfKeys()) { KeyVaultKey key = client.GetKey(item.Name); } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey // Delete the key. DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("key-name"); // Purge or recover the deleted key if soft delete is enabled. if (deleteOperation.Value.RecoveryId != null) { // Deleting a key does not happen immediately. Wait for the key to be deleted. DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync(); // Purge the deleted key. await client.PurgeDeletedKeyAsync(deletedKey.Name); // You can also recover the deleted key using StartRecoverDeletedKeyAsync, // which returns RecoverDeletedKeyOperation you can await like DeleteKeyOperation above. } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt // Encrypt a message. The plaintext must be small enough for the chosen algorithm. byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt"); EncryptResult encrypted = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext); // Decrypt the message. DecryptResult decrypted = await cryptoClient.DecryptAsync(encrypted.Algorithm, encrypted.Ciphertext); string message = Encoding.UTF8.GetString(decrypted.Plaintext); #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt } { #region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap using (Aes aes = Aes.Create()) { // Use a symmetric key to encrypt large amounts of data, possibly streamed... // Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data. WrapResult wrapped = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep256, aes.Key); // Read the IV and the encrypted key from the payload, then unwrap the key. UnwrapResult unwrapped = await cryptoClient.UnwrapKeyAsync(wrapped.Algorithm, wrapped.EncryptedKey); aes.Key = unwrapped.Key; // Decrypt the payload with the symmetric key. } #endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap } }
public KeyResolver GetResolver() { CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion)); return(InstrumentClient(new KeyResolver(TestEnvironment.Credential, options))); }
/// <summary> /// Creates an RSA object /// </summary> /// <param name="credential"></param> /// <param name="keyId"></param> /// <param name="key"></param> /// <returns></returns> public static RSA Create(TokenCredential credential, Uri keyId, JsonWebKey key, CryptographyClientOptions options = null) { if (credential == null) { throw new ArgumentNullException(nameof(credential)); } if (keyId == null) { throw new ArgumentNullException(nameof(keyId)); } if (key == null) { throw new ArgumentNullException(nameof(key)); } return(new RSAKeyVault(new KeyVaultContext(credential, keyId, key, options))); }
/// <summary> /// Creates an RSA object /// </summary> /// <param name="credential"></param> /// <param name="keyId"></param> /// <param name="publicCertificate"></param> /// <returns></returns> public static RSA Create(TokenCredential credential, Uri keyId, X509Certificate2 publicCertificate, CryptographyClientOptions options = null) { if (credential == null) { throw new ArgumentNullException(nameof(credential)); } if (keyId == null) { throw new ArgumentNullException(nameof(keyId)); } if (publicCertificate == null) { throw new ArgumentNullException(nameof(publicCertificate)); } return(new RSAKeyVault(new KeyVaultContext(credential, keyId, publicCertificate, options))); }
public static async Task <AzureKeyVaultMaterializedConfiguration> Materialize(AzureKeyVaultSignConfigurationSet configuration, CryptographyClientOptions options = null) { TokenCredential credential = configuration.ManagedIdentity switch { true => new DefaultAzureCredential(), false => new ClientSecretCredential(configuration.AzureTenantId, configuration.AzureClientId, configuration.AzureClientSecret) }; if (configuration.Mode == KeyVaultMode.Certificate) { var certificateClient = new CertificateClient(configuration.AzureKeyVaultUrl, credential); var cert = await certificateClient.GetCertificateAsync(configuration.AzureKeyVaultKeyName).ConfigureAwait(false); var x509Certificate = new X509Certificate2(cert.Value.Cer); var keyId = cert.Value.KeyId; return(new AzureKeyVaultMaterializedConfiguration(credential, keyId, publicCertificate: x509Certificate, options: options)); } else if (configuration.Mode == KeyVaultMode.Key) { var keyClient = new KeyClient(configuration.AzureKeyVaultUrl, credential); var key = await keyClient.GetKeyAsync(configuration.AzureKeyVaultKeyName).ConfigureAwait(false); return(new AzureKeyVaultMaterializedConfiguration(credential, key.Value.Id, key.Value.Key, options: options)); } throw new ArgumentOutOfRangeException(nameof(configuration)); } }
/// <summary> /// Creates a new Key Vault context. /// </summary> public KeyVaultContext(TokenCredential credential, Uri keyId, X509Certificate2 publicCertificate, CryptographyClientOptions options = null) { if (credential is null) { throw new ArgumentNullException(nameof(credential)); } Certificate = publicCertificate ?? throw new ArgumentNullException(nameof(publicCertificate)); KeyIdentifier = keyId ?? throw new ArgumentNullException(nameof(keyId)); cryptographyClient = new CryptographyClient(keyId, credential, options); string algorithm = publicCertificate.GetKeyAlgorithm(); switch (algorithm) { case "1.2.840.113549.1.1.1": //rsa using (var rsa = publicCertificate.GetRSAPublicKey()) { Key = new JsonWebKey(rsa, includePrivateParameters: false); } break; case "1.2.840.10045.2.1": //ec using (var ecdsa = publicCertificate.GetECDsaPublicKey()) { Key = new JsonWebKey(ecdsa, includePrivateParameters: false); } break; default: throw new NotSupportedException($"Certificate algorithm '{algorithm}' is not supported."); } }
/// <summary> /// Creates a new Key Vault context. /// </summary> public KeyVaultContext(TokenCredential credential, Uri keyId, JsonWebKey key, CryptographyClientOptions options = null) { KeyIdentifier = keyId ?? throw new ArgumentNullException(nameof(keyId)); Key = key ?? throw new ArgumentNullException(nameof(key)); cryptographyClient = new CryptographyClient(keyId, credential, options); Certificate = null; }