/// <inheritdoc/>
public async Task <Key> GetPublicKeyAsync(KeyHandle handle, CancellationToken ct)
{
var bundle = await _keyVaultClient.GetKeyAsync(_vaultBaseUrl,
KeyVaultKeyHandle.GetBundle(handle).KeyIdentifier, ct);
return(bundle.Key.ToKey());
}
/// <inheritdoc/>
public async Task DisableKeyAsync(KeyHandle handle, CancellationToken ct)
{
var bundle = KeyVaultKeyHandle.GetBundle(handle);
try {
if (!string.IsNullOrEmpty(bundle.KeyIdentifier))
{
await _keyVaultClient.UpdateKeyAsync(bundle.KeyIdentifier, null,
new KeyAttributes {
Enabled = false,
Expires = DateTime.UtcNow
}, null, ct);
}
if (!string.IsNullOrEmpty(bundle.SecretIdentifier))
{
// Delete private key secret also
await _keyVaultClient.UpdateSecretAsync(bundle.SecretIdentifier,
ContentEncodings.MimeTypeJson, new SecretAttributes {
Enabled = false,
Expires = DateTime.UtcNow
}, null, ct);
}
}
catch (KeyVaultErrorException kex) {
throw new ExternalDependencyException("Failed to create key", kex);
}
}
/// <inheritdoc/>
public async Task <bool> VerifyAsync(KeyHandle handle, byte[] digest,
SignatureType algorithm, byte[] signature, CancellationToken ct)
{
var signingKey = KeyVaultKeyHandle.GetBundle(handle).KeyIdentifier;
try {
return(await _keyVaultClient.VerifyAsync(signingKey,
algorithm.ToJsonWebKeySignatureAlgorithm(), digest, signature, ct));
}
catch (KeyVaultErrorException kex) {
throw new ExternalDependencyException("Failed to Sign", kex);
}
}
/// <inheritdoc/>
public async Task DeleteKeyAsync(KeyHandle handle, CancellationToken ct)
{
var bundle = KeyVaultKeyHandle.GetBundle(handle);
try {
if (!string.IsNullOrEmpty(bundle.KeyIdentifier))
{
await _keyVaultClient.DeleteKeyAsync(
_vaultBaseUrl, bundle.KeyIdentifier, ct);
}
if (!string.IsNullOrEmpty(bundle.SecretIdentifier))
{
await _keyVaultClient.DeleteSecretAsync(
_vaultBaseUrl, bundle.SecretIdentifier, ct);
}
}
catch (KeyVaultErrorException kex) {
throw new ExternalDependencyException("Failed to delete key", kex);
}
}
/// <inheritdoc/>
public async Task <Key> ExportKeyAsync(KeyHandle handle, CancellationToken ct)
{
var bundle = KeyVaultKeyHandle.GetBundle(handle);
if (string.IsNullOrEmpty(bundle.SecretIdentifier))
{
throw new InvalidOperationException("Non-exportable key.");
}
try {
var secretBundle = await _keyVaultClient.GetSecretAsync(
bundle.SecretIdentifier, ct);
// Check whether this is an imported key
if (secretBundle.ContentType.EqualsIgnoreCase(ContentEncodings.MimeTypeJson))
{
// Decode json web key and convert to key
var key = JsonConvert.DeserializeObject <JsonWebKey>(secretBundle.Value);
return(key.ToKey());
}
// Check whether this is a certificate backing secret
if (secretBundle.ContentType.EqualsIgnoreCase(CertificateContentType.Pfx))
{
// Decode pfx from secret and get key
var pfx = Convert.FromBase64String(secretBundle.Value);
using (var cert = new X509Certificate2(pfx, (string)null,
X509KeyStorageFlags.Exportable)) {
return(cert.PrivateKey.ToKey());
}
}
throw new ResourceNotFoundException(
$"Key handle points to invalid content {secretBundle.ContentType}");
}
catch (KeyVaultErrorException kex) {
throw new ExternalDependencyException("Failed to export key", kex);
}
}