/// <summary>
/// Retrieves the signing credential (override to load key from alternative locations)
/// </summary>
/// <returns>The signing credential</returns>
protected virtual async Task <AzureKeyVaultSigningCredentials> GetSigningCredentialsAsync()
{
var jwk = (await _publicKeyProvider.GetAsync()).FirstOrDefault();
if (jwk == null)
{
throw new Exception("The public key provider service did not return a key."); // TODO: What's better than Exception? SecurityTokenSignatureKeyNotFoundException maybe?
}
var rsa = RSA.Create();
rsa.ImportParameters(new RSAParameters
{
Exponent = FromBase64Url(jwk.E),
Modulus = FromBase64Url(jwk.N),
});
var securityKey = new RsaSecurityKey(rsa);
return(new AzureKeyVaultSigningCredentials(securityKey, SecurityAlgorithms.Sha256Digest));
}
public async Task <IEnumerable <X509Certificate2> > GetPublicKeysAsync()
{
var publicKeys = await mPublicKeyProvider.GetAsync();
return(publicKeys.Select(key => key.ToX509Certtificate()));
}
private async Task RefreshCacheData()
{
try
{
DateTime now = DateTime.UtcNow;
DateTime cacheTime = DateTime.UtcNow.AddHours(-7);
var timeStamp = await _cacheTimeStamp.GetAsync(CacheValidationKeyTimeStamp);
if (timeStamp != null)
{
cacheTime = DateTime.ParseExact(timeStamp.UtcTime, "O", CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
}
if (now < cacheTime.AddHours(6))
{
return;
}
var keyBundles = await GetKeyBundleVersionsAsync();
var queryKbs = from item in keyBundles
where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled
select item;
keyBundles = queryKbs.ToList();
var keyVaultClient = new KeyVaultClient(_azureKeyVaultAuthentication.KeyVaultClientAuthenticationCallback);
var queryRsaSecurityKeys = from item in keyBundles
let c = new RsaSecurityKey(keyVaultClient.ToRSA(item))
select c;
// var currentKeyBundle = await _publicKeyProvider.GetKeyBundleAsync();
// var securityKey = new RsaSecurityKey(keyVaultClient.ToRSA(currentKeyBundle));
// var signingCredentials = new SigningCredentials(securityKey, securityKey.Rsa.SignatureAlgorithm);
var jwks = new List <JsonWebKey>();
var query = from item in keyBundles
where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled
select item;
_keyBundles = query.ToList();
foreach (var keyBundle in _keyBundles)
{
jwks.Add(new JsonWebKey(keyBundle.Key.ToString()));
}
var kid = await _publicKeyProvider.GetKeyIdentifierAsync();
var jwk = await _publicKeyProvider.GetAsync();
var parameters = new RSAParameters
{
Exponent = Base64UrlEncoder.DecodeBytes(jwk.E),
Modulus = Base64UrlEncoder.DecodeBytes(jwk.N)
};
var securityKey = new RsaSecurityKey(parameters)
{
KeyId = jwk.Kid,
};
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
var tokenCreateSigningCredentials = await GetTokenCreationSigningCredentialsAsync();
CacheData cacheData = new CacheData()
{
RsaSecurityKeys = queryRsaSecurityKeys.ToList(),
SigningCredentials = signingCredentials,
JsonWebKeys = jwks,
KeyIdentifier = kid
};
await _cachedData.SetAsync(CacheValidationKey, cacheData, TimeSpan.FromHours(6));
await _cacheTimeStamp.SetAsync(CacheValidationKeyTimeStamp, new TimeStamp()
{
UtcTime = DateTime.UtcNow.ToString("O")
}, TimeSpan.FromHours(6));
}
catch (Exception e)
{
_logger.LogCritical(e, "KeyVault RefreshCacheData fatal exception");
throw;
}
}