private CryptographyClient GetCryptoClient(Uri keyId, bool forceRemote = false)
{
CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
CryptographyClient client = new CryptographyClient(keyId, TestEnvironment.Credential, options, forceRemote);
return(InstrumentClient(client));
}
public KeyResolver GetResolver(TestRecording recording = null)
{
recording ??= Recording;
CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
return(InstrumentClient(new KeyResolver(recording.GetCredential(new DefaultAzureCredential()), options)));
}
public KeyResolver GetResolver(TestRecording recording = null)
{
recording ??= Recording;
CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
return(InstrumentClient(new KeyResolver(TestEnvironment.Credential, options)));
}
private CryptographyClient GetCryptoClient(Uri keyId, bool forceRemote = false, TestRecording recording = null)
{
recording ??= Recording;
CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
CryptographyClient client = new CryptographyClient(keyId, recording.GetCredential(new DefaultAzureCredential()), options, forceRemote);
return(InstrumentClient(client));
}
private CryptographyClient CreateClient(KeyVaultKey key, HttpPipelineTransport transport, ICryptographyProvider provider = null)
{
CryptographyClientOptions options = new CryptographyClientOptions
{
Transport = transport,
};
return(InstrumentClient(new CryptographyClient(key, new DefaultAzureCredential(), options, provider)));
}
protected KeyResolver GetResolver(MockTransport transport)
{
Assert.NotNull(transport);
CryptographyClientOptions options = new CryptographyClientOptions
{
Transport = transport,
};
return(InstrumentClient(
new KeyResolver(new NullTokenCredential(), options)));
}
private (CryptographyClient, ICryptographyProvider) GetCryptoClient(KeyVaultKey key)
{
CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
CryptographyClient client = new CryptographyClient(key, TestEnvironment.Credential, options);
CryptographyClient clientProxy = InstrumentClient(client);
ICryptographyProvider remoteClientProxy = null;
if (client.RemoteClient is RemoteCryptographyClient remoteClient)
{
remoteClientProxy = InstrumentClient(remoteClient);
}
return(clientProxy, remoteClientProxy);
}
private (CryptographyClient, ICryptographyProvider) GetCryptoClient(KeyVaultKey key, TestRecording recording = null)
{
recording ??= Recording;
CryptographyClientOptions options = recording.InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
CryptographyClient client = new CryptographyClient(key, recording.GetCredential(new DefaultAzureCredential()), options);
CryptographyClient clientProxy = InstrumentClient(client);
ICryptographyProvider remoteClientProxy = null;
if (client.RemoteClient is RemoteCryptographyClient remoteClient)
{
remoteClientProxy = InstrumentClient(remoteClient);
}
return(clientProxy, remoteClientProxy);
}
public async Task ShouldHashDataAndVerifyWorkWithCustomCryptographyClientOptions()
{
var cryptographyClientOptions = new CryptographyClientOptions
{
Transport = new HttpClientTransport()
};
var materialized = await KeyVaultConfigurationDiscoverer.Materialize(keyConfiguration, cryptographyClientOptions);
using (var rsa = materialized.ToRSA())
{
var data = new byte[] { 1, 2, 3 };
var signature = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
var result = rsa.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
Assert.True(result);
}
}
public AzureKeyVaultMaterializedConfiguration(TokenCredential credential,
Uri keyIdentifier,
JsonWebKey key = null,
X509Certificate2 publicCertificate = null,
CryptographyClientOptions options = null)
{
PublicCertificate = publicCertificate;
TokenCredential = credential ?? throw new ArgumentNullException(nameof(credential));
KeyIdentifier = keyIdentifier ?? throw new ArgumentNullException(nameof(keyIdentifier));
if (publicCertificate == null && key == null)
{
throw new ArgumentNullException(nameof(key), "Either key or publicCertificate must be set");
}
Key = key;
cryptographyClientOptions = options;
}
private async Task MigrationGuide()
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create
KeyClient client = new KeyClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
CryptographyClient cryptoClient = new CryptographyClient(
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential());
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Create
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
KeyClientOptions options = new KeyClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
#if SNIPPET
KeyClient client = new KeyClient(
#else
client = new KeyClient(
#endif
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
options);
CryptographyClientOptions cryptoOptions = new CryptographyClientOptions
{
Transport = new HttpClientTransport(httpClient)
};
#if SNIPPET
CryptographyClient cryptoClient = new CryptographyClient(
#else
cryptoClient = new CryptographyClient(
#endif
new Uri("https://myvault.vault.azure.net"),
new DefaultAzureCredential(),
cryptoOptions);
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys
// Create RSA key.
CreateRsaKeyOptions createRsaOptions = new CreateRsaKeyOptions("rsa-key-name")
{
KeySize = 4096
};
KeyVaultKey rsaKey = await client.CreateRsaKeyAsync(createRsaOptions);
// Create Elliptic-Curve key.
CreateEcKeyOptions createEcOptions = new CreateEcKeyOptions("ec-key-name")
{
CurveName = KeyCurveName.P256
};
KeyVaultKey ecKey = await client.CreateEcKeyAsync(createEcOptions);
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_CreateKeys
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
// List all keys asynchronously.
await foreach (KeyProperties item in client.GetPropertiesOfKeysAsync())
{
KeyVaultKey key = await client.GetKeyAsync(item.Name);
}
// List all keys synchronously.
foreach (KeyProperties item in client.GetPropertiesOfKeys())
{
KeyVaultKey key = client.GetKey(item.Name);
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
// Delete the key.
DeleteKeyOperation deleteOperation = await client.StartDeleteKeyAsync("key-name");
// Purge or recover the deleted key if soft delete is enabled.
if (deleteOperation.Value.RecoveryId != null)
{
// Deleting a key does not happen immediately. Wait for the key to be deleted.
DeletedKey deletedKey = await deleteOperation.WaitForCompletionAsync();
// Purge the deleted key.
await client.PurgeDeletedKeyAsync(deletedKey.Name);
// You can also recover the deleted key using StartRecoverDeletedKeyAsync,
// which returns RecoverDeletedKeyOperation you can await like DeleteKeyOperation above.
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
// Encrypt a message. The plaintext must be small enough for the chosen algorithm.
byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt");
EncryptResult encrypted = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext);
// Decrypt the message.
DecryptResult decrypted = await cryptoClient.DecryptAsync(encrypted.Algorithm, encrypted.Ciphertext);
string message = Encoding.UTF8.GetString(decrypted.Plaintext);
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
}
{
#region Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap
using (Aes aes = Aes.Create())
{
// Use a symmetric key to encrypt large amounts of data, possibly streamed...
// Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data.
WrapResult wrapped = await cryptoClient.WrapKeyAsync(KeyWrapAlgorithm.RsaOaep256, aes.Key);
// Read the IV and the encrypted key from the payload, then unwrap the key.
UnwrapResult unwrapped = await cryptoClient.UnwrapKeyAsync(wrapped.Algorithm, wrapped.EncryptedKey);
aes.Key = unwrapped.Key;
// Decrypt the payload with the symmetric key.
}
#endregion Snippet:Azure_Security_KeyVault_Keys_Snippets_MigrationGuide_Wrap
}
}
public KeyResolver GetResolver()
{
CryptographyClientOptions options = InstrumentClientOptions(new CryptographyClientOptions((CryptographyClientOptions.ServiceVersion)_serviceVersion));
return(InstrumentClient(new KeyResolver(TestEnvironment.Credential, options)));
}
/// <summary>
/// Creates an RSA object
/// </summary>
/// <param name="credential"></param>
/// <param name="keyId"></param>
/// <param name="key"></param>
/// <returns></returns>
public static RSA Create(TokenCredential credential, Uri keyId, JsonWebKey key, CryptographyClientOptions options = null)
{
if (credential == null)
{
throw new ArgumentNullException(nameof(credential));
}
if (keyId == null)
{
throw new ArgumentNullException(nameof(keyId));
}
if (key == null)
{
throw new ArgumentNullException(nameof(key));
}
return(new RSAKeyVault(new KeyVaultContext(credential, keyId, key, options)));
}
/// <summary>
/// Creates an RSA object
/// </summary>
/// <param name="credential"></param>
/// <param name="keyId"></param>
/// <param name="publicCertificate"></param>
/// <returns></returns>
public static RSA Create(TokenCredential credential, Uri keyId, X509Certificate2 publicCertificate, CryptographyClientOptions options = null)
{
if (credential == null)
{
throw new ArgumentNullException(nameof(credential));
}
if (keyId == null)
{
throw new ArgumentNullException(nameof(keyId));
}
if (publicCertificate == null)
{
throw new ArgumentNullException(nameof(publicCertificate));
}
return(new RSAKeyVault(new KeyVaultContext(credential, keyId, publicCertificate, options)));
}
public static async Task <AzureKeyVaultMaterializedConfiguration> Materialize(AzureKeyVaultSignConfigurationSet configuration, CryptographyClientOptions options = null)
{
TokenCredential credential = configuration.ManagedIdentity switch
{
true => new DefaultAzureCredential(),
false => new ClientSecretCredential(configuration.AzureTenantId, configuration.AzureClientId, configuration.AzureClientSecret)
};
if (configuration.Mode == KeyVaultMode.Certificate)
{
var certificateClient = new CertificateClient(configuration.AzureKeyVaultUrl, credential);
var cert = await certificateClient.GetCertificateAsync(configuration.AzureKeyVaultKeyName).ConfigureAwait(false);
var x509Certificate = new X509Certificate2(cert.Value.Cer);
var keyId = cert.Value.KeyId;
return(new AzureKeyVaultMaterializedConfiguration(credential, keyId, publicCertificate: x509Certificate, options: options));
}
else if (configuration.Mode == KeyVaultMode.Key)
{
var keyClient = new KeyClient(configuration.AzureKeyVaultUrl, credential);
var key = await keyClient.GetKeyAsync(configuration.AzureKeyVaultKeyName).ConfigureAwait(false);
return(new AzureKeyVaultMaterializedConfiguration(credential, key.Value.Id, key.Value.Key, options: options));
}
throw new ArgumentOutOfRangeException(nameof(configuration));
}
}
/// <summary>
/// Creates a new Key Vault context.
/// </summary>
public KeyVaultContext(TokenCredential credential, Uri keyId, X509Certificate2 publicCertificate, CryptographyClientOptions options = null)
{
if (credential is null)
{
throw new ArgumentNullException(nameof(credential));
}
Certificate = publicCertificate ?? throw new ArgumentNullException(nameof(publicCertificate));
KeyIdentifier = keyId ?? throw new ArgumentNullException(nameof(keyId));
cryptographyClient = new CryptographyClient(keyId, credential, options);
string algorithm = publicCertificate.GetKeyAlgorithm();
switch (algorithm)
{
case "1.2.840.113549.1.1.1": //rsa
using (var rsa = publicCertificate.GetRSAPublicKey())
{
Key = new JsonWebKey(rsa, includePrivateParameters: false);
}
break;
case "1.2.840.10045.2.1": //ec
using (var ecdsa = publicCertificate.GetECDsaPublicKey())
{
Key = new JsonWebKey(ecdsa, includePrivateParameters: false);
}
break;
default:
throw new NotSupportedException($"Certificate algorithm '{algorithm}' is not supported.");
}
}
/// <summary>
/// Creates a new Key Vault context.
/// </summary>
public KeyVaultContext(TokenCredential credential, Uri keyId, JsonWebKey key, CryptographyClientOptions options = null)
{
KeyIdentifier = keyId ?? throw new ArgumentNullException(nameof(keyId));
Key = key ?? throw new ArgumentNullException(nameof(key));
cryptographyClient = new CryptographyClient(keyId, credential, options);
Certificate = null;
}
