static async Task MainAsync(string[] args)
{
var keyClient = new KeyVaultClient(async (authority, resource, scope) =>
{
var adCredential = new ClientCredential(applicationId, applicationSecret);
var authenticationContext = new AuthenticationContext(authority, null);
return (await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken;
});
// Get the key details
var keyIdentifier = "https://rahulkeyvault.vault.azure.net:443/keys/NewKey";
var key = await keyClient.GetKeyAsync(keyIdentifier);
var publicKey = Convert.ToBase64String(key.Key.N);
using (var rsa = new RSACryptoServiceProvider())
{
var p = new RSAParameters() { Modulus = key.Key.N, Exponent = key.Key.E };
rsa.ImportParameters(p);
var byteData = Encoding.Unicode.GetBytes(textToEncrypt);
// Encrypt and Decrypt
var encryptedText = rsa.Encrypt(byteData, true);
var decryptedData = await keyClient.DecryptAsync(keyIdentifier, "RSA-OAEP", encryptedText);
var decryptedText = Encoding.Unicode.GetString(decryptedData.Result);
// Sign and Verify
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest);
var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result);
}
}
private static void KeyVaultEncryptionDemo()
{
// Use Certificate for authorization AccessToken
var keyVaultClient = new KeyVaultClient(GetAccessCertificateToken, new HttpClient());
Console.Write("Password:"******"KeyId"];
var encryptedPasswordBytes = keyVaultClient.EncryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, System.Text.Encoding.UTF8.GetBytes(password))
.GetAwaiter()
.GetResult()
.Result;
Console.WriteLine("Encrypted password:{0}", System.Text.Encoding.UTF8.GetString(encryptedPasswordBytes));
Console.WriteLine("decrypting...");
var decryptedPasswordBytes = keyVaultClient.DecryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedPasswordBytes)
.GetAwaiter()
.GetResult()
.Result;
Console.WriteLine("Decrypted password:{0}", System.Text.Encoding.UTF8.GetString(decryptedPasswordBytes));
}
static void Main(string[] args)
{
string baseVaultAddress = "https://amethystevault.vault.azure.net";
// Azure AD
//KeyVaultClient keyVaultClient = new KeyVaultClient(
// new KeyVaultClient.AuthenticationCallback(GetAccessToken));
// Certificat
CertificateAccesTokenService cts = new CertificateAccesTokenService();
KeyVaultClient keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(cts.GetAccessToken));
#region Secret
Console.WriteLine("Liste des secrets du vault");
IPage <SecretItem> items = keyVaultClient
.GetSecretsAsync(baseVaultAddress)
.Result;
foreach (SecretItem item in items)
{
string name = item.Identifier.Name;
SecretBundle s = keyVaultClient
.GetSecretAsync(baseVaultAddress, name)
.Result;
Console.WriteLine("{0}: {1}", name, s.Value);
}
Console.WriteLine();
Console.WriteLine("Lecture d'un secret");
SecretBundle secret = keyVaultClient
.GetSecretAsync(baseVaultAddress + "/secrets/password")
.Result;
//SecretBundle secret = keyVaultClient
// .GetSecretAsync(vaultAddress, "password", version)
// .Result;
Console.WriteLine(secret.Value);
#endregion
#region Key
string keyName = "keyDemo";
string identifiant = baseVaultAddress + "/keys/" + keyName;
// proxy
KeyBundle key = keyVaultClient
.GetKeyAsync(baseVaultAddress, keyName)
.Result;
// encode un message
byte[] byteMessage = Encoding.Default.GetBytes("Salut le monde!");
KeyOperationResult result = keyVaultClient
.EncryptAsync(identifiant, JsonWebKeyEncryptionAlgorithm.RSAOAEP, byteMessage)
.Result;
string encoded = Convert.ToBase64String(result.Result);
Console.WriteLine("Message encodé: {0}", encoded);
// décode le message
byteMessage = Convert.FromBase64String(encoded);
result = keyVaultClient
.DecryptAsync(identifiant, JsonWebKeyEncryptionAlgorithm.RSAOAEP, byteMessage)
.Result;
string message = Encoding.Default.GetString(result.Result);
Console.WriteLine("Après décodage: {0}", message);
#endregion
#region Certificate
// proxy
CertificateBundle cert = keyVaultClient
.GetCertificateAsync(baseVaultAddress, "TestCertificate")
.Result;
Console.WriteLine(cert.X509Thumbprint.ToHexString());
// proxy
SecretBundle cert2 = keyVaultClient
.GetSecretAsync(baseVaultAddress + "/secrets/TestCertificate")
.Result;
byte[] privateKeyBytes = Convert.FromBase64String(cert2.Value);
X509Certificate2 pfx = new X509Certificate2(privateKeyBytes, (string)null, X509KeyStorageFlags.MachineKeySet);
Console.WriteLine(pfx.Thumbprint);
#endregion
}
public async Task <byte[]> DecryptAsync(string keyId, byte[] dataToDecrypt)
{
var operationResult = await KeyVaultClient.DecryptAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, dataToDecrypt);
return(operationResult.Result);
}
private async Task KeysMigrationGuide()
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
#if SNIPPET
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
#else
provider = new AzureServiceTokenProvider();
client = new KeyVaultClient(
#endif
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback),
httpClient);
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey
// Create RSA key.
NewKeyParameters createRsaParameters = new NewKeyParameters
{
Kty = JsonWebKeyType.Rsa,
KeySize = 4096
};
KeyBundle rsaKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "rsa-key-name", createRsaParameters);
// Create Elliptic-Curve key.
NewKeyParameters createEcParameters = new NewKeyParameters
{
Kty = JsonWebKeyType.EllipticCurve,
CurveName = "P-256"
};
KeyBundle ecKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "ec-key-name", createEcParameters);
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
IPage <KeyItem> page = await client.GetKeysAsync("https://myvault.vault.azure.net");
foreach (KeyItem item in page)
{
KeyIdentifier keyId = item.Identifier;
KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name);
}
while (page.NextPageLink != null)
{
page = await client.GetKeysNextAsync(page.NextPageLink);
foreach (KeyItem item in page)
{
KeyIdentifier keyId = item.Identifier;
KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name);
}
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
// Delete the key.
DeletedKeyBundle deletedKey = await client.DeleteKeyAsync("https://myvault.vault.azure.net", "key-name");
// Purge or recover the deleted key if soft delete is enabled.
if (deletedKey.RecoveryId != null)
{
DeletedKeyIdentifier deletedKeyId = deletedKey.RecoveryIdentifier;
// Deleting a key does not happen immediately. Wait a while and check if the deleted key exists.
while (true)
{
try
{
await client.GetDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name);
// Finally deleted.
break;
}
catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound)
{
// Not yet deleted...
}
}
// Purge the deleted key.
await client.PurgeDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name);
// You can also recover the deleted key using RecoverDeletedKeyAsync.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
// Encrypt a message. The plaintext must be small enough for the chosen algorithm.
byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt");
KeyOperationResult encrypted = await client.EncryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, plaintext);
// Decrypt the message.
KeyOperationResult decrypted = await client.DecryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, encrypted.Result);
string message = Encoding.UTF8.GetString(decrypted.Result);
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap
using (Aes aes = Aes.Create())
{
// Use a symmetric key to encrypt large amounts of data, possibly streamed...
// Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data.
KeyOperationResult wrapped = await client.WrapKeyAsync(
"https://myvault.vault.azure.net",
"rsa-key-name",
null,
JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
aes.Key);
// Read the IV and the encrypted key from the payload, then unwrap the key.
KeyOperationResult unwrapped = await client.UnwrapKeyAsync(
"https://myvault.vault.azure.net",
"rsa-key-name",
null,
JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
wrapped.Result);
aes.Key = unwrapped.Result;
// Decrypt the payload with the symmetric key.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap
}
}
