static async Task MainAsync(string[] args) { var keyClient = new KeyVaultClient((authority, resource, scope) => { var adCredential = new ClientCredential(applicationId, applicationSecret); var authenticationContext = new AuthenticationContext(authority, null); return authenticationContext.AcquireToken(resource, adCredential).AccessToken; }); // Get the key details var keyIdentifier = "https://testvaultrahul.vault.azure.net/keys/rahulkey/0f653b06c1d94159bc7090596bbf7784"; var key = await keyClient.GetKeyAsync(keyIdentifier); var publicKey = Convert.ToBase64String(key.Key.N); using (var rsa = new RSACryptoServiceProvider()) { var p = new RSAParameters() { Modulus = key.Key.N, Exponent = key.Key.E }; rsa.ImportParameters(p); var byteData = Encoding.Unicode.GetBytes(textToEncrypt); // Encrypt and Decrypt var encryptedText = rsa.Encrypt(byteData, true); var decryptedData = await keyClient.DecryptDataAsync(keyIdentifier, "RSA_OAEP", encryptedText); var decryptedText = Encoding.Unicode.GetString(decryptedData.Result); // Sign and Verify var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(byteData); var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest); var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result); } }
static async Task <byte[]> SignWithKeyVault(string keyIdentifier, string accessToken, byte[] bytesToSign, string alg) { // We already have an access token for the resource Task <string> Authenticate(string authority, string resource, string scope) { return(Task.FromResult(accessToken)); } var client = new KeyVaultClient(Authenticate, new HttpClient()); var signed = await client.SignAsync(keyIdentifier, alg, bytesToSign); return(signed.Result); }
public async Task <byte[]> SignAsync(Stream source) { Logger.LogInformation($"start {nameof(SignAsync)}"); await InitializeAsync(); byte[] hash; using (var sha = System.Security.Cryptography.SHA256.Create()) { hash = sha.ComputeHash(source); } var result = await KeyVault.SignAsync(TekExportKeyVaultKeyUrl, Microsoft.Azure.KeyVault.Cryptography.Algorithms.Es256.AlgorithmName, hash); return(result.Result); }
static void Main() { var x = new CredentialsService(); var serviceClientCredentials = x.GetCredentials().Result; var client = new KeyVaultClient(serviceClientCredentials); var key = client.CreateKeyAsync("https://kv-???????.vault.azure.net/", "testkey1", JsonWebKeyType.Rsa).Result; var csr = GetCSR(key.Key); var keyOperationResult = client.SignAsync("testkey1", "RS256", csr.GetDataToSign()).Result; csr.SignRequest(keyOperationResult.Result); Console.Out.WriteLine("done"); Console.In.ReadLine(); }
public static string Sign(byte[] inputBytes) { // signature SHA256 sha256 = SHA256Managed.Create(); KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback( (authority, resource, scope) => KeyVaultUtil.GetToken(authority, resource, scope))); KeyOperationResult resultSign = Task.Run(() => keyVaultClient.SignAsync(SignKey(), JsonWebKeySignatureAlgorithm.RS256, sha256.ComputeHash(inputBytes))) .ConfigureAwait(false).GetAwaiter().GetResult(); var signatureEncoded = System.Convert.ToBase64String(resultSign.Result); return(signatureEncoded); }
private static async Task MainAsync(string[] args) { Console.WriteLine("Application started..."); const string clientId = "{appId}"; const string clientSecret = "{appSecret}"; const string keyIdentifier = "{keyIdentifier}"; Console.WriteLine("Configuration built..."); var kv = new KeyVaultClient(async(authority, resource, scope) => { var authContext = new AuthenticationContext(authority); var clientCred = new ClientCredential(clientId, clientSecret); var result = await authContext.AcquireTokenAsync(resource, clientCred); return(result.AccessToken); }); Console.WriteLine("KeyVaultClient created..."); const string data = "digest"; var byteData = Encoding.UTF8.GetBytes(data); var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(byteData); var signResult = await kv.SignAsync( keyIdentifier : keyIdentifier, algorithm : JsonWebKeySignatureAlgorithm.RS256, digest : digest ); Console.WriteLine("Data signed..."); var signature = Convert.ToBase64String(signResult.Result); var verifyResult = await kv.VerifyAsync( keyIdentifier : keyIdentifier, algorithm : JsonWebKeySignatureAlgorithm.RS256, digest : digest, signature : Convert.FromBase64String(signature) ); Console.WriteLine("Data verified..."); Console.ReadKey(); }
public async Task<byte[]> Sign(byte[] digest) { if (digest == null) throw new ArgumentNullException("digest"); if (digest.Length != 32) throw new ArgumentException("The value must have 32 bytes", "digest"); var client = new KeyVaultClient(GetAccessToken); var keyVaultSettings = Settings.Get<KeyVaultSettings>(); var signResult = await client.SignAsync( keyVaultSettings.KeyId, keyVaultSettings.Algorithm, digest); return signResult.Result; }
public async Task <byte[]> SignAsync(byte[] input) { try { var digest = _hashAlgorithm.ComputeHash(input); var cacheData = await _jwksUriHandler.FetchCacheDataAsync(); var result = await _keyVaultClient.SignAsync( cacheData.KeyIdentifier.Identifier, _algorithm, digest); return(result.Result); } catch (Exception ex) { _logger.LogError(ex, ex.Message); throw; } }
public async Task <TEKSignature> CreateSignatureAsync(MemoryStream source, int batchNum, int batchSize) { var s = new TEKSignature(); s.SignatureInfo = SigInfo; s.BatchNum = batchNum; s.BatchSize = batchSize; // Signature var ecdsap256 = System.Security.Cryptography.ECDsaCng.Create(ECCurve.NamedCurves.nistP256); var hash = ecdsap256.SignData(source, HashAlgorithmName.SHA256); #if DEBUG s.Signature = ByteString.CopyFrom(ecdsap256.SignHash(hash)); #else var result = await KeyVault.SignAsync(TekExportKeyVaultKeyUrl, Microsoft.Azure.KeyVault.Cryptography.Algorithms.Es256.AlgorithmName, hash); s.Signature = ByteString.CopyFrom(result.Result); #endif return(s); }
private static void SignVerify(KeyBundle key, string algorithm, string textToSign, string keyVersion, string keyName, string keyVaultAddress) { KeyOperationResult signature; var bytes = Encoding.ASCII.GetBytes(textToSign); var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(bytes); signature = Task.Run(() => keyVaultClient.SignAsync(keyVaultAddress, keyName, keyVersion, algorithm, digest)).ConfigureAwait(false).GetAwaiter().GetResult(); Console.Out.WriteLine(string.Format( "The signature is created using key id {0} and algorithm {1} \n\t\n\t SIGNATURE: {2} ", signature.Kid, algorithm, Convert.ToBase64String(signature.Result))); // Verify the signature bool isVerified = Task.Run(() => keyVaultClient.VerifyAsync(signature.Kid, algorithm, digest, signature.Result)).ConfigureAwait(false).GetAwaiter().GetResult(); Console.Out.WriteLine(string.Format("The signature is {0} verified!", isVerified ? "" : "not ")); }
// https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials public async Task <string> GetClientAssertionAsync(string tenantId, string appId) { try { var cert = await _kvClient.GetCertificateAsync($"https://{_kvName}.vault.azure.net/certificates/func-cred-cert/{_signingKeyId}").ConfigureAwait(false); //var thumbprint = cert.X509Thumbprint.Aggregate(new StringBuilder(), // (sb, v) => sb.Append(v.ToString("X2"))).ToString(); var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(cert.Cer); var jwk = JsonWebKeyConverter.ConvertFromX509SecurityKey(new X509SecurityKey(x509)); var token = new JwtSecurityToken( issuer: appId, audience: $"https://login.microsoftonline.com/{tenantId}/oauth2/token", claims: new Claim[] { new Claim("jti", Guid.NewGuid().ToString("D")), new Claim("sub", appId) }, notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(10) ); var header = Base64UrlEncoder.Encode(JsonConvert.SerializeObject(new Dictionary <string, string>() { { JwtHeaderParameterNames.Alg, "RS256" }, { JwtHeaderParameterNames.X5t, jwk.X5t }, // "CM2UiOQMKph-SkcT5_Ejki2Kzik"; initially, used B2C to get this value; see https://stackoverflow.microsoft.com/questions/179774 { JwtHeaderParameterNames.Typ, "JWT" } })); var unsignedToken = $"{header}.{token.EncodedPayload}"; var byteData = Encoding.UTF8.GetBytes(unsignedToken); var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(byteData); var signature = await _kvClient.SignAsync($"https://{_kvName}.vault.azure.net/keys/func-cred-cert/{_signingKeyId}", "RS256", digest); return($"{unsignedToken}.{Base64UrlEncoder.Encode(signature.Result)}"); } catch (Exception ex) { return(ex.Message); } }
//Option 2 //static void Main(string[] args) //{ // Task t = MainAsync(args); // t.Wait(); //} static async Task MainAsync(string[] args) { var keyClient = new KeyVaultClient(async(authority, resource, scope) => { var adCredential = new ClientCredential(config["AzureActiveDirectory:ClientId"], config["AzureActiveDirectory:ClientSecret"]); var authenticationContext = new AuthenticationContext(authority, null); return((await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken); }); // Get the key details var keyIdentifier = "https://rahulkeyvault.vault.azure.net:443/keys/NewKey"; var key = await keyClient.GetKeyAsync(config["KeyVault:Url"]); var publicKey = Convert.ToBase64String(key.Key.N); using (var rsa = new RSACryptoServiceProvider()) { var p = new RSAParameters() { Modulus = key.Key.N, Exponent = key.Key.E }; rsa.ImportParameters(p); var byteData = Encoding.Unicode.GetBytes(args[0]); // Encrypt and Decrypt var encryptedText = rsa.Encrypt(byteData, true); var decryptedData = await keyClient.DecryptAsync(keyIdentifier, "RSA-OAEP", encryptedText); var decryptedText = Encoding.Unicode.GetString(decryptedData.Result); // Sign and Verify var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(byteData); var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest); var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result); } }
static async Task MainAsync(string[] args) { var keyClient = new KeyVaultClient((authority, resource, scope) => { var adCredential = new ClientCredential(applicationId, applicationSecret); var authenticationContext = new AuthenticationContext(authority, null); return(authenticationContext.AcquireToken(resource, adCredential).AccessToken); }); // Get the key details var keyIdentifier = "https://testvaultrahul.vault.azure.net/keys/rahulkey/0f653b06c1d94159bc7090596bbf7784"; var key = await keyClient.GetKeyAsync(keyIdentifier); var publicKey = Convert.ToBase64String(key.Key.N); using (var rsa = new RSACryptoServiceProvider()) { var p = new RSAParameters() { Modulus = key.Key.N, Exponent = key.Key.E }; rsa.ImportParameters(p); var byteData = Encoding.Unicode.GetBytes(textToEncrypt); // Encrypt and Decrypt var encryptedText = rsa.Encrypt(byteData, true); var decryptedData = await keyClient.DecryptDataAsync(keyIdentifier, "RSA_OAEP", encryptedText); var decryptedText = Encoding.Unicode.GetString(decryptedData.Result); // Sign and Verify var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(byteData); var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest); var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result); } }
private static async Task<string> GetKeys(KeyVaultClient keyVaultClient) { var keyIdentifier = "keyIdentifier"; var textToEncrypt = "This is a test message"; var byteData = Encoding.Unicode.GetBytes(textToEncrypt); var hasher = new SHA256CryptoServiceProvider(); var digest = hasher.ComputeHash(byteData); var signedResult = await keyVaultClient.SignAsync( keyIdentifier, JsonWebKeySignatureAlgorithm.RS256, digest); var isVerified = await keyVaultClient.VerifyAsync(keyIdentifier, "RS256", digest, signedResult.Result); var keyResult = await keyVaultClient.GetKeyAsync(keyIdentifier); var jsonWebKey = keyResult.Key.ToString(); var key = JsonConvert.DeserializeObject<JsonWebKey>(jsonWebKey); var rsa = new RSACryptoServiceProvider(); var p = new RSAParameters() { Modulus = key.N, Exponent = key.E }; rsa.ImportParameters(p); isVerified = rsa.VerifyHash(digest, "Sha256", signedResult.Result); return null; }
public async Task <byte[]> Sign(byte[] digest) { if (digest == null) { throw new ArgumentNullException("digest"); } if (digest.Length != 32) { throw new ArgumentException("The value must have 32 bytes", "digest"); } var client = new KeyVaultClient(GetAccessToken); var keyVaultSettings = Settings.Get <KeyVaultSettings>(); var signResult = await client.SignAsync( keyVaultSettings.KeyId, keyVaultSettings.Algorithm, digest); return(signResult.Result); }
public async Task <byte[]> Sign(string keyId, byte[] hash) { var bundle = await KeyVaultClient.SignAsync(keyId, "RS256", hash); return(bundle.Result); }
public async Task <byte[]> SignAsync(string algorithm, byte[] digest) { return((await _keyVaultClient.SignAsync(_keyVaultOptions.KeyIdentifier, algorithm, digest)).Result); }
public override byte[] Sign(byte[] input) { var digest = _hashAlgorithm.ComputeHash(input); return(_keyVaultClient.SignAsync(_keyIdentifier, _algorithm, digest).Result.Result); }
public async Task <byte[]> Sign(string keyName, string keyVersion, string algorithm, byte[] digest, CancellationToken cancellationToken) { var sign = await _keyVaultClient.SignAsync(_baseUrl, keyName, keyVersion, algorithm, digest, cancellationToken); return(sign.Result); }
static void Main(string[] args) { var sourceQueue = QueueClient.CreateFromConnectionString(InternalConfiguration.QueueConnectionString, "03ValidaRFCToSigner"); var destinationQueue = QueueClient.CreateFromConnectionString(InternalConfiguration.QueueConnectionString, "04ToCosmosDb"); var keyName = "SignKey"; var keyVaultAddress = "https://keyvaultname.vault.azure.net/"; var keyVersion = InternalConfiguration.KeyVersion; Console.WriteLine(keyVersion); var applicationId = InternalConfiguration.ApplicationId; var clientSecret = InternalConfiguration.ApplicationKey; keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback( (authority, resource, scope) => GetAccessToken(authority, resource, applicationId, clientSecret)), new HttpClient()); var count = 0; do { try { Stopwatch swProcess = Stopwatch.StartNew(); var files = sourceQueue.ReceiveBatch(1000); count = files.Count(); Console.WriteLine(count); if (count > 0) { var rnd = new Random(DateTime.Now.Millisecond); Parallel.ForEach(files, (currentFile) => { try { string selectedVault = selectKeyVault(keyVaultAddress, rnd); var tuple = currentFile.GetBody <Tuple <CfdiFile, Cfdi> >(); var algorithm = JsonWebKeySignatureAlgorithm.RS256; var cfdi = tuple.Item2; var signature = Task.Run(() => keyVaultClient.SignAsync(selectedVault, keyName, keyVersion, algorithm, Convert.FromBase64String(tuple.Item2.Sha256))).ConfigureAwait(false).GetAwaiter().GetResult(); cfdi.Signature = signature.Result; destinationQueue.Send(new BrokeredMessage(cfdi) { SessionId = cfdi.Guid }); currentFile.Complete(); } catch (Exception ex) { Console.WriteLine(ex); Console.WriteLine(keyVersion); Console.WriteLine(InternalConfiguration.Name); currentFile.Abandon(); } } ); } if (swProcess.ElapsedMilliseconds > 1000) { Console.WriteLine($"-> [{count} / {swProcess.ElapsedMilliseconds / 1000}] = {count / (swProcess.ElapsedMilliseconds / 1000)} x segundo"); } } catch (Exception ex) { Console.WriteLine(ex); } if (count == 0) { Thread.Sleep(1000); } } while (true); }
/// <summary> /// Creates a new firmware update ready to be rolled out. Call asynchronously because it can take some time. Don't use await. /// </summary> /// <param name="file">File of firmware update. Must be a tar.</param> /// <param name="location">Directory of where file will be stored on server.</param> /// <param name="id">Key of software version in databse.</param> /// <returns></returns> public static async Task CreateNewFirmwareUpdateTask(string fileUrl, string location, int id) { IsmIoTPortalContext db = new IsmIoTPortalContext(); // Get reference to software var software = db.Releases.Find(id); try { // Filename is always the same var fileName = "update.tar"; // Creates all directories in path that do not exist Directory.CreateDirectory(location); // Full path of file string filePath = Path.Combine(location, fileName); // Save file to disk var retval = await DownloadFromBlobStorage(fileUrl, filePath).ConfigureAwait(false); if (retval.Equals("Error")) { // Update software status software.Status = "Error during download of file."; db.SaveChanges(); return; } // Update software status software.Status = "Saved"; db.SaveChanges(); // Calculate SHA 256 hash var checksum = await Sha256Sum(filePath).ConfigureAwait(false); // Get checksum string var checksum_string = BitConverter.ToString(checksum).Replace("-", String.Empty).ToLower(); // Add checksum string to database software.Checksum = checksum_string; db.SaveChanges(); // Get access to key vault var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken)); // Sign Checksum var sig = await kv.SignAsync( // Key ID is in appsettings keyIdentifier : ConfigurationManager.AppSettings["kv:fw-signing-key"], // Sign with RS256 algorithm : Microsoft.Azure.KeyVault.WebKey.JsonWebKeySignatureAlgorithm.RS256, // We want to sign the checksum digest : checksum).ConfigureAwait(false); // Save byte data as sig string checksumPath = Path.Combine(location, "sig"); File.WriteAllBytes(checksumPath, sig.Result); software.Status = "Signed"; db.SaveChanges(); // Create tarball (.tar.gz file containing signed checksum and tarfile with update) var tarball = CreateTarBall(location); software.Status = "Compressed"; db.SaveChanges(); // Upload var uri = await UploadToBlobStorage(Path.GetFileName(tarball), tarball).ConfigureAwait(false); if (uri.Equals("Error")) { software.Status = "Error during upload."; db.SaveChanges(); return; } // Remove old file from BLOB storage var retVal = RemoveFromBlobStorage(fileUrl); if (retval.Equals("Error")) { software.Status = "Error during removal of old file from BLOB storage."; db.SaveChanges(); return; } // Everything is ok software.Status = "Ready"; software.Url = uri; db.SaveChanges(); } catch (Exception e) { software.Status = "Error"; db.SaveChanges(); } }