static async Task MainAsync(string[] args)
{
var keyClient = new KeyVaultClient((authority, resource, scope) =>
{
var adCredential = new ClientCredential(applicationId, applicationSecret);
var authenticationContext = new AuthenticationContext(authority, null);
return authenticationContext.AcquireToken(resource, adCredential).AccessToken;
});
// Get the key details
var keyIdentifier = "https://testvaultrahul.vault.azure.net/keys/rahulkey/0f653b06c1d94159bc7090596bbf7784";
var key = await keyClient.GetKeyAsync(keyIdentifier);
var publicKey = Convert.ToBase64String(key.Key.N);
using (var rsa = new RSACryptoServiceProvider())
{
var p = new RSAParameters() { Modulus = key.Key.N, Exponent = key.Key.E };
rsa.ImportParameters(p);
var byteData = Encoding.Unicode.GetBytes(textToEncrypt);
// Encrypt and Decrypt
var encryptedText = rsa.Encrypt(byteData, true);
var decryptedData = await keyClient.DecryptDataAsync(keyIdentifier, "RSA_OAEP", encryptedText);
var decryptedText = Encoding.Unicode.GetString(decryptedData.Result);
// Sign and Verify
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest);
var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result);
}
}
static async Task <byte[]> SignWithKeyVault(string keyIdentifier, string accessToken, byte[] bytesToSign, string alg)
{
// We already have an access token for the resource
Task <string> Authenticate(string authority, string resource, string scope)
{
return(Task.FromResult(accessToken));
}
var client = new KeyVaultClient(Authenticate, new HttpClient());
var signed = await client.SignAsync(keyIdentifier, alg, bytesToSign);
return(signed.Result);
}
public async Task <byte[]> SignAsync(Stream source)
{
Logger.LogInformation($"start {nameof(SignAsync)}");
await InitializeAsync();
byte[] hash;
using (var sha = System.Security.Cryptography.SHA256.Create())
{
hash = sha.ComputeHash(source);
}
var result = await KeyVault.SignAsync(TekExportKeyVaultKeyUrl, Microsoft.Azure.KeyVault.Cryptography.Algorithms.Es256.AlgorithmName, hash);
return(result.Result);
}
static void Main()
{
var x = new CredentialsService();
var serviceClientCredentials = x.GetCredentials().Result;
var client = new KeyVaultClient(serviceClientCredentials);
var key = client.CreateKeyAsync("https://kv-???????.vault.azure.net/", "testkey1", JsonWebKeyType.Rsa).Result;
var csr = GetCSR(key.Key);
var keyOperationResult = client.SignAsync("testkey1", "RS256", csr.GetDataToSign()).Result;
csr.SignRequest(keyOperationResult.Result);
Console.Out.WriteLine("done");
Console.In.ReadLine();
}
public static string Sign(byte[] inputBytes)
{
// signature
SHA256 sha256 = SHA256Managed.Create();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
(authority, resource, scope) => KeyVaultUtil.GetToken(authority, resource, scope)));
KeyOperationResult resultSign = Task.Run(() => keyVaultClient.SignAsync(SignKey(),
JsonWebKeySignatureAlgorithm.RS256, sha256.ComputeHash(inputBytes)))
.ConfigureAwait(false).GetAwaiter().GetResult();
var signatureEncoded = System.Convert.ToBase64String(resultSign.Result);
return(signatureEncoded);
}
private static async Task MainAsync(string[] args)
{
Console.WriteLine("Application started...");
const string clientId = "{appId}";
const string clientSecret = "{appSecret}";
const string keyIdentifier = "{keyIdentifier}";
Console.WriteLine("Configuration built...");
var kv = new KeyVaultClient(async(authority, resource, scope) =>
{
var authContext = new AuthenticationContext(authority);
var clientCred = new ClientCredential(clientId, clientSecret);
var result = await authContext.AcquireTokenAsync(resource, clientCred);
return(result.AccessToken);
});
Console.WriteLine("KeyVaultClient created...");
const string data = "digest";
var byteData = Encoding.UTF8.GetBytes(data);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signResult = await kv.SignAsync(
keyIdentifier : keyIdentifier,
algorithm : JsonWebKeySignatureAlgorithm.RS256,
digest : digest
);
Console.WriteLine("Data signed...");
var signature = Convert.ToBase64String(signResult.Result);
var verifyResult = await kv.VerifyAsync(
keyIdentifier : keyIdentifier,
algorithm : JsonWebKeySignatureAlgorithm.RS256,
digest : digest,
signature : Convert.FromBase64String(signature)
);
Console.WriteLine("Data verified...");
Console.ReadKey();
}
public async Task<byte[]> Sign(byte[] digest)
{
if (digest == null) throw new ArgumentNullException("digest");
if (digest.Length != 32) throw new ArgumentException("The value must have 32 bytes", "digest");
var client = new KeyVaultClient(GetAccessToken);
var keyVaultSettings = Settings.Get<KeyVaultSettings>();
var signResult =
await client.SignAsync(
keyVaultSettings.KeyId,
keyVaultSettings.Algorithm,
digest);
return signResult.Result;
}
public async Task <byte[]> SignAsync(byte[] input)
{
try
{
var digest = _hashAlgorithm.ComputeHash(input);
var cacheData = await _jwksUriHandler.FetchCacheDataAsync();
var result = await _keyVaultClient.SignAsync(
cacheData.KeyIdentifier.Identifier,
_algorithm, digest);
return(result.Result);
}
catch (Exception ex)
{
_logger.LogError(ex, ex.Message);
throw;
}
}
public async Task <TEKSignature> CreateSignatureAsync(MemoryStream source, int batchNum, int batchSize)
{
var s = new TEKSignature();
s.SignatureInfo = SigInfo;
s.BatchNum = batchNum;
s.BatchSize = batchSize;
// Signature
var ecdsap256 = System.Security.Cryptography.ECDsaCng.Create(ECCurve.NamedCurves.nistP256);
var hash = ecdsap256.SignData(source, HashAlgorithmName.SHA256);
#if DEBUG
s.Signature = ByteString.CopyFrom(ecdsap256.SignHash(hash));
#else
var result = await KeyVault.SignAsync(TekExportKeyVaultKeyUrl, Microsoft.Azure.KeyVault.Cryptography.Algorithms.Es256.AlgorithmName, hash);
s.Signature = ByteString.CopyFrom(result.Result);
#endif
return(s);
}
private static void SignVerify(KeyBundle key, string algorithm, string textToSign, string keyVersion, string keyName, string keyVaultAddress)
{
KeyOperationResult signature;
var bytes = Encoding.ASCII.GetBytes(textToSign);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(bytes);
signature = Task.Run(() => keyVaultClient.SignAsync(keyVaultAddress, keyName, keyVersion, algorithm, digest)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format(
"The signature is created using key id {0} and algorithm {1} \n\t\n\t SIGNATURE: {2} ",
signature.Kid, algorithm, Convert.ToBase64String(signature.Result)));
// Verify the signature
bool isVerified = Task.Run(() => keyVaultClient.VerifyAsync(signature.Kid, algorithm, digest, signature.Result)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format("The signature is {0} verified!", isVerified ? "" : "not "));
}
// https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials
public async Task <string> GetClientAssertionAsync(string tenantId, string appId)
{
try
{
var cert = await _kvClient.GetCertificateAsync($"https://{_kvName}.vault.azure.net/certificates/func-cred-cert/{_signingKeyId}").ConfigureAwait(false);
//var thumbprint = cert.X509Thumbprint.Aggregate(new StringBuilder(),
// (sb, v) => sb.Append(v.ToString("X2"))).ToString();
var x509 = new System.Security.Cryptography.X509Certificates.X509Certificate2(cert.Cer);
var jwk = JsonWebKeyConverter.ConvertFromX509SecurityKey(new X509SecurityKey(x509));
var token = new JwtSecurityToken(
issuer: appId,
audience: $"https://login.microsoftonline.com/{tenantId}/oauth2/token",
claims: new Claim[]
{
new Claim("jti", Guid.NewGuid().ToString("D")),
new Claim("sub", appId)
},
notBefore: DateTime.UtcNow,
expires: DateTime.UtcNow.AddMinutes(10)
);
var header = Base64UrlEncoder.Encode(JsonConvert.SerializeObject(new Dictionary <string, string>()
{
{ JwtHeaderParameterNames.Alg, "RS256" },
{ JwtHeaderParameterNames.X5t, jwk.X5t }, // "CM2UiOQMKph-SkcT5_Ejki2Kzik"; initially, used B2C to get this value; see https://stackoverflow.microsoft.com/questions/179774
{ JwtHeaderParameterNames.Typ, "JWT" }
}));
var unsignedToken = $"{header}.{token.EncodedPayload}";
var byteData = Encoding.UTF8.GetBytes(unsignedToken);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signature = await _kvClient.SignAsync($"https://{_kvName}.vault.azure.net/keys/func-cred-cert/{_signingKeyId}", "RS256", digest);
return($"{unsignedToken}.{Base64UrlEncoder.Encode(signature.Result)}");
}
catch (Exception ex)
{
return(ex.Message);
}
}
//Option 2
//static void Main(string[] args)
//{
// Task t = MainAsync(args);
// t.Wait();
//}
static async Task MainAsync(string[] args)
{
var keyClient = new KeyVaultClient(async(authority, resource, scope) =>
{
var adCredential = new ClientCredential(config["AzureActiveDirectory:ClientId"], config["AzureActiveDirectory:ClientSecret"]);
var authenticationContext = new AuthenticationContext(authority, null);
return((await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken);
});
// Get the key details
var keyIdentifier = "https://rahulkeyvault.vault.azure.net:443/keys/NewKey";
var key = await keyClient.GetKeyAsync(config["KeyVault:Url"]);
var publicKey = Convert.ToBase64String(key.Key.N);
using (var rsa = new RSACryptoServiceProvider())
{
var p = new RSAParameters()
{
Modulus = key.Key.N, Exponent = key.Key.E
};
rsa.ImportParameters(p);
var byteData = Encoding.Unicode.GetBytes(args[0]);
// Encrypt and Decrypt
var encryptedText = rsa.Encrypt(byteData, true);
var decryptedData = await keyClient.DecryptAsync(keyIdentifier, "RSA-OAEP", encryptedText);
var decryptedText = Encoding.Unicode.GetString(decryptedData.Result);
// Sign and Verify
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest);
var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result);
}
}
static async Task MainAsync(string[] args)
{
var keyClient = new KeyVaultClient((authority, resource, scope) =>
{
var adCredential = new ClientCredential(applicationId, applicationSecret);
var authenticationContext = new AuthenticationContext(authority, null);
return(authenticationContext.AcquireToken(resource, adCredential).AccessToken);
});
// Get the key details
var keyIdentifier = "https://testvaultrahul.vault.azure.net/keys/rahulkey/0f653b06c1d94159bc7090596bbf7784";
var key = await keyClient.GetKeyAsync(keyIdentifier);
var publicKey = Convert.ToBase64String(key.Key.N);
using (var rsa = new RSACryptoServiceProvider())
{
var p = new RSAParameters()
{
Modulus = key.Key.N, Exponent = key.Key.E
};
rsa.ImportParameters(p);
var byteData = Encoding.Unicode.GetBytes(textToEncrypt);
// Encrypt and Decrypt
var encryptedText = rsa.Encrypt(byteData, true);
var decryptedData = await keyClient.DecryptDataAsync(keyIdentifier, "RSA_OAEP", encryptedText);
var decryptedText = Encoding.Unicode.GetString(decryptedData.Result);
// Sign and Verify
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signature = await keyClient.SignAsync(keyIdentifier, "RS256", digest);
var isVerified = rsa.VerifyHash(digest, "Sha256", signature.Result);
}
}
private static async Task<string> GetKeys(KeyVaultClient keyVaultClient)
{
var keyIdentifier = "keyIdentifier";
var textToEncrypt = "This is a test message";
var byteData = Encoding.Unicode.GetBytes(textToEncrypt);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signedResult = await keyVaultClient.SignAsync(
keyIdentifier, JsonWebKeySignatureAlgorithm.RS256, digest);
var isVerified = await keyVaultClient.VerifyAsync(keyIdentifier, "RS256", digest, signedResult.Result);
var keyResult = await keyVaultClient.GetKeyAsync(keyIdentifier);
var jsonWebKey = keyResult.Key.ToString();
var key = JsonConvert.DeserializeObject<JsonWebKey>(jsonWebKey);
var rsa = new RSACryptoServiceProvider();
var p = new RSAParameters() { Modulus = key.N, Exponent = key.E };
rsa.ImportParameters(p);
isVerified = rsa.VerifyHash(digest, "Sha256", signedResult.Result);
return null;
}
public async Task <byte[]> Sign(byte[] digest)
{
if (digest == null)
{
throw new ArgumentNullException("digest");
}
if (digest.Length != 32)
{
throw new ArgumentException("The value must have 32 bytes", "digest");
}
var client = new KeyVaultClient(GetAccessToken);
var keyVaultSettings = Settings.Get <KeyVaultSettings>();
var signResult =
await client.SignAsync(
keyVaultSettings.KeyId,
keyVaultSettings.Algorithm,
digest);
return(signResult.Result);
}
public async Task <byte[]> Sign(string keyId, byte[] hash)
{
var bundle = await KeyVaultClient.SignAsync(keyId, "RS256", hash);
return(bundle.Result);
}
public async Task <byte[]> SignAsync(string algorithm, byte[] digest)
{
return((await _keyVaultClient.SignAsync(_keyVaultOptions.KeyIdentifier, algorithm, digest)).Result);
}
public override byte[] Sign(byte[] input)
{
var digest = _hashAlgorithm.ComputeHash(input);
return(_keyVaultClient.SignAsync(_keyIdentifier, _algorithm, digest).Result.Result);
}
public async Task <byte[]> Sign(string keyName, string keyVersion, string algorithm, byte[] digest, CancellationToken cancellationToken)
{
var sign = await _keyVaultClient.SignAsync(_baseUrl, keyName, keyVersion, algorithm, digest, cancellationToken);
return(sign.Result);
}
static void Main(string[] args)
{
var sourceQueue = QueueClient.CreateFromConnectionString(InternalConfiguration.QueueConnectionString, "03ValidaRFCToSigner");
var destinationQueue = QueueClient.CreateFromConnectionString(InternalConfiguration.QueueConnectionString, "04ToCosmosDb");
var keyName = "SignKey";
var keyVaultAddress = "https://keyvaultname.vault.azure.net/";
var keyVersion = InternalConfiguration.KeyVersion;
Console.WriteLine(keyVersion);
var applicationId = InternalConfiguration.ApplicationId;
var clientSecret = InternalConfiguration.ApplicationKey;
keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(
(authority, resource, scope) => GetAccessToken(authority, resource, applicationId, clientSecret)),
new HttpClient());
var count = 0;
do
{
try
{
Stopwatch swProcess = Stopwatch.StartNew();
var files = sourceQueue.ReceiveBatch(1000);
count = files.Count();
Console.WriteLine(count);
if (count > 0)
{
var rnd = new Random(DateTime.Now.Millisecond);
Parallel.ForEach(files, (currentFile) =>
{
try
{
string selectedVault = selectKeyVault(keyVaultAddress, rnd);
var tuple = currentFile.GetBody <Tuple <CfdiFile, Cfdi> >();
var algorithm = JsonWebKeySignatureAlgorithm.RS256;
var cfdi = tuple.Item2;
var signature = Task.Run(() => keyVaultClient.SignAsync(selectedVault, keyName, keyVersion, algorithm, Convert.FromBase64String(tuple.Item2.Sha256))).ConfigureAwait(false).GetAwaiter().GetResult();
cfdi.Signature = signature.Result;
destinationQueue.Send(new BrokeredMessage(cfdi)
{
SessionId = cfdi.Guid
});
currentFile.Complete();
}
catch (Exception ex)
{
Console.WriteLine(ex);
Console.WriteLine(keyVersion);
Console.WriteLine(InternalConfiguration.Name);
currentFile.Abandon();
}
}
);
}
if (swProcess.ElapsedMilliseconds > 1000)
{
Console.WriteLine($"-> [{count} / {swProcess.ElapsedMilliseconds / 1000}] = {count / (swProcess.ElapsedMilliseconds / 1000)} x segundo");
}
}
catch (Exception ex)
{
Console.WriteLine(ex);
}
if (count == 0)
{
Thread.Sleep(1000);
}
} while (true);
}
/// <summary>
/// Creates a new firmware update ready to be rolled out. Call asynchronously because it can take some time. Don't use await.
/// </summary>
/// <param name="file">File of firmware update. Must be a tar.</param>
/// <param name="location">Directory of where file will be stored on server.</param>
/// <param name="id">Key of software version in databse.</param>
/// <returns></returns>
public static async Task CreateNewFirmwareUpdateTask(string fileUrl, string location, int id)
{
IsmIoTPortalContext db = new IsmIoTPortalContext();
// Get reference to software
var software = db.Releases.Find(id);
try
{
// Filename is always the same
var fileName = "update.tar";
// Creates all directories in path that do not exist
Directory.CreateDirectory(location);
// Full path of file
string filePath = Path.Combine(location, fileName);
// Save file to disk
var retval = await DownloadFromBlobStorage(fileUrl, filePath).ConfigureAwait(false);
if (retval.Equals("Error"))
{
// Update software status
software.Status = "Error during download of file.";
db.SaveChanges();
return;
}
// Update software status
software.Status = "Saved";
db.SaveChanges();
// Calculate SHA 256 hash
var checksum = await Sha256Sum(filePath).ConfigureAwait(false);
// Get checksum string
var checksum_string = BitConverter.ToString(checksum).Replace("-", String.Empty).ToLower();
// Add checksum string to database
software.Checksum = checksum_string;
db.SaveChanges();
// Get access to key vault
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetToken));
// Sign Checksum
var sig = await kv.SignAsync(
// Key ID is in appsettings
keyIdentifier : ConfigurationManager.AppSettings["kv:fw-signing-key"],
// Sign with RS256
algorithm : Microsoft.Azure.KeyVault.WebKey.JsonWebKeySignatureAlgorithm.RS256,
// We want to sign the checksum
digest : checksum).ConfigureAwait(false);
// Save byte data as sig
string checksumPath = Path.Combine(location, "sig");
File.WriteAllBytes(checksumPath, sig.Result);
software.Status = "Signed";
db.SaveChanges();
// Create tarball (.tar.gz file containing signed checksum and tarfile with update)
var tarball = CreateTarBall(location);
software.Status = "Compressed";
db.SaveChanges();
// Upload
var uri = await UploadToBlobStorage(Path.GetFileName(tarball), tarball).ConfigureAwait(false);
if (uri.Equals("Error"))
{
software.Status = "Error during upload.";
db.SaveChanges();
return;
}
// Remove old file from BLOB storage
var retVal = RemoveFromBlobStorage(fileUrl);
if (retval.Equals("Error"))
{
software.Status = "Error during removal of old file from BLOB storage.";
db.SaveChanges();
return;
}
// Everything is ok
software.Status = "Ready";
software.Url = uri;
db.SaveChanges();
}
catch (Exception e)
{
software.Status = "Error";
db.SaveChanges();
}
}
