static async Task Main(string[] args) { var keyIdentifier = new KeyIdentifier("https://nosecrets-vault05.vault.azure.net:443/keys/EncryptionCertificate02/5cc49b815ea349c5bda9d08366ea780f"); var secretIdentifier = new SecretIdentifier("https://nosecrets-vault05.vault.azure.net:443/secrets/EncryptionCertificate02/5cc49b815ea349c5bda9d08366ea780f"); var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier); var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable); var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate); var plainText = "Hello World"; var encryptedData = Encrypt(rsa, plainText); Console.WriteLine("-------------encrypted string------------"); Console.WriteLine(Convert.ToBase64String(encryptedData)); var decryptedData = Decrypt(rsa, encryptedData); Console.WriteLine("-------------decrypted string------------"); Console.WriteLine(decryptedData); Console.WriteLine("Press any key to continue"); Console.Read(); }
public async Task <RSA> ToRSA() { await GetCertificateAsync() .ConfigureAwait(false); return(client.ToRSA(keyIdentifier, certificate)); }
public async Task <bool> SignAsync(string packagePath, string outputPath, string timestampUrl, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampHashAlgorithm, SignatureType signatureType, bool overwrite, string keyVaultCertificateName, string keyVaultUrl, string keyVaultClientId, string keyVaultClientSecret, string keyVaultAccessToken) { string validatedToken = null; async Task <string> Authenticate(string authority, string resource, string scope) { if (!string.IsNullOrWhiteSpace(keyVaultAccessToken)) { validatedToken = keyVaultAccessToken; return(keyVaultAccessToken); } var context = new AuthenticationContext(authority); var credential = new ClientCredential(keyVaultClientId, keyVaultClientSecret); var result = await context.AcquireTokenAsync(resource, credential) .ConfigureAwait(false); if (result == null) { throw new InvalidOperationException("Authentication to Azure failed."); } validatedToken = result.AccessToken; return(result.AccessToken); } var client = new KeyVaultClient(Authenticate, new HttpClient()); // We call this here to verify it's a valid cert // It also implicitly validates the access token or credentials var kvcert = await client.GetCertificateAsync(keyVaultUrl, keyVaultCertificateName) .ConfigureAwait(false); var publicCertificate = new X509Certificate2(kvcert.Cer); var keyIdentifier = kvcert.KeyIdentifier; var rsa = client.ToRSA(keyIdentifier, publicCertificate); return(await SignAsync(packagePath, outputPath, timestampUrl, signatureHashAlgorithm, timestampHashAlgorithm, overwrite, publicCertificate, rsa)); }
public async Task <X509Certificate2> IssueCertificateAsync(string subjectName, RSAPublicKeyParameters publicKey) { var certificateBundle = await _keyVaultClient.GetCertificateAsync(_rootCertificateId); using var issuerCertificate = new X509Certificate2(certificateBundle.Cer); using RSA certificateKey = CreateCertificateKey(publicKey); CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey, issuerCertificate.Extensions[SubjectIdExtensionOid]); byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync(); using var rsaKeyVault = _keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, issuerCertificate); var generator = X509SignatureGenerator.CreateForRSA(rsaKeyVault, RSASignaturePadding.Pkcs1); return(request.Create(issuerCertificate.SubjectName, generator, DateTime.Today.AddDays(-1), DateTime.Today.AddYears(1), certificateSerialNumber)); }
public static RsaSecurityKey GetSigningKey(string keyVaultEndpoint, string keyPath) { if (string.IsNullOrEmpty(keyVaultEndpoint)) { throw new InvalidOperationException(); } var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient( new KeyVaultClient.AuthenticationCallback( azureServiceTokenProvider.KeyVaultTokenCallback)); var key = keyVaultClient.GetKeyAsync(keyPath).GetAwaiter().GetResult(); if (key == null) { throw new InvalidOperationException( "An error occurred while retrieving the signing key from Azure Key Vault."); } return(new RsaSecurityKey(keyVaultClient.ToRSA(key))); }
static async Task Main(string[] args) { var keyIdentifier = new KeyIdentifier("https://nosecrets-vault05.vault.azure.net:443/keys/SigningCertificate01/2c86727652f14814b77018601a2e5ed4"); var secretIdentifier = new SecretIdentifier("https://nosecrets-vault05.vault.azure.net:443/secrets/SigningCertificate01/2c86727652f14814b77018601a2e5ed4"); var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier); var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable); var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate); var xml = GetXml(); var signedXml = SignXml(rsa, xml); Console.WriteLine("-------------signed xml------------"); Console.WriteLine(signedXml); Console.WriteLine("Press any key to continue"); Console.Read(); }
static async Task Main(string[] args) { var keyIdentifier = new KeyIdentifier("https://nosecrets-vault02.vault.azure.net/keys/Document-Signing01/797aef42588b4a7a8638edc7de08b400"); var secretIdentifier = new SecretIdentifier("https://nosecrets-vault02.vault.azure.net/secrets/Document-Signing01/797aef42588b4a7a8638edc7de08b400"); var azureServiceTokenProvider = new AzureServiceTokenProvider(); var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)); var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier); var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable); var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate); var xml = GetXml(); var signedXml = SignXml(rsa, xml); Console.WriteLine("-------------signed xml------------"); Console.WriteLine(signedXml); Console.WriteLine("Press any key to continue"); Console.Read(); }
public Saml2Configuration GetSaml2Configuration() { var saml2Configuration = new Saml2Configuration { Issuer = config.Issuer, SignatureAlgorithm = config.SignatureAlgorithm, CertificateValidationMode = config.CertificateValidationMode, RevocationMode = config.RevocationMode }; var certificateBundle = keyVaultClient.GetCertificateAsync(AzureKeyVaultBaseUrl, AzureKeyVaultCertificateName).GetAwaiter().GetResult(); var publicCertificate = new X509Certificate2(certificateBundle.Cer); var rsa = keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, publicCertificate); saml2Configuration.SigningCertificate = new Saml2X509Certificate(publicCertificate, rsa); //saml2Configuration.SignAuthnRequest = true; saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer); var entityDescriptor = new EntityDescriptor(); entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Saml2IdPMetadata)); if (entityDescriptor.IdPSsoDescriptor != null) { saml2Configuration.AllowedIssuer = entityDescriptor.EntityId; saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location; saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location; saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates); } else { throw new Exception("IdPSsoDescriptor not loaded from metadata."); } return(saml2Configuration); }
private async Task RefreshCacheData() { try { DateTime now = DateTime.UtcNow; DateTime cacheTime = DateTime.UtcNow.AddHours(-7); var timeStamp = await _cacheTimeStamp.GetAsync(CacheValidationKeyTimeStamp); if (timeStamp != null) { cacheTime = DateTime.ParseExact(timeStamp.UtcTime, "O", CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind); } if (now < cacheTime.AddHours(6)) { return; } var keyBundles = await GetKeyBundleVersionsAsync(); var queryKbs = from item in keyBundles where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled select item; keyBundles = queryKbs.ToList(); var keyVaultClient = new KeyVaultClient(_azureKeyVaultAuthentication.KeyVaultClientAuthenticationCallback); var queryRsaSecurityKeys = from item in keyBundles let c = new RsaSecurityKey(keyVaultClient.ToRSA(item)) select c; // var currentKeyBundle = await _publicKeyProvider.GetKeyBundleAsync(); // var securityKey = new RsaSecurityKey(keyVaultClient.ToRSA(currentKeyBundle)); // var signingCredentials = new SigningCredentials(securityKey, securityKey.Rsa.SignatureAlgorithm); var jwks = new List <JsonWebKey>(); var query = from item in keyBundles where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled select item; _keyBundles = query.ToList(); foreach (var keyBundle in _keyBundles) { jwks.Add(new JsonWebKey(keyBundle.Key.ToString())); } var kid = await _publicKeyProvider.GetKeyIdentifierAsync(); var jwk = await _publicKeyProvider.GetAsync(); var parameters = new RSAParameters { Exponent = Base64UrlEncoder.DecodeBytes(jwk.E), Modulus = Base64UrlEncoder.DecodeBytes(jwk.N) }; var securityKey = new RsaSecurityKey(parameters) { KeyId = jwk.Kid, }; var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256); var tokenCreateSigningCredentials = await GetTokenCreationSigningCredentialsAsync(); CacheData cacheData = new CacheData() { RsaSecurityKeys = queryRsaSecurityKeys.ToList(), SigningCredentials = signingCredentials, JsonWebKeys = jwks, KeyIdentifier = kid }; await _cachedData.SetAsync(CacheValidationKey, cacheData, TimeSpan.FromHours(6)); await _cacheTimeStamp.SetAsync(CacheValidationKeyTimeStamp, new TimeStamp() { UtcTime = DateTime.UtcNow.ToString("O") }, TimeSpan.FromHours(6)); } catch (Exception e) { _logger.LogCritical(e, "KeyVault RefreshCacheData fatal exception"); throw; } }
private RSA GetRSAKeyVault(TrackKey trackKey) { return(keyVaultClient.ToRSA(new KeyIdentifier(settings.KeyVault.EndpointUri, trackKey.ExternalName), new Microsoft.Azure.KeyVault.WebKey.JsonWebKey(trackKey.Key.ToRsaParameters()))); }
private async Task RefreshCacheData() { try { DateTime now = DateTime.UtcNow; DateTime cacheTime = DateTime.UtcNow.AddHours(-7); var timeStamp = await _cacheTimeStamp.GetAsync(CacheValidationKeyTimeStamp); if (timeStamp != null) { cacheTime = DateTime.ParseExact(timeStamp.UtcTime, "O", CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind); } if (now < cacheTime.AddHours(6)) { return; } _keyBundles = await GetKeyBundleVersionsAsync(); var queryKbs = from item in _keyBundles where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled && (item.Attributes.Expires == null || item.Attributes.Expires > DateTime.UtcNow) select item; _keyBundles = queryKbs.ToList(); var latestKB = GetLatestKeyBundleWithRolloverDelay(_keyBundles); X509Certificate2 x509Certificate2 = null; if (!_keyVaultOptions.UseKeyVaultSigning) { var x509Certificate2s = await GetAllCertificateVersions(); x509Certificate2 = GetLatestCertificateWithRolloverDelay(x509Certificate2s); } var keyVaultClient = new KeyVaultClient(_azureKeyVaultAuthentication.KeyVaultClientAuthenticationCallback); var queryRsaSecurityKeys = from item in _keyBundles let c = new RsaSecurityKey(keyVaultClient.ToRSA(item)) { KeyId = StipPort(item.KeyIdentifier.Identifier) } select c; var jwks = new List <JsonWebKey>(); foreach (var keyBundle in _keyBundles) { jwks.Add(new JsonWebKey(keyBundle.Key.ToString())); } var jwk = latestKB.Key; var kid = latestKB.KeyIdentifier; var parameters = new RSAParameters { Exponent = jwk.E, Modulus = jwk.N }; var securityKey = new RsaSecurityKey(parameters) { KeyId = jwk.Kid, }; SigningCredentials signingCredentials; if (_keyVaultOptions.UseKeyVaultSigning) { signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256); } else { signingCredentials = new MySigningCredentials(x509Certificate2); } CacheData cacheData = new CacheData() { RsaSecurityKeys = queryRsaSecurityKeys.ToList(), SigningCredentials = signingCredentials, JsonWebKeys = jwks, KeyIdentifier = kid, X509Certificate2 = x509Certificate2 }; await _cachedData.SetAsync(CacheValidationKey, cacheData, TimeSpan.FromHours(6)); await _cacheTimeStamp.SetAsync(CacheValidationKeyTimeStamp, new TimeStamp() { UtcTime = DateTime.UtcNow.ToString("O") }, TimeSpan.FromHours(6)); } catch (Exception e) { _logger.LogCritical(e, "KeyVault RefreshCacheData fatal exception"); throw; } }
public async Task <int> SignAsync(string file, string timestampUrl, HashAlgorithmName signatureHashAlgorithm, HashAlgorithmName timestampeHashAlgorithm, string keyVaultCertificateName, string keyVaultUrl, string keyVaultClientId, string keyVaultClientSecret, string keyVaultAccessToken) { string validatedToken = null; async Task <string> Authenticate(string authority, string resource, string scope) { if (!string.IsNullOrWhiteSpace(keyVaultAccessToken)) { validatedToken = keyVaultAccessToken; return(keyVaultAccessToken); } var context = new AuthenticationContext(authority); var credential = new ClientCredential(keyVaultClientId, keyVaultClientSecret); var result = await context.AcquireTokenAsync(resource, credential) .ConfigureAwait(false); if (result == null) { throw new InvalidOperationException("Authentication to Azure failed."); } validatedToken = result.AccessToken; return(result.AccessToken); } var client = new KeyVaultClient(Authenticate, new HttpClient()); // We call this here to verify it's a valid cert // It also implicitly validates the access token or credentials var kvcert = await client.GetCertificateAsync(keyVaultUrl, keyVaultCertificateName) .ConfigureAwait(false); var cert = new X509Certificate2(kvcert.Cer); var rsa = client.ToRSA(kvcert.KeyIdentifier, cert); // TODO: Add Hash Alg choice var request = new SignPackageRequest() { Certificate = cert, SignatureHashAlgorithm = signatureHashAlgorithm, TimestampHashAlgorithm = timestampeHashAlgorithm }; string tempFilePath = null; try { tempFilePath = CopyPackage(file); var signatureProvider = new KeyVaultSignatureProvider(rsa, new Rfc3161TimestampProvider(new Uri(timestampUrl))); // remove first to overwrite // This command overwrites by default, like signtool using (var packageWriteStream = File.Open(tempFilePath, FileMode.Open)) using (var package = new SignedPackageArchive(packageWriteStream)) { var signer = new Signer(package, signatureProvider); await signer.RemoveSignaturesAsync(new NullLogger(), CancellationToken.None); } // Now sign using (var packageWriteStream = File.Open(tempFilePath, FileMode.Open)) using (var package = new SignedPackageArchive(packageWriteStream)) { var signer = new Signer(package, signatureProvider); await signer.SignAsync(request, new NullLogger(), CancellationToken.None); } OverwritePackage(tempFilePath, file); } catch (Exception e) { Console.Error.WriteLine(e.Message); Console.Error.WriteLine(e.StackTrace); return(-1); } finally { try { FileUtility.Delete(tempFilePath); } catch { } } return(0); }