static async Task Main(string[] args)
{
var keyIdentifier = new KeyIdentifier("https://nosecrets-vault05.vault.azure.net:443/keys/EncryptionCertificate02/5cc49b815ea349c5bda9d08366ea780f");
var secretIdentifier = new SecretIdentifier("https://nosecrets-vault05.vault.azure.net:443/secrets/EncryptionCertificate02/5cc49b815ea349c5bda9d08366ea780f");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier);
var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable);
var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate);
var plainText = "Hello World";
var encryptedData = Encrypt(rsa, plainText);
Console.WriteLine("-------------encrypted string------------");
Console.WriteLine(Convert.ToBase64String(encryptedData));
var decryptedData = Decrypt(rsa, encryptedData);
Console.WriteLine("-------------decrypted string------------");
Console.WriteLine(decryptedData);
Console.WriteLine("Press any key to continue");
Console.Read();
}
public async Task <RSA> ToRSA()
{
await GetCertificateAsync()
.ConfigureAwait(false);
return(client.ToRSA(keyIdentifier, certificate));
}
public async Task <bool> SignAsync(string packagePath,
string outputPath,
string timestampUrl,
HashAlgorithmName signatureHashAlgorithm,
HashAlgorithmName timestampHashAlgorithm,
SignatureType signatureType,
bool overwrite,
string keyVaultCertificateName,
string keyVaultUrl,
string keyVaultClientId,
string keyVaultClientSecret,
string keyVaultAccessToken)
{
string validatedToken = null;
async Task <string> Authenticate(string authority, string resource, string scope)
{
if (!string.IsNullOrWhiteSpace(keyVaultAccessToken))
{
validatedToken = keyVaultAccessToken;
return(keyVaultAccessToken);
}
var context = new AuthenticationContext(authority);
var credential = new ClientCredential(keyVaultClientId, keyVaultClientSecret);
var result = await context.AcquireTokenAsync(resource, credential)
.ConfigureAwait(false);
if (result == null)
{
throw new InvalidOperationException("Authentication to Azure failed.");
}
validatedToken = result.AccessToken;
return(result.AccessToken);
}
var client = new KeyVaultClient(Authenticate, new HttpClient());
// We call this here to verify it's a valid cert
// It also implicitly validates the access token or credentials
var kvcert = await client.GetCertificateAsync(keyVaultUrl, keyVaultCertificateName)
.ConfigureAwait(false);
var publicCertificate = new X509Certificate2(kvcert.Cer);
var keyIdentifier = kvcert.KeyIdentifier;
var rsa = client.ToRSA(keyIdentifier, publicCertificate);
return(await SignAsync(packagePath, outputPath, timestampUrl, signatureHashAlgorithm, timestampHashAlgorithm, overwrite, publicCertificate, rsa));
}
public async Task <X509Certificate2> IssueCertificateAsync(string subjectName, RSAPublicKeyParameters publicKey)
{
var certificateBundle = await _keyVaultClient.GetCertificateAsync(_rootCertificateId);
using var issuerCertificate = new X509Certificate2(certificateBundle.Cer);
using RSA certificateKey = CreateCertificateKey(publicKey);
CertificateRequest request = CreateCertificateRequest(subjectName, certificateKey, issuerCertificate.Extensions[SubjectIdExtensionOid]);
byte[] certificateSerialNumber = await _serialNumberGenerator.GenerateSerialAsync();
using var rsaKeyVault = _keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, issuerCertificate);
var generator = X509SignatureGenerator.CreateForRSA(rsaKeyVault, RSASignaturePadding.Pkcs1);
return(request.Create(issuerCertificate.SubjectName, generator, DateTime.Today.AddDays(-1), DateTime.Today.AddYears(1), certificateSerialNumber));
}
public static RsaSecurityKey GetSigningKey(string keyVaultEndpoint, string keyPath)
{
if (string.IsNullOrEmpty(keyVaultEndpoint))
{
throw new InvalidOperationException();
}
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(
azureServiceTokenProvider.KeyVaultTokenCallback));
var key = keyVaultClient.GetKeyAsync(keyPath).GetAwaiter().GetResult();
if (key == null)
{
throw new InvalidOperationException(
"An error occurred while retrieving the signing key from Azure Key Vault.");
}
return(new RsaSecurityKey(keyVaultClient.ToRSA(key)));
}
static async Task Main(string[] args)
{
var keyIdentifier = new KeyIdentifier("https://nosecrets-vault05.vault.azure.net:443/keys/SigningCertificate01/2c86727652f14814b77018601a2e5ed4");
var secretIdentifier = new SecretIdentifier("https://nosecrets-vault05.vault.azure.net:443/secrets/SigningCertificate01/2c86727652f14814b77018601a2e5ed4");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier);
var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable);
var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate);
var xml = GetXml();
var signedXml = SignXml(rsa, xml);
Console.WriteLine("-------------signed xml------------");
Console.WriteLine(signedXml);
Console.WriteLine("Press any key to continue");
Console.Read();
}
static async Task Main(string[] args)
{
var keyIdentifier = new KeyIdentifier("https://nosecrets-vault02.vault.azure.net/keys/Document-Signing01/797aef42588b4a7a8638edc7de08b400");
var secretIdentifier = new SecretIdentifier("https://nosecrets-vault02.vault.azure.net/secrets/Document-Signing01/797aef42588b4a7a8638edc7de08b400");
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(secretIdentifier.Identifier);
var publicCertificate = new X509Certificate2(Convert.FromBase64String(secret.Value), string.Empty, X509KeyStorageFlags.Exportable);
var rsa = keyVaultClient.ToRSA(keyIdentifier, publicCertificate);
var xml = GetXml();
var signedXml = SignXml(rsa, xml);
Console.WriteLine("-------------signed xml------------");
Console.WriteLine(signedXml);
Console.WriteLine("Press any key to continue");
Console.Read();
}
public Saml2Configuration GetSaml2Configuration()
{
var saml2Configuration = new Saml2Configuration
{
Issuer = config.Issuer,
SignatureAlgorithm = config.SignatureAlgorithm,
CertificateValidationMode = config.CertificateValidationMode,
RevocationMode = config.RevocationMode
};
var certificateBundle = keyVaultClient.GetCertificateAsync(AzureKeyVaultBaseUrl, AzureKeyVaultCertificateName).GetAwaiter().GetResult();
var publicCertificate = new X509Certificate2(certificateBundle.Cer);
var rsa = keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, publicCertificate);
saml2Configuration.SigningCertificate = new Saml2X509Certificate(publicCertificate, rsa);
//saml2Configuration.SignAuthnRequest = true;
saml2Configuration.AllowedAudienceUris.Add(saml2Configuration.Issuer);
var entityDescriptor = new EntityDescriptor();
entityDescriptor.ReadIdPSsoDescriptorFromUrl(new Uri(Saml2IdPMetadata));
if (entityDescriptor.IdPSsoDescriptor != null)
{
saml2Configuration.AllowedIssuer = entityDescriptor.EntityId;
saml2Configuration.SingleSignOnDestination = entityDescriptor.IdPSsoDescriptor.SingleSignOnServices.First().Location;
saml2Configuration.SingleLogoutDestination = entityDescriptor.IdPSsoDescriptor.SingleLogoutServices.First().Location;
saml2Configuration.SignatureValidationCertificates.AddRange(entityDescriptor.IdPSsoDescriptor.SigningCertificates);
}
else
{
throw new Exception("IdPSsoDescriptor not loaded from metadata.");
}
return(saml2Configuration);
}
private async Task RefreshCacheData()
{
try
{
DateTime now = DateTime.UtcNow;
DateTime cacheTime = DateTime.UtcNow.AddHours(-7);
var timeStamp = await _cacheTimeStamp.GetAsync(CacheValidationKeyTimeStamp);
if (timeStamp != null)
{
cacheTime = DateTime.ParseExact(timeStamp.UtcTime, "O", CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
}
if (now < cacheTime.AddHours(6))
{
return;
}
var keyBundles = await GetKeyBundleVersionsAsync();
var queryKbs = from item in keyBundles
where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled
select item;
keyBundles = queryKbs.ToList();
var keyVaultClient = new KeyVaultClient(_azureKeyVaultAuthentication.KeyVaultClientAuthenticationCallback);
var queryRsaSecurityKeys = from item in keyBundles
let c = new RsaSecurityKey(keyVaultClient.ToRSA(item))
select c;
// var currentKeyBundle = await _publicKeyProvider.GetKeyBundleAsync();
// var securityKey = new RsaSecurityKey(keyVaultClient.ToRSA(currentKeyBundle));
// var signingCredentials = new SigningCredentials(securityKey, securityKey.Rsa.SignatureAlgorithm);
var jwks = new List <JsonWebKey>();
var query = from item in keyBundles
where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled
select item;
_keyBundles = query.ToList();
foreach (var keyBundle in _keyBundles)
{
jwks.Add(new JsonWebKey(keyBundle.Key.ToString()));
}
var kid = await _publicKeyProvider.GetKeyIdentifierAsync();
var jwk = await _publicKeyProvider.GetAsync();
var parameters = new RSAParameters
{
Exponent = Base64UrlEncoder.DecodeBytes(jwk.E),
Modulus = Base64UrlEncoder.DecodeBytes(jwk.N)
};
var securityKey = new RsaSecurityKey(parameters)
{
KeyId = jwk.Kid,
};
var signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
var tokenCreateSigningCredentials = await GetTokenCreationSigningCredentialsAsync();
CacheData cacheData = new CacheData()
{
RsaSecurityKeys = queryRsaSecurityKeys.ToList(),
SigningCredentials = signingCredentials,
JsonWebKeys = jwks,
KeyIdentifier = kid
};
await _cachedData.SetAsync(CacheValidationKey, cacheData, TimeSpan.FromHours(6));
await _cacheTimeStamp.SetAsync(CacheValidationKeyTimeStamp, new TimeStamp()
{
UtcTime = DateTime.UtcNow.ToString("O")
}, TimeSpan.FromHours(6));
}
catch (Exception e)
{
_logger.LogCritical(e, "KeyVault RefreshCacheData fatal exception");
throw;
}
}
private RSA GetRSAKeyVault(TrackKey trackKey)
{
return(keyVaultClient.ToRSA(new KeyIdentifier(settings.KeyVault.EndpointUri, trackKey.ExternalName), new Microsoft.Azure.KeyVault.WebKey.JsonWebKey(trackKey.Key.ToRsaParameters())));
}
private async Task RefreshCacheData()
{
try
{
DateTime now = DateTime.UtcNow;
DateTime cacheTime = DateTime.UtcNow.AddHours(-7);
var timeStamp = await _cacheTimeStamp.GetAsync(CacheValidationKeyTimeStamp);
if (timeStamp != null)
{
cacheTime = DateTime.ParseExact(timeStamp.UtcTime, "O", CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind);
}
if (now < cacheTime.AddHours(6))
{
return;
}
_keyBundles = await GetKeyBundleVersionsAsync();
var queryKbs = from item in _keyBundles
where item.Attributes.Enabled != null && (bool)item.Attributes.Enabled &&
(item.Attributes.Expires == null || item.Attributes.Expires > DateTime.UtcNow)
select item;
_keyBundles = queryKbs.ToList();
var latestKB = GetLatestKeyBundleWithRolloverDelay(_keyBundles);
X509Certificate2 x509Certificate2 = null;
if (!_keyVaultOptions.UseKeyVaultSigning)
{
var x509Certificate2s = await GetAllCertificateVersions();
x509Certificate2 = GetLatestCertificateWithRolloverDelay(x509Certificate2s);
}
var keyVaultClient = new KeyVaultClient(_azureKeyVaultAuthentication.KeyVaultClientAuthenticationCallback);
var queryRsaSecurityKeys = from item in _keyBundles
let c = new RsaSecurityKey(keyVaultClient.ToRSA(item))
{
KeyId = StipPort(item.KeyIdentifier.Identifier)
}
select c;
var jwks = new List <JsonWebKey>();
foreach (var keyBundle in _keyBundles)
{
jwks.Add(new JsonWebKey(keyBundle.Key.ToString()));
}
var jwk = latestKB.Key;
var kid = latestKB.KeyIdentifier;
var parameters = new RSAParameters
{
Exponent = jwk.E,
Modulus = jwk.N
};
var securityKey = new RsaSecurityKey(parameters)
{
KeyId = jwk.Kid,
};
SigningCredentials signingCredentials;
if (_keyVaultOptions.UseKeyVaultSigning)
{
signingCredentials = new SigningCredentials(securityKey, SecurityAlgorithms.RsaSha256);
}
else
{
signingCredentials = new MySigningCredentials(x509Certificate2);
}
CacheData cacheData = new CacheData()
{
RsaSecurityKeys = queryRsaSecurityKeys.ToList(),
SigningCredentials = signingCredentials,
JsonWebKeys = jwks,
KeyIdentifier = kid,
X509Certificate2 = x509Certificate2
};
await _cachedData.SetAsync(CacheValidationKey, cacheData, TimeSpan.FromHours(6));
await _cacheTimeStamp.SetAsync(CacheValidationKeyTimeStamp, new TimeStamp()
{
UtcTime = DateTime.UtcNow.ToString("O")
}, TimeSpan.FromHours(6));
}
catch (Exception e)
{
_logger.LogCritical(e, "KeyVault RefreshCacheData fatal exception");
throw;
}
}
public async Task <int> SignAsync(string file,
string timestampUrl,
HashAlgorithmName signatureHashAlgorithm,
HashAlgorithmName timestampeHashAlgorithm,
string keyVaultCertificateName,
string keyVaultUrl,
string keyVaultClientId,
string keyVaultClientSecret,
string keyVaultAccessToken)
{
string validatedToken = null;
async Task <string> Authenticate(string authority, string resource, string scope)
{
if (!string.IsNullOrWhiteSpace(keyVaultAccessToken))
{
validatedToken = keyVaultAccessToken;
return(keyVaultAccessToken);
}
var context = new AuthenticationContext(authority);
var credential = new ClientCredential(keyVaultClientId, keyVaultClientSecret);
var result = await context.AcquireTokenAsync(resource, credential)
.ConfigureAwait(false);
if (result == null)
{
throw new InvalidOperationException("Authentication to Azure failed.");
}
validatedToken = result.AccessToken;
return(result.AccessToken);
}
var client = new KeyVaultClient(Authenticate, new HttpClient());
// We call this here to verify it's a valid cert
// It also implicitly validates the access token or credentials
var kvcert = await client.GetCertificateAsync(keyVaultUrl, keyVaultCertificateName)
.ConfigureAwait(false);
var cert = new X509Certificate2(kvcert.Cer);
var rsa = client.ToRSA(kvcert.KeyIdentifier, cert);
// TODO: Add Hash Alg choice
var request = new SignPackageRequest()
{
Certificate = cert,
SignatureHashAlgorithm = signatureHashAlgorithm,
TimestampHashAlgorithm = timestampeHashAlgorithm
};
string tempFilePath = null;
try
{
tempFilePath = CopyPackage(file);
var signatureProvider = new KeyVaultSignatureProvider(rsa, new Rfc3161TimestampProvider(new Uri(timestampUrl)));
// remove first to overwrite
// This command overwrites by default, like signtool
using (var packageWriteStream = File.Open(tempFilePath, FileMode.Open))
using (var package = new SignedPackageArchive(packageWriteStream))
{
var signer = new Signer(package, signatureProvider);
await signer.RemoveSignaturesAsync(new NullLogger(), CancellationToken.None);
}
// Now sign
using (var packageWriteStream = File.Open(tempFilePath, FileMode.Open))
using (var package = new SignedPackageArchive(packageWriteStream))
{
var signer = new Signer(package, signatureProvider);
await signer.SignAsync(request, new NullLogger(), CancellationToken.None);
}
OverwritePackage(tempFilePath, file);
}
catch (Exception e)
{
Console.Error.WriteLine(e.Message);
Console.Error.WriteLine(e.StackTrace);
return(-1);
}
finally
{
try
{
FileUtility.Delete(tempFilePath);
}
catch
{
}
}
return(0);
}
