private static async Task SignAndVerify()
{
// TODO: Test what happens if I disable a key - can I still verify with it?
try
{
// Create a *digest* that we can then sign
var digest = GetSHA512Digest(inputText);
// This will use the latest key version
// Note that the type of digest (SHA512 here) determines which type of signature algo to use!
var signatureResult = await keyVaultClient.SignAsync($"{keyVaultUrl}keys/{keyName}", JsonWebKeySignatureAlgorithm.RS512, digest);
// In the real world, we'd combine these with the data and potentially store all of it together
var signingKey = signatureResult.Kid;
var signature = signatureResult.Result;
var signingAlgorithm = JsonWebKeySignatureAlgorithm.RS512;
// Now to verify the text
var newDigest = GetSHA512Digest(inputText + "a");
var verifyResult = await keyVaultClient.VerifyAsync(signingKey, signingAlgorithm, newDigest, signature);
if (!verifyResult)
{
throw new Exception("Failed to verify the data");
}
}
catch (Exception e)
{
throw;
}
}
private async Task <bool> CheckSignedInfo()
{
SignatureDescription signatureDescription = CryptoConfig.CreateFromName(SignedInfo.SignatureMethod) as SignatureDescription;
if (signatureDescription == null)
{
throw new CryptographicException("Cryptography_Xml_SignatureDescriptionNotCreated");
}
HashAlgorithm hashAlgorithm = signatureDescription.CreateDigest();
if (hashAlgorithm == null)
{
throw new CryptographicException("Cryptography_Xml_CreateHashAlgorithmFailed");
}
//byte[] hashval = GetC14NDigest(hashAlgorithm);
var methodInfo2 = typeof(SignedXml).GetMethod("GetC14NDigest", BindingFlags.Instance | BindingFlags.NonPublic);
var hashvalue = (byte[])methodInfo2.Invoke(this, new object[] { hashAlgorithm });
var result = await keyClient.VerifyAsync(keyvaultUri, keyIdentifier, keyVersion,
Microsoft.Azure.KeyVault.WebKey.JsonWebKeySignatureAlgorithm.RS256, hashvalue, m_signature.SignatureValue);
return((bool)result.Value);
}
/// <summary>
/// Signs a hash and then verifies the signature
/// </summary>
/// <param name="keyId"> a global key identifier of the key to get </param>
private static void SignVerify(KeyBundle key)
{
KeyOperationResult signature;
var algorithm = inputValidator.GetSignAlgorithm();
var digest = inputValidator.GetDigestHash();
string keyVersion = inputValidator.GetKeyVersion();
if (keyVersion != string.Empty)
{
var vaultAddress = inputValidator.GetVaultAddress();
string keyName = inputValidator.GetKeyName(true);
signature = keyVaultClient.SignAsync(vaultAddress, keyName, keyVersion, algorithm, digest).GetAwaiter().GetResult();
}
else
{
// If the key is not initialized get the key id from args
var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId();
// Create a signature
signature = keyVaultClient.SignAsync(keyId, algorithm, digest).GetAwaiter().GetResult();
}
Console.Out.WriteLine(string.Format("The signature is created using key id {0} and algorithm {1} ", signature.Kid, algorithm));
// Verify the signature
bool isVerified = keyVaultClient.VerifyAsync(signature.Kid, algorithm, digest, signature.Result).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format("The signature is {0} verified!", isVerified ? "" : "not "));
}
/// <summary>
/// Creates a signature and verifies it
/// </summary>
/// <param name="keyIdentifier"> key identifier </param>
/// <param name="algorithm"> sign algorithm </param>
/// <param name="digest"> digest hash </param>
private void SignVerify(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] digest)
{
var signResult = client.SignAsync(keyIdentifier.BaseIdentifier, algorithm, digest).GetAwaiter().GetResult();
var verifyResult = client.VerifyAsync(signResult.Kid, algorithm, digest, signResult.Result).GetAwaiter().GetResult();
Assert.True(verifyResult, "Signature was not verified");
}
public async Task <bool> Verify(string keyName, string keyVersion, string algorithm, byte[] digest, byte[] signature,
CancellationToken cancellationToken)
{
var sign = await _keyVaultClient.VerifyAsync(_baseUrl, keyName, keyVersion, algorithm, digest, signature, cancellationToken);
return(sign.Value != null && sign.Value.Value);
}
public override bool Verify(byte[] input, byte[] signature)
{
// TODO: If the public key is available offline (cached in memory?) verify this offline to save money and perform this operation faster
var digest = _hashAlgorithm.ComputeHash(input);
return(_keyVaultClient.VerifyAsync(_keyIdentifier, _algorithm, digest, signature).Result);
}
private static async Task <string> GetKeys(KeyVaultClient keyVaultClient)
{
var keyIdentifier = "keyIdentifier";
var textToEncrypt = "This is a test message";
var byteData = Encoding.Unicode.GetBytes(textToEncrypt);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signedResult = await keyVaultClient.SignAsync(
keyIdentifier, JsonWebKeySignatureAlgorithm.RS256, digest);
var isVerified = await keyVaultClient.VerifyAsync(keyIdentifier, "RS256", digest, signedResult.Result);
var keyResult = await keyVaultClient.GetKeyAsync(keyIdentifier);
var jsonWebKey = keyResult.Key.ToString();
var key = JsonConvert.DeserializeObject <JsonWebKey>(jsonWebKey);
var rsa = new RSACryptoServiceProvider();
var p = new RSAParameters()
{
Modulus = key.N, Exponent = key.E
};
rsa.ImportParameters(p);
isVerified = rsa.VerifyHash(digest, "Sha256", signedResult.Result);
return(null);
}
private static async Task MainAsync(string[] args)
{
Console.WriteLine("Application started...");
const string clientId = "{appId}";
const string clientSecret = "{appSecret}";
const string keyIdentifier = "{keyIdentifier}";
Console.WriteLine("Configuration built...");
var kv = new KeyVaultClient(async(authority, resource, scope) =>
{
var authContext = new AuthenticationContext(authority);
var clientCred = new ClientCredential(clientId, clientSecret);
var result = await authContext.AcquireTokenAsync(resource, clientCred);
return(result.AccessToken);
});
Console.WriteLine("KeyVaultClient created...");
const string data = "digest";
var byteData = Encoding.UTF8.GetBytes(data);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signResult = await kv.SignAsync(
keyIdentifier : keyIdentifier,
algorithm : JsonWebKeySignatureAlgorithm.RS256,
digest : digest
);
Console.WriteLine("Data signed...");
var signature = Convert.ToBase64String(signResult.Result);
var verifyResult = await kv.VerifyAsync(
keyIdentifier : keyIdentifier,
algorithm : JsonWebKeySignatureAlgorithm.RS256,
digest : digest,
signature : Convert.FromBase64String(signature)
);
Console.WriteLine("Data verified...");
Console.ReadKey();
}
public static async Task <bool> VerifyAsync(string keyId, Byte[] plainText, byte[] signature)
{
bool result = false;
KeyVaultClient keyVaultClient = GetClient();
var appId = $"{_keyVaultURL}{keyId}";
//Hash the data and send the digest to SignAsync
byte[] digestBytes = SHA256.Create().ComputeHash(plainText);
try
{
result = await keyVaultClient.VerifyAsync(appId, JsonWebKeySignatureAlgorithm.RS256, digestBytes, signature);
}
catch (Exception ex)
{
Console.WriteLine("Errors: {0}", ex.Message);
}
return(result);
}
/// <summary>
/// Verifies a signature using the specified key.
/// </summary>
/// <param name="verifyKey">The verification key</param>
/// <param name="algorithm">The signing algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="digest">The digest hash value</param>
/// <param name="signature">The signature to verify</param>
/// <returns>true if verification succeeds, false if verification fails</returns>
public static async Task <bool> VerifyAsync(this KeyVaultClient client, JsonWebKey verifyKey, string algorithm, byte[] digest, byte[] signature)
{
if (verifyKey == null)
{
throw new ArgumentNullException("verifyKey");
}
if (digest == null)
{
throw new ArgumentNullException("digest");
}
if (signature == null)
{
throw new ArgumentNullException("signature");
}
return(await client.VerifyAsync(verifyKey.Kid, algorithm, digest, signature).ConfigureAwait(false));
}
private static void SignVerify(KeyBundle key, string algorithm, string textToSign, string keyVersion, string keyName, string keyVaultAddress)
{
KeyOperationResult signature;
var bytes = Encoding.ASCII.GetBytes(textToSign);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(bytes);
signature = Task.Run(() => keyVaultClient.SignAsync(keyVaultAddress, keyName, keyVersion, algorithm, digest)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format(
"The signature is created using key id {0} and algorithm {1} \n\t\n\t SIGNATURE: {2} ",
signature.Kid, algorithm, Convert.ToBase64String(signature.Result)));
// Verify the signature
bool isVerified = Task.Run(() => keyVaultClient.VerifyAsync(signature.Kid, algorithm, digest, signature.Result)).ConfigureAwait(false).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format("The signature is {0} verified!", isVerified ? "" : "not "));
}
private static async Task<string> GetKeys(KeyVaultClient keyVaultClient)
{
var keyIdentifier = "keyIdentifier";
var textToEncrypt = "This is a test message";
var byteData = Encoding.Unicode.GetBytes(textToEncrypt);
var hasher = new SHA256CryptoServiceProvider();
var digest = hasher.ComputeHash(byteData);
var signedResult = await keyVaultClient.SignAsync(
keyIdentifier, JsonWebKeySignatureAlgorithm.RS256, digest);
var isVerified = await keyVaultClient.VerifyAsync(keyIdentifier, "RS256", digest, signedResult.Result);
var keyResult = await keyVaultClient.GetKeyAsync(keyIdentifier);
var jsonWebKey = keyResult.Key.ToString();
var key = JsonConvert.DeserializeObject<JsonWebKey>(jsonWebKey);
var rsa = new RSACryptoServiceProvider();
var p = new RSAParameters() { Modulus = key.N, Exponent = key.E };
rsa.ImportParameters(p);
isVerified = rsa.VerifyHash(digest, "Sha256", signedResult.Result);
return null;
}
public async Task <bool> Verify(string keyId, byte[] hash, byte[] signature)
{
var result = await KeyVaultClient.VerifyAsync(keyId, "RS256", hash, signature);
return(result);
}
public async Task <bool> VerifyAsync(string algorithm, byte[] digest, byte[] signature)
{
return(await _keyVaultClient.VerifyAsync(_keyVaultOptions.KeyIdentifier, algorithm, digest, signature));
}
/// <summary>
/// Verifies a signature using the specified key.
/// </summary>
/// <param name="verifyKey">The verification key</param>
/// <param name="algorithm">The signing algorithm. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <param name="digest">The digest hash value</param>
/// <param name="signature">The signature to verify</param>
/// <returns>True if verification succeeds, false if verification fails</returns>
public static async Task <bool> VerifyAsync(this KeyVaultClient client, KeyBundle verifyKey, string algorithm, byte[] digest, byte[] signature)
{
return(await client.VerifyAsync(verifyKey.Key, algorithm, digest, signature).ConfigureAwait(false));
}
