/// <summary>
/// Wraps a symmetric key and then unwrapps the wrapped key
/// </summary>
/// <param name="key"> key bundle </param>
private static void WrapUnwrap(KeyBundle key)
{
KeyOperationResult wrappedKey;
var algorithm = inputValidator.GetEncryptionAlgorithm();
byte[] symmetricKey = inputValidator.GetSymmetricKey();
string keyVersion = inputValidator.GetKeyVersion();
if (keyVersion != string.Empty)
{
var vaultAddress = inputValidator.GetVaultAddress();
string keyName = inputValidator.GetKeyName(true);
wrappedKey = keyVaultClient.WrapKeyAsync(vaultAddress, keyName, keyVersion, algorithm, symmetricKey).GetAwaiter().GetResult();
}
else
{
// If the key ID is not initialized get the key id from args
var keyId = (key != null) ? key.Key.Kid : inputValidator.GetKeyId();
// Wrap the symmetric key
wrappedKey = keyVaultClient.WrapKeyAsync(keyId, algorithm, symmetricKey).GetAwaiter().GetResult();
}
Console.Out.WriteLine(string.Format("The symmetric key is wrapped using key id {0} and algorithm {1}", wrappedKey.Kid, algorithm));
// Unwrap the symmetric key
var unwrappedKey = keyVaultClient.UnwrapKeyAsync(wrappedKey.Kid, algorithm, wrappedKey.Result).GetAwaiter().GetResult();
Console.Out.WriteLine(string.Format("The unwrapped key is{0}the same as the original key!",
symmetricKey.SequenceEqual(unwrappedKey.Result) ? " " : " not "));
}
public async Task <string> WrapKeyAsync(string key)
{
var keyAsBytes = Encoding.Unicode.GetBytes(key);
var wrapResult = await client.WrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, keyAsBytes);
var encodedText = Convert.ToBase64String(wrapResult.Result);
return(encodedText);
}
/// <summary>
/// Wraps a symmetric key using the specified wrapping key and algorithm.
/// </summary>
/// <param name="wrappingKey">The wrapping key</param>
/// <param name="key">The key to wrap</param>
/// <param name="algorithm">The algorithm to use. For more information on possible algorithm types, see JsonWebKeyEncryptionAlgorithm.</param>
/// <returns>The wrapped key</returns>
public static async Task <KeyOperationResult> WrapKeyAsync(this KeyVaultClient client, KeyBundle wrappingKey, byte[] key, string algorithm)
{
if (wrappingKey == null)
{
throw new ArgumentNullException("keyBundle");
}
return(await client.WrapKeyAsync(wrappingKey.Key, key, algorithm).ConfigureAwait(false));
}
/// <summary>
/// Use symmetric encryption, then wrap the key using Key Vault
/// </summary>
/// <returns></returns>
private static async Task EncryptAndWrap()
{
// In real-world, these could be concatenated and stored.
byte[] iv;
byte[] wrappedKey;
Stream encryptedData = new MemoryStream();
string wrappingKeyIdentifier;
string keyWrappingEncryptionAlgorithm = JsonWebKeyEncryptionAlgorithm.RSA15;
// TODO: This (probably) doesn't use "AE" - update accordingly.
// This creates a random key and initialisation vector (IV) and encrypts the data
using (var encryptingAes = Aes.Create())
{
iv = encryptingAes.IV;
var encryptor = encryptingAes.CreateEncryptor();
using (var encryptingStream = new CryptoStream(encryptedData, encryptor, CryptoStreamMode.Write, true))
using (var writer = new StreamWriter(encryptingStream)) // NOTE: This is a text writer! Shouldn't do this if we're dealing with binary data!
{
writer.Write(inputText);
writer.Flush();
encryptingStream.Flush();
}
var wrappingResult = await keyVaultClient.WrapKeyAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key);
wrappedKey = wrappingResult.Result;
wrappingKeyIdentifier = wrappingResult.Kid;
// TODO: Test if "wrap" and "encrypt" produce the same resul;t
var encryptTest = await keyVaultClient.EncryptAsync($"{keyVaultUrl}keys/{keyName}", keyWrappingEncryptionAlgorithm, encryptingAes.Key);
}
encryptedData.Position = 0;
// Decrypt
var unwrapKeyResult = await keyVaultClient.UnwrapKeyAsync(wrappingKeyIdentifier, keyWrappingEncryptionAlgorithm, wrappedKey);
var symmetricKey = unwrapKeyResult.Result;
string decrypted;
using (var decryptingAes = Aes.Create())
{
decryptingAes.IV = iv;
decryptingAes.Key = symmetricKey;
var decryptor = decryptingAes.CreateDecryptor();
using (var decryptingStream = new CryptoStream(encryptedData, decryptor, CryptoStreamMode.Read))
using (var reader = new StreamReader(decryptingStream))
{
decrypted = reader.ReadToEnd();
}
}
if (inputText != decrypted)
{
throw new Exception("Decrypted does not match encrypted");
}
}
/// <summary>
/// Wraps and unwraps symmetric key
/// </summary>
/// <param name="algorithm"> the wrao and unwrap algorithm </param>
private void WrapAndUnwrap(KeyVaultClient client, KeyIdentifier keyIdentifier, string algorithm, byte[] symmetricKeyBytes)
{
var wrapResult = client.WrapKeyAsync(keyIdentifier.BaseIdentifier, algorithm, symmetricKeyBytes).GetAwaiter().GetResult();
Assert.NotNull(wrapResult);
Assert.NotNull(wrapResult.Kid);
Assert.NotNull(wrapResult.Result);
var unwrapResult = client.UnwrapKeyAsync(wrapResult.Kid, algorithm, wrapResult.Result).GetAwaiter().GetResult();
Assert.NotNull(unwrapResult);
Assert.NotNull(unwrapResult.Kid);
Assert.True(unwrapResult.Result.SequenceEqual(symmetricKeyBytes), "the symmetric key after unwrap should match the initial key");
}
public async Task <byte[]> WrapSymmetricKeyAsync(string keyId, byte[] symmetricKey)
{
if (string.IsNullOrEmpty(keyId))
{
throw new ArgumentNullException(keyId, "Key NickName is Null.");
}
if (symmetricKey == null)
{
throw new ArgumentNullException(nameof(symmetricKey), "Symetric key is Null.");
}
if (symmetricKey.Length == 0)
{
throw new ArgumentNullException(nameof(symmetricKey), "Symmetric key is Empty.");
}
var wrappedKey = await KeyVaultClient.WrapKeyAsync(keyId, JsonWebKeyEncryptionAlgorithm.RSAOAEP, symmetricKey);
return(wrappedKey.Result);
}
public Task <KeyOperationResult> WrapKeyAsync(string keyIdentifier, string algorithm, byte[] cipherText)
{
return(_client.WrapKeyAsync(keyIdentifier, algorithm, cipherText));
}
private async Task KeysMigrationGuide()
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create
AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
KeyVaultClient client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback));
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Create
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
using (HttpClient httpClient = new HttpClient())
{
//@@AzureServiceTokenProvider provider = new AzureServiceTokenProvider();
/*@@*/ provider = new AzureServiceTokenProvider();
//@@KeyVaultClient client = new KeyVaultClient(
/*@@*/ client = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(provider.KeyVaultTokenCallback),
httpClient);
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateWithOptions
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey
// Create RSA key.
NewKeyParameters createRsaParameters = new NewKeyParameters
{
Kty = JsonWebKeyType.Rsa,
KeySize = 4096
};
KeyBundle rsaKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "rsa-key-name", createRsaParameters);
// Create Elliptic-Curve key.
NewKeyParameters createEcParameters = new NewKeyParameters
{
Kty = JsonWebKeyType.EllipticCurve,
CurveName = "P-256"
};
KeyBundle ecKey = await client.CreateKeyAsync("https://myvault.vault.azure.net", "ec-key-name", createEcParameters);
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_CreateKey
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
IPage <KeyItem> page = await client.GetKeysAsync("https://myvault.vault.azure.net");
foreach (KeyItem item in page)
{
KeyIdentifier keyId = item.Identifier;
KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name);
}
while (page.NextPageLink != null)
{
page = await client.GetKeysNextAsync(page.NextPageLink);
foreach (KeyItem item in page)
{
KeyIdentifier keyId = item.Identifier;
KeyBundle key = await client.GetKeyAsync(keyId.Vault, keyId.Name);
}
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_ListKeys
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
// Delete the key.
DeletedKeyBundle deletedKey = await client.DeleteKeyAsync("https://myvault.vault.azure.net", "key-name");
// Purge or recover the deleted key if soft delete is enabled.
if (deletedKey.RecoveryId != null)
{
DeletedKeyIdentifier deletedKeyId = deletedKey.RecoveryIdentifier;
// Deleting a key does not happen immediately. Wait a while and check if the deleted key exists.
while (true)
{
try
{
await client.GetDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name);
// Finally deleted.
break;
}
catch (KeyVaultErrorException ex) when(ex.Response.StatusCode == HttpStatusCode.NotFound)
{
// Not yet deleted...
}
}
// Purge the deleted key.
await client.PurgeDeletedKeyAsync(deletedKeyId.Vault, deletedKeyId.Name);
// You can also recover the deleted key using RecoverDeletedKeyAsync.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_DeleteKey
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
// Encrypt a message. The plaintext must be small enough for the chosen algorithm.
byte[] plaintext = Encoding.UTF8.GetBytes("Small message to encrypt");
KeyOperationResult encrypted = await client.EncryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, plaintext);
// Decrypt the message.
KeyOperationResult decrypted = await client.DecryptAsync("rsa-key-name", JsonWebKeyEncryptionAlgorithm.RSAOAEP256, encrypted.Result);
string message = Encoding.UTF8.GetString(decrypted.Result);
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Encrypt
}
{
#region Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap
using (Aes aes = Aes.Create())
{
// Use a symmetric key to encrypt large amounts of data, possibly streamed...
// Now wrap the key and store the encrypted key and plaintext IV to later decrypt the key to decrypt the data.
KeyOperationResult wrapped = await client.WrapKeyAsync(
"https://myvault.vault.azure.net",
"rsa-key-name",
null,
JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
aes.Key);
// Read the IV and the encrypted key from the payload, then unwrap the key.
KeyOperationResult unwrapped = await client.UnwrapKeyAsync(
"https://myvault.vault.azure.net",
"rsa-key-name",
null,
JsonWebKeyEncryptionAlgorithm.RSAOAEP256,
wrapped.Result);
aes.Key = unwrapped.Result;
// Decrypt the payload with the symmetric key.
}
#endregion Snippet:Microsoft_Azure_KeyVault_Keys_Snippets_MigrationGuide_Wrap
}
}
public async Task <byte[]> WrapKey(byte[] unwrappedKey)
{
var wrappedKey = await _keyVaultClient.WrapKeyAsync(_vaultURL, ALGORITHM, unwrappedKey);
return(wrappedKey.Result);
}
