private void ValidateSecondaryTrackKey(RouteTrackKey trackKey) { var nowLocal = DateTime.Now; var certificate = trackKey.SecondaryKey.Key.ToX509Certificate(); if (certificate.NotBefore > nowLocal) { throw new KeyException($"Track secondary key certificate not valid yet. Not before {certificate.NotBefore.ToUniversalTime():u}."); } if (certificate.NotAfter < nowLocal) { throw new KeyException($"Track secondary key certificate has expired. Not after {certificate.NotAfter.ToUniversalTime():u}."); } }
public async Task <Saml2X509Certificate> GetPrimarySaml2X509CertificateAsync(RouteTrackKey trackKey) { await ValidatePrimaryTrackKeyAsync(trackKey); switch (trackKey.Type) { case TrackKeyType.Contained: return(trackKey.PrimaryKey.Key.ToSaml2X509Certificate(true)); case TrackKeyType.KeyVaultRenewSelfSigned: return(new Saml2X509Certificate(trackKey.PrimaryKey.Key.ToX509Certificate(), GetRSAKeyVault(trackKey))); case TrackKeyType.KeyVaultUpload: default: throw new NotSupportedException($"Track primary key type '{trackKey.Type}' not supported."); } }
public async Task <SecurityKey> GetPrimarySecurityKeyAsync(RouteTrackKey trackKey) { await ValidatePrimaryTrackKeyAsync(trackKey); switch (trackKey.Type) { case TrackKeyType.Contained: return(trackKey.PrimaryKey.Key.ToSecurityKey()); case TrackKeyType.KeyVaultRenewSelfSigned: return(new RsaSecurityKey(GetRSAKeyVault(trackKey))); case TrackKeyType.KeyVaultUpload: default: throw new NotSupportedException($"Track primary key type '{trackKey.Type}' not supported."); } }
private async Task <RouteTrackKey> LoadTrackKeyAsync(TelemetryScopedLogger scopedLogger, Track.IdKey trackIdKey, Track track) { switch (track.Key.Type) { case TrackKeyType.Contained: return(new RouteTrackKey { Type = track.Key.Type, PrimaryKey = new RouteTrackKeyItem { Key = track.Key.Keys[0].Key }, SecondaryKey = track.Key.Keys.Count > 1 ? new RouteTrackKeyItem { Key = track.Key.Keys[1].Key } : null, }); case TrackKeyType.KeyVaultRenewSelfSigned: var trackKeyExternal = await GetTrackKeyItemsAsync(scopedLogger, trackIdKey.TenantName, trackIdKey.TrackName, track); var externalRouteTrackKey = new RouteTrackKey { Type = track.Key.Type, ExternalName = track.Key.ExternalName, }; if (trackKeyExternal == null) { externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem { ExternalKeyIsNotReady = true }; } else { externalRouteTrackKey.PrimaryKey = new RouteTrackKeyItem { ExternalId = trackKeyExternal.Keys[0].ExternalId, Key = trackKeyExternal.Keys[0].Key }; externalRouteTrackKey.SecondaryKey = trackKeyExternal.Keys.Count > 1 ? new RouteTrackKeyItem { ExternalId = trackKeyExternal.Keys[1].ExternalId, Key = trackKeyExternal.Keys[1].Key } : null; } return(externalRouteTrackKey); case TrackKeyType.KeyVaultUpload: default: throw new Exception($"Track key type not supported '{track.Key.Type}'."); } }
public Saml2X509Certificate GetSecondarySaml2X509Certificate(RouteTrackKey trackKey) { if (trackKey.SecondaryKey == null || trackKey.SecondaryKey.Key == null) { return(null); } ValidateSecondaryTrackKey(trackKey); switch (trackKey.Type) { case TrackKeyType.Contained: return(trackKey.SecondaryKey.Key.ToSaml2X509Certificate(true)); case TrackKeyType.KeyVaultRenewSelfSigned: return(new Saml2X509Certificate(trackKey.SecondaryKey.Key.ToX509Certificate(), GetRSAKeyVault(trackKey))); case TrackKeyType.KeyVaultUpload: default: throw new NotSupportedException($"Track secondary key type '{trackKey.Type}' not supported."); } }
private async Task ValidatePrimaryTrackKeyAsync(RouteTrackKey trackKey) { var nowLocal = DateTime.Now; var certificate = trackKey.PrimaryKey.Key.ToX509Certificate(); try { if (certificate.NotBefore > nowLocal) { throw new KeyException($"Track primary key certificate not valid yet. Not before {certificate.NotBefore.ToUniversalTime():u}."); } if (certificate.NotAfter < nowLocal) { throw new KeyException($"Track primary key certificate has expired. Not after {certificate.NotAfter.ToUniversalTime():u}."); } } catch (Exception ex) { if (RouteBinding.TrackName == Constants.Routes.MasterTrackName && RouteBinding.Key.Type != TrackKeyType.KeyVaultRenewSelfSigned) { var mTrack = await tenantRepository.GetTrackByNameAsync(new Track.IdKey { TenantName = RouteBinding.TenantName, TrackName = RouteBinding.TrackName }); mTrack.Key.Type = TrackKeyType.KeyVaultRenewSelfSigned; mTrack.Key.Keys = null; mTrack.Key.ExternalName = await externalKeyLogic.CreateExternalKeyAsync(mTrack); await tenantRepository.UpdateAsync(mTrack); throw new ExternalKeyIsNotReadyException("The old primary master track key certificate is invalid. A new primary external track key certificate is under construction in Key Vault, it is ready in a little while.", ex); } throw; } }
private RSA GetRSAKeyVault(RouteTrackKey trackKey) { return(RSAFactory.Create(tokenCredential, new Uri(UrlCombine.Combine(settings.KeyVault.EndpointUri, "keys", trackKey.ExternalName, trackKey.PrimaryKey.ExternalId)), new Azure.Security.KeyVault.Keys.JsonWebKey(trackKey.PrimaryKey.Key.ToRsa()))); }