public async Task ReleaseImportedKey()
{
string keyName = Recording.GenerateId();
JsonWebKey jwk = KeyUtilities.CreateRsaKey(includePrivateParameters: true);
ImportKeyOptions options = new(keyName, jwk)
{
Properties =
{
Exportable = true,
ReleasePolicy = GetReleasePolicy(),
},
};
KeyVaultKey key = await Client.ImportKeyAsync(options);
RegisterForCleanup(key.Name);
JwtSecurityToken jws = await ReleaseKeyAsync(keyName);
Assert.IsTrue(jws.Payload.TryGetValue("response", out object response));
JsonDocument doc = JsonDocument.Parse(response.ToString());
JsonElement keyElement = doc.RootElement.GetProperty("key").GetProperty("key");
Assert.AreEqual(key.Id, keyElement.GetProperty("kid").GetString());
Assert.AreEqual(JsonValueKind.String, keyElement.GetProperty("key_hsm").ValueKind);
}
public void SignDataStreamRequiresPrivateKey([EnumValues] SignatureAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, keyOps: new[] { KeyOperation.Sign, KeyOperation.Verify });
LocalCryptographyClient client = CreateClient <LocalCryptographyClient>(jwk);
Assert.ThrowsAsync(new InstanceOfTypeConstraint(typeof(CryptographicException)), async() => await client.SignDataAsync(algorithm, TestStream));
}
public async Task ReleaseImportedKey()
{
string keyName = Recording.GenerateId();
JsonWebKey jwk = KeyUtilities.CreateRsaKey(includePrivateParameters: true);
ImportKeyOptions options = new(keyName, jwk)
{
Properties =
{
Exportable = true,
ReleasePolicy = GetReleasePolicy(),
},
};
// BUGBUG: Remove assert when https://github.com/Azure/azure-sdk-for-net/issues/22750 is resolved.
KeyVaultKey key = await AssertRequestSupported(async() => await Client.ImportKeyAsync(options));
RegisterForCleanup(key.Name);
// BUGBUG: Remove assert when https://github.com/Azure/azure-sdk-for-net/issues/22750 is resolved.
JwtSecurityToken jws = await AssertRequestSupported(async() => await ReleaseKeyAsync(keyName));
Assert.IsTrue(jws.Payload.TryGetValue("response", out object response));
JsonDocument doc = JsonDocument.Parse(response.ToString());
JsonElement keyElement = doc.RootElement.GetProperty("key").GetProperty("key");
Assert.AreEqual(key.Id, keyElement.GetProperty("kid").GetString());
Assert.AreEqual(JsonValueKind.String, keyElement.GetProperty("key_hsm").ValueKind);
}
public void SignRequiresPrivateKey([EnumValues] SignatureAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, keyOps: new[] { KeyOperation.Sign, KeyOperation.Verify });
LocalCryptographyClient client = CreateClient <LocalCryptographyClient>(jwk);
byte[] digest = algorithm.GetHashAlgorithm().ComputeHash(TestData);
Assert.ThrowsAsync(new InstanceOfTypeConstraint(typeof(CryptographicException)), async() => await client.SignAsync(algorithm, digest));
}
public async Task WrapKeyUnwrapKeyRoundtrip([EnumValues(Exclude = new[] { nameof(KeyWrapAlgorithm.RsaOaep256) })] KeyWrapAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, includePrivateParameters: true);
LocalCryptographyClient client = CreateClient <LocalCryptographyClient>(jwk);
WrapResult wrapped = await client.WrapKeyAsync(algorithm, TestKey);
UnwrapResult unwrapped = await client.UnwrapKeyAsync(algorithm, wrapped.EncryptedKey);
CollectionAssert.AreEqual(TestKey, unwrapped.Key);
}
public async Task SignDataStreamVerifyDataStreamRoundtrip([EnumValues(Exclude = new[] { nameof(SignatureAlgorithm.PS256), nameof(SignatureAlgorithm.PS384), nameof(SignatureAlgorithm.PS512) })] SignatureAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, includePrivateParameters: true);
LocalCryptographyClient client = CreateClient <LocalCryptographyClient>(jwk);
SignResult signed = await client.SignDataAsync(algorithm, TestStream);
VerifyResult verified = await client.VerifyDataAsync(algorithm, TestStream, signed.Signature);
Assert.IsTrue(verified.IsValid);
}
private async Task <KeyVaultKey> CreateTestKeyWithKeyMaterial(SignatureAlgorithm algorithm)
{
string keyName = Recording.GenerateId();
JsonWebKey keyMaterial = null;
switch (algorithm.ToString())
{
case SignatureAlgorithm.PS256Value:
case SignatureAlgorithm.PS384Value:
case SignatureAlgorithm.PS512Value:
case SignatureAlgorithm.RS256Value:
case SignatureAlgorithm.RS384Value:
case SignatureAlgorithm.RS512Value:
keyMaterial = KeyUtilities.CreateRsaKey(includePrivateParameters: true);
break;
case SignatureAlgorithm.ES256Value:
case SignatureAlgorithm.ES256KValue:
case SignatureAlgorithm.ES384Value:
case SignatureAlgorithm.ES512Value:
#if NET461
Assert.Ignore("Creating JsonWebKey with ECDsa is not supported on net461.");
#else
KeyCurveName curveName = algorithm.GetEcKeyCurveName();
ECCurve curve = ECCurve.CreateFromOid(curveName.Oid);
using (ECDsa ecdsa = ECDsa.Create())
{
try
{
ecdsa.GenerateKey(curve);
keyMaterial = new JsonWebKey(ecdsa, includePrivateParameters: true);
}
catch (NotSupportedException)
{
Assert.Inconclusive("This platform does not support OID {0}", curveName.Oid);
}
}
#endif
break;
default:
throw new ArgumentException("Invalid Algorithm", nameof(algorithm));
}
KeyVaultKey key = await Client.ImportKeyAsync(keyName, keyMaterial);
keyMaterial.Id = key.Key.Id;
key.Key = keyMaterial;
return(key);
}
private async Task <KeyVaultKey> CreateTestKeyWithKeyMaterial(SignatureAlgorithm algorithm)
{
string keyName = Recording.GenerateId();
JsonWebKey keyMaterial = KeyUtilities.CreateKey(algorithm, includePrivateParameters: true);
KeyVaultKey key = await Client.ImportKeyAsync(keyName, keyMaterial);
keyMaterial.Id = key.Key.Id;
key.Key = keyMaterial;
return(key);
}
public async Task SignVerifyRoundtrip([EnumValues(Exclude = new[] { nameof(SignatureAlgorithm.PS256), nameof(SignatureAlgorithm.PS384), nameof(SignatureAlgorithm.PS512) })] SignatureAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, includePrivateParameters: true);
LocalCryptographyClient client = CreateClient <LocalCryptographyClient>(jwk);
byte[] digest = algorithm.GetHashAlgorithm().ComputeHash(TestData);
SignResult signed = await client.SignAsync(algorithm, digest);
VerifyResult verified = await client.VerifyAsync(algorithm, digest, signed.Signature);
Assert.IsTrue(verified.IsValid);
}
public async Task EncryptLocalDecryptOnManagedHsm([EnumValues(
nameof(EncryptionAlgorithm.A128Cbc),
nameof(EncryptionAlgorithm.A192Cbc),
nameof(EncryptionAlgorithm.A256Cbc),
nameof(EncryptionAlgorithm.A128CbcPad),
nameof(EncryptionAlgorithm.A192CbcPad),
nameof(EncryptionAlgorithm.A256CbcPad))] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.GetAesCbcEncryptionAlgorithm().KeySizeInBytes;
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
CryptographyClient localClient = GetLocalCryptoClient(jwk);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
EncryptionAlgorithm.A128CbcValue => EncryptParameters.A128CbcParameters(plaintext, iv),
EncryptionAlgorithm.A192CbcValue => EncryptParameters.A192CbcParameters(plaintext, iv),
EncryptionAlgorithm.A256CbcValue => EncryptParameters.A256CbcParameters(plaintext, iv),
EncryptionAlgorithm.A128CbcPadValue => EncryptParameters.A128CbcPadParameters(plaintext, iv),
EncryptionAlgorithm.A192CbcPadValue => EncryptParameters.A192CbcPadParameters(plaintext, iv),
EncryptionAlgorithm.A256CbcPadValue => EncryptParameters.A256CbcPadParameters(plaintext, iv),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await localClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
EncryptionAlgorithm.A128CbcValue => DecryptParameters.A128CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A192CbcValue => DecryptParameters.A192CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A256CbcValue => DecryptParameters.A256CbcParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A128CbcPadValue => DecryptParameters.A128CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A192CbcPadValue => DecryptParameters.A192CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
EncryptionAlgorithm.A256CbcPadValue => DecryptParameters.A256CbcPadParameters(encrypted.Ciphertext, encrypted.Iv),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}
public async Task AesGcmEncryptDecrypt([EnumValues(
nameof(EncryptionAlgorithm.A128Gcm),
nameof(EncryptionAlgorithm.A192Gcm),
nameof(EncryptionAlgorithm.A256Gcm)
)] EncryptionAlgorithm algorithm)
{
int keySizeInBytes = algorithm.ToString() switch
{
EncryptionAlgorithm.A128GcmValue => 128 >> 3,
EncryptionAlgorithm.A192GcmValue => 192 >> 3,
EncryptionAlgorithm.A256GcmValue => 256 >> 3,
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
JsonWebKey jwk = KeyUtilities.CreateAesKey(keySizeInBytes, s_aesKeyOps);
string keyName = Recording.GenerateId();
KeyVaultKey key = await Client.ImportKeyAsync(
new ImportKeyOptions(keyName, jwk));
RegisterForCleanup(key.Name);
CryptographyClient remoteClient = GetCryptoClient(key.Id, forceRemote: true);
byte[] plaintext = new byte[32];
Recording.Random.NextBytes(plaintext);
byte[] iv = new byte[16];
if (algorithm.GetAesCbcEncryptionAlgorithm() is AesCbc)
{
Recording.Random.NextBytes(iv);
}
EncryptParameters encryptParams = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => EncryptParameters.A128GcmParameters(plaintext),
EncryptionAlgorithm.A192GcmValue => EncryptParameters.A192GcmParameters(plaintext),
EncryptionAlgorithm.A256GcmValue => EncryptParameters.A256GcmParameters(plaintext),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
EncryptResult encrypted = await remoteClient.EncryptAsync(encryptParams);
Assert.IsNotNull(encrypted.Ciphertext);
DecryptParameters decryptParameters = algorithm.ToString() switch
{
// TODO: Re-record with random additionalAuthenticatedData once the "aad" issue is fixed with Managed HSM.
EncryptionAlgorithm.A128GcmValue => DecryptParameters.A128GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A192GcmValue => DecryptParameters.A192GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
EncryptionAlgorithm.A256GcmValue => DecryptParameters.A256GcmParameters(encrypted.Ciphertext, encrypted.Iv, encrypted.AuthenticationTag),
_ => throw new NotSupportedException($"{algorithm} is not supported"),
};
DecryptResult decrypted = await remoteClient.DecryptAsync(decryptParameters);
Assert.IsNotNull(decrypted.Plaintext);
CollectionAssert.AreEqual(plaintext, decrypted.Plaintext);
}