public void SignDataStreamAlgorithmNotSupported([EnumValues(Exclude = new[] { nameof(KeyType.Rsa), nameof(KeyType.RsaHsm), nameof(KeyType.Ec), nameof(KeyType.EcHsm) })] KeyType keyType)
{
JsonWebKey jwk = CreateKey(keyType);
CryptographyClient client = CreateClient <CryptographyClient>(jwk);
Assert.ThrowsAsync <NotSupportedException>(async() => await client.SignDataAsync(new SignatureAlgorithm("ignored"), TestStream));
}
public void SignDataStreamOperationNotSupported()
{
JsonWebKey jwk = new JsonWebKey(RSA.Create(), keyOps: Array.Empty <KeyOperation>());
CryptographyClient client = CreateClient <CryptographyClient>(jwk);
Assert.ThrowsAsync <NotSupportedException>(async() => await client.SignDataAsync(new SignatureAlgorithm("ignored"), TestStream));
}
public async Task DownloadECDsaCertificateSignRemoteVerifyLocal([EnumValues] CertificateContentType contentType, [EnumValues] CertificateKeyCurveName keyCurveName)
{
#if NET461
Assert.Ignore("ECC is not supported before .NET Framework 4.7");
#endif
if (keyCurveName == CertificateKeyCurveName.P256K && RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
{
Assert.Ignore("https://github.com/Azure/azure-sdk-for-net/issues/25472");
}
string name = Recording.GenerateId();
CertificatePolicy policy = new CertificatePolicy
{
IssuerName = WellKnownIssuerNames.Self,
Subject = "CN=default",
KeyType = CertificateKeyType.Ec,
KeyCurveName = keyCurveName,
Exportable = true,
KeyUsage =
{
CertificateKeyUsage.DigitalSignature,
},
ContentType = contentType,
};
CertificateOperation operation = await Client.StartCreateCertificateAsync(name, policy);
RegisterForCleanup(name);
await operation.WaitForCompletionAsync(DefaultCertificateOperationPollingInterval, default);
// Sign data remotely.
byte[] plaintext = Encoding.UTF8.GetBytes(nameof(DownloadECDsaCertificateSignRemoteVerifyLocal));
CryptographyClient cryptoClient = GetCryptographyClient(operation.Value.KeyId);
SignResult result = await cryptoClient.SignDataAsync(keyCurveName.GetSignatureAlgorithm(), plaintext);
// Download the certificate and verify data locally.
X509Certificate2 certificate = null;
try
{
certificate = await Client.DownloadCertificateAsync(name, operation.Value.Properties.Version);
using ECDsa publicKey = certificate.GetECDsaPublicKey();
Assert.IsTrue(publicKey.VerifyData(plaintext, result.Signature, keyCurveName.GetHashAlgorithmName()));
}
catch (Exception ex) when(IsExpectedP256KException(ex, keyCurveName))
{
Assert.Ignore("The curve is not supported by the current platform");
}
finally
{
certificate?.Dispose();
}
}
public async Task SignDataStreamVerifyDataStreamRoundtrip([EnumValues(Exclude = new[] { nameof(SignatureAlgorithm.PS256), nameof(SignatureAlgorithm.PS384), nameof(SignatureAlgorithm.PS512) })] SignatureAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, includePrivateParameters: true);
CryptographyClient client = CreateClient <CryptographyClient>(jwk);
SignResult signed = await client.SignDataAsync(algorithm, TestStream);
VerifyResult verified = await client.VerifyDataAsync(algorithm, TestStream, signed.Signature);
Assert.IsTrue(verified.IsValid);
}
public async Task <IActionResult> Sign()
{
IFormFile file = Request.Form.Files[0];
byte[] fileBytes = ReadFully(file.OpenReadStream());
KeyVaultKey key = await _keyClient.GetKeyAsync("test");
CryptographyClient crypto = new CryptographyClient(key.Id, new DefaultAzureCredential());
SignResult result = await crypto.SignDataAsync(SignatureAlgorithm.RS512, fileBytes);
return(Ok(result.Signature));
}
public async Task SignVerifyDataStreamRoundTrip([Fields] SignatureAlgorithm algorithm)
{
Key key = await CreateTestKey(algorithm);
CryptographyClient cryptoClient = GetCryptoClient(key.Id);
var data = new byte[8000];
Recording.Random.NextBytes(data);
using MemoryStream dataStream = new MemoryStream(data);
using HashAlgorithm hashAlgo = algorithm.GetHashAlgorithm();
byte[] digest = hashAlgo.ComputeHash(dataStream);
dataStream.Seek(0, SeekOrigin.Begin);
SignResult signResult = await cryptoClient.SignAsync(algorithm, digest);
SignResult signDataResult = await cryptoClient.SignDataAsync(algorithm, dataStream);
Assert.AreEqual(algorithm, signResult.Algorithm);
Assert.AreEqual(algorithm, signDataResult.Algorithm);
Assert.AreEqual(key.Id, signResult.KeyId);
Assert.AreEqual(key.Id, signDataResult.KeyId);
Assert.NotNull(signResult.Signature);
Assert.NotNull(signDataResult.Signature);
dataStream.Seek(0, SeekOrigin.Begin);
VerifyResult verifyResult = await cryptoClient.VerifyAsync(algorithm, digest, signDataResult.Signature);
VerifyResult verifyDataResult = await cryptoClient.VerifyDataAsync(algorithm, dataStream, signResult.Signature);
Assert.AreEqual(algorithm, verifyResult.Algorithm);
Assert.AreEqual(algorithm, verifyDataResult.Algorithm);
Assert.AreEqual(key.Id, verifyResult.KeyId);
Assert.AreEqual(key.Id, verifyDataResult.KeyId);
Assert.True(verifyResult.IsValid);
Assert.True(verifyResult.IsValid);
RegisterForCleanup(key);
}
public async Task SignVerifyDataRoundTrip([Fields] SignatureAlgorithm algorithm)
{
Key key = await CreateTestKey(algorithm);
RegisterForCleanup(key.Name);
CryptographyClient cryptoClient = GetCryptoClient(key.Id, forceRemote: true);
byte[] data = new byte[32];
Recording.Random.NextBytes(data);
using HashAlgorithm hashAlgo = algorithm.GetHashAlgorithm();
byte[] digest = hashAlgo.ComputeHash(data);
SignResult signResult = await cryptoClient.SignAsync(algorithm, digest);
SignResult signDataResult = await cryptoClient.SignDataAsync(algorithm, data);
Assert.AreEqual(algorithm, signResult.Algorithm);
Assert.AreEqual(algorithm, signDataResult.Algorithm);
Assert.AreEqual(key.Id, signResult.KeyId);
Assert.AreEqual(key.Id, signDataResult.KeyId);
Assert.NotNull(signResult.Signature);
Assert.NotNull(signDataResult.Signature);
VerifyResult verifyResult = await cryptoClient.VerifyAsync(algorithm, digest, signDataResult.Signature);
VerifyResult verifyDataResult = await cryptoClient.VerifyDataAsync(algorithm, data, signResult.Signature);
Assert.AreEqual(algorithm, verifyResult.Algorithm);
Assert.AreEqual(algorithm, verifyDataResult.Algorithm);
Assert.AreEqual(key.Id, verifyResult.KeyId);
Assert.AreEqual(key.Id, verifyDataResult.KeyId);
Assert.True(verifyResult.IsValid);
Assert.True(verifyResult.IsValid);
}
public async Task SignVerifyAsync()
{
// Environment variable with the Key Vault endpoint.
string keyVaultUrl = Environment.GetEnvironmentVariable("AZURE_KEYVAULT_URL");
// Instantiate a key client that will be used to create a key. Notice that the client is using default Azure
// credentials. To make default credentials work, ensure that environment variables 'AZURE_CLIENT_ID',
// 'AZURE_CLIENT_KEY' and 'AZURE_TENANT_ID' are set with the service principal credentials.
var keyClient = new KeyClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
// First we'll create both a RSA key and an EC which will be used to sign and verify
string rsaKeyName = $"CloudRsaKey-{Guid.NewGuid()}";
var rsaKey = new CreateRsaKeyOptions(rsaKeyName, hardwareProtected: false)
{
KeySize = 2048,
};
string ecKeyName = $"CloudEcKey-{Guid.NewGuid()}";
var ecKey = new CreateEcKeyOptions(ecKeyName, hardwareProtected: false)
{
CurveName = KeyCurveName.P256K,
};
KeyVaultKey cloudRsaKey = await keyClient.CreateRsaKeyAsync(rsaKey);
Debug.WriteLine($"Key is returned with name {cloudRsaKey.Name} and type {cloudRsaKey.KeyType}");
KeyVaultKey cloudEcKey = await keyClient.CreateEcKeyAsync(ecKey);
Debug.WriteLine($"Key is returned with name {cloudEcKey.Name} and type {cloudEcKey.KeyType}");
// Let's create the CryptographyClient which can perform cryptographic operations with the keys we just created.
// Again we are using the default Azure credential as above.
var rsaCryptoClient = new CryptographyClient(cloudRsaKey.Id, new DefaultAzureCredential());
var ecCryptoClient = new CryptographyClient(cloudEcKey.Id, new DefaultAzureCredential());
// Next we'll sign some arbitrary data and verify the signatures using the CryptographyClient with both the EC and RSA keys we created.
byte[] data = Encoding.UTF8.GetBytes("This is some sample data which we will use to demonstrate sign and verify");
byte[] digest = null;
//
// Signing with the SignAsync and VerifyAsync methods
//
// The SignAsync and VerifyAsync methods expect a precalculated digest, and the digest needs to be calculated using the hash algorithm which matches the
// singature algorithm being used. SHA256 is the hash algorithm used for both RS256 and ES256K which are the algorithms we'll be using in this sample
using (HashAlgorithm hashAlgo = SHA256.Create())
{
digest = hashAlgo.ComputeHash(data);
}
// Get the signature for the computed digest with both keys. Note that the signature algorithm specified must be a valid algorithm for the key type,
// and for EC keys the algorithm must also match the curve of the key
SignResult rsaSignResult = await rsaCryptoClient.SignAsync(SignatureAlgorithm.RS256, digest);
Debug.WriteLine($"Signed digest using the algorithm {rsaSignResult.Algorithm}, with key {rsaSignResult.KeyId}. The resulting signature is {Convert.ToBase64String(rsaSignResult.Signature)}");
SignResult ecSignResult = await ecCryptoClient.SignAsync(SignatureAlgorithm.ES256K, digest);
Debug.WriteLine($"Signed digest using the algorithm {ecSignResult.Algorithm}, with key {ecSignResult.KeyId}. The resulting signature is {Convert.ToBase64String(ecSignResult.Signature)}");
// Verify the signatures
VerifyResult rsaVerifyResult = await rsaCryptoClient.VerifyAsync(SignatureAlgorithm.RS256, digest, rsaSignResult.Signature);
Debug.WriteLine($"Verified the signature using the algorithm {rsaVerifyResult.Algorithm}, with key {rsaVerifyResult.KeyId}. Signature is valid: {rsaVerifyResult.IsValid}");
VerifyResult ecVerifyResult = await ecCryptoClient.VerifyAsync(SignatureAlgorithm.ES256K, digest, ecSignResult.Signature);
Debug.WriteLine($"Verified the signature using the algorithm {ecVerifyResult.Algorithm}, with key {ecVerifyResult.KeyId}. Signature is valid: {ecVerifyResult.IsValid}");
//
// Signing with the SignDataAsync and VerifyDataAsync methods
//
// The SignDataAsync and VerifyDataAsync methods take the raw data which is to be signed. The calculate the digest for the user so there is no need to compute the digest
// Get the signature for the data with both keys. Note that the signature algorithm specified must be a valid algorithm for the key type,
// and for EC keys the algorithm must also match the curve of the key
SignResult rsaSignDataResult = await rsaCryptoClient.SignDataAsync(SignatureAlgorithm.RS256, data);
Debug.WriteLine($"Signed data using the algorithm {rsaSignDataResult.Algorithm}, with key {rsaSignDataResult.KeyId}. The resulting signature is {Convert.ToBase64String(rsaSignDataResult.Signature)}");
SignResult ecSignDataResult = await ecCryptoClient.SignDataAsync(SignatureAlgorithm.ES256K, data);
Debug.WriteLine($"Signed data using the algorithm {ecSignDataResult.Algorithm}, with key {ecSignDataResult.KeyId}. The resulting signature is {Convert.ToBase64String(ecSignDataResult.Signature)}");
// Verify the signatures
VerifyResult rsaVerifyDataResult = await rsaCryptoClient.VerifyDataAsync(SignatureAlgorithm.RS256, data, rsaSignDataResult.Signature);
Debug.WriteLine($"Verified the signature using the algorithm {rsaVerifyDataResult.Algorithm}, with key {rsaVerifyDataResult.KeyId}. Signature is valid: {rsaVerifyDataResult.IsValid}");
VerifyResult ecVerifyDataResult = await ecCryptoClient.VerifyDataAsync(SignatureAlgorithm.ES256K, data, ecSignDataResult.Signature);
Debug.WriteLine($"Verified the signature using the algorithm {ecVerifyDataResult.Algorithm}, with key {ecVerifyDataResult.KeyId}. Signature is valid: {ecVerifyDataResult.IsValid}");
// The Cloud Keys are no longer needed, need to delete them from the Key Vault.
DeleteKeyOperation rsaKeyOperation = await keyClient.StartDeleteKeyAsync(rsaKeyName);
DeleteKeyOperation ecKeyOperation = await keyClient.StartDeleteKeyAsync(ecKeyName);
// To ensure the key is deleted on server before we try to purge it.
Task.WaitAll(
rsaKeyOperation.WaitForCompletionAsync().AsTask(),
ecKeyOperation.WaitForCompletionAsync().AsTask());
// If the keyvault is soft-delete enabled, then for permanent deletion, deleted keys needs to be purged.
Task.WaitAll(
keyClient.PurgeDeletedKeyAsync(rsaKeyName),
keyClient.PurgeDeletedKeyAsync(ecKeyName));
}
public void SignDataStreamRequiresPrivateKey([EnumValues] SignatureAlgorithm algorithm)
{
JsonWebKey jwk = KeyUtilities.CreateKey(algorithm, keyOps: new[] { KeyOperation.Sign, KeyOperation.Verify });
CryptographyClient client = CreateClient <CryptographyClient>(jwk);
Assert.ThrowsAsync(new InstanceOfTypeConstraint(typeof(CryptographicException)), async() => await client.SignDataAsync(algorithm, TestStream));
}
