/// <summary> /// Validate the Purge Protection AndSoft Delete Settings. /// </summary> /// <param name="keyVaultUriProperties">Parsed key Vault Uri Properties. </param> /// <param name="cancellationToken">Cancellation token.</param> /// <returns>Whether The Customer has the correct Deletion Level. </returns> public async Task <bool> ValidatePurgeProtectionAndSoftDeleteSettingsAsync( KeyVaultKeyUriProperties keyVaultUriProperties, CancellationToken cancellationToken = default(CancellationToken)) { KeyClient akvClient = await this.GetAkvClientAsync(keyVaultUriProperties, cancellationToken); try { KeyVaultKey getKeyResponse = await akvClient.GetKeyAsync(keyVaultUriProperties.KeyName, cancellationToken : cancellationToken); string keyDeletionRecoveryLevel = getKeyResponse?.Properties?.RecoveryLevel; if (!string.IsNullOrEmpty(keyDeletionRecoveryLevel)) { return(keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.Recoverable) || keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.RecoverableProtectedSubscription) || keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.CustomizedRecoverable) || keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.CustomizedRecoverableProtectedSubscription)); } else { return(false); } } catch (RequestFailedException ex) { throw new KeyVaultAccessException( ex.Status, ex.ErrorCode, "ValidatePurgeProtectionAndSoftDeleteSettingsAsync: Failed to fetch Key from Key Vault.", ex); } }
/// <summary> /// Wrap the Key with latest Key version. /// Only supports bytes in base64 format. /// </summary> /// <param name="key">plain text key.</param> /// <param name="keyVaultUriProperties">Parsed key Vault Uri Properties.Properties as in sample Format: https://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}.</param> /// <param name="cancellationToken">Cancellation token.</param> /// <returns>Result including KeyIdentifier and encrypted bytes in base64 string format.</returns> public async Task <byte[]> WrapKeyAsync( byte[] key, KeyVaultKeyUriProperties keyVaultUriProperties, CancellationToken cancellationToken = default(CancellationToken)) { WrapResult keyOpResult; // Get a Crypto Client for Wrap and UnWrap,this gets init per Key ID CryptographyClient cryptoClient = await this.GetCryptoClientAsync(keyVaultUriProperties, cancellationToken); try { keyOpResult = await cryptoClient.WrapKeyAsync(KeyVaultConstants.RsaOaep256, key, cancellationToken); } catch (RequestFailedException ex) { throw new KeyVaultAccessException( ex.Status, ex.ErrorCode, "WrapKeyAsync: Failed to Wrap the data encryption key.", ex); } return(keyOpResult.EncryptedKey); }
/// <inheritdoc /> public override async Task <EncryptionKeyWrapResult> WrapKeyAsync( byte[] key, EncryptionKeyWrapMetadata metadata, CancellationToken cancellationToken) { if (metadata.Type != AzureKeyVaultKeyWrapMetadata.TypeConstant) { throw new ArgumentException("Invalid metadata", nameof(metadata)); } if (!KeyVaultKeyUriProperties.TryParse(new Uri(metadata.Value), out KeyVaultKeyUriProperties keyVaultUriProperties)) { throw new ArgumentException("KeyVault Key Uri {0} is invalid.", metadata.Value); } if (!await this.keyVaultAccessClient.ValidatePurgeProtectionAndSoftDeleteSettingsAsync(keyVaultUriProperties, cancellationToken)) { throw new ArgumentException(string.Format("Key Vault {0} provided must have soft delete and purge protection enabled.", keyVaultUriProperties.KeyUri)); } byte[] result = await this.keyVaultAccessClient.WrapKeyAsync(key, keyVaultUriProperties, cancellationToken); EncryptionKeyWrapMetadata responseMetadata = new EncryptionKeyWrapMetadata( type: metadata.Type, value: metadata.Value, algorithm: KeyVaultConstants.RsaOaep256); return(new EncryptionKeyWrapResult(result, responseMetadata)); }
/// <inheritdoc /> public override async Task <EncryptionKeyUnwrapResult> UnwrapKeyAsync( byte[] wrappedKey, EncryptionKeyWrapMetadata metadata, CancellationToken cancellationToken) { if (metadata.Type != AzureKeyVaultKeyWrapMetadata.TypeConstant) { throw new ArgumentException("Invalid metadata", nameof(metadata)); } if (metadata.Algorithm != KeyVaultConstants.RsaOaep256) { throw new ArgumentException( string.Format("Unknown encryption key wrap algorithm {0}", metadata.Algorithm), nameof(metadata)); } if (!KeyVaultKeyUriProperties.TryParse(new Uri(metadata.Value), out KeyVaultKeyUriProperties keyVaultUriProperties)) { throw new ArgumentException("KeyVault Key Uri {0} is invalid.", metadata.Value); } byte[] result = await this.keyVaultAccessClient.UnwrapKeyAsync(wrappedKey, keyVaultUriProperties, cancellationToken); return(new EncryptionKeyUnwrapResult(result, this.rawDekCacheTimeToLive)); }
public static bool TryParse(Uri keyUri, out KeyVaultKeyUriProperties keyVaultUriProperties) { keyVaultUriProperties = null; if (!((keyUri.Segments.Length == 4) && string.Equals(keyUri.Segments[1], KeyVaultConstants.KeysSegment, StringComparison.InvariantCultureIgnoreCase))) { return(false); } keyVaultUriProperties = new KeyVaultKeyUriProperties(keyUri); keyVaultUriProperties.KeyName = keyVaultUriProperties.KeyUri.Segments[2].TrimEnd('/'); keyVaultUriProperties.KeyVersion = keyVaultUriProperties.KeyUri.Segments[3]; keyVaultUriProperties.KeyVaultUri = new Uri(keyVaultUriProperties.KeyUri.GetLeftPart(UriPartial.Scheme | UriPartial.Authority)); return(true); }
/// <summary> /// Obtains the KeyClient to retrieve keys from Keyvault. /// </summary> /// <param name="keyVaultUriProperties"> Parsed key Vault Uri Properties. </param> /// <param name="cancellationToken"> cancellation token </param> /// <returns> Key Client </returns> private async Task <KeyClient> GetAkvClientAsync( KeyVaultKeyUriProperties keyVaultUriProperties, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); // Called once per KEYVALTNAME // Eg:https://KEYVALTNAME.vault.azure.net/ KeyClient akvClient = await this.akvClientCache.GetAsync( key : keyVaultUriProperties.KeyVaultUri, obsoleteValue : null, singleValueInitFunc : async() => { TokenCredential tokenCred = await this.keyVaultTokenCredentialFactory.GetTokenCredentialAsync(keyVaultUriProperties.KeyUri, cancellationToken); return(this.keyClientFactory.GetKeyClient(keyVaultUriProperties, tokenCred)); }, cancellationToken : cancellationToken); return(akvClient); }
/// <summary> /// Obtains the Crypto Client for Wrap/UnWrap. /// </summary> /// <param name="keyVaultUriProperties"> Parsed key Vault Uri Properties. </param> /// <param name="cancellationToken"> cancellation token </param> /// <returns> CryptographyClient </returns> private async Task <CryptographyClient> GetCryptoClientAsync( KeyVaultKeyUriProperties keyVaultUriProperties, CancellationToken cancellationToken) { cancellationToken.ThrowIfCancellationRequested(); // Get a Crypto Client for Wrap and UnWrap,this gets init per Key Version // Cache it against the KeyVersion/KeyId // Eg: :https://KEYVAULTNAME.vault.azure.net/keys/keyname/KEYID CryptographyClient cryptoClient = await this.akvCryptoClientCache.GetAsync( key : keyVaultUriProperties.KeyUri, obsoleteValue : null, singleValueInitFunc : async() => { // we need to acquire the Client Cert Creds for cases where we directly access Crypto Services. TokenCredential tokenCred = await this.keyVaultTokenCredentialFactory.GetTokenCredentialAsync(keyVaultUriProperties.KeyUri, cancellationToken); return(this.cryptographyClientFactory.GetCryptographyClient(keyVaultUriProperties, tokenCred)); }, cancellationToken : cancellationToken); return(cryptoClient); }
public virtual KeyClient GetKeyClient(KeyVaultKeyUriProperties keyVaultKeyUriProperties, TokenCredential tokenCredential) { return(new KeyClient(keyVaultKeyUriProperties.KeyVaultUri, tokenCredential)); }
public virtual CryptographyClient GetCryptographyClient(KeyVaultKeyUriProperties keyVaultKeyUriProperties, TokenCredential tokenCredential) { return(new CryptographyClient(keyVaultKeyUriProperties.KeyUri, tokenCredential)); }