示例#1
0
        /// <summary>
        /// Validate the Purge Protection AndSoft Delete Settings.
        /// </summary>
        /// <param name="keyVaultUriProperties">Parsed key Vault Uri Properties. </param>
        /// <param name="cancellationToken">Cancellation token.</param>
        /// <returns>Whether The Customer has the correct Deletion Level. </returns>
        public async Task <bool> ValidatePurgeProtectionAndSoftDeleteSettingsAsync(
            KeyVaultKeyUriProperties keyVaultUriProperties,
            CancellationToken cancellationToken = default(CancellationToken))
        {
            KeyClient akvClient = await this.GetAkvClientAsync(keyVaultUriProperties, cancellationToken);

            try
            {
                KeyVaultKey getKeyResponse = await akvClient.GetKeyAsync(keyVaultUriProperties.KeyName, cancellationToken : cancellationToken);

                string keyDeletionRecoveryLevel = getKeyResponse?.Properties?.RecoveryLevel;

                if (!string.IsNullOrEmpty(keyDeletionRecoveryLevel))
                {
                    return(keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.Recoverable) ||
                           keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.RecoverableProtectedSubscription) ||
                           keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.CustomizedRecoverable) ||
                           keyDeletionRecoveryLevel.Contains(KeyVaultConstants.DeletionRecoveryLevel.CustomizedRecoverableProtectedSubscription));
                }
                else
                {
                    return(false);
                }
            }
            catch (RequestFailedException ex)
            {
                throw new KeyVaultAccessException(
                          ex.Status,
                          ex.ErrorCode,
                          "ValidatePurgeProtectionAndSoftDeleteSettingsAsync: Failed to fetch Key from Key Vault.",
                          ex);
            }
        }
示例#2
0
        /// <summary>
        /// Wrap the Key with latest Key version.
        /// Only supports bytes in base64 format.
        /// </summary>
        /// <param name="key">plain text key.</param>
        /// <param name="keyVaultUriProperties">Parsed key Vault Uri Properties.Properties as in sample Format: https://{keyvault-name}.vault.azure.net/keys/{key-name}/{key-version}.</param>
        /// <param name="cancellationToken">Cancellation token.</param>
        /// <returns>Result including KeyIdentifier and encrypted bytes in base64 string format.</returns>
        public async Task <byte[]> WrapKeyAsync(
            byte[] key,
            KeyVaultKeyUriProperties keyVaultUriProperties,
            CancellationToken cancellationToken = default(CancellationToken))
        {
            WrapResult keyOpResult;

            // Get a Crypto Client for Wrap and UnWrap,this gets init per Key ID
            CryptographyClient cryptoClient = await this.GetCryptoClientAsync(keyVaultUriProperties, cancellationToken);

            try
            {
                keyOpResult = await cryptoClient.WrapKeyAsync(KeyVaultConstants.RsaOaep256, key, cancellationToken);
            }
            catch (RequestFailedException ex)
            {
                throw new KeyVaultAccessException(
                          ex.Status,
                          ex.ErrorCode,
                          "WrapKeyAsync: Failed to Wrap the data encryption key.",
                          ex);
            }

            return(keyOpResult.EncryptedKey);
        }
示例#3
0
        /// <inheritdoc />
        public override async Task <EncryptionKeyWrapResult> WrapKeyAsync(
            byte[] key,
            EncryptionKeyWrapMetadata metadata,
            CancellationToken cancellationToken)
        {
            if (metadata.Type != AzureKeyVaultKeyWrapMetadata.TypeConstant)
            {
                throw new ArgumentException("Invalid metadata", nameof(metadata));
            }

            if (!KeyVaultKeyUriProperties.TryParse(new Uri(metadata.Value), out KeyVaultKeyUriProperties keyVaultUriProperties))
            {
                throw new ArgumentException("KeyVault Key Uri {0} is invalid.", metadata.Value);
            }

            if (!await this.keyVaultAccessClient.ValidatePurgeProtectionAndSoftDeleteSettingsAsync(keyVaultUriProperties, cancellationToken))
            {
                throw new ArgumentException(string.Format("Key Vault {0} provided must have soft delete and purge protection enabled.", keyVaultUriProperties.KeyUri));
            }

            byte[] result = await this.keyVaultAccessClient.WrapKeyAsync(key, keyVaultUriProperties, cancellationToken);

            EncryptionKeyWrapMetadata responseMetadata = new EncryptionKeyWrapMetadata(
                type: metadata.Type,
                value: metadata.Value,
                algorithm: KeyVaultConstants.RsaOaep256);

            return(new EncryptionKeyWrapResult(result, responseMetadata));
        }
示例#4
0
        /// <inheritdoc />
        public override async Task <EncryptionKeyUnwrapResult> UnwrapKeyAsync(
            byte[] wrappedKey,
            EncryptionKeyWrapMetadata metadata,
            CancellationToken cancellationToken)
        {
            if (metadata.Type != AzureKeyVaultKeyWrapMetadata.TypeConstant)
            {
                throw new ArgumentException("Invalid metadata", nameof(metadata));
            }

            if (metadata.Algorithm != KeyVaultConstants.RsaOaep256)
            {
                throw new ArgumentException(
                          string.Format("Unknown encryption key wrap algorithm {0}", metadata.Algorithm),
                          nameof(metadata));
            }

            if (!KeyVaultKeyUriProperties.TryParse(new Uri(metadata.Value), out KeyVaultKeyUriProperties keyVaultUriProperties))
            {
                throw new ArgumentException("KeyVault Key Uri {0} is invalid.", metadata.Value);
            }

            byte[] result = await this.keyVaultAccessClient.UnwrapKeyAsync(wrappedKey, keyVaultUriProperties, cancellationToken);

            return(new EncryptionKeyUnwrapResult(result, this.rawDekCacheTimeToLive));
        }
示例#5
0
        public static bool TryParse(Uri keyUri, out KeyVaultKeyUriProperties keyVaultUriProperties)
        {
            keyVaultUriProperties = null;

            if (!((keyUri.Segments.Length == 4) && string.Equals(keyUri.Segments[1], KeyVaultConstants.KeysSegment, StringComparison.InvariantCultureIgnoreCase)))
            {
                return(false);
            }

            keyVaultUriProperties             = new KeyVaultKeyUriProperties(keyUri);
            keyVaultUriProperties.KeyName     = keyVaultUriProperties.KeyUri.Segments[2].TrimEnd('/');
            keyVaultUriProperties.KeyVersion  = keyVaultUriProperties.KeyUri.Segments[3];
            keyVaultUriProperties.KeyVaultUri = new Uri(keyVaultUriProperties.KeyUri.GetLeftPart(UriPartial.Scheme | UriPartial.Authority));

            return(true);
        }
示例#6
0
        /// <summary>
        /// Obtains the KeyClient to retrieve keys from Keyvault.
        /// </summary>
        /// <param name="keyVaultUriProperties"> Parsed key Vault Uri Properties. </param>
        /// <param name="cancellationToken"> cancellation token </param>
        /// <returns> Key Client </returns>
        private async Task <KeyClient> GetAkvClientAsync(
            KeyVaultKeyUriProperties keyVaultUriProperties,
            CancellationToken cancellationToken)
        {
            cancellationToken.ThrowIfCancellationRequested();

            // Called once per KEYVALTNAME
            // Eg:https://KEYVALTNAME.vault.azure.net/
            KeyClient akvClient = await this.akvClientCache.GetAsync(
                key : keyVaultUriProperties.KeyVaultUri,
                obsoleteValue : null,
                singleValueInitFunc : async() =>
            {
                TokenCredential tokenCred = await this.keyVaultTokenCredentialFactory.GetTokenCredentialAsync(keyVaultUriProperties.KeyUri, cancellationToken);
                return(this.keyClientFactory.GetKeyClient(keyVaultUriProperties, tokenCred));
            },
                cancellationToken : cancellationToken);

            return(akvClient);
        }
示例#7
0
        /// <summary>
        /// Obtains the Crypto Client for Wrap/UnWrap.
        /// </summary>
        /// <param name="keyVaultUriProperties"> Parsed key Vault Uri Properties. </param>
        /// <param name="cancellationToken"> cancellation token </param>
        /// <returns> CryptographyClient </returns>
        private async Task <CryptographyClient> GetCryptoClientAsync(
            KeyVaultKeyUriProperties keyVaultUriProperties,
            CancellationToken cancellationToken)
        {
            cancellationToken.ThrowIfCancellationRequested();

            // Get a Crypto Client for Wrap and UnWrap,this gets init per Key Version
            // Cache it against the KeyVersion/KeyId
            // Eg: :https://KEYVAULTNAME.vault.azure.net/keys/keyname/KEYID
            CryptographyClient cryptoClient = await this.akvCryptoClientCache.GetAsync(
                key : keyVaultUriProperties.KeyUri,
                obsoleteValue : null,
                singleValueInitFunc : async() =>
            {
                // we need to acquire the Client Cert Creds for cases where we directly access Crypto Services.
                TokenCredential tokenCred = await this.keyVaultTokenCredentialFactory.GetTokenCredentialAsync(keyVaultUriProperties.KeyUri, cancellationToken);
                return(this.cryptographyClientFactory.GetCryptographyClient(keyVaultUriProperties, tokenCred));
            },
                cancellationToken : cancellationToken);

            return(cryptoClient);
        }
示例#8
0
 public virtual KeyClient GetKeyClient(KeyVaultKeyUriProperties keyVaultKeyUriProperties, TokenCredential tokenCredential)
 {
     return(new KeyClient(keyVaultKeyUriProperties.KeyVaultUri, tokenCredential));
 }
示例#9
0
 public virtual CryptographyClient GetCryptographyClient(KeyVaultKeyUriProperties keyVaultKeyUriProperties, TokenCredential tokenCredential)
 {
     return(new CryptographyClient(keyVaultKeyUriProperties.KeyUri, tokenCredential));
 }