rsakeyvaultprovider's People

Contributors

arhandres, clairernovotny, dependabot-preview[bot], dependabot[bot], kevinchalet, vcsjones

rsakeyvaultprovider's Issues

Migration from 1.1.57 to 2.1.1

I'm using v1.1.57 of the package. Is there instruction or docs on how to upgrade to the latest one?
Before I could:

CertificateBundle certificateBundle = await _keyVaultClient.GetCertificateAsync(_options.KeyVaultUrl, _options.RootCertificateId);
using var issuerCertificate = new X509Certificate2(certificateBundle.Cer);

using var rsaKeyVault = _keyVaultClient.ToRSA(certificateBundle.KeyIdentifier, issuerCertificate);

with 2.1.1 it says

'KeyVaultClient' does not contain a definition for 'ToRSA' and no accessible extension method 'ToRSA' accepting a first argument of type 'KeyVaultClient' could be found (are you missing a using directive or an assembly reference?)

Could you please suggest how to do the same with the new version?

Is it safe to keep the KeyVaultClient for long?

Hi,
I have a question regarding the disposability of KeyVaultClient:
The KeyVaultContext struct keeps a KeyVaultClient for its internal SignDigestAsync and DecryptDataAsync, and the RSAKeyVault keeps a KeyVaultContext inside.
All the "ToRSA" extension methods construct an RSAKeyVault with a KeyVaultContext, which means the KeyVaultClient should live along with the RSAKeyVault.
If the RSAKeyVault is used in a "singleton" manner, then is it impossible to dispose of the KeyVaultClient?

Is it safe to keep the KeyVaultClient for long, for example for the whole lifetime of the w3wp process?

Question: use RSAKeyVault with SigningCredentials

Hi Novotny,
I have a piece of code that uses SigningCredentials, which in turn uses X509AsymmetricSecurityKey:

new SigningCredentials(new X509AsymmetricSecurityKey(cert), securityAlgorithmSuite.DefaultAsymmetricSignatureAlgorithm, securityAlgorithmSuite.DefaultDigestAlgorithm, ski);

.NET's implementation of X509AsymmetricSecurityKey needs a full certificate. However, I'd like to perform the signing and decrypt operations in Azure Key Vault to avoid fetching private keys into the application's memory. Do you happen to know if there is any sample code, or is there a good approach? One approach I can think of at the moment is to write an AzureKeyVaultX509AsymmetricSecurityKey and use your RSAKeyVault internally, i.e. to return it from

public override AsymmetricAlgorithm GetAsymmetricAlgorithm(string algorithm, bool privateKey)

Thanks for reading 😄

Dependencies not current

Most relevant to dotnet/sign is netstandard2.0 for RSAKeyVaultProvider and its dependency on Azure.Security.KeyVault.Keys.

E:\git\RSAKeyVaultProvider>dotnet list package --outdated

The following sources were used:
   https://api.nuget.org/v3/index.json
   C:\Program Files (x86)\Microsoft SDKs\NuGetPackages\
   https://dnceng.pkgs.visualstudio.com/public/_packaging/dotnet7/nuget/v3/index.json
   https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-eng/nuget/v3/index.json

Project `RSAKeyVaultProvider` has the following updates to its packages
   [netstandard2.0]:
   Top-level Package                   Requested   Resolved   Latest
   > Azure.Security.KeyVault.Keys      4.2.0       4.2.0      4.4.0
   > Microsoft.SourceLink.GitHub       1.0.0       1.0.0      1.1.1
   > Nerdbank.GitVersioning            3.4.231     3.4.231    3.5.119

Project `RSAKeyVaultProvider.Tests` has the following updates to its packages
   [netcoreapp2.1]:
   Top-level Package                                      Requested   Resolved   Latest
   > Azure.Identity                                       1.4.0       1.4.0      1.8.0
   > Azure.Security.KeyVault.Certificates                 4.2.0       4.2.0      4.4.0
   > Microsoft.IdentityModel.Clients.ActiveDirectory      5.2.9       5.2.9      5.3.0
   > Microsoft.NET.Test.Sdk                               16.10.0     16.10.0    17.4.1
   > Microsoft.SourceLink.GitHub                          1.0.0       1.0.0      1.1.1
   > Nerdbank.GitVersioning                               3.4.231     3.4.231    3.5.119
   > Newtonsoft.Json                                      13.0.1      13.0.1     13.0.2
   > xunit                                                2.4.1       2.4.1      2.4.2
   > xunit.runner.visualstudio                            2.4.3       2.4.3      2.4.5

   [net47]:
   Top-level Package                                      Requested   Resolved   Latest
   > Azure.Identity                                       1.4.0       1.4.0      1.8.0
   > Azure.Security.KeyVault.Certificates                 4.2.0       4.2.0      4.4.0
   > Microsoft.IdentityModel.Clients.ActiveDirectory      5.2.9       5.2.9      5.3.0
   > Microsoft.NET.Test.Sdk                               16.10.0     16.10.0    17.4.1
   > Microsoft.SourceLink.GitHub                          1.0.0       1.0.0      1.1.1
   > Nerdbank.GitVersioning                               3.4.231     3.4.231    3.5.119
   > Newtonsoft.Json                                      13.0.1      13.0.1     13.0.2
   > xunit                                                2.4.1       2.4.1      2.4.2
   > xunit.runner.visualstudio                            2.4.3       2.4.3      2.4.5

Issue when signing a digest with EC curve secP256k1

Since it is EC and the key length is 256 bits, SignatureAlgorithmToJwsAlgId returns the SignatureAlgorithm.ES256 algorithm to be used in Key Vault, while the correct one would be SignatureAlgorithm.ES256K.

Not sure how to do that identification in a neat way, to be honest. Maybe you guys know how to do it?
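As an added example for the curve identification asked about above (not the library's own code): select the Key Vault algorithm from the key's named curve, identified by OID or curve name, rather than from the key size, because P-256 and secP256k1 are both 256-bit curves. It assumes the SignatureAlgorithm values from Azure.Security.KeyVault.Keys.Cryptography and the curve OIDs and friendly names listed in the code.

```csharp
using System;
using System.Security.Cryptography;
using Azure.Security.KeyVault.Keys.Cryptography;

// Added example: pick the Key Vault signing algorithm from the curve, not the key size.
// Assumes the SignatureAlgorithm members below exist in Azure.Security.KeyVault.Keys.Cryptography.
public static class CurveToJwsAlgorithm
{
    // Well-known curve OIDs (RFC 5480 / SEC 2). secP256k1 has the same 256-bit size as P-256
    // but is a different curve, so a size-based mapping cannot tell them apart.
    private const string OidP256      = "1.2.840.10045.3.1.7";
    private const string OidP384      = "1.3.132.0.34";
    private const string OidP521      = "1.3.132.0.35";
    private const string OidSecp256k1 = "1.3.132.0.10";

    public static SignatureAlgorithm FromCurve(ECCurve curve)
    {
        if (!curve.IsNamed)
            throw new NotSupportedException("Only named curves are supported here.");

        // Depending on the platform only the OID value or only the friendly name
        // may be populated after ExportParameters, so check both (assumption).
        string oid  = curve.Oid?.Value ?? string.Empty;
        string name = (curve.Oid?.FriendlyName ?? string.Empty).ToLowerInvariant();

        if (oid == OidSecp256k1 || name == "secp256k1")
            return SignatureAlgorithm.ES256K;
        if (oid == OidP256 || name == "nistp256" || name == "ecdsa_p256" || name == "prime256v1")
            return SignatureAlgorithm.ES256;
        if (oid == OidP384 || name == "nistp384" || name == "ecdsa_p384" || name == "secp384r1")
            return SignatureAlgorithm.ES384;
        if (oid == OidP521 || name == "nistp521" || name == "ecdsa_p521" || name == "secp521r1")
            return SignatureAlgorithm.ES512;

        // Fail closed: never fall back to a size-based guess for an unknown curve.
        throw new NotSupportedException($"Unsupported curve: {curve.Oid?.FriendlyName ?? oid}");
    }

    // Convenience overload for a public key already loaded into .NET; only the
    // public parameters are needed to read the curve, so no private material is exported.
    public static SignatureAlgorithm FromKey(ECDsa key)
        => FromCurve(key.ExportParameters(false).Curve);
}
```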

Provide simple code example for signing cert (ECDSA)

Hi,

I'm trying to find a code example (ECDSA) that will help me create and sign a new certificate with an existing CA certificate (already uploaded to KV).

I don't fully get the flow; if I'm correct it should be:

  1. Create a private key directly in KV
  2. Locally create a CSR
  3. Send the digest of the CSR (how to extract it?) to the Sign() function of the private key
  4. Append the signature from the Sign() to the CSR
  5. Upload the certificate

Can anyone post a basic code sample for that scenario?

Also, I'm not sure if this library is supported by the new "Azure.Security.KeyVault.Certificates" libraries instead of the older "Microsoft.Azure.KeyVault".

Thanks a lot for your help
