From aa5e266bddead667fd26aa24ca3453fdcddf72e9 Mon Sep 17 00:00:00 2001
From: Yash
Date: Tue, 25 Nov 2025 17:46:09 +1100
Subject: [PATCH] Added Encryption Changes
---
 src/KeyVault/KeyVault/Az.KeyVault.psd1 | 2 +-
 src/KeyVault/KeyVault/ChangeLog.md | 2 +
 src/KeyVault/KeyVault/KeyVault.csproj | 1 -
 .../KeyVault/SecurityDomain/Models/CertKey.cs | 64 ++++---------------
 .../Track2KeyVaultDataServiceClient.cs | 1 -
 5 files changed, 16 insertions(+), 54 deletions(-)
diff --git a/src/KeyVault/KeyVault/Az.KeyVault.psd1 b/src/KeyVault/KeyVault/Az.KeyVault.psd1
index 1ac9b1154be6..cdca556c0765 100644
--- a/src/KeyVault/KeyVault/Az.KeyVault.psd1
+++ b/src/KeyVault/KeyVault/Az.KeyVault.psd1
@@ -58,7 +58,7 @@ RequiredModules = @(@{ModuleName = 'Az.Accounts'; ModuleVersion = '5.3.1'; }) # Assemblies that must be loaded prior to importing this module RequiredAssemblies = 'Azure.Security.KeyVault.Administration.dll', 'Azure.Security.KeyVault.Certificates.dll', - 'Azure.Security.KeyVault.Keys.dll', 'BouncyCastle.Crypto.dll', + 'Azure.Security.KeyVault.Keys.dll', 'KeyVault.Autorest/bin/Az.KeyVault.private.dll', 'Microsoft.Azure.KeyVault.dll', 'Microsoft.Azure.KeyVault.WebKey.dll',
diff --git a/src/KeyVault/KeyVault/ChangeLog.md b/src/KeyVault/KeyVault/ChangeLog.md
index 4abf88077b51..224f7bc6d940 100644
--- a/src/KeyVault/KeyVault/ChangeLog.md
+++ b/src/KeyVault/KeyVault/ChangeLog.md
@@ -18,6 +18,8 @@ - Additional information about change #1 --> ## Upcoming Release +* Updated security domain PEM key handling to use built-in .NET cryptography instead of Portable.BouncyCastle - Maintains support for standard PKCS#1 and PKCS#8 keys while resolving the CodeQL cs/use-approved-crypto-library finding ## Version 6.4.1 * Updated Azure.Core from 1.45.0 to 1.47.3
diff --git a/src/KeyVault/KeyVault/KeyVault.csproj b/src/KeyVault/KeyVault/KeyVault.csproj
index dd2fa52e82f1..3335ec3f91f7 100644
--- a/src/KeyVault/KeyVault/KeyVault.csproj
+++ b/src/KeyVault/KeyVault/KeyVault.csproj
@@ -15,7 +15,6 @@ -
diff --git a/src/KeyVault/KeyVault/SecurityDomain/Models/CertKey.cs b/src/KeyVault/KeyVault/SecurityDomain/Models/CertKey.cs
index 6fff1d5ab6bc..8a178f7e5431 100644
--- a/src/KeyVault/KeyVault/SecurityDomain/Models/CertKey.cs
+++ b/src/KeyVault/KeyVault/SecurityDomain/Models/CertKey.cs
@@ -1,6 +1,4 @@
 using Microsoft.Azure.Commands.KeyVault.SecurityDomain.Common;
-using Org.BouncyCastle.Crypto.Parameters;
-using Org.BouncyCastle.OpenSsl;
 using System;
 using System.IO;
 using System.Runtime.InteropServices;
@@ -51,61 +49,25 @@ public void Load(KeyPath path) static RSAParameters RsaParamsFromPem(string path, string password) { - using (var stream = File.OpenText(path)) - { - var reader = string.IsNullOrEmpty(password) ? new PemReader(stream) : new PemReader(stream, new PasswordFinder(password)); - var keyParameters = reader.ReadObject() as RsaPrivateCrtKeyParameters; + string pem = File.ReadAllText(path); - return ToRSAParameters(keyParameters); - } - } - - static RSAParameters ToRSAParameters(RsaPrivateCrtKeyParameters privKey) - { - RSAParameters rp = new RSAParameters + using (RSA rsa = RSA.Create()) { - Modulus = privKey.Modulus.ToByteArrayUnsigned(), - Exponent = privKey.PublicExponent.ToByteArrayUnsigned(), - P = privKey.P.ToByteArrayUnsigned(), - Q = privKey.Q.ToByteArrayUnsigned() - }; - rp.D = ConvertRSAParametersField(privKey.Exponent, rp.Modulus.Length); - rp.DP = ConvertRSAParametersField(privKey.DP, rp.P.Length); - rp.DQ = ConvertRSAParametersField(privKey.DQ, rp.Q.Length); - rp.InverseQ = ConvertRSAParametersField(privKey.QInv, rp.Q.Length); - return rp; - } - - - static byte[] ConvertRSAParametersField(Org.BouncyCastle.Math.BigInteger n, int size) - { - byte[] bs = n.ToByteArrayUnsigned(); - if (bs.Length == size) - return bs; - if (bs.Length > size) - throw new ArgumentException("Specified size too small", "size"); - byte[] padded = new byte[size]; - Array.Copy(bs, 0, padded, size - bs.Length, bs.Length); - return padded; + if (string.IsNullOrEmpty(password)) + { + rsa.ImportFromPem(pem); + } + else + { + rsa.ImportFromEncryptedPem(pem, password); + } + + return rsa.ExportParameters(true); + } } X509Certificate2 _cert; RSA _key; byte[] _thumbprint; - - private class PasswordFinder : IPasswordFinder - { - private readonly string _password; - - public PasswordFinder(string password) - { - _password = password; - } - - public char[] GetPassword() - { - return _password.ToCharArray(); - } - } } } \ No newline at end of file 
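Review bot: The encrypted branch `rsa.ImportFromEncryptedPem(pem, password)` only accepts a PKCS#8 `ENCRYPTED PRIVATE KEY` block, so a legacy OpenSSL `RSA PRIVATE KEY` carrying `Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers — which the removed BouncyCastle PemReader/PasswordFinder path did decrypt — now fails with a generic CryptographicException that gives the user no hint why. Consider detecting that header before the import and failing with an actionable message, e.g. `if (pem.Contains("DEK-Info:")) throw new NotSupportedException("Legacy OpenSSL-encrypted PKCS#1 keys are not supported; convert the key to PKCS#8 (ENCRYPTED PRIVATE KEY) first.");`, and state the restriction in a `///` summary on `RsaParamsFromPem`: `/// Loads an RSA private key from a PEM file. Unencrypted PKCS#1 and PKCS#8 keys are accepted; encrypted keys must be PKCS#8 (ENCRYPTED PRIVATE KEY).` The ChangeLog entry's claim that PKCS#1 support is maintained should be qualified the same way. The old reader also appears to have tolerated a password supplied for an unencrypted key, whereas the new branch will throw; if callers can pass a password unconditionally, fall back to `ImportFromPem` when the text contains no encrypted block.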
diff --git a/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs b/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs
index e81f51db9a9d..ffdacc3da148 100644
--- a/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs
+++ b/src/KeyVault/KeyVault/Track2Models/Track2KeyVaultDataServiceClient.cs
@@ -2,7 +2,6 @@ using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.KeyVault.Models;
 using Microsoft.Azure.KeyVault.Models;
-using Org.BouncyCastle.X509;
 using System;
 using System.Collections;