dotnet · dtivel · Feb 13, 2025 · Dec 11, 2024 · Dec 11, 2024 · Dec 11, 2024
@@ -13,6 +13,7 @@
     <PackageVersion Include="coverlet.collector" Version="6.0.2" />
     <PackageVersion Include="Microsoft.AspNetCore.Server.Kestrel" Version="2.3.0" />
     <PackageVersion Include="Microsoft.Dynamics.BusinessCentral.Sip.Main" Version="24.0.15760" />
+    <PackageVersion Include="Microsoft.Extensions.Azure" Version="1.10.0" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="9.0.1" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Json" Version="9.0.1" />
     <PackageVersion Include="Microsoft.Extensions.FileSystemGlobbing" Version="9.0.1" />

@@ -6,6 +6,12 @@
 using System.CommandLine.Invocation;
 using System.CommandLine.IO;
 using Azure.Core;
+using Azure.Security.KeyVault.Certificates;
+using Azure.Security.KeyVault.Keys;
+using Azure.Security.KeyVault.Keys.Cryptography;
+using Microsoft.Extensions.Azure;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Sign.Core;
 using Sign.SignatureProviders.KeyVault;
 
@@ -65,7 +71,48 @@ internal AzureKeyVaultCommand(CodeCommand codeCommand, IServiceProviderFactory s
                 Uri url = context.ParseResult.GetValueForOption(UrlOption)!;
                 string certificateId = context.ParseResult.GetValueForOption(CertificateOption)!;
 
-                KeyVaultServiceProvider keyVaultServiceProvider = new(credential, url, certificateId);
+                // Construct the URI for the certificate and the key from user parameters. We'll validate those with the SDK
+                var certUri = new Uri($"{url.Scheme}://{url.Authority}/certificates/{certificateId}");
+
+                if (!KeyVaultCertificateIdentifier.TryCreate(certUri, out var certId))
+                {
+                    context.Console.Error.WriteLine(AzureKeyVaultResources.InvalidKeyVaultUrl);
+                    context.ExitCode = ExitCode.InvalidOptions;
+                    return;
+                }
+
+                // The key uri is similar and the key name matches the certificate name
+                var keyUri = new Uri($"{url.Scheme}://{url.Authority}/keys/{certificateId}");
+
+                if (!KeyVaultKeyIdentifier.TryCreate(certUri, out var keyId))
+                {
+                    context.Console.Error.WriteLine(AzureKeyVaultResources.InvalidKeyVaultUrl);
+                    context.ExitCode = ExitCode.InvalidOptions;
+                    return;
+                }
+
+                serviceProviderFactory.AddServices(services =>
+                {
+                    services.AddAzureClients(builder =>
+                    {
+                        builder.AddCertificateClient(certId.VaultUri);
+                        builder.AddKeyClient(keyId.VaultUri);
+                        builder.UseCredential(credential);
+                        builder.ConfigureDefaults(options => options.Retry.Mode = RetryMode.Exponential);
+                    });
+
+                    services.AddSingleton<KeyVaultService>(serviceProvider =>
+                    {
+                        return new KeyVaultService(
+                            serviceProvider.GetRequiredService<CertificateClient>(),
+                            serviceProvider.GetRequiredService<CryptographyClient>(),
+                            certId.Name,
+                            serviceProvider.GetRequiredService<ILogger<KeyVaultService>>());
+                    });
+                });
+
+                KeyVaultServiceProvider keyVaultServiceProvider = new();
+
                 await codeCommand.HandleAsync(context, serviceProviderFactory, keyVaultServiceProvider, fileArgument);
             });
         }

@@ -126,6 +126,9 @@
   <data name="CommandDescription" xml:space="preserve">
     <value>Use Azure Key Vault.</value>
   </data>
+  <data name="InvalidKeyVaultUrl" xml:space="preserve">
+    <value>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</value>
+  </data>
   <data name="UrlOptionDescription" xml:space="preserve">
     <value>URL to an Azure Key Vault.</value>
   </data>

@@ -5,7 +5,12 @@
 using System.CommandLine;
 using System.CommandLine.Invocation;
 using System.CommandLine.IO;
+using Azure.CodeSigning;
+using Azure.CodeSigning.Extensions;
 using Azure.Core;
+using Microsoft.Extensions.Azure;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
 using Sign.Core;
 using Sign.SignatureProviders.TrustedSigning;
 
@@ -49,6 +54,7 @@ internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory
                 }
 
                 TokenCredential? credential = AzureCredentialOptions.CreateTokenCredential(context);
+
                 if (credential is null)
                 {
                     return;
@@ -60,7 +66,26 @@ internal TrustedSigningCommand(CodeCommand codeCommand, IServiceProviderFactory
                 string accountName = context.ParseResult.GetValueForOption(AccountOption)!;
                 string certificateProfileName = context.ParseResult.GetValueForOption(CertificateProfileOption)!;
 
-                TrustedSigningServiceProvider trustedSigningServiceProvider = new(credential, endpointUrl, accountName, certificateProfileName);
+                serviceProviderFactory.AddServices(services =>
+                {
+                    services.AddAzureClients(builder =>
+                    {
+                        builder.AddCertificateProfileClient(endpointUrl);
+                        builder.UseCredential(credential);
+                        builder.ConfigureDefaults(options => options.Retry.Mode = RetryMode.Exponential);
+                    });
+
+                    services.AddSingleton<TrustedSigningService>(serviceProvider =>
+                    {
+                        return new TrustedSigningService(
+                            serviceProvider.GetRequiredService<CertificateProfileClient>(),
+                            accountName,
+                            certificateProfileName,
+                            serviceProvider.GetRequiredService<ILogger<TrustedSigningService>>());
+                    });
+                });
+
+                TrustedSigningServiceProvider trustedSigningServiceProvider = new();
 
                 await codeCommand.HandleAsync(context, serviceProviderFactory, trustedSigningServiceProvider, fileArgument);
             });

@@ -17,6 +17,11 @@
         <target state="translated">Použijte Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Adresa URL Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Verwenden Sie Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL zu einem Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Use Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Dirección URL a un Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Utilisez Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL d’un Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Usare Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL a un Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Azure Key Vault を使用してください。</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault への URL。</target>

@@ -17,6 +17,11 @@
         <target state="translated">Azure Key Vault를 사용합니다.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault에 대한 URL입니다.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Użyj usługi Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Adres URL do usługi Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Use o Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL para um Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Использование Azure Key Vault.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">URL-адрес для Azure Key Vault.</target>

@@ -17,6 +17,11 @@
         <target state="translated">Azure Key Vault’u kullanın.</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault URL’si.</target>

@@ -17,6 +17,11 @@
         <target state="translated">使用 Azure Key Vault。</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">指向 Azure Key Vault 的 URL。</target>

@@ -17,6 +17,11 @@
         <target state="translated">使用 Azure Key Vault。</target>
         <note />
       </trans-unit>
+      <trans-unit id="InvalidKeyVaultUrl">
+        <source>URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</source>
+        <target state="new">URL must only contain the protocol and host. (e.g.: https://&lt;vault-name&gt;.vault.azure.net/)</target>
+        <note />
+      </trans-unit>
       <trans-unit id="UrlOptionDescription">
         <source>URL to an Azure Key Vault.</source>
         <target state="translated">Azure Key Vault 的 URL。</target>

@@ -111,7 +111,7 @@ await Parallel.ForEachAsync(files, async (file, state) =>
                     {
                         string message = string.Format(CultureInfo.CurrentCulture, Resources.SigningFailed, file.FullName);
 
-                        throw new Exception(message);
+                        throw new SigningException(message);
                     }
                 });
             }

@@ -13,5 +13,7 @@ IServiceProvider Create(
             LogLevel logLevel = LogLevel.Information,
             ILoggerProvider? loggerProvider = null,
             Action<IServiceCollection>? addServices = null);
+
+        void AddServices(Action<IServiceCollection> addServices);
     }
-}
+}
@@ -9,12 +9,27 @@ namespace Sign.Core
 {
     internal sealed class ServiceProviderFactory : IServiceProviderFactory
     {
+        private Action<IServiceCollection>? _addServices;
+
         public IServiceProvider Create(
             LogLevel logLevel = LogLevel.Information,
             ILoggerProvider? loggerProvider = null,
             Action<IServiceCollection>? addServices = null)
         {
+
+            if (_addServices is not null)
+            {
+                addServices += _addServices;
+            }
+
             return ServiceProvider.CreateDefault(logLevel, loggerProvider, addServices);
         }
+
+        public void AddServices(Action<IServiceCollection> addServices)
+        {
+            ArgumentNullException.ThrowIfNull(addServices, nameof(addServices));
+
+            _addServices += addServices;
+        }
     }
-}
+}
@@ -8,6 +8,7 @@
   <ItemGroup>
     <PackageReference Include="AzureSign.Core" PrivateAssets="analyzers;build;compile;contentfiles" />
     <PackageReference Include="Microsoft.Dynamics.BusinessCentral.Sip.Main" />
+    <PackageReference Include="Microsoft.Extensions.Azure" />
     <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" />
     <PackageReference Include="Microsoft.Extensions.Configuration.Json" />
     <PackageReference Include="Microsoft.Extensions.FileSystemGlobbing" />

@@ -167,6 +167,11 @@ await Parallel.ForEachAsync(inputFiles, parallelOptions, async (input, token) =>
                 _logger.LogError(e, e.Message);
                 return ExitCode.Failed;
             }
+            catch (SigningException)
+            {
+                _logger.LogError(Resources.SigningFailedAfterAllAttempts);
+                return ExitCode.Failed;
+            }
             catch (Exception e)
             {
                 _logger.LogError(e, e.Message);
@@ -186,4 +191,4 @@ private static string ExpandFilePath(DirectoryInfo baseDirectory, string file)
             return file;
         }
     }
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -111,7 +111,7 @@ await Parallel.ForEachAsync(files, async (file, state) => @@
                         {
                             string message = string.Format(CultureInfo.CurrentCulture, Resources.SigningFailed, file.FullName);
-                            throw new Exception(message);
+                            throw new SigningException(message);
                         }
                     });
                 }
@@ Expand Down @@