my pfx file has been imported to Azure key vault, when I get it back as keybundle, it includes public key only.
How to use Azure key vault to sign PDF document by itextsharp
Key Vault does not export private keys, probably because this would break security requirements. You must compute a digest from a PDF region then call the Sign with a key REST API. You can also use the Key Vault .NET client for that. The signature algorithms supported by PDF version 1.6+ are also supported by Key Vault . Make sure you understand PDF signature details.
Related
Should the AES token signing key be unique for each content key policy per video?
Is it unsafe to use the same token signing key for all videos?
Media Services uses the specified key to dynamically encrypt your content
References:
https://learn.microsoft.com/en-us/azure/media-services/latest/protect-with-aes128
https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/master/AMSV3Tutorials/EncryptWithAES/Program.cs
private static byte[] TokenSigningKey = new byte[40];
// Generate a new random token signing key to use
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(TokenSigningKey);
//Create the content key policy that configures how the content key is delivered to end clients
// via the Key Delivery component of Azure Media Services.
ContentKeyPolicy policy = await GetOrCreateContentKeyPolicyAsync(client, config.ResourceGroup, config.AccountName, ContentKeyPolicyName);
Carlos,
if you are talking about the symmetric or asymmetric key for encrypting the JWT token issued to client for requesting AES decryption key or DRM licenses, generally no (in reality the key is not unique.)
For example, at any given time, Azure AD uses the same asymmetric key for ALL token encryption across the globe for all users. However, they change the key on a periodic basis. For more information, see https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover .
If you are using your own custom STS, you can choose to change the key over time like AAD.
thank you,
Julia
Carlos,
please also check out https://learn.microsoft.com/en-us/azure/media-services/latest/design-multi-drm-system-with-access-control#faqs
-Julia
When you use Open ID connect with Azure AD, the JWT issued token (id token) is signed with an asymmetric key. I saw the public key to verify that signature is available in the metadata file, https://login.microsoftonline.com/common/discovery/keys. However, I couldn't find any documentation about how those keys are generated. How can you change the keys that are available there or how can I specify a different key to sign the JWTs for my tenant ?
All sources and information suggests that this certificate roll over is done by Azure AD them self. Consumers are not able to do a manual roll over or put a certificate of their preference. This claim is supported by this answer. Also, please check this press release which mention a roll over happened in 2016
From your end you must be be ready to accept a rollover any time. Best practice is to fetch key information through discovery document. This is explained in the openid connect documentation
According to this piece of documentation, only way how to have your own signing key for your application, is custom claims mapping. Although description is very vague and instructions how to do it are scarce.
I have a public key of customer that I need to use to encrypt credentials and send to the customer to obtain an auth token that I will be using for all further communication with the customer services.
For testing purpose, I saved the public key into a file and I am able to successfully obtain the auth token.
Now, the question is, where do I need to store this key safely. Options that I can think of are web.config as it is not browsable, or keep it in a file. Both seems to be unsafe.
If I keep it in a file, can I save it into windows trusted store? If yes, how can I save it and since in the trusted store, I will have multiple such keys, how I will retrieve this particular key to encrypt the credentials next time when I need to encrypt.
I am using windows machine for production server and .NET to encrypt, just in case it makes difference.
I think you can encrypt this certificate with another rsa key pair. Save key and encrypted data in different platform. For example save encrypted data in db and save rsa key in file system in protected folder. Protected folder can be user directory which has application user. Encrypt certificate out of the platform with separate tool. Don't save your rsa private key in application system.
I am new to JWT tokens. I am able to create and verify JWT in Java (using JJWT) and even online using following link http://kjur.github.io/jsjws/tool_jwt.html.
BUT when I try to create JWT using one source and try to validate using another, it always fail. I couldn't successfully generate and validate JWT using 2 different sources. I even tried using http://jwt.io
Can someone help me understand what might be wrong? I believe it should be possible to create JWT using one library and validate using another library considering you are using correct sign algo and secret key.
The key input at http://kjur.github.io/jsjws/tool_jwt.html accepts hex-encoded values. The default secret 616161 actually decodes to aaa. Verifying the generated token at http://jwt.io/ using aaa as the secret works.
One aspect of JWT that can confuse is that it does not encrypt the data.
It is possible to extract the contents of a JWT including all the fields. The signing of it however allows us to validate that the token was generated/signed with a particular secret and it is this that is used to validate or authenticate.
If that is not the issue then it could well be just the tool/library key encoding as suggested by #frasertweedale - care needs to be taken to encode all the source fields appropriately.
I have a security question regarding using the Pick Widget.
I had assumed that if I supplied the data-fp-signature and data-fp-policy
I would not need to supply the API key.
When I don't supply the API Key I get the following JavaScript Error "Uncaught FilepickerException: API Key not found"
I have verified that my generated policy and signed policy match the filepicker.io test harness.
The API key is necessary for letting Filepicker.io who you are - the policy and signature are ways of verifying that you are who you say you ware, but you have to indicate who you are in the first place with your API key (for instance, so that we can look up your security secret and verify that the signature hash is correct)