Security domain

src/KeyVault/KeyVault.Test/KeyVault.Test.csproj

@@ -14,6 +14,7 @@
     <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.1" />
     <PackageReference Include="Microsoft.Azure.KeyVault.WebKey" Version="3.0.1" />
     <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="3.1.0-preview.1" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="5.1.2" />
     <PackageReference Include="Microsoft.Azure.Management.Network" Version="20.1.1" />
   </ItemGroup>
 

src/KeyVault/KeyVault.Test/UnitTests/SecurityDomainTests.cs

@@ -0,0 +1,24 @@
+using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using Microsoft.Azure.Commands.KeyVault.SecurityDomain;
+using Microsoft.Azure.Commands.KeyVault.SecurityDomain.Models;
+using System;
+using System.Security.Cryptography.X509Certificates;
+using Xunit;
+
+namespace SecurityDomain.Test
+{
+    public class SecurityDomainTests
+    {
+        [Fact]
+        public void X509Tests()
+        {
+            X509Certificate2 cert = new X509Certificate2(@"C:\yeming.liu.cer");
+            Assert.NotNull(cert);
+
+            JWK jwk = new JWK(cert);
+            Assert.NotNull(jwk);
+
+            Assert.Equal(JwkKeyType.RSA.ToString(), jwk.kty);
+        }
+    }
+}

src/KeyVault/KeyVault.sln

@@ -1,6 +1,6 @@
 Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio 15
-VisualStudioVersion = 15.0.27703.2042
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30413.136
 MinimumVisualStudioVersion = 10.0.40219.1
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "KeyVault", "KeyVault\KeyVault.csproj", "{9FFC40CC-A341-4D0C-A25D-DC6B78EF6C94}"
 EndProject
@@ -52,12 +52,17 @@ Global
 		{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{BC80A1D0-FFA4-43D9-AA74-799F5CB54B58}.Release|Any CPU.Build.0 = Release|Any CPU
+		{FDEE9611-2887-4933-AF88-B4EC782B2096}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{FDEE9611-2887-4933-AF88-B4EC782B2096}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{FDEE9611-2887-4933-AF88-B4EC782B2096}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{FDEE9611-2887-4933-AF88-B4EC782B2096}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
 	EndGlobalSection
 	GlobalSection(NestedProjects) = preSolution
 		{080B0477-7E52-4455-90AB-23BD13D1B1CE} = {95C16AED-FD57-42A0-86C3-2CF4300A4817}
+		{FDEE9611-2887-4933-AF88-B4EC782B2096} = {95C16AED-FD57-42A0-86C3-2CF4300A4817}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {5E85B4CC-D1A9-466B-98AC-E0AD0C5AE585}

src/KeyVault/KeyVault/Az.KeyVault.psd1

@@ -122,7 +122,8 @@ CmdletsToExport = 'Add-AzManagedHsmKey', 'Get-AzManagedHsmKey', 'Remove-AzManage
                'Undo-AzKeyVaultManagedStorageSasDefinitionRemoval', 
                'Undo-AzKeyVaultManagedStorageAccountRemoval', 
                'Add-AzKeyVaultNetworkRule', 'Update-AzKeyVaultNetworkRuleSet', 
-               'Remove-AzKeyVaultNetworkRule'
+               'Remove-AzKeyVaultNetworkRule', 'Backup-AzManagedHsmSecurityDomain',
+               'Restore-AzManagedHsmSecurityDomain'
 
 # Variables to export from this module
 # VariablesToExport = @()

src/KeyVault/KeyVault/Helpers/UtilityExtensions.cs

@@ -0,0 +1,23 @@
+using System;
+using System.Runtime.InteropServices;
+using System.Security;
+
+namespace Microsoft.Azure.Commands.KeyVault
+{
+    internal static class UtilityExtensions
+    {
+        public static string ToPlainText(this SecureString secureString)
+        {
+            IntPtr bstr = Marshal.SecureStringToBSTR(secureString);
+
+            try
+            {
+                return Marshal.PtrToStringBSTR(bstr);
+            }
+            finally
+            {
+                Marshal.FreeBSTR(bstr);
+            }
+        }
+    }
+}

src/KeyVault/KeyVault/KeyVault.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <PsModuleName>KeyVault</PsModuleName>
@@ -12,10 +12,12 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.1.0" />
+    <PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.2.0-beta.1" />
+    <PackageReference Include="BouncyCastle.NetCore" Version="1.8.6" />
     <PackageReference Include="Microsoft.Azure.KeyVault" Version="3.0.1" />
     <PackageReference Include="Microsoft.Azure.KeyVault.WebKey" Version="3.0.1" />
     <PackageReference Include="Microsoft.Azure.Management.KeyVault" Version="3.1.0-preview.1" />
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="5.1.2" />
   </ItemGroup>
 
   <ItemGroup>

src/KeyVault/KeyVault/Models/DataServiceCredential.cs

@@ -70,12 +70,12 @@ public Task<string> OnAuthentication(string authority, string resource, string s
 
         public string GetToken()
         {
-            return GetTokenInternal(this.TenantId, this._authenticationFactory, this._context, this._endpointName).Item1.AccessToken;
+            return GetAccessToken().AccessToken;
         }
 
-        public IAccessToken GetTokenTemp() // todo rename / refactor
+        public IAccessToken GetAccessToken()
         {
-            return GetTokenInternal(this.TenantId, this._authenticationFactory, this._context, this._endpointName).Item1;
+            return GetTokenInternal(TenantId, _authenticationFactory, _context, _endpointName).Item1;
         }
 
         private static string GetTenantId(IAzureContext context)

src/KeyVault/KeyVault/Properties/AssemblyInfo.cs

@@ -33,4 +33,5 @@
 [assembly: AssemblyFileVersion("2.2.1")]
 #if !SIGN
 [assembly: InternalsVisibleTo("Microsoft.Azure.PowerShell.Cmdlets.KeyVault.Test")]
+[assembly: InternalsVisibleTo("SecurityDomain.Test")]
 #endif

src/KeyVault/KeyVault/Properties/Resources.resx

@@ -501,6 +501,33 @@ You can find the object ID using Azure Active Directory Module for Windows Power
   <data name="KeyOpsImportIsExclusive" xml:space="preserve">
     <value>The "import" operation is exclusive, it cannot be combined with any other value(s).</value>
   </data>
+  <data name="HsmCertRangeWarning" xml:space="preserve">
+    <value>To encrypt the security domain data, please provide at least {0} and at most {1} certificates.</value>
+  </data>
+  <data name="LoadSecurityDomainFileFailed" xml:space="preserve">
+    <value>Failed to load security domain data from {0}. Please make sure the file exists and is not modified.</value>
+  </data>
+  <data name="RestoreSecurityDomainBadKey" xml:space="preserve">
+    <value>"PublicKey" and "PrivateKey" are mandatory properties in each object in "Keys".</value>
+  </data>
+  <data name="RestoreSecurityDomainNotEnoughKey" xml:space="preserve">
+    <value>There need to be at least {0} keys to decrypt security domain backup data.</value>
+  </data>
+  <data name="DecryptSecurityDomainFailure" xml:space="preserve">
+    <value>Failed to decrypt security domain data. Please make sure the file is not modified and the keys / passwords are correct.</value>
+  </data>
+  <data name="DecryptSecurityDomainKeyNotEnough" xml:space="preserve">
+    <value>Not enough keys to decrypt security domain backup. {0} required, {0} provided.</value>
+  </data>
+  <data name="DownloadSecurityDomainFail" xml:space="preserve">
+    <value>Failed to download security domain backup data.</value>
+  </data>
+  <data name="DownloadSecurityDomainKeyFail" xml:space="preserve">
+    <value>Failed to download security domain exchange key.</value>
+  </data>
+  <data name="RestoreSecurityDomainFailure" xml:space="preserve">
+    <value>Failed to restore security domain from backup.</value>
+  </data>
   <data name="InvalidKeyProperties" xml:space="preserve">
     <value>Invalid key properties</value>
   </data>

src/KeyVault/KeyVault/SecurityDomain/Cmdlets/BackupSecurityDomain.cs

@@ -0,0 +1,62 @@
+using Microsoft.Azure.Commands.Common.Authentication;
+using Microsoft.Azure.Commands.KeyVault.Properties;
+using System;
+using System.Linq;
+using System.Management.Automation;
+using System.Security.Cryptography.X509Certificates;
+
+namespace Microsoft.Azure.Commands.KeyVault.SecurityDomain.Cmdlets
+{
+    [Cmdlet(VerbsData.Backup, ResourceManager.Common.AzureRMConstants.AzurePrefix + "ManagedHsmSecurityDomain", SupportsShouldProcess = true, DefaultParameterSetName = ByName)]
+    [OutputType(typeof(bool))]
+    public class BackupSecurityDomain: SecurityDomainCmdlet
+    {
+        [Parameter(HelpMessage = "Paths to the certificates that are used to encrypt the security domain data.", Mandatory = true)]
+        [ValidateNotNullOrEmpty()]
+        public string[] Certificates { get; set; }
+
+        [Parameter(HelpMessage = "Specify the path where security domain data will be downloaded to.", Mandatory = true)]
+        [ValidateNotNullOrEmpty]
+        public string OutputPath { get; set; }
+
+        [Parameter(HelpMessage = "Specify whether to overwrite existing file.")]
+        public SwitchParameter Force { get; set; }
+
+        [Parameter(HelpMessage = "When specified, a boolean will be returned when cmdlet succeeds.")]
+        public SwitchParameter PassThru { get; set; }
+
+        [Parameter(HelpMessage = "The minimum number of shares required to decrypt the security domain for recovery.", Mandatory = true)]
+        [ValidateRange(Common.Constants.MinQuorum, Common.Constants.MaxQuorum)]
+        public int Quorum { get; set; }
+
+        public override void DoExecuteCmdlet()
+        {
+            ValidateParameters();
+
+            var certificates = Certificates.Select(path => new X509Certificate2(ResolveUserPath(path)));
+
+            if (ShouldProcess($"managed HSM {Name}", $"download encrypted security domain data to '{OutputPath}'"))
+            {
+                OutputPath = ResolveUserPath(OutputPath);
+                var securityDomain = Client.DownloadSecurityDomain(Name, certificates, Quorum);
+                if (!AzureSession.Instance.DataStore.FileExists(OutputPath) || Force || ShouldContinue(string.Format(Resources.FileOverwriteMessage, OutputPath), Resources.FileOverwriteCaption))
+                {
+                    AzureSession.Instance.DataStore.WriteFile(OutputPath, securityDomain);
+                    WriteDebug($"Security domain data of managed HSM '{Name}' downloaded to '{OutputPath}'.");
+                    if (PassThru)
+                    {
+                        WriteObject(true);
+                    }
+                }
+            }
+        }
+
+        private void ValidateParameters()
+        {
+            if (Certificates.Length < Common.Constants.MinCert || Certificates.Length > Common.Constants.MaxCert)
+            {
+                throw new ArgumentException(string.Format(Resources.HsmCertRangeWarning, Common.Constants.MinCert, Common.Constants.MaxCert));
+            }
+        }
+    }
+}