sign and verify data

Author: brockroadhouse

composer.json

@@ -1,7 +1,15 @@
 {
     "name": "pderas/azure-key-vault",
-    "version": "0.0.1",
+    "version": "0.0.2",
     "description": "A package to interact with Azure Key Vault",
+    "keywords": [
+        "azure",
+        "key-vault",
+        "vault",
+        "secrets",
+        "laravel"
+    ],
+    "homepage": "https://github.com/PDERAS/azure-key-vault",
     "type": "library",
     "license": "MIT",
     "autoload": {

composer.lock

@@ -11,6 +11,12 @@
      */
     'key_name'          => env('AZURE_KEY_VAULT_KEY_NAME'),
 
+    /**
+     * Azure Key Vault hashing algorithm to use for signing.
+     * Supported algorithms: RS256, RS384, RS512
+     */
+    'algorithm'         => env('AZURE_KEY_VAULT_ALGORITHM', 'RS256'),
+
     /**
      * Whether to use the Azure CLI to generate the access token
      */

config/azure_vault.php

@@ -2,179 +2,71 @@
 
 namespace Pderas\AzureKeyVault;
 
-use Carbon\Carbon;
-use GuzzleHttp\Client;
-use GuzzleHttp\Exception\ClientException;
 use Illuminate\Support\Arr;
-use Illuminate\Support\Facades\Log;
-use Illuminate\Support\Facades\Process;
-use Illuminate\Support\Facades\URL;
 use Pderas\AzureKeyVault\Enums\AzureEndpoint;
+use Pderas\AzureKeyVault\Services\AzureClient;
+use Pderas\AzureKeyVault\Services\AzureHasher;
 use Str;
 
 class AzureKeyVault
 {
-    /**
-     * Azure Key Vault API version
-     * 
-     * @var string
-     */
-    private const API_VERSION = '7.4';
-
-    /**
-     * Azure Key Vault Base URL. Example: https://my-key-vault.vault.azure.net/
-     */
-    protected string $vault_base_url;
-
-    /**
-     * Name of the key in Azure Key Vault
-     */
-    protected string $key_name;
-
-    /**
-     * The access token generated by Azure Key Vault
-     */
-    protected ?string $token = null;
-
-    /**
-     * The expiry date of the Access Token
-     */
-    protected Carbon $token_expiry;
-
-    /**
-     * Whether to use the Azure CLI to generate the access token
-     */
-    protected bool $use_azure_cli = false;
-
-    /**
-     * Guzzle HTTP Client
-     */
-    protected Client $client;
-
-    public function __construct()
-    {
-        $config = config('azure_vault');
-
-        $this->vault_base_url = $config['vault_base_url'];
-        $this->key_name = $config['key_name'];
-        $this->use_azure_cli = $config['use_azure_cli'];
-    
-        $this->client = new Client();
-    }
+    public function __construct(
+        protected AzureClient $client,
+        protected AzureHasher $hasher,
+    ) {}
 
     /**
      * Sign the data using the Azure Key Vault
      */
     public function sign(string $data)
     {
-        $this->getAccessToken();
-
         // Reference: https://learn.microsoft.com/en-us/rest/api/keyvault/keys/sign/sign?view=rest-keyvault-keys-7.4
         $payload = json_encode([
-            'alg'   => 'RS512',
-            'value' => $this->hash($data),
+            'alg'   => $this->hasher->getHashingAlgorithm(),
+            'value' => $this->hasher->hash($data),
         ]);
 
-        try {
-            $response = $this->request(
-                'POST',
-                $this->buildUrl(AzureEndpoint::SIGN),
-                ['body' => $payload]
-            );
-
-            return [
-                'signature'   => $response['value'],
-                'key_version' => $this->getCurrentKeyVersion(),
-            ];
-        } catch (ClientException $e) {
-            // Log a non-truncated error message
-            Log::error($e, [
-                'response' => (string) $e->getResponse()->getBody()
-            ]);
-        }
-    }
+        $response = $this->client->request(
+            AzureEndpoint::SIGN,
+            ['body' => $payload]
+        );
 
-    /**
-     * Retrieve an access token from Azure Key Vault
-     */
-    protected function getAccessToken(): void
-    {
-        if ($this->token && $this->token_expiry->isFuture()) {
-            return;
-        }
-
-        if ($this->use_azure_cli) {
-            $azure_cli_result = Process::run('az account get-access-token --resource https://vault.azure.net');
-            $token_output = json_decode($azure_cli_result->output(), true);
-
-            $this->token = Arr::get($token_output, 'accessToken');
-            $this->token_expiry = Carbon::parse(Arr::get($token_output, 'expiresOn'));
-        } else {
-            // TODO: Implement Managed Identity
-        }
+        return [
+            'signature'   => $response['value'],
+            'key_version' => Str::afterLast($response['kid'], '/'),
+        ];
     }
 
     /**
-     * Hash the data using SHA-512 and return the base64 encoded value
+     * Verify the signature of the data using the Azure Key Vault
      */
-    protected function hash(string $data): string
+    public function verify(string $value, string $signature, string $key_version)
     {
-        // Use binary encoded hash
-        $hashed_value = hash('sha512', $data, true);
+        $payload = json_encode([
+            'alg'     => $this->hasher->getHashingAlgorithm(),
+            'digest'  => $this->hasher->hash($value),
+            'value'   => $signature,
+        ]);
 
-        return base64_encode($hashed_value);
+        return $this->client->request(
+            AzureEndpoint::VERIFY,
+            ['body' => $payload],
+            $key_version
+        );
     }
 
     /**
      * Get the current key version
      */
-    protected function getCurrentKeyVersion(): ?string
+    public function currentKeyVersion(): ?string
     {
-        $url = $this->getKeyVersionUrl();
+        $response = $this->client->request(
+            AzureEndpoint::CURRENT,
+        );
 
-        // Return the last part of the URL which is the key version
-        return Str::afterLast($url, '/');
-    }
-
-    /**
-     * Get the full key version URL
-     */
-    protected function getKeyVersionUrl(): ?string
-    {
-        $url = $this->buildUrl(AzureEndpoint::VERSIONS, [
-            'maxresults' => 1
-        ]);
-
-        $response = $this->request('GET', $url);
-        
-        // Get the first key version (full URL)
-        return Arr::get($response, 'value.0.kid');
-    }
+        $response_key_url = Arr::get($response, 'key.kid');
 
-    /**
-     * Make a request to the Azure Key Vault
-     */
-    protected function request(string $method, string $url, array $options = []): ?array
-    {
-        $options['headers'] = [
-            'Authorization' => "Bearer {$this->token}",
-            'Content-Type'  => 'application/json',
-        ];
-
-        $response = $this->client->request($method, $url, $options);
-
-        return json_decode($response->getBody(), true);
-    }
-
-    /**
-     * Build the URL for the Azure Key Vault
-     */
-    protected function buildUrl(AzureEndpoint $endpoint, array $parameters = []): string
-    {
-        $url = "{$this->vault_base_url}/keys/{$this->key_name}/{$endpoint->value}";
-
-        $parameters['api-version'] = self::API_VERSION;
-
-        return URL::query($url, $parameters);
+        // Return the last part of the URL which is the key version
+        return Str::afterLast($response_key_url, '/');
     }
 }

src/AzureKeyVault.php

@@ -2,15 +2,9 @@
 
 namespace Pderas\AzureKeyVault;
 
-use AzureOss\FlysystemAzureBlobStorage\AzureBlobStorageAdapter;
-use AzureOss\Storage\Blob\BlobContainerClient;
-use AzureOss\Storage\Blob\BlobServiceClient;
-use Illuminate\Contracts\Container\Container;
-use Illuminate\Filesystem\FilesystemAdapter;
-use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\ServiceProvider;
-use League\Flysystem\Filesystem;
-// use MicrosoftAzure\Storage\Blob\BlobRestProxy;
+use Pderas\AzureKeyVault\Services\AzureClient;
+use Pderas\AzureKeyVault\Services\AzureHasher;
 
 class AzureKeyVaultServiceProvider extends ServiceProvider
 {
@@ -24,8 +18,11 @@ public function register(): void
             'azure_vault'
         );
 
-        $this->app->singleton('azure-key-vault', function () {
-            return new AzureKeyVault();
+        $this->app->singleton('azure-key-vault', function ($app) {
+            return new AzureKeyVault(
+                $app->make(AzureClient::class),
+                $app->make(AzureHasher::class)
+            );
         });
 
     }

src/AzureKeyVaultServiceProvider.php

@@ -5,7 +5,41 @@
 enum AzureEndpoint: string {
     case SIGN = 'sign';
     case VERIFY = 'verify';
-    case ENCRYPT = 'encrypt';
-    case DECRYPT = 'decrypt';
     case VERSIONS = 'versions';
+    case CURRENT = '';
+
+    /**
+     * Get the method name for the endpoint.
+     */
+    public function method(): string
+    {
+        return match ($this) {
+            self::SIGN, self::VERIFY => 'POST',
+            self::VERSIONS, self::CURRENT => 'GET',
+            default => 'GET',
+        };
+    }
+
+    /**
+     * Get the full path for the Azure Key Vault endpoint.
+     */
+    public function path(string $base_url, string $key_name, ?string $version = null): string
+    {
+        $url = "{$base_url}/keys/{$key_name}";
+
+        // Verify requires a version
+        if ($this->requiresVersion()) {
+            $url .= "/{$version}";
+        }
+        
+        return "{$url}/{$this->value}";
+    }
+
+    /**
+     * Check if the endpoint requires a key version.
+     */
+    private function requiresVersion(): bool
+    {
+        return $this === self::VERIFY;
+    }
 }

src/Enums/AzureEndpoint.php

@@ -0,0 +1,68 @@
+<?php
+
+namespace Pderas\AzureKeyVault\Services;
+
+use GuzzleHttp\Exception\ClientException;
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Facades\Log;
+use Pderas\AzureKeyVault\Enums\AzureEndpoint;
+
+class AzureClient
+{
+    /**
+     * The base URL for the Azure Key Vault.
+     */
+    protected string $vault_base_url;
+
+    /**
+     * The name of the key in Azure Key Vault.
+     */
+    protected string $key_name;
+    /**
+     * The API version to use for Azure Key Vault requests.
+     */
+    protected static string $api_version = '7.4';
+
+    public function __construct(
+        protected AzureTokenProvider $token_provider,
+    )
+    {
+        $this->vault_base_url = config('azure_vault.vault_base_url');
+        $this->key_name = config('azure_vault.key_name');
+    }
+
+    /**
+     * Make a request to the Azure Key Vault
+     */
+    public function request(AzureEndpoint $endpoint, array $options = [], ?string $key_version = null): ?array
+    {
+        try {
+            $token = $this->token_provider->getAccessToken();
+
+            $options['headers'] = [
+                'Authorization' => "Bearer {$token}",
+                'Content-Type'  => 'application/json',
+            ];
+            $options['query'] = [
+                'api-version' => self::$api_version,
+            ];
+
+            $response = Http::send(
+                $endpoint->method(),
+                $endpoint->path(
+                    $this->vault_base_url,
+                    $this->key_name,
+                    $key_version
+                ),
+                $options,
+            );
+
+            return json_decode($response->getBody(), true);
+        } catch (ClientException $e) {
+            Log::error($e, [
+                'response' => (string) $e->getResponse()->getBody()
+            ]);
+            throw $e;
+        }
+    }
+}