DataFlex
Azure Key Vault Sign with a Certificate's Private Key
Signs a hash using the private key of a certificate previously imported to an Azure Key Vault.
Use ChilkatAx-win32.pkg
Procedure Test
Boolean iSuccess
Handle hoJson
Handle hoSb
String sSignedString
String sHash_base64url
Variant vJsonBody
Handle hoJsonBody
Handle hoHttp
String sUrl
Variant vResp
Handle hoResp
Integer iStatusCode
Variant vJsonResp
Handle hoJsonResp
Variant vCert
Handle hoCert
Handle hoRsa
Boolean iValid
String sTemp1
Move False To iSuccess
// This requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.
// See Azure Key Vault Get Certificates for a more detailed explanation
// for how Chilkat is automatically getting the OAuth2 access token for your application.
// Provide information needed for Chilkat to automatically get an OAuth2 access token as needed.
Get Create (RefClass(cComChilkatJsonObject)) To hoJson
If (Not(IsComObjectCreated(hoJson))) Begin
Send CreateComObject of hoJson
End
Get ComUpdateString Of hoJson "client_id" "APP_ID" To iSuccess
Get ComUpdateString Of hoJson "client_secret" "APP_PASSWORD" To iSuccess
Get ComUpdateString Of hoJson "resource" "https://vault.azure.net" To iSuccess
Get ComUpdateString Of hoJson "token_endpoint" "https://login.microsoftonline.com/TENANT_ID/oauth2/token" To iSuccess
// In this example, we'll sign the SHA256 hash of the string "This is a test"
Get Create (RefClass(cComChilkatStringBuilder)) To hoSb
If (Not(IsComObjectCreated(hoSb))) Begin
Send CreateComObject of hoSb
End
Move "This is a test" To sSignedString
Get ComAppend Of hoSb sSignedString To iSuccess
Get ComGetHash Of hoSb "sha256" "base64url" "utf-8" To sHash_base64url
// We're going to send a POST to the following URL:
// POST {vaultBaseUrl}/keys/{key-or-cert-name}/{key-or-cert-version}/sign?api-version=7.4
// For example:
// POST https://VAULT_NAME.vault.azure.net/keys/CERT_NAME/CERT_VERSION/sign?api-version=7.4
//
// {
// "alg": "RS512",
// "value": "RUE3Nzg4NTQ4QjQ5RjFFN0U2NzAyQzhDNEMwMkJDOTA1MTYyOTUzNjI5NDhBNzZDQTlFOTM1NDA2M0ZGMjk2Mg"
// }
// The alg can be one of the following
// ES256 ECDSA using P-256 and SHA-256
// ES256K ECDSA using P-256K and SHA-256
// ES384 ECDSA using P-384 and SHA-384
// ES512 ECDSA using P-521 and SHA-512
// PS256 RSASSA-PSS using SHA-256 and MGF1 with SHA-256
// PS384 RSASSA-PSS using SHA-384 and MGF1 with SHA-384
// PS512 RSASSA-PSS using SHA-512 and MGF1 with SHA-512
// RS256 RSASSA-PKCS1-v1_5 using SHA-256
// RS384 RSASSA-PKCS1-v1_5 using SHA-384
// RS512 RSASSA-PKCS1-v1_5 using SHA-512
// The sample POST above uses SHA512. We'll instead sign a SHA256 hash.
Get Create (RefClass(cComChilkatJsonObject)) To hoJsonBody
If (Not(IsComObjectCreated(hoJsonBody))) Begin
Send CreateComObject of hoJsonBody
End
Get ComUpdateString Of hoJsonBody "alg" "RS256" To iSuccess
Get ComUpdateString Of hoJsonBody "value" sHash_base64url To iSuccess
Get Create (RefClass(cComChilkatHttp)) To hoHttp
If (Not(IsComObjectCreated(hoHttp))) Begin
Send CreateComObject of hoHttp
End
// Instead of providing an actual access token, we give Chilkat the information that allows it to
// automatically fetch the access token using the OAuth2 client credentials flow.
Get ComEmit Of hoJson To sTemp1
Set ComAuthToken Of hoHttp To sTemp1
Get ComSetUrlVar Of hoHttp "certName" "importCert01" To iSuccess
Get ComSetUrlVar Of hoHttp "certVersion" "7140c8755ed14839b5d86a9f7e7f0497" To iSuccess
// Note: Replace "VAULT_NAME" with the name of your Azure key vault.
Move "https://VAULT_NAME.vault.azure.net/keys/{$certName}/{$certVersion}/sign?api-version=7.4" To sUrl
Get Create (RefClass(cComChilkatHttpResponse)) To hoResp
If (Not(IsComObjectCreated(hoResp))) Begin
Send CreateComObject of hoResp
End
Get pvComObject of hoJsonBody to vJsonBody
Get pvComObject of hoResp to vResp
Get ComHttpJson Of hoHttp "POST" sUrl vJsonBody "application/json" vResp To iSuccess
If (iSuccess = False) Begin
Get ComLastErrorText Of hoHttp To sTemp1
Showln sTemp1
Procedure_Return
End
Get ComStatusCode Of hoResp To iStatusCode
Get Create (RefClass(cComChilkatJsonObject)) To hoJsonResp
If (Not(IsComObjectCreated(hoJsonResp))) Begin
Send CreateComObject of hoJsonResp
End
Get pvComObject of hoJsonResp to vJsonResp
Get ComGetBodyJson Of hoResp vJsonResp To iSuccess
Set ComEmitCompact Of hoJsonResp To False
Get ComEmit Of hoJsonResp To sTemp1
Showln sTemp1
If (iStatusCode <> 200) Begin
Showln "Failed."
Procedure_Return
End
// A successful response body contains JSON like this:
// Note: Azure's documentation is not very clear, but base64url is the encoding, not "base64".
// {
// "kid": "https://kvchilkat.vault.azure.net/keys/importCert01/7140c8755ed14839b5d86a9f7e7f0497",
// "value": "JzWd2YF21gjtW ... Em37hKOQ"
// }
// Let's validate the signature using the cert's public key.
// This example will load the corresponding certificate from a local file and will verify the signature against the original data.
//
Get Create (RefClass(cComChilkatCert)) To hoCert
If (Not(IsComObjectCreated(hoCert))) Begin
Send CreateComObject of hoCert
End
Get ComLoadFromFile Of hoCert "qa_data/certs/chilkat_code_signing_2024.cer" To iSuccess
If (iSuccess = False) Begin
Get ComLastErrorText Of hoCert To sTemp1
Showln sTemp1
Procedure_Return
End
Get Create (RefClass(cComChilkatRsa)) To hoRsa
If (Not(IsComObjectCreated(hoRsa))) Begin
Send CreateComObject of hoRsa
End
// Tell the RSA object to use the cert's public key.
Get pvComObject of hoCert to vCert
Get ComSetX509Cert Of hoRsa vCert False To iSuccess
If (iSuccess = False) Begin
Get ComLastErrorText Of hoRsa To sTemp1
Showln sTemp1
Procedure_Return
End
// Verify the signature using the cert's public key against the original string.
Set ComEncodingMode Of hoRsa To "base64url"
Get ComStringOf Of hoJsonResp "value" To sTemp1
Get ComVerifyStringENC Of hoRsa sSignedString "sha-256" sTemp1 To iValid
Showln "signature valid = " iValid
End_Procedure
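The request and response format the sample above drives, as an added Python example that is not part of the Chilkat sample or the Azure SDK: it builds the sign URL and the {"alg","value"} body with the digest that matches the chosen alg, and parses the response, re-padding the base64url "value" and checking that "kid" names the vault and key that were asked for. The sample response is constructed (the kid is the one shown above, the signature bytes are made up).

```python
import base64
import hashlib
import json
import re
from urllib.parse import urlparse

# Key Vault signs a caller-supplied digest, so the client must hash with the
# hash function that matches the requested "alg".
ALG_HASH = {
    "ES256": "sha256", "ES256K": "sha256", "ES384": "sha384", "ES512": "sha512",
    "PS256": "sha256", "PS384": "sha384", "PS512": "sha512",
    "RS256": "sha256", "RS384": "sha384", "RS512": "sha512",
}

def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding: what Key Vault expects and returns."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Re-add the padding Key Vault strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def digest_for_alg(alg: str, data: bytes) -> bytes:
    return hashlib.new(ALG_HASH[alg], data).digest()

def build_sign_request(data: bytes, alg: str = "RS256") -> dict:
    """JSON body for POST {vault}/keys/{name}/{version}/sign?api-version=7.4."""
    return {"alg": alg, "value": b64url_encode(digest_for_alg(alg, data))}

def build_sign_url(vault_name: str, key_name: str, key_version: str) -> str:
    # Only plain identifiers may be templated in, so a bad value cannot steer
    # the request to another host or path.
    for part in (vault_name, key_name, key_version):
        if not re.fullmatch(r"[A-Za-z0-9-]+", part):
            raise ValueError(f"unsafe URL component: {part!r}")
    return (f"https://{vault_name}.vault.azure.net/keys/{key_name}/"
            f"{key_version}/sign?api-version=7.4")

def parse_sign_response(body: str, expected_vault: str, expected_key: str) -> bytes:
    """Return the raw signature after checking 'kid' names the key we asked for."""
    resp = json.loads(body)
    kid = urlparse(resp["kid"])
    parts = kid.path.strip("/").split("/")
    if kid.scheme != "https" or kid.hostname != f"{expected_vault}.vault.azure.net":
        raise ValueError(f"kid from unexpected vault: {resp['kid']}")
    if len(parts) != 3 or parts[0] != "keys" or parts[1] != expected_key:
        raise ValueError(f"kid names unexpected key: {resp['kid']}")
    return b64url_decode(resp["value"])

# Constructed sample response: the kid is the one shown on this page; the
# "value" is 256 made-up bytes standing in for an RSA-2048 signature.
SAMPLE_RESPONSE = json.dumps({
    "kid": "https://kvchilkat.vault.azure.net/keys/importCert01/7140c8755ed14839b5d86a9f7e7f0497",
    "value": b64url_encode(bytes(range(256))),
})
```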