in Notation.Plugin.AzureKeyVault/KeyVault/KeyVaultClient.cs [202:240]
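/// <summary>
/// Fetches the certificate secret behind this key from Key Vault and returns
/// the certificates it contains as an <see cref="X509Certificate2Collection"/>.
/// </summary>
/// <remarks>
/// The secret is read through <c>_secretClient</c> for <c>_name</c>/<c>_version</c>
/// and decoded according to its content type (matched case-insensitively, as
/// media type names are case-insensitive):
/// <list type="bullet">
///   <item><c>application/x-pkcs12</c>: the value is a base64-encoded PKCS#12
///   blob imported with no password. Such a blob may also carry the private
///   key, so <see cref="X509KeyStorageFlags.EphemeralKeySet"/> is requested to
///   keep it out of any persistent key store; on macOS that flag is not usable
///   for this import, so the blob is re-encoded and imported with
///   <see cref="X509KeyStorageFlags.DefaultKeySet"/> instead.</item>
///   <item><c>application/x-pem-file</c>: the value is parsed as PEM.</item>
/// </list>
/// Note that the PKCS#12 import reverses the order of the certificates
/// relative to the blob; callers that need a specific order must reorder.
/// </remarks>
/// <returns>
/// The imported certificates. The caller owns the collection and should
/// dispose its certificates when done with them.
/// </returns>
/// <exception cref="ValidationException">
/// The secret has no value, or its content type is not one of the supported types.
/// </exception>
public async Task<X509Certificate2Collection> GetCertificateChainAsync()
{
    var secret = await _secretClient.Value.GetSecretAsync(_name, _version);
    var contentType = secret.Value.Properties.ContentType;
    var secretValue = secret.Value.Value;

    if (string.IsNullOrWhiteSpace(secretValue))
    {
        // Report an empty secret as a validation problem rather than letting
        // the decoders below fail with a generic ArgumentNullException/FormatException.
        throw new ValidationException($"Secret has no value (content type: {contentType})");
    }

    var chain = new X509Certificate2Collection();
    if (string.Equals(contentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
    {
        // The secret is a base64-encoded PKCS#12 file.
        // Import will reverse the order of the certificates in the chain.
        var pkcs12 = Convert.FromBase64String(secretValue);
        if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
        {
            // macOS doesn't support non-encrypted MAC
            // https://github.com/dotnet/runtime/issues/23635
            chain.Import(
                rawData: Pkcs12.ReEncode(pkcs12),
                password: null,
                keyStorageFlags: X509KeyStorageFlags.DefaultKeySet);
        }
        else
        {
            // Ephemeral keys: any private key in the blob stays in memory only.
            chain.Import(
                rawData: pkcs12,
                password: null,
                keyStorageFlags: X509KeyStorageFlags.EphemeralKeySet);
        }
    }
    else if (string.Equals(contentType, "application/x-pem-file", StringComparison.OrdinalIgnoreCase))
    {
        // The secret is a PEM file; parse the PEM content directly.
        chain.ImportFromPem(secretValue.ToCharArray());
    }
    else
    {
        throw new ValidationException($"Unsupported secret content type: {contentType}");
    }

    return chain;
}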