vcsjones · vcsjones · May 12, 2024 · May 11, 2024 · May 11, 2024
diff --git a/src/AzureSignTool/AzureSignTool.csproj b/src/AzureSignTool/AzureSignTool.csproj
@@ -27,7 +27,6 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
-    <PackageReference Include="RSAKeyVaultProvider" Version="2.1.1" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/AzureSignTool/Program.cs b/src/AzureSignTool/Program.cs
@@ -7,12 +7,13 @@
 using System.Security.Cryptography.X509Certificates;
 using System.Threading;
 using System.Threading.Tasks;
+using Azure.Core;
+using Azure.Security.KeyVault.Keys.Cryptography;
 using AzureSign.Core;
 using Microsoft.Extensions.FileSystemGlobbing;
 using Microsoft.Extensions.FileSystemGlobbing.Abstractions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Console;
-using RSAKeyVaultProvider;
 using XenoAtom.CommandLine;
 
 using static AzureSignTool.HRESULT;
@@ -248,6 +249,7 @@ private async ValueTask<int> RunSign()
                 var configurationDiscoverer = new KeyVaultConfigurationDiscoverer(logger);
                 var materializedResult = await configurationDiscoverer.Materialize(configuration);
                 AzureKeyVaultMaterializedConfiguration materialized;
+
                 switch (materializedResult)
                 {
                     case ErrorOr<AzureKeyVaultMaterializedConfiguration>.Ok ok:
@@ -257,6 +259,14 @@ private async ValueTask<int> RunSign()
                         logger.LogError("Failed to get configuration from Azure Key Vault.");
                         return E_INVALIDARG;
                 }
+
+                const string RsaOid = "1.2.840.113549.1.1.1";
+                if (materialized.PublicCertificate.GetKeyAlgorithm() is string alg and not RsaOid)
+                {
+                    logger.LogError("Certificate algorithm is not RSA.");
+                    return E_INVALIDARG;
+                }
+
                 int failed = 0, succeeded = 0;
                 var cancellationSource = new CancellationTokenSource();
                 Console.CancelKeyPress += (_, e) =>
@@ -272,7 +282,19 @@ private async ValueTask<int> RunSign()
                 }
                 logger.LogTrace("Creating context");
 
-                using (var keyVault = RSAFactory.Create(materialized.TokenCredential, materialized.KeyId, materialized.PublicCertificate))
+                CryptographyClientOptions clientOptions = new() {
+                    Retry =
+                    {
+                        Delay = TimeSpan.FromSeconds(2),
+                        MaxDelay = TimeSpan.FromSeconds(16),
+                        MaxRetries = 5,
+                        Mode = RetryMode.Exponential
+                    }
+                };
+
+                var client = new CryptographyClient(materialized.KeyId, materialized.TokenCredential, clientOptions);
+
+                using (var keyVault = await client.CreateRSAAsync())
                 using (var signer = new AuthenticodeKeyVaultSigner(keyVault, materialized.PublicCertificate, ParseHashAlgorithm(FileDigestAlgorithm), timeStampConfiguration, certificates))
                 {
                     Parallel.ForEach(AllFiles, options, () => (succeeded: 0, failed: 0), (filePath, pls, state) =>