hashicorp vault cert provider

src/CryptoAgent/CryptoAgent.csproj

@@ -15,6 +15,7 @@
     <PackageReference Include="Azure.Storage.Blobs" Version="12.9.1" />
     <PackageReference Include="Google.Cloud.Kms.V1" Version="2.4.0" />
     <PackageReference Include="JsonFlatFileDataStore" Version="2.2.3" />
+    <PackageReference Include="VaultSharp" Version="1.6.5.1" />
   </ItemGroup>
 
 </Project>

src/CryptoAgent/CryptoAgentSettings.cs

@@ -25,6 +25,13 @@
             public string AzureKeyvaultAdTenantId { get; set; }
             public string AzureKeyvaultAdAppId { get; set; }
             public string AzureKeyvaultAdSecret { get; set; }
+            // vault
+            public string VaultServerUri { get; set; }
+            public string VaultToken { get; set; }
+            public string VaultSecretMountPoint { get; set; }
+            public string VaultSecretPath { get; set; }
+            public string VaultSecretDataKey { get; set; }
+            public string VaultSecretFilePassword { get; set; }
         }
 
         public class RsaKeySettings
@@ -47,7 +54,6 @@
             public string AwsAccessKeySecret { get; set; }
             public string AwsRegion { get; set; }
             public string AwsKeyId { get; set; }
-            // vault...
             // Other HSMs...
         }
 

src/CryptoAgent/Services/HashicorpVaultCertificateProviderService.cs

@@ -0,0 +1,40 @@
+using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Threading.Tasks;
+using VaultSharp;
+using VaultSharp.V1.AuthMethods.Token;
+
+namespace Bit.CryptoAgent.Services
+{
+    public class HashicorpVaultCertificateProviderService : ICertificateProviderService
+    {
+        private readonly CryptoAgentSettings _settings;
+
+        public HashicorpVaultCertificateProviderService(CryptoAgentSettings settings)
+        {
+            _settings = settings;
+        }
+
+        public async Task<X509Certificate2> GetCertificateAsync()
+        {
+            var authMethod = new TokenAuthMethodInfo(_settings.Certificate.VaultToken);
+            var vaultClientSettings = new VaultClientSettings(_settings.Certificate.VaultServerUri, authMethod);
+            var vaultClient = new VaultClient(vaultClientSettings);
+
+            var mountPoint = string.IsNullOrWhiteSpace(_settings.Certificate.VaultSecretMountPoint) ?
+                null : _settings.Certificate.VaultSecretMountPoint;
+            var secret = await vaultClient.V1.Secrets.KeyValue.V2.ReadSecretAsync(
+                path: _settings.Certificate.VaultSecretPath,
+                mountPoint: mountPoint);
+
+            if (secret?.Data?.Data?.ContainsKey(_settings.Certificate.VaultSecretDataKey) ?? false)
+            {
+                var certData = secret.Data.Data[_settings.Certificate.VaultSecretDataKey] as string;
+                return new X509Certificate2(Convert.FromBase64String(certData),
+                    _settings.Certificate.VaultSecretFilePassword);
+            }
+
+            return null;
+        }
+    }
+}

src/CryptoAgent/Startup.cs

@@ -51,6 +51,10 @@ namespace Bit.CryptoAgent
                 {
                     services.AddSingleton<ICertificateProviderService, AzureKeyVaultCertificateProviderService>();
                 }
+                else if (certificateProvider == "vault")
+                {
+                    services.AddSingleton<ICertificateProviderService, HashicorpVaultCertificateProviderService>();
+                }
                 else
                 {
                     throw new Exception("Unknown certificate provider configured.");