From 076ba9dec31c0ce99819248d417e7e8b695d4d75 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 16 Aug 2021 08:56:25 -0500
Subject: [PATCH 1/4] use shared core cert loader

---
 .../Azure.Security.ConfidentialLedger/README.md             | 1 +
 .../tests/Azure.Security.ConfidentialLedger.Tests.csproj    | 6 ++++++
 .../tests/samples/HelloWorldSamples.cs                      | 3 ++-
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
index 390c9d54a049..a0d957896661 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
@@ -353,6 +353,7 @@ Console.WriteLine($"The latest ledger entry from the sub-ledger is {latestSubLed
 ##### Ranged queries
 
 Ledger entries in a sub-ledger may be retrieved over a range of transaction ids.
+Note: Both ranges are optional; they can be provided individually or not all all.
 
 ```C# Snippet:RangedQuery
 ledgerClient.GetLedgerEntries(fromTransactionId: "2.1", toTransactionId: subLedgerTransactionId);
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj
index b305396697fe..3d36c865aac3 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj
@@ -21,4 +21,10 @@
     <Folder Include="SessionRecords" />
     <Folder Include="SessionRecords\ConfidentialLedgerClientLiveTests" />
   </ItemGroup>
+
+  <!-- Shared source from Azure.Core -->
+  <ItemGroup>
+    <Compile Include="$(AzureCoreSharedSources)PemReader.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)LightweightPkcs8Decoder.cs" LinkBase="Shared" />
+  </ItemGroup>
 </Project>
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs
index 84e36b758cc2..6ebb2232fb20 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs
@@ -46,7 +46,8 @@ public void HelloWorld()
                 .GetString();
 
             // construct an X509Certificate2 with the ECC PEM value.
-            X509Certificate2 ledgerTlsCert = new X509Certificate2(Encoding.UTF8.GetBytes(eccPem));
+            var span = new ReadOnlySpan<char>(eccPem.ToCharArray());
+            X509Certificate2 ledgerTlsCert = PemReader.LoadCertificate(span, null, PemReader.KeyType.Auto, true);
 
             #endregion
 

From 9667be883f9b71517d53a0f97dc89d9bd6f9183c Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 16 Aug 2021 12:30:07 -0500
Subject: [PATCH 2/4] doc change to GetLedgerEntries and addition of
 ParseCertificate

---
 .../Azure.Security.ConfidentialLedger.csproj  |  2 ++
 ...ConfidentialLedgerIdentityServiceClient.cs | 19 +++++++++++++++++++
 ...e.Security.ConfidentialLedger.Tests.csproj |  5 -----
 .../tests/samples/HelloWorldSamples.cs        | 13 ++-----------
 4 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/Azure.Security.ConfidentialLedger.csproj b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/Azure.Security.ConfidentialLedger.csproj
index 210f75fc1ecf..506e8a203611 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/Azure.Security.ConfidentialLedger.csproj
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/Azure.Security.ConfidentialLedger.csproj
@@ -30,6 +30,8 @@
     <Compile Include="$(AzureCoreSharedSources)HttpMessageSanitizer.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)TaskExtensions.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)PemReader.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)LightweightPkcs8Decoder.cs" LinkBase="Shared" />
   </ItemGroup>
 
 </Project>
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/ConfidentialLedgerIdentityServiceClient.cs b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/ConfidentialLedgerIdentityServiceClient.cs
index c96933a8b950..f4173a19c513 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/ConfidentialLedgerIdentityServiceClient.cs
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/src/ConfidentialLedgerIdentityServiceClient.cs
@@ -2,6 +2,8 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Azure;
 using Azure.Core;
@@ -34,5 +36,22 @@ public ConfidentialLedgerIdentityServiceClient(Uri identityServiceUri, Confident
             this.identityServiceUri = identityServiceUri;
             apiVersion = options.Version;
         }
+
+        /// <summary>
+        /// Parses the response from <see cref="GetLedgerIdentity"/> or <see cref="GetLedgerIdentityAsync"/>.
+        /// </summary>
+        /// <param name="getIdentityResponse">The response from <see cref="GetLedgerIdentity"/> or <see cref="GetLedgerIdentityAsync"/>.</param>
+        /// <returns>The <see cref="X509Certificate2"/>.</returns>
+        public static X509Certificate2 ParseCertificate(Response getIdentityResponse)
+        {
+            var eccPem = JsonDocument.Parse(getIdentityResponse.Content)
+                .RootElement
+                .GetProperty("ledgerTlsCertificate")
+                .GetString();
+
+            // construct an X509Certificate2 with the ECC PEM value.
+            var span = new ReadOnlySpan<char>(eccPem.ToCharArray());
+            return PemReader.LoadCertificate(span, null, PemReader.KeyType.Auto, true);
+        }
     }
 }
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj
index 3d36c865aac3..f9bd0edc1aac 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/Azure.Security.ConfidentialLedger.Tests.csproj
@@ -22,9 +22,4 @@
     <Folder Include="SessionRecords\ConfidentialLedgerClientLiveTests" />
   </ItemGroup>
 
-  <!-- Shared source from Azure.Core -->
-  <ItemGroup>
-    <Compile Include="$(AzureCoreSharedSources)PemReader.cs" LinkBase="Shared" />
-    <Compile Include="$(AzureCoreSharedSources)LightweightPkcs8Decoder.cs" LinkBase="Shared" />
-  </ItemGroup>
 </Project>
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs
index 6ebb2232fb20..8fd43786753a 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/samples/HelloWorldSamples.cs
@@ -38,17 +38,7 @@ public void HelloWorld()
             ledgerId = ledgerId.Substring(0, ledgerId.IndexOf('.'));
 #endif
             Response response = identityClient.GetLedgerIdentity(ledgerId);
-
-            // extract the ECC PEM value from the response.
-            var eccPem = JsonDocument.Parse(response.Content)
-                .RootElement
-                .GetProperty("ledgerTlsCertificate")
-                .GetString();
-
-            // construct an X509Certificate2 with the ECC PEM value.
-            var span = new ReadOnlySpan<char>(eccPem.ToCharArray());
-            X509Certificate2 ledgerTlsCert = PemReader.LoadCertificate(span, null, PemReader.KeyType.Auto, true);
-
+            X509Certificate2 ledgerTlsCert = ConfidentialLedgerIdentityServiceClient.ParseCertificate(response);
             #endregion
 
             #region Snippet:CreateClient
@@ -62,6 +52,7 @@ public void HelloWorld()
             certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
             certificateChain.ChainPolicy.ExtraStore.Add(ledgerTlsCert);
 
+            var f = certificateChain.Build(ledgerTlsCert);
             // Define a validation function to ensure that the ledger certificate is trusted by the ledger identity TLS certificate.
             bool CertValidationCheck(HttpRequestMessage httpRequestMessage, X509Certificate2 cert, X509Chain x509Chain, SslPolicyErrors sslPolicyErrors)
             {

From de3467a346c15a1001c90d7ef1717eeb0bb1133d Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriscott@hotmail.com>
Date: Mon, 16 Aug 2021 13:24:55 -0500
Subject: [PATCH 3/4] Update
 sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md

Co-authored-by: Jesse Squire <jesse.squire@gmail.com>
---
 .../Azure.Security.ConfidentialLedger/README.md                 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
index a0d957896661..7199861b9697 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
@@ -353,7 +353,7 @@ Console.WriteLine($"The latest ledger entry from the sub-ledger is {latestSubLed
 ##### Ranged queries
 
 Ledger entries in a sub-ledger may be retrieved over a range of transaction ids.
-Note: Both ranges are optional; they can be provided individually or not all all.
+Note: Both ranges are optional; they can be provided individually or not at all.
 
 ```C# Snippet:RangedQuery
 ledgerClient.GetLedgerEntries(fromTransactionId: "2.1", toTransactionId: subLedgerTransactionId);

From e401d73b713adfd5af77dc3c2c4f4ce4efbf9859 Mon Sep 17 00:00:00 2001
From: Christopher Scott <chriss@microsoft.com>
Date: Mon, 16 Aug 2021 18:33:57 -0500
Subject: [PATCH 4/4] export and test

---
 .../README.md                                 | 11 ++----
 ...urity.ConfidentialLedger.netstandard2.0.cs |  1 +
 .../ConfidentialLedgerIdentityServiceTests.cs | 35 +++++++++++++++++++
 3 files changed, 38 insertions(+), 9 deletions(-)
 create mode 100644 sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/ConfidentialLedgerIdentityServiceTests.cs

diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
index a0d957896661..6ca1681a2929 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/README.md
@@ -54,15 +54,7 @@ var identityClient = new ConfidentialLedgerIdentityServiceClient(identityService
 // Get the ledger's  TLS certificate for our ledger.
 string ledgerId = "<the ledger id>"; // ex. "my-ledger" from "https://my-ledger.eastus.cloudapp.azure.com"
 Response response = identityClient.GetLedgerIdentity(ledgerId);
-
-// extract the ECC PEM value from the response.
-var eccPem = JsonDocument.Parse(response.Content)
-    .RootElement
-    .GetProperty("ledgerTlsCertificate")
-    .GetString();
-
-// construct an X509Certificate2 with the ECC PEM value.
-X509Certificate2 ledgerTlsCert = new X509Certificate2(Encoding.UTF8.GetBytes(eccPem));
+X509Certificate2 ledgerTlsCert = ConfidentialLedgerIdentityServiceClient.ParseCertificate(response);
 ```
 
 Now we can construct the `ConfidentialLedgerClient` with a transport configuration that trusts the `ledgerTlsCert`.
@@ -77,6 +69,7 @@ certificateChain.ChainPolicy.VerificationTime = DateTime.Now;
 certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
 certificateChain.ChainPolicy.ExtraStore.Add(ledgerTlsCert);
 
+var f = certificateChain.Build(ledgerTlsCert);
 // Define a validation function to ensure that the ledger certificate is trusted by the ledger identity TLS certificate.
 bool CertValidationCheck(HttpRequestMessage httpRequestMessage, X509Certificate2 cert, X509Chain x509Chain, SslPolicyErrors sslPolicyErrors)
 {
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/api/Azure.Security.ConfidentialLedger.netstandard2.0.cs b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/api/Azure.Security.ConfidentialLedger.netstandard2.0.cs
index 3fd690026f24..f05d1fda9b4a 100644
--- a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/api/Azure.Security.ConfidentialLedger.netstandard2.0.cs
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/api/Azure.Security.ConfidentialLedger.netstandard2.0.cs
@@ -49,5 +49,6 @@ public ConfidentialLedgerIdentityServiceClient(System.Uri identityServiceUri, Az
         public virtual Azure.Core.Pipeline.HttpPipeline Pipeline { get { throw null; } }
         public virtual Azure.Response GetLedgerIdentity(string ledgerId, Azure.RequestOptions options = null) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response> GetLedgerIdentityAsync(string ledgerId, Azure.RequestOptions options = null) { throw null; }
+        public static System.Security.Cryptography.X509Certificates.X509Certificate2 ParseCertificate(Azure.Response getIdentityResponse) { throw null; }
     }
 }
diff --git a/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/ConfidentialLedgerIdentityServiceTests.cs b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/ConfidentialLedgerIdentityServiceTests.cs
new file mode 100644
index 000000000000..8df0db93aded
--- /dev/null
+++ b/sdk/confidentialledger/Azure.Security.ConfidentialLedger/tests/ConfidentialLedgerIdentityServiceTests.cs
@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Azure.Core.TestFramework;
+using NUnit.Framework;
+
+namespace Azure.Security.ConfidentialLedger.Tests
+{
+    public class ConfidentialLedgerIdentityServiceTests
+    {
+        [Test]
+        public void ParseCertificate()
+        {
+            var ledgerCert =
+                new LedgerIdentityResponse
+                {
+                    ledgerTlsCertificate =
+                        "-----BEGIN CERTIFICATE-----\nMIIBezCCASGgAwIBAgIRAJm8lmSE26KV0eDDXrRD6LQwCgYIKoZIzj0EAwIwFjEU\nMBIGA1UEAwwLQ0NGIE5ldHdvcmswHhcNMjEwMzExMDAwMDAwWhcNMjMwNjExMjM1\nOTU5WjAWMRQwEgYDVQQDDAtDQ0YgTmV0d29yazBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABJDsxegT33aucCNaiHPK2YNPqwRg1Y2xxVVkII9yUCs6QyNJoCWI4Zfv\nj7iCOpaaBFxDBOuXcqyzXix\u002Be0r3rZyjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0O\nBBYEFLmINpd7X6PFiqD3z0FsjUgDyHtDMB8GA1UdIwQYMBaAFLmINpd7X6PFiqD3\nz0FsjUgDyHtDMAoGCCqGSM49BAMCA0gAMEUCIQD13yI1tEd9m0CtyfSqUnN80wYr\n6QRh9JO3tuSMA10b2gIgGZTs\u002BkowdDjP//U5fgCBovlcGIhdiBBF2wuHnLfqAkI=\n-----END CERTIFICATE-----\n\u0000"
+                };
+
+            var response = new MockResponse(200);
+            response.SetContent(System.Text.Json.JsonSerializer.Serialize(ledgerCert));
+
+            var cert = ConfidentialLedgerIdentityServiceClient.ParseCertificate(response);
+
+            Assert.AreEqual("5D2E98B216B73220C960EE2978E56EEFEEACA30D", cert.Thumbprint);
+        }
+
+        public class LedgerIdentityResponse
+        {
+            public string ledgerTlsCertificate { get; set; }
+            public string ledgerId { get; set; }
+        }
+    }
+}