Azure · christothes · Aug 17, 2021 · Aug 16, 2021 · Aug 16, 2021 · Aug 16, 2021
@@ -54,15 +54,7 @@ var identityClient = new ConfidentialLedgerIdentityServiceClient(identityService
 // Get the ledger's  TLS certificate for our ledger.
 string ledgerId = "<the ledger id>"; // ex. "my-ledger" from "https://my-ledger.eastus.cloudapp.azure.com"
 Response response = identityClient.GetLedgerIdentity(ledgerId);
-
-// extract the ECC PEM value from the response.
-var eccPem = JsonDocument.Parse(response.Content)
-    .RootElement
-    .GetProperty("ledgerTlsCertificate")
-    .GetString();
-
-// construct an X509Certificate2 with the ECC PEM value.
-X509Certificate2 ledgerTlsCert = new X509Certificate2(Encoding.UTF8.GetBytes(eccPem));
+X509Certificate2 ledgerTlsCert = ConfidentialLedgerIdentityServiceClient.ParseCertificate(response);
 ```
 
 Now we can construct the `ConfidentialLedgerClient` with a transport configuration that trusts the `ledgerTlsCert`.
@@ -77,6 +69,7 @@ certificateChain.ChainPolicy.VerificationTime = DateTime.Now;
 certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
 certificateChain.ChainPolicy.ExtraStore.Add(ledgerTlsCert);
 
+var f = certificateChain.Build(ledgerTlsCert);
 // Define a validation function to ensure that the ledger certificate is trusted by the ledger identity TLS certificate.
 bool CertValidationCheck(HttpRequestMessage httpRequestMessage, X509Certificate2 cert, X509Chain x509Chain, SslPolicyErrors sslPolicyErrors)
 {
@@ -353,6 +346,7 @@ Console.WriteLine($"The latest ledger entry from the sub-ledger is {latestSubLed
 ##### Ranged queries
 
 Ledger entries in a sub-ledger may be retrieved over a range of transaction ids.
+Note: Both ranges are optional; they can be provided individually or not at all.
 
 ```C# Snippet:RangedQuery
 ledgerClient.GetLedgerEntries(fromTransactionId: "2.1", toTransactionId: subLedgerTransactionId);

@@ -49,5 +49,6 @@ public ConfidentialLedgerIdentityServiceClient(System.Uri identityServiceUri, Az
         public virtual Azure.Core.Pipeline.HttpPipeline Pipeline { get { throw null; } }
         public virtual Azure.Response GetLedgerIdentity(string ledgerId, Azure.RequestOptions options = null) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response> GetLedgerIdentityAsync(string ledgerId, Azure.RequestOptions options = null) { throw null; }
+        public static System.Security.Cryptography.X509Certificates.X509Certificate2 ParseCertificate(Azure.Response getIdentityResponse) { throw null; }
     }
 }
@@ -30,6 +30,8 @@
     <Compile Include="$(AzureCoreSharedSources)HttpMessageSanitizer.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)TaskExtensions.cs" LinkBase="Shared" />
     <Compile Include="$(AzureCoreSharedSources)AzureResourceProviderNamespaceAttribute.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)PemReader.cs" LinkBase="Shared" />
+    <Compile Include="$(AzureCoreSharedSources)LightweightPkcs8Decoder.cs" LinkBase="Shared" />
   </ItemGroup>
 
 </Project>
@@ -2,6 +2,8 @@
 // Licensed under the MIT License.
 
 using System;
+using System.Security.Cryptography.X509Certificates;
+using System.Text.Json;
 using System.Threading.Tasks;
 using Azure;
 using Azure.Core;
@@ -34,5 +36,22 @@ public ConfidentialLedgerIdentityServiceClient(Uri identityServiceUri, Confident
             this.identityServiceUri = identityServiceUri;
             apiVersion = options.Version;
         }
+
+        /// <summary>
+        /// Parses the response from <see cref="GetLedgerIdentity"/> or <see cref="GetLedgerIdentityAsync"/>.
+        /// </summary>
+        /// <param name="getIdentityResponse">The response from <see cref="GetLedgerIdentity"/> or <see cref="GetLedgerIdentityAsync"/>.</param>
+        /// <returns>The <see cref="X509Certificate2"/>.</returns>
+        public static X509Certificate2 ParseCertificate(Response getIdentityResponse)
+        {
+            var eccPem = JsonDocument.Parse(getIdentityResponse.Content)
+                .RootElement
+                .GetProperty("ledgerTlsCertificate")
+                .GetString();
+
+            // construct an X509Certificate2 with the ECC PEM value.
+            var span = new ReadOnlySpan<char>(eccPem.ToCharArray());
+            return PemReader.LoadCertificate(span, null, PemReader.KeyType.Auto, true);
+        }
     }
 }
@@ -21,4 +21,5 @@
     <Folder Include="SessionRecords" />
     <Folder Include="SessionRecords\ConfidentialLedgerClientLiveTests" />
   </ItemGroup>
+
 </Project>
@@ -0,0 +1,35 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using Azure.Core.TestFramework;
+using NUnit.Framework;
+
+namespace Azure.Security.ConfidentialLedger.Tests
+{
+    public class ConfidentialLedgerIdentityServiceTests
+    {
+        [Test]
+        public void ParseCertificate()
+        {
+            var ledgerCert =
+                new LedgerIdentityResponse
+                {
+                    ledgerTlsCertificate =
+                        "-----BEGIN CERTIFICATE-----\nMIIBezCCASGgAwIBAgIRAJm8lmSE26KV0eDDXrRD6LQwCgYIKoZIzj0EAwIwFjEU\nMBIGA1UEAwwLQ0NGIE5ldHdvcmswHhcNMjEwMzExMDAwMDAwWhcNMjMwNjExMjM1\nOTU5WjAWMRQwEgYDVQQDDAtDQ0YgTmV0d29yazBZMBMGByqGSM49AgEGCCqGSM49\nAwEHA0IABJDsxegT33aucCNaiHPK2YNPqwRg1Y2xxVVkII9yUCs6QyNJoCWI4Zfv\nj7iCOpaaBFxDBOuXcqyzXix\u002Be0r3rZyjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0O\nBBYEFLmINpd7X6PFiqD3z0FsjUgDyHtDMB8GA1UdIwQYMBaAFLmINpd7X6PFiqD3\nz0FsjUgDyHtDMAoGCCqGSM49BAMCA0gAMEUCIQD13yI1tEd9m0CtyfSqUnN80wYr\n6QRh9JO3tuSMA10b2gIgGZTs\u002BkowdDjP//U5fgCBovlcGIhdiBBF2wuHnLfqAkI=\n-----END CERTIFICATE-----\n\u0000"
+                };
+
+            var response = new MockResponse(200);
+            response.SetContent(System.Text.Json.JsonSerializer.Serialize(ledgerCert));
+
+            var cert = ConfidentialLedgerIdentityServiceClient.ParseCertificate(response);
+
+            Assert.AreEqual("5D2E98B216B73220C960EE2978E56EEFEEACA30D", cert.Thumbprint);
+        }
+
+        public class LedgerIdentityResponse
+        {
+            public string ledgerTlsCertificate { get; set; }
+            public string ledgerId { get; set; }
+        }
+    }
+}
@@ -38,16 +38,7 @@ public void HelloWorld()
             ledgerId = ledgerId.Substring(0, ledgerId.IndexOf('.'));
 #endif
             Response response = identityClient.GetLedgerIdentity(ledgerId);
-
-            // extract the ECC PEM value from the response.
-            var eccPem = JsonDocument.Parse(response.Content)
-                .RootElement
-                .GetProperty("ledgerTlsCertificate")
-                .GetString();
-
-            // construct an X509Certificate2 with the ECC PEM value.
-            X509Certificate2 ledgerTlsCert = new X509Certificate2(Encoding.UTF8.GetBytes(eccPem));
-
+            X509Certificate2 ledgerTlsCert = ConfidentialLedgerIdentityServiceClient.ParseCertificate(response);
             #endregion
 
             #region Snippet:CreateClient
@@ -61,6 +52,7 @@ public void HelloWorld()
             certificateChain.ChainPolicy.UrlRetrievalTimeout = new TimeSpan(0, 0, 0);
             certificateChain.ChainPolicy.ExtraStore.Add(ledgerTlsCert);
 
+            var f = certificateChain.Build(ledgerTlsCert);
             // Define a validation function to ensure that the ledger certificate is trusted by the ledger identity TLS certificate.
             bool CertValidationCheck(HttpRequestMessage httpRequestMessage, X509Certificate2 cert, X509Chain x509Chain, SslPolicyErrors sslPolicyErrors)
             {