From 23a83bfbab7f956695e0e0082b24ae08c99bf80f Mon Sep 17 00:00:00 2001 From: vasanthrajams <60414148+vasanthrajams@users.noreply.github.com> Date: Tue, 1 Sep 2020 10:32:29 -0700 Subject: [PATCH] Mofnmodel (#10195) * Adding 7.2-preview version (#8397) * Adding 7.2-preview version Signed-off-by: vasanthrajams * Resolve PR feedback * Fix output-folder for go code generation Co-authored-by: Heath Stewart * Change the number of certificates user provides for security domain This change modifies the number of certificates(containing public keys) customer needs to provide for encrypting the security domain to a M of N model. In this model, customer specifies the M certificates out of N certificates needed to restore the security domain. Signed-off-by: vasanthrajams * prettier check * remove readyonly * Security domain object specification Signed-off-by: vasanthrajams * internal review * prettier fix * model validation fixes * model validation * security domain id * Removing Security Domain ID * Fixed a few more specs * model validation failures * pretty check * changed tag * tag change Co-authored-by: Heath Stewart Co-authored-by: vasanthrajams --- custom-words.txt | 1 + .../securitydomaindownloadpost-example.json | 40 +++- .../securitydomaintransferkey-example.json | 1 + ...securitydomainuploadoperation-example.json | 24 ++- .../preview/7.2-preview/securitydomain.json | 189 ++++++++++++++++-- 5 files changed, 230 insertions(+), 25 deletions(-) diff --git a/custom-words.txt b/custom-words.txt index 40e5db24c8a3..b416a75696fc 100644 --- a/custom-words.txt +++ b/custom-words.txt @@ -1876,3 +1876,4 @@ watchlist Watchlist Mibps ntfs +shamir_share \ No newline at end of file diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaindownloadpost-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaindownloadpost-example.json index 1c733f9c7967..ddcabd6f7668 100644 --- a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaindownloadpost-example.json +++ b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaindownloadpost-example.json @@ -1,7 +1,7 @@ { "parameters": { "vaultBaseUrl": "https://myvault.vault.azure.net/", - "Certificates": { + "CertificateInfoObject": { "certificates": [ { "value": { @@ -60,14 +60,48 @@ "e": "AQAB" } } - ] + ], + "required": 2 }, "api-version": "7.2-preview" }, "responses": { "200": { "body": { - "value": "{\"EncData\":{\"data\":[{\"compact_jwe\":\"ey$Jhb%232GciOiJkaXIiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjoiZW5jbGF2ZS$J9..5eVwZFlsZQeYXQ11HPC_JJg.4d32grvkQBMxyGmncd82VHOggiFbtuaKX2wXvjU-vKukMAtS7oLl9QsSZZJ5s94xAz7Atye93e6gA_2tbHW0QEzLOXiuV-vZ342zP46dxV56bEEjENIOgzBWAfxUkuUdnYE2UDahGSJSbhNxo8URa44CaSAX682q_otmwqh0jgxk5ZcbHRdwpbSFZnfQ6SgHBqrvQUUpKlWJMJQNuWeEjmWaPkCOUnwkJ1ZLOnVj1AB8rlfj0qnEtBotc4V5066vztRDaTLEOV99lp08WRcRPAY2QVBSfhZdzslQ2baRukk6WOTI5KxIl0cf7o0db_zgoT6vluewXgzTSe6NTcrparwVJ-r6kxw12gkYJtrr3ytvOT_lgip5-7H3PLAgDDRDjHd_PEdNyPqsg56QjtVXBUwutQrfh46s_ATm0dFrhAF6Icf9H2rLDGCiFmKUn-CrtM3vErNzu9BMC8ekuSOe0t0XTnsKOjdiabE95MoRIqQYWQGfi02Rp2XO_lSEUnQJTNomd1IATKPiqqktE5YUu0OzDrVCdSGBGg5IDedmGSp0QIf8m7kSc8xYUsU1PTdJoSzgiOAue0ur_P1i2xr_BSSI6I4BJekw9e58qqBbWN-kc3swgLddsCfXqyW9RnNBvjQmnwdffv1O_4zF0wGVnohs6PYu-9RqIzLxgfHvnlBQbsauWlqpNfw5h_JpnoKW287vPc2iXRONHlGdd-4Mp3323JFbISM6NgGg8y6nUAdKASjyXuqR7bTnr3pNTpjF4523buuzKG3Q4nzr-jnWGPIpxeyBV6unEK0Aw3-QQpY7CG_s3-76P484gJm4vPum03I_V3tmnNt}]}}" + "data": { + "EncData": { + "data": [ + { + "compact_jwe": "", + "tag": "hsm_backup" + }, + { + "compact_jwe": "", + "tag": "base_enclave_backup" + }, + { + "compact_jwe": "", + "tag": "partition_enclave_backup" + } + ], + "kdf": "sp108_kdf" + }, + "SharedKeys": { + "key_algorithm": "shamir_share", + "required": 2, + "enc_shares": [ + { + "enc_key": "compact JWE wrapped share1", + "x5t_256": "bWFuZ2VkaHNtDQo" + }, + { + "enc_key": "compact JWE wrapped share2", + "x5t_256": "bWFuZ2VkaHNta2V5dmF1bHQNCg" + } + ] + }, + "version": 2 + } } } } diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaintransferkey-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaintransferkey-example.json index 9c9edb0d91fa..17ba565151ca 100644 --- a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaintransferkey-example.json +++ b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaintransferkey-example.json @@ -6,6 +6,7 @@ "responses": { "200": { "body": { + "key_format": "jwk", "transfer_key": { "kid": "https://myvault.vault.azure.net/transfer_key", "kty": "RSA", diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomainuploadoperation-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomainuploadoperation-example.json index e59cc01e4939..5e7318a81035 100644 --- a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomainuploadoperation-example.json +++ b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomainuploadoperation-example.json @@ -2,7 +2,29 @@ "parameters": { "vaultBaseUrl": "https://myvault.vault.azure.net/", "security_domain": { - "value": "" + "value": { + "EncData": { + "data": [ + { + "compact_jwe": "", + "tag": "hsm_backup" + }, + { + "compact_jwe": "", + "tag": "base_enclave_backup" + }, + { + "compact_jwe": "", + "tag": "partition_enclave_backup" + } + ], + "kdf": "sp108_kdf" + }, + "WrappedKey": { + "enc_key": "eyJhbGciOiJ", + "x5t_256": "h8ObF2NU85MhzEEE2JrSSGcF7aK2CiNrffef1r8mY" + } + } }, "api-version": "7.2-preview" }, diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/securitydomain.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/securitydomain.json index 6f2bb9644780..6ff6f9e7856e 100644 --- a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/securitydomain.json +++ b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/securitydomain.json @@ -37,12 +37,12 @@ "parameters": [ { "in": "body", - "name": "Certificates", + "name": "CertificateInfoObject", "required": true, "schema": { - "$ref": "#/definitions/CertificateSet" + "$ref": "#/definitions/CertificateInfoObject" }, - "description": "Security domain download operation requires customer to provide three certificates containing public key in JWK format." + "description": "Security domain download operation requires customer to provide N certificates (minimum 3 and maximum 10) containing public key in JWK format." }, { "$ref": "#/parameters/ApiVersionParameter" @@ -50,7 +50,7 @@ ], "responses": { "200": { - "description": "Security domain download response", + "description": "This is the specification of the security domain as downloaded from the new pool", "schema": { "$ref": "#/definitions/SecurityDomainObject" } @@ -120,7 +120,7 @@ "description": "security domain", "required": true, "schema": { - "$ref": "#/definitions/SecurityDomainObject" + "$ref": "#/definitions/SecurityDomainUploadObject" } } ], @@ -185,7 +185,7 @@ } }, "definitions": { - "CertificateSet": { + "CertificateInfoObject": { "properties": { "certificates": { "type": "array", @@ -193,9 +193,16 @@ "$ref": "#/definitions/SecurityDomainCertificateItem" }, "minItems": 3, - "maxItems": 3, + "maxItems": 10, "uniqueItems": true, - "description": "Three certificates needed from customer" + "description": "Certificates needed from customer" + }, + "required": { + "description": "Customer to specify the number of certificates (minimum 2 and maximum 10) to restore security domain", + "type": "integer", + "default": 2, + "minimum": 2, + "maximum": 10 } }, "required": [ @@ -215,8 +222,14 @@ }, "TransferKey": { "properties": { + "key_format": { + "type": "string", + "default": "jwk", + "description": "Specifies the format of the transfer key" + }, "transfer_key": { - "$ref": "#/definitions/SecurityDomainJsonWebKey" + "$ref": "#/definitions/SecurityDomainJsonWebKey", + "description": "Specifies the transfer key in JWK format" } }, "required": [ @@ -225,10 +238,113 @@ }, "SecurityDomainObject": { "properties": { - "value": { - "type": "string" + "data": { + "type": "object", + "properties": { + "EncData": { + "$ref": "#/definitions/EncDataSet", + "description": "Array of encrypted data set" + }, + "SharedKeys": { + "properties": { + "key_algorithm": { + "type": "string", + "default": "shamir_share", + "description": "The Algorithm used for shared keys" + }, + "required": { + "type": "integer", + "minimum": 2, + "maximum": 10, + "description": "The number of keys (minimum 2 and maximum 10) required for security domain. " + }, + "enc_shares": { + "type": "array", + "items": { + "$ref": "#/definitions/Key", + "minItems": 3, + "maxItems": 10 + }, + "uniqueItems": true, + "description": "Compact JWE wrapped shares array" + } + }, + "required": [ + "key_algorithm", + "required", + "enc_shares" + ], + "description": "Array of shared keys" + }, + "version": { + "type": "integer" + } + }, + "required": [ + "EncData", + "SharedKeys", + "version" + ] } - } + }, + "description": "Security domain", + "required": [ + "data" + ] + }, + "EncDataSet": { + "properties": { + "data": { + "type": "array", + "items": { + "$ref": "#/definitions/EncDataSetItem", + "minItems": 2 + }, + "description": "Array of encrypted security domain", + "uniqueItems": true + }, + "kdf": { + "type": "string", + "default": "sp108_kdf", + "description": "The key derivation function used" + } + }, + "required": [ + "data", + "kdf" + ] + }, + "EncDataSetItem": { + "properties": { + "compact_jwe": { + "type": "string", + "description": "Encrypted data" + }, + "tag": { + "type": "string", + "description": "hsm backup tag" + } + }, + "required": [ + "compact_jwe", + "tag" + ] + }, + "Key": { + "properties": { + "enc_key": { + "type": "string", + "description": "Compact JWE wrapped share" + }, + "x5t_256": { + "type": "string", + "description": "SHA 256 hash of certificate" + } + }, + "required": [ + "enc_key", + "x5t_256" + ] }, "SecurityDomainOperationStatus": { "properties": { @@ -258,15 +374,7 @@ }, "kty": { "type": "string", - "description": "JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. For security domain this value must be RSA", - "enum": [ - "RSA", - "RSA-HSM" - ], - "x-ms-enum": { - "name": "JsonWebKeyType", - "modelAsString": true - } + "description": "JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. For security domain this value must be RSA" }, "key_ops": { "type": "array", @@ -310,12 +418,51 @@ "required": [ "kty", "key_ops", + "alg", "kid", "x5c", "x5t#S256", "n", "e" ] + }, + "SecurityDomainUploadObject": { + "properties": { + "value": { + "type": "object", + "properties": { + "EncData": { + "$ref": "#/definitions/EncDataSet", + "description": "Array of encrypted data set" + }, + "WrappedKey": { + "properties": { + "enc_key": { + "type": "string", + "description": "Encryption key used to encrypt the EncData" + }, + "x5t_256": { + "type": "string", + "description": "Thumbprint used to determine which certificate was used to encrypt the enc_key field" + } + }, + "required": [ + "enc_key", + "x5t_256" + ], + "description": "Key object containing the encryption key used to encrypt EncData object" + } + }, + "required": [ + "EncData", + "WrappedKey" + ] + } + }, + "description": "Security domain object uploaded to a new pool", + "required": [ + "value" + ] } }, "parameters": {