CryptographyClient support #4415

Closed
sophiajt opened this issue Jul 24, 2019 · 1 comment · Fixed by #4434
sophiajt commented Jul 24, 2019

Based on Azure/azure-sdk-for-net#7004 we'd like to bring a new CryptographyClient to TypeScript/JavaScript.

The CryptographyClient will be similar to clients like SecretClient and KeysClient, in that it will be a standalone client that can independently connect to the KeyVault service. It will also be able to optionally offload cryptography-related tasks to Node and browser-based crypto. It will use this as an optimization to both speed up cryptography tasks and ease service usage.

Outline

A rough outline of the new client would be something like this:

export class CryptographyClient {
  public static getDefaultPipeline(
    credential: ServiceClientCredentials | TokenCredential,
    pipelineOptions: NewPipelineOptions = {}
  ): Pipeline { ... }

  constructor(
    urlOrKey: string | Key,
    credential: ServiceClientCredentials | TokenCredential,
    pipelineOrOptions: Pipeline | NewPipelineOptions = {}
  ) { ... }

  public async getKey(options?: RequestOptions): Promise<Key> { ... }

  public async encrypt(plaintext: Uint8Array, iv: Uint8Array, algorithm: JsonWebKeyEncryptionAlgorithm, authenticationData?: Uint8Array, options?: RequestOptions): Promise<KeyOperationResult> { ... }
  
  public async decrypt(ciphertext: Uint8Array, iv: Uint8Array, algorithm: JsonWebKeyEncryptionAlgorithm, authenticationData?: Uint8Array, authenticationTag?: Uint8Array, options?: RequestOptions): Promise<KeyOperationResult> { ... }

  public async wrapKey(key: Uint8Array, algorithm: JsonWebKeyEncryptionAlgorithm, options?: RequestOptions): Promise<KeyOperationResult> { ... }

  public async unwrapKey(encryptedKey: Uint8Array, algorithm: JsonWebKeyEncryptionAlgorithm, options?: RequestOptions): Promise<KeyOperationResult> { ... }

  public async sign(digest: Uint8Array, algorithm: JsonWebKeySignatureAlgorithm, options?: RequestOptions): Promise<KeyOperationResult> { ... }

  public async verify(digest: Uint8Array, signature: Uint8Array, algorithm: JsonWebKeySignatureAlgorithm, options?: RequestOptions): Promise<boolean> { ... }

  public async signData(data: Uint8Array, algorithm: JsonWebKeySignatureAlgorithm, options?: RequestOptions): Promise<KeyOperationResult> { ... }

  public async verifyData(data: Uint8Array, signature: Uint8Array, algorithm: JsonWebKeySignatureAlgorithm, options?: RequestOptions): Promise<boolean> { ... }
}

Note: Cancellation is handled through abortSignal in the RequestOptions.

Local optimization

Browser

This table shows a possible point of reference for what is allowed, though we'd need to test each browser.

Node

Tested and available on Node 8:

Encrypt/Decrypt

  • RSA1_5
    • 256
  • RSA-OAEP
    • 256
  • RSA_OAEP-256
    • 256

Sign/Verify

  • RS256

Note: EC would require a later Node version. We could explore optionally supporting it if it's available.

Wrap/Unwrap

Todo

  • Note: there may be better ways to set up the constructor and will need investigation.
  • The API above does not have stream support. We will need to investigate what streams are available for Node and the browser to see if it makes sense to add them.
  • Scott's original design has iv buffers as defaulted, but here I have them required. We'll want to work through which is better for people using the SDK.
@sophiajt sophiajt self-assigned this Jul 24, 2019
@sophiajt sophiajt added the Client This issue points to a problem in the data-plane of the library. label Jul 24, 2019
@sophiajt sophiajt added this to the Sprint 156 milestone Jul 24, 2019
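
The local optimization outlined in the issue above, sketched as an added example (not part of the issue and not the SDK's implementation): public-key operations run in Node's `crypto` when the key and algorithm allow it, and everything else is deferred to the service. The function names, the algorithm-to-padding mapping, the `remoteEncrypt` callback and the generated key pair are assumptions made for illustration, and it assumes a Node release whose `crypto` module imports JWK keys.

```javascript
const crypto = require("crypto");
// Algorithm names from the issue mapped to Node settings (this mapping is an assumption).
const LOCAL_ENCRYPT = new Map([
  ["RSA1_5", { padding: crypto.constants.RSA_PKCS1_PADDING }],
  ["RSA-OAEP", { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha1" }],
  ["RSA-OAEP-256", { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" }],
]);
const LOCAL_VERIFY = new Map([["RS256", "sha256"]]);

// Build a KeyObject from the public members only; null means "not usable locally".
function importPublicJwk(jwk) {
  if (!jwk || jwk.kty !== "RSA" || !jwk.n || !jwk.e) return null;
  return crypto.createPublicKey({ key: { kty: "RSA", n: jwk.n, e: jwk.e }, format: "jwk" });
}

// Encrypt locally when possible; else call remoteEncrypt (hypothetical stand-in for the service).
function encryptLocalOrRemote(jwk, algorithm, plaintext, remoteEncrypt) {
  const params = LOCAL_ENCRYPT.get(algorithm);
  const key = params ? importPublicJwk(jwk) : null;
  if (!key) return { local: false, result: remoteEncrypt(algorithm, plaintext) };
  return { local: true, result: crypto.publicEncrypt({ key, ...params }, plaintext) };
}

// Returns true/false for a local check, or undefined when the caller must ask the service.
function verifyDataLocal(jwk, algorithm, data, signature) {
  const hash = LOCAL_VERIFY.get(algorithm);
  const key = hash ? importPublicJwk(jwk) : null;
  if (!key) return undefined;
  return crypto.verify(hash, data, key, signature);
}

// Constructed demo: the generated private key plays the role of the key held by the service.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwk = publicKey.export({ format: "jwk" });
  const msg = Buffer.from("constructed sample message");
  const enc = encryptLocalOrRemote(jwk, "RSA-OAEP-256", msg, () => { throw new Error("offline"); });
  const dec = crypto.privateDecrypt(
    { key: privateKey, padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" }, enc.result);
  const sig = crypto.sign("sha256", msg, privateKey);
  return {
    encryptedLocally: enc.local,
    roundTrip: dec.equals(msg),
    verified: verifyDataLocal(jwk, "RS256", msg, sig),
    tampered: verifyDataLocal(jwk, "RS256", Buffer.from("tampered message"), sig),
    ecKey: encryptLocalOrRemote({ kty: "EC" }, "RSA-OAEP", msg, () => "remote"),
    es256: verifyDataLocal(jwk, "ES256", msg, sig),
  };
}
```

Returning `undefined` rather than `false` for an unsupported algorithm keeps "could not check locally" distinct from "signature invalid", so a caller never treats a skipped check as a verification result.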
@sadasant

@jonathandturner Just to confirm, a Key will be in the shape of a JWK key, is that correct?

@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023