Add OKP support to Key Vault (#32261)

* Add OKP support to Key Vault Resolves #26193 * Fix LocalSignVerifyRoundTrip(EdDSA) test
Azure · Nov 3, 2022 · 354aafd · 354aafd
1 parent 4986c20
commit 354aafd
Show file tree

Hide file tree

Showing 263 changed files with 12,831 additions and 15,175 deletions.
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
@@ -4,6 +4,12 @@
 
 ### Features Added
 
+- Added `CreateOkpKeyOptions` to pass key options when creating an Octet Key Pair (OKP) on Managed HSM.
+- Added `KeyClient.CreateOkpKey` and `CreateOkpKeyAsync` to create an Octet Key Pair (OKP) on Managed HSM.
+- Added `KeyType.Okp` and `KeyType.OkpHsm` for `JsonWebKey`.
+- Added `KeyCurveName.Ed25519` to create an Octet Key Pair (OKP) using the Ed25519 curve.
+- Added `SignatureAlgorithm.EdDSA` to support signing and verifying with an Octet Key Pair (OKP) on Managed HSM.
+
 ### Breaking Changes
 
 ### Bugs Fixed

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs
@@ -27,6 +27,14 @@ public CreateOctKeyOptions(string name, bool hardwareProtected = false) { }
         public Azure.Security.KeyVault.Keys.KeyType KeyType { get { throw null; } }
         public string Name { get { throw null; } }
     }
+    public partial class CreateOkpKeyOptions : Azure.Security.KeyVault.Keys.CreateKeyOptions
+    {
+        public CreateOkpKeyOptions(string name, bool hardwareProtected = false) { }
+        public Azure.Security.KeyVault.Keys.KeyCurveName? CurveName { get { throw null; } set { } }
+        public bool HardwareProtected { get { throw null; } }
+        public Azure.Security.KeyVault.Keys.KeyType KeyType { get { throw null; } }
+        public string Name { get { throw null; } }
+    }
     public partial class CreateRsaKeyOptions : Azure.Security.KeyVault.Keys.CreateKeyOptions
     {
         public CreateRsaKeyOptions(string name, bool hardwareProtected = false) { }
@@ -117,6 +125,8 @@ public KeyClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azu
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> CreateKeyAsync(string name, Azure.Security.KeyVault.Keys.KeyType keyType, Azure.Security.KeyVault.Keys.CreateKeyOptions keyOptions = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey> CreateOctKey(Azure.Security.KeyVault.Keys.CreateOctKeyOptions octKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> CreateOctKeyAsync(Azure.Security.KeyVault.Keys.CreateOctKeyOptions octKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey> CreateOkpKey(Azure.Security.KeyVault.Keys.CreateOkpKeyOptions okpKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
+        public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> CreateOkpKeyAsync(Azure.Security.KeyVault.Keys.CreateOkpKeyOptions okpKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey> CreateRsaKey(Azure.Security.KeyVault.Keys.CreateRsaKeyOptions rsaKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> CreateRsaKeyAsync(Azure.Security.KeyVault.Keys.CreateRsaKeyOptions rsaKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
         public virtual Azure.Security.KeyVault.Keys.Cryptography.CryptographyClient GetCryptographyClient(string keyName, string keyVersion = null) { throw null; }
@@ -177,6 +187,7 @@ public enum ServiceVersion
         private readonly object _dummy;
         private readonly int _dummyPrimitive;
         public KeyCurveName(string value) { throw null; }
+        public static Azure.Security.KeyVault.Keys.KeyCurveName Ed25519 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyCurveName P256 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyCurveName P256K { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyCurveName P384 { get { throw null; } }
@@ -315,6 +326,8 @@ public KeyRotationPolicy() { }
         public static Azure.Security.KeyVault.Keys.KeyType EcHsm { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyType Oct { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyType OctHsm { get { throw null; } }
+        public static Azure.Security.KeyVault.Keys.KeyType Okp { get { throw null; } }
+        public static Azure.Security.KeyVault.Keys.KeyType OkpHsm { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyType Rsa { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.KeyType RsaHsm { get { throw null; } }
         public bool Equals(Azure.Security.KeyVault.Keys.KeyType other) { throw null; }
@@ -567,6 +580,7 @@ public LocalCryptographyClientOptions() { }
         private readonly object _dummy;
         private readonly int _dummyPrimitive;
         public SignatureAlgorithm(string value) { throw null; }
+        public static Azure.Security.KeyVault.Keys.Cryptography.SignatureAlgorithm EdDSA { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.SignatureAlgorithm ES256 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.SignatureAlgorithm ES256K { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.SignatureAlgorithm ES384 { get { throw null; } }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/CreateOkpKeyOptions.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/CreateOkpKeyOptions.cs
@@ -0,0 +1,58 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+using System;
+using Azure.Core;
+
+namespace Azure.Security.KeyVault.Keys
+{
+    /// <summary>
+    /// The properties needed to create an Octet Key Pair (OKP) using the <see cref="KeyClient"/>.
+    /// </summary>
+    public class CreateOkpKeyOptions : CreateKeyOptions
+    {
+        /// <summary>
+        /// Gets the name of the key to create.
+        /// </summary>
+        public string Name { get; }
+
+        /// <summary>
+        /// Gets the key type of the <see cref="JsonWebKey"/> to create, including <see cref="KeyType.Ec"/> and <see cref="KeyType.EcHsm"/>.
+        /// </summary>
+        public KeyType KeyType { get; }
+
+        /// <summary>
+        /// Gets or sets the elliptic curve name. See <see cref="KeyCurveName"/> for possible values. If null, the service default is used.
+        /// </summary>
+        public KeyCurveName? CurveName { get; set; }
+
+        /// <summary>
+        /// Gets a value indicating whether to create a hardware-protected key in a hardware security module (HSM).
+        /// </summary>
+        /// <value><c>true</c> to create a hardware-protected key; otherwise, <c>false</c> to create a software key.</value>
+        public bool HardwareProtected { get; }
+
+        /// <summary>
+        /// Initializes a new instance of the <see cref="CreateOkpKeyOptions"/> class.
+        /// </summary>
+        /// <param name="name">The name of the key to create.</param>
+        /// <param name="hardwareProtected">True to create a hardware-protected key in a hardware security module (HSM). The default is false to create a software key.</param>
+        /// <exception cref="ArgumentException"><paramref name="name"/> is empty.</exception>
+        /// <exception cref="ArgumentNullException"><paramref name="name"/> is null.</exception>
+        public CreateOkpKeyOptions(string name, bool hardwareProtected = false)
+        {
+            Argument.AssertNotNullOrEmpty(name, nameof(name));
+
+            Name = name;
+            HardwareProtected = hardwareProtected;
+            if (hardwareProtected)
+            {
+                KeyType = KeyType.OkpHsm;
+            }
+            else
+            {
+                KeyType = KeyType.Okp;
+            }
+        }
+    }
+}