[Key Vault] Add support for Secure Key Release #19588

Closed
maorleger opened this issue Jun 29, 2021 · 0 comments · Fixed by #20048
maorleger commented Jun 29, 2021

To support Secure Key Release, implement the following changes:

CreateKeyOptions & ImportKeyOptions:

  • Add exportable - an optional boolean value
  • Add releasePolicy - an optional KeyReleasePolicy value (see below)

KeyReleasePolicy

an object / interface containing the following attributes:

  • contentType - an optional string. When omitted, defaults to application/json; charset=utf-8 by the service (not in client code)
  • data - a byte array encoding the policy rules under which the key can be released.

KeyClient.releaseKey

Used to actually release the key. In JS, we're currently implementing it as follows:

```typescript
releaseKey(name: string, version: string, target: string, options?: ReleaseKeyOptions): Promise<ReleaseKeyResult>;
```

where target is the attestation assertion for the target of the key release.

See this PR for implementation: https://github.com/Azure/azure-sdk-for-js/pull/16150/files

Finally, we'll need a resource that can generate an attestation token and return the right keys to MHSM. I set up a test fixture under https://skrattestation.azurewebsites.net/ for now (tracking better implementation in #16314) that you can record against. See our test setup for what is needed there. The important parts are the claims that need to match because those are the claims the test fixture returns.
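The option shapes proposed above, worked through as an added example (this is not code from azure-sdk-for-js or from the issue author): it models CreateKeyOptions and KeyReleasePolicy, encodes a rules object into the byte array the `data` field carries, and runs a client-side check that a release policy is only paired with an exportable key. The JSON rule layout (version / anyOf / allOf / claim), the attestation authority URL and the claim name are constructed sample values, not taken from the issue.

```typescript
// Added example; mirrors the option shapes described in the issue.
interface KeyReleasePolicy {
  contentType?: string; // omitted: service defaults to "application/json; charset=utf-8"
  data: Uint8Array;     // encoded policy rules under which the key may be released
}

interface CreateKeyOptions {
  exportable?: boolean;
  releasePolicy?: KeyReleasePolicy;
}

// Encode a rules object as UTF-8 JSON bytes for the `data` field.
function buildReleasePolicy(rules: object, contentType?: string): KeyReleasePolicy {
  const data = new TextEncoder().encode(JSON.stringify(rules));
  return contentType ? { contentType, data } : { data };
}

// Decode the bytes back so a reviewer can inspect what a key's policy demands.
function decodeReleasePolicy(policy: KeyReleasePolicy): any {
  return JSON.parse(new TextDecoder("utf-8").decode(policy.data));
}

// Client-side sanity check before calling createKey/importKey: a release policy
// on a key that is not exportable can never be satisfied, and an empty policy
// body carries no rules at all. (Assumption: these are the conditions worth
// rejecting locally; the service performs its own validation.)
function checkCreateKeyOptions(options: CreateKeyOptions): string[] {
  const problems: string[] = [];
  if (options.releasePolicy && options.exportable !== true) {
    problems.push("releasePolicy set but exportable is not true");
  }
  if (options.releasePolicy && options.releasePolicy.data.length === 0) {
    problems.push("releasePolicy.data is empty");
  }
  return problems;
}

// Constructed sample policy: release only to an attested environment whose
// attestation claims say it is not running in debug mode.
const samplePolicy: KeyReleasePolicy = buildReleasePolicy({
  version: "1.0.0",
  anyOf: [{
    authority: "https://attestation.example.invalid", // placeholder, not a real authority
    allOf: [{ claim: "x-ms-sgx-is-debuggable", equals: "false" }],
  }],
});

const sampleOptions: CreateKeyOptions = { exportable: true, releasePolicy: samplePolicy };
```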

@maorleger maorleger added Client This issue points to a problem in the data-plane of the library. KeyVault labels Jun 29, 2021
@maorleger maorleger added this to the [2021] August milestone Jun 29, 2021