Add oct-HSM key type

Resolves Azure#14887
heaths · Oct 15, 2020 · 943a601 · 943a601
1 parent a69a529
commit 943a601
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 10 deletions.
diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md b/sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## 4.2.0-beta.3 (Unreleased)
 
+### Added
+
+- Added `KeyType.OctHsm` to support "oct-HSM" key operations.
 
 ## 4.2.0-beta.2 (2020-10-06)
 

diff --git a/...eyvault/Azure.Security.KeyVault.Keys/src/Cryptography/LocalCryptographyProviderFactory.cs b/...eyvault/Azure.Security.KeyVault.Keys/src/Cryptography/LocalCryptographyProviderFactory.cs
@@ -21,7 +21,7 @@ public static ICryptographyProvider Create(JsonWebKey keyMaterial, KeyProperties
                     return new EcCryptographyProvider(keyMaterial, keyProperties);
                 }
 
-                if (keyMaterial.KeyType == KeyType.Oct)
+                if (keyMaterial.KeyType == KeyType.Oct || keyMaterial.KeyType == KeyType.OctHsm)
                 {
                     return new AesCryptographyProvider(keyMaterial, keyProperties);
                 }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/JsonWebKey.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/JsonWebKey.cs
@@ -245,7 +245,7 @@ public JsonWebKey(RSA rsaProvider, bool includePrivateParameters = default, IEnu
         #endregion
 
         /// <summary>
-        /// Gets the HSM token used with "Bring Your Own Key".
+        /// Gets the protected key used with "Bring Your Own Key".
         /// </summary>
         public byte[] T { get; set; }
 
@@ -268,15 +268,15 @@ internal bool HasPrivateKey
         }
 
         /// <summary>
-        /// Converts this <see cref="JsonWebKey"/> of type <see cref="KeyType.Oct"/> to an <see cref="Aes"/> object.
+        /// Converts this <see cref="JsonWebKey"/> of type <see cref="KeyType.Oct"/> or <see cref="KeyType.OctHsm"/> to an <see cref="Aes"/> object.
         /// </summary>
         /// <returns>An <see cref="Aes"/> object.</returns>
         /// <exception cref="InvalidOperationException">This key is not of type <see cref="KeyType.Oct"/> or <see cref="K"/> is null.</exception>
         public Aes ToAes()
         {
-            if (KeyType != KeyType.Oct)
+            if (KeyType != KeyType.Oct && KeyType != KeyType.OctHsm)
             {
-                throw new InvalidOperationException($"key is not an {nameof(KeyType.Oct)} key");
+                throw new InvalidOperationException($"key is not an {nameof(KeyType.Oct)} or {nameof(KeyType.OctHsm)} type");
             }
 
             if (K is null)

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyType.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyType.cs
@@ -16,6 +16,7 @@ namespace Azure.Security.KeyVault.Keys
         internal const string RsaValue = "RSA";
         internal const string RsaHsmValue = "RSA-HSM";
         internal const string OctValue = "oct";
+        internal const string OctHsmValue = "oct-HSM";
 
         private readonly string _value;
 
@@ -53,6 +54,11 @@ public KeyType(string value)
         /// </summary>
         public static KeyType Oct { get; } = new KeyType(OctValue);
 
+        /// <summary>
+        /// An AES cryptographic algorithm backed by HSM.
+        /// </summary>
+        public static KeyType OctHsm { get; } = new KeyType(OctHsmValue);
+
         /// <summary>
         /// Determines if two <see cref="KeyType"/> values are the same.
         /// </summary>

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/JsonWebKeyTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/JsonWebKeyTests.cs
@@ -77,16 +77,20 @@ public void ToAesInvalidKeyType()
             Assert.Throws<InvalidOperationException>(() => jwk.ToAes());
         }
 
-        [Test]
-        public void ToAesInvalidKey()
+        [TestCase(KeyType.OctValue)]
+        [TestCase(KeyType.OctHsmValue)]
+        public void ToAesInvalidKey(string keyType)
         {
             JsonWebKey jwk = new JsonWebKey
             {
-                KeyType = KeyType.Oct,
+                KeyType = new KeyType(keyType),
                 K = null,
             };
 
-            Assert.Throws<InvalidOperationException>(() => jwk.ToAes());
+            InvalidOperationException ex = Assert.Throws<InvalidOperationException>(() => jwk.ToAes());
+
+            // This should always be expected for oct-HSM because the HSM won't release the key.
+            Assert.AreEqual("key does not contain a value", ex.Message);
         }
 
         [TestCase(false)]
@@ -431,7 +435,7 @@ private static IEnumerable<object> GetRSAInvalidKeyData()
 
         private static bool HasPrivateKey(JsonWebKey jwk)
         {
-            if (jwk.KeyType == KeyType.Oct)
+            if (jwk.KeyType == KeyType.Oct || jwk.KeyType == KeyType.OctHsm)
             {
                 return jwk.K != null;
             }

diff --git a/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/LocalCryptographyClientTests.cs b/sdk/keyvault/Azure.Security.KeyVault.Keys/tests/LocalCryptographyClientTests.cs
@@ -385,6 +385,7 @@ private static JsonWebKey CreateKey(KeyType type, bool includePrivateParameters
                     return new JsonWebKey(RSA.Create(), includePrivateParameters, keyOps);
 
                 case KeyType.OctValue:
+                case KeyType.OctHsmValue:
                     return new JsonWebKey(Aes.Create(), keyOps);
 
                 default: