[Key Vault] Remove OKP support (#28954)
mccoyp authored Feb 23, 2023
1 parent ce9edaa commit 4d14d78
Showing 9 changed files with 2 additions and 166 deletions.
2 changes: 2 additions & 0 deletions sdk/keyvault/azure-keyvault-keys/CHANGELOG.md
Expand Up @@ -7,6 +7,8 @@
client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172))

### Breaking Changes
> These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected.
- Removed support for octet key pair (OKP) keys and operations

### Bugs Fixed

44 changes: 0 additions & 44 deletions sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py
Expand Up @@ -298,50 +298,6 @@ def create_oct_key(self, name: str, **kwargs) -> KeyVaultKey:
hsm = kwargs.pop("hardware_protected", False)
return self.create_key(name, key_type="oct-HSM" if hsm else "oct", **kwargs)

@distributed_trace
def create_okp_key(self, name: str, **kwargs) -> KeyVaultKey:
"""Create a new octet key pair or, if ``name`` is in use, create a new version of the key.
Requires the keys/create permission.
:param str name: The name for the new key.
:keyword curve: Elliptic curve name.
:paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None
:keyword key_operations: Allowed key operations.
:paramtype key_operations: list[~azure.keyvault.keys.KeyOperation or str] or None
:keyword hardware_protected: Whether the key should be created in a hardware security module.
Defaults to ``False``.
:paramtype hardware_protected: bool or None
:keyword enabled: Whether the key is enabled for use.
:paramtype enabled: bool or None
:keyword tags: Application specific metadata in the form of key-value pairs.
:paramtype tags: dict[str, str] or None
:keyword not_before: Not before date of the key in UTC
:paramtype not_before: ~datetime.datetime or None
:keyword expires_on: Expiry date of the key in UTC
:paramtype expires_on: ~datetime.datetime or None
:keyword exportable: Whether the key can be exported.
:paramtype exportable: bool or None
:keyword release_policy: The policy rules under which the key can be exported.
:paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None
:returns: The created key
:rtype: ~azure.keyvault.keys.KeyVaultKey
:raises: :class:`~azure.core.exceptions.HttpResponseError`
Example:
.. literalinclude:: ../tests/test_samples_keys.py
:start-after: [START create_okp_key]
:end-before: [END create_okp_key]
:language: python
:caption: Create an octet key pair (OKP)
:dedent: 8
"""
hsm = kwargs.pop("hardware_protected", False)
return self.create_key(name, key_type="OKP-HSM" if hsm else "OKP", **kwargs)

@distributed_trace
def begin_delete_key(self, name: str, **kwargs) -> "LROPoller[DeletedKey]":
"""Delete all versions of a key and its cryptographic material.
Expand Up @@ -57,8 +57,6 @@ class KeyType(str, Enum, metaclass=CaseInsensitiveEnumMeta):
rsa_hsm = "RSA-HSM" #: RSA with a private key which is not exportable from the HSM
oct = "oct" #: Octet sequence (used to represent symmetric keys)
oct_hsm = "oct-HSM" #: Octet sequence with a private key which is not exportable from the HSM
okp = "OKP" #: Octet key pair (https://tools.ietf.org/html/rfc8037)
okp_hsm = "OKP-HSM" #: Octet key pair with a private key which is not exportable from the HSM

@classmethod
def _missing_(cls, value):
Expand Up @@ -302,50 +302,6 @@ async def create_oct_key(self, name: str, **kwargs) -> KeyVaultKey:
hsm = kwargs.pop("hardware_protected", False)
return await self.create_key(name, key_type="oct-HSM" if hsm else "oct", **kwargs)

@distributed_trace_async
async def create_okp_key(self, name: str, **kwargs) -> KeyVaultKey:
"""Create a new octet key pair or, if ``name`` is in use, create a new version of the key.
Requires the keys/create permission.
:param str name: The name for the new key.
:keyword curve: Elliptic curve name.
:paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None
:keyword key_operations: Allowed key operations.
:paramtype key_operations: list[~azure.keyvault.keys.KeyOperation or str] or None
:keyword hardware_protected: Whether the key should be created in a hardware security module.
Defaults to ``False``.
:paramtype hardware_protected: bool or None
:keyword enabled: Whether the key is enabled for use.
:paramtype enabled: bool or None
:keyword tags: Application specific metadata in the form of key-value pairs.
:paramtype tags: dict[str, str] or None
:keyword not_before: Not before date of the key in UTC
:paramtype not_before: ~datetime.datetime or None
:keyword expires_on: Expiry date of the key in UTC
:paramtype expires_on: ~datetime.datetime or None
:keyword exportable: Whether the key can be exported.
:paramtype exportable: bool or None
:keyword release_policy: The policy rules under which the key can be exported.
:paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None
:returns: The created key
:rtype: ~azure.keyvault.keys.KeyVaultKey
:raises: :class:`~azure.core.exceptions.HttpResponseError`
Example:
.. literalinclude:: ../tests/test_samples_keys_async.py
:start-after: [START create_okp_key]
:end-before: [END create_okp_key]
:language: python
:caption: Create an octet key pair (OKP)
:dedent: 8
"""
hsm = kwargs.pop("hardware_protected", False)
return await self.create_key(name, key_type="OKP-HSM" if hsm else "OKP", **kwargs)

@distributed_trace_async
async def delete_key(self, name: str, **kwargs) -> DeletedKey:
"""Delete all versions of a key and its cryptographic material.
Expand Up @@ -21,8 +21,6 @@ def get_local_cryptography_provider(key: "JsonWebKey") -> LocalCryptographyProvi
return RsaCryptographyProvider(key)
if key.kty in (KeyType.oct, KeyType.oct_hsm): # type: ignore[attr-defined]
return SymmetricCryptographyProvider(key)
if key.kty in (KeyType.okp, KeyType.okp_hsm): # type: ignore[attr-defined]
return NoLocalCryptography()

raise ValueError(f'Unsupported key type "{key.kty}"') # type: ignore[attr-defined]

22 changes: 0 additions & 22 deletions sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client.py
Expand Up @@ -222,28 +222,6 @@ def test_sign_and_verify(self, key_client, is_hsm, **kwargs):
assert result.algorithm == SignatureAlgorithm.rs256
assert verified.is_valid

@pytest.mark.parametrize("api_version,is_hsm", only_7_4_hsm)
@KeysClientPreparer()
@recorded_by_proxy
def test_sign_and_verify_okp(self, key_client, is_hsm, **kwargs):
key_name = self.get_resource_name("keysign")

md = hashlib.sha256()
md.update(self.plaintext)
digest = md.digest()

# Local crypto isn't supported for OKP, so operations will be remote even without explicit NO_GET permissions
key = key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519)
crypto_client = self.create_crypto_client(key.id, api_version=key_client.api_version)

result = crypto_client.sign(SignatureAlgorithm.eddsa, digest)
assert result.key_id == key.id

verified = crypto_client.verify(result.algorithm, digest, result.signature)
assert result.key_id == key.id
assert result.algorithm == SignatureAlgorithm.eddsa
assert verified.is_valid

@pytest.mark.parametrize("api_version,is_hsm", no_get)
@KeysClientPreparer(permissions=NO_GET)
@recorded_by_proxy
23 changes: 0 additions & 23 deletions sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client_async.py
Expand Up @@ -221,29 +221,6 @@ async def test_sign_and_verify(self, key_client, is_hsm, **kwargs):
assert result.algorithm == SignatureAlgorithm.rs256
assert verified.is_valid

@pytest.mark.asyncio
@pytest.mark.parametrize("api_version,is_hsm", only_7_4_hsm)
@AsyncKeysClientPreparer()
@recorded_by_proxy_async
async def test_sign_and_verify_okp(self, key_client, is_hsm, **kwargs):
key_name = self.get_resource_name("keysign")

md = hashlib.sha256()
md.update(self.plaintext)
digest = md.digest()

# Local crypto isn't supported for OKP, so operations will be remote even without explicit NO_GET permissions
key = await key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519)
crypto_client = self.create_crypto_client(key.id, is_async=True, api_version=key_client.api_version)

result = await crypto_client.sign(SignatureAlgorithm.eddsa, digest)
assert result.key_id == key.id

verified = await crypto_client.verify(result.algorithm, digest, result.signature)
assert result.key_id == key.id
assert result.algorithm == SignatureAlgorithm.eddsa
assert verified.is_valid

@pytest.mark.asyncio
@pytest.mark.parametrize("api_version,is_hsm",no_get)
@AsyncKeysClientPreparer()
14 changes: 0 additions & 14 deletions sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys.py
Expand Up @@ -147,20 +147,6 @@ def test_example_create_oct_key(self, key_client, **kwargs):
print(key.key_type)
# [END create_oct_key]

@pytest.mark.parametrize("api_version,is_hsm",only_7_4_hsm)
@KeysClientPreparer()
@recorded_by_proxy
def test_example_create_okp_key(self, key_client, **kwargs):
key_name = self.get_resource_name("key")

# [START create_okp_key]
key = key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519, hardware_protected=True)

print(key.id)
print(key.name)
print(key.key_type)
# [END create_okp_key]

@pytest.mark.parametrize("api_version,is_hsm",all_api_versions)
@KeysClientPreparer()
@recorded_by_proxy
15 changes: 0 additions & 15 deletions sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys_async.py
Expand Up @@ -146,21 +146,6 @@ async def test_example_create_oct_key(self, key_client, **kwargs):
print(key.key_type)
# [END create_oct_key]

@pytest.mark.asyncio
@pytest.mark.parametrize("api_version,is_hsm",only_7_4_hsm)
@AsyncKeysClientPreparer()
@recorded_by_proxy_async
async def test_example_create_okp_key(self, key_client, **kwargs):
key_name = self.get_resource_name("key")

# [START create_okp_key]
key = await key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519, hardware_protected=True)

print(key.id)
print(key.name)
print(key.key_type)
# [END create_okp_key]

@pytest.mark.asyncio
@pytest.mark.parametrize("api_version,is_hsm",all_api_versions)
@AsyncKeysClientPreparer()
