[KeyVault] - Add support for Secure Key Release #16150
@@ -71,5 +72,82 @@ onVersions({ minVer: "7.2" }).describe( | |||
); | |||
}); | |||
}); | |||
|
|||
onVersions({ minVer: "7.3-preview" }).describe("releaseKey", () => { |
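Review bot: the `onVersions({ minVer: "7.3-preview" })` gate on the new `releaseKey` describe block means the whole suite is skipped silently on any service version below 7.3-preview, and the suite also depends on an attestation endpoint that is not part of the test resources. Add a short comment at the top of the block naming that external prerequisite (the OIDC discovery document and jwks_uri the MHSM must reach) so a skipped or failing run is diagnosable, and plan to bump the gate when 7.3 leaves preview.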
To explain this test setup here:
with the service team's help I set up a mock service on Azure App Service that pretends to be an attestation service and returns mock data.
The managed HSM requires an attestation service that supports OIDC OpenID Connect Discovery. The minimal requirements for us are:
- It should be reachable by the MHSM
- It should respond to https://server.com/.well-known/openid-configuration with the jwks_uri - the jwks_uri value should be reachable by the MHSM
- The attestation we provided must have the right information
The last bit is where it gets interesting - we need to use the same keys to sign the JWT as the ones returned by jwks_uri.
So this should be something that is stood up by live test resources if we want to test this live. You can see what my mock service returns here:
https://skrattestation.azurewebsites.net/generate-test-token -> used by us to get an attestation signed JWT
https://skrattestation.azurewebsites.net/keys -> used by the MHSM to get the key used for signing the token
https://skrattestation.azurewebsites.net/.well-known/openid-configuration -> tells the MHSM where to go to get key
I'll investigate ways to make this part of our test resource deployment, but it's also possible to use this today to record tests for any language
@@ -228,6 +232,7 @@ export class KeyClient { | |||
listPropertiesOfKeys(options?: ListPropertiesOfKeysOptions): PagedAsyncIterableIterator<KeyProperties>; | |||
listPropertiesOfKeyVersions(name: string, options?: ListPropertiesOfKeyVersionsOptions): PagedAsyncIterableIterator<KeyProperties>; | |||
purgeDeletedKey(name: string, options?: PurgeDeletedKeyOptions): Promise<void>; | |||
releaseKey(name: string, version: string, target: string, options?: ReleaseKeyOptions): Promise<ReleaseKeyResult>; |
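Review bot: `releaseKey` takes two required positional strings, `version` and `target`, while the neighbouring `KeyClient` methods in this hunk (`listPropertiesOfKeyVersions`, `purgeDeletedKey`) take `name` plus an options bag. Consider moving `version` into `ReleaseKeyOptions` so callers can release the latest version without looking it up, and give `target` a name that says what it is (the attestation token or environment being released to), with a doc comment on the parameter.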
IIRC, the target is the environment they want to target. We might use environment instead, but talk with Hervey.
Or maybe even targetEnvironment. Would be nice to align with the swagger, even if it means changing that (it's in preview).
nonce?: string; | ||
|
||
/** The {@link KeyExportEncryptionAlgorithm} to for protecting the exported key material. */ | ||
algorithm?: KeyExportEncryptionAlgorithm; |
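Review bot: the tsdoc on `algorithm` reads "to for protecting the exported key material"; drop the stray "to" (or make it "to use for protecting"). Since the property is optional, the comment should also state what the service uses when it is omitted, so callers know which wrapping algorithm protects the released key material by default.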
I like the name, but should we have the service team change the x-ms-client-name? https://github.com/Azure/azure-rest-api-specs/blob/e7682aa897902920f3a95b2f358b6f7729d18666/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/keys.json#L1856
I think what is in swagger now - which changing won't change the wire format - is confusing with our existing EncryptionAlgorithm we have in cryptography.
/cc @lusitanian
/cc @herveyw-msft
RsaAesKeyWrap384 = "RSA_AES_KEY_WRAP_384" | ||
} | ||
|
||
/* eslint-disable tsdoc/syntax */ |
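Review bot: `/* eslint-disable tsdoc/syntax */` as a block comment with no matching `/* eslint-enable tsdoc/syntax */` in the hunk switches the rule off for the rest of the file, not just the doc comments with escaped newlines. Prefer `// eslint-disable-next-line tsdoc/syntax` on the specific lines, or add the re-enable right after them, and leave a one-line comment explaining that the escaping is needed for VSCode rendering.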
Is this necessary? Isn't there a way to make it look nice while this stays enabled?
I tried various ways to make our tsdoc linter happy - it's not happy with the escaping of the newlines on lines 583-585 but they are necessary to display newlines correctly in VSCode. This is also how they are generated in the generated code so I feel it's reasonable to have them here. I was not able to get newlines rendered correctly without this but I am happy to make an issue to investigate that further
I'm convinced to leave it as you have it here :)
Looks good to me! Please get approval from the Key Vault crew as well.
What
- exportable attribute and releasePolicy to KV Keys
- releaseKey method and all of its models

Why
The MHSM service is adding support for SKR in 7.3; as such, we need to implement it in our client libraries.