<#
.SYNOPSIS
Scenario tests for oct-HSM (AES, HSM-backed) keys on a Premium Azure Key Vault.
oct-HSM keys require:
- Vault SKU = 'Premium'
- -KeyType oct
- -Destination HSM
- -Size in { 128, 192, 256 }
The service rewrites the key type to 'oct-HSM' on the wire.
Note: vaults are created with -DisableRbacAuthorization because the test
identity is a guest in the test tenant, so MS Graph UPN lookups fail. With
access-policy mode, New-AzKeyVault auto-adds a full-permission policy for the
caller, which is what these tests rely on for the data-plane calls.
#>
function Test-CreateOctHsmKey {
    # Scenario: create a single oct-HSM key on a Premium vault, then read it back
    # and check that both the create and the get call report key type 'oct-HSM'.
    # Get-Location, GetAssetName and the Assert-* helpers come from outside this function.
    $rgLocation = Get-Location "Microsoft.Resources" "resourceGroups" "East US 2 EUAP"
    $kvLocation = Get-Location "Microsoft.KeyVault" "vaults" "East US 2 EUAP"

    # Asset names are requested in a fixed order: resource group, vault, key.
    $rgName = (GetAssetName)
    $kvName = (GetAssetName)
    $octKeyName = (GetAssetName)

    try {
        New-AzResourceGroup -Name $rgName -Location $rgLocation

        # -DisableRbacAuthorization puts the vault in access-policy mode; per the
        # file header the data-plane calls below rely on the policy that
        # New-AzKeyVault adds for the caller. This is a test-only configuration.
        $vaultArgs = @{
            VaultName                = $kvName
            ResourceGroupName        = $rgName
            Location                 = $kvLocation
            Sku                      = "Premium"
            DisableRbacAuthorization = $true
        }
        $vault = New-AzKeyVault @vaultArgs

        # Create a 256-bit oct-HSM key; the size is passed explicitly here.
        $keyArgs = @{
            Name        = $octKeyName
            KeyType     = 'oct'
            Destination = 'HSM'
            Size        = 256
        }
        $key = $vault | Add-AzKeyVaultKey @keyArgs
        Assert-NotNull $key "Add-AzKeyVaultKey returned null"
        Assert-AreEqual "oct-HSM" $key.Key.Kty "key type != 'oct-HSM'"
        Assert-AreEqual $octKeyName $key.Name "key name mismatch"

        # Reading the key back must report the same key type.
        $fetched = Get-AzKeyVaultKey -VaultName $kvName -Name $octKeyName
        Assert-NotNull $fetched "Get-AzKeyVaultKey returned null"
        Assert-AreEqual "oct-HSM" $fetched.Key.Kty "round-tripped key type != 'oct-HSM'"
    }
    finally {
        # Always tear down the resource group, including after a failed assertion.
        # NOTE(review): presumably the vault is only soft-deleted by this; no purge
        # is issued here - confirm that is acceptable for the test subscription.
        Remove-AzResourceGroup -Name $rgName -Force
    }
}
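function Test-CreateOctHsmKeyAllSizes {
    # Scenario: on one Premium vault, create an oct-HSM key for each size listed
    # in the file header (128, 192, 256) and check the reported key type.
    # Get-Location, GetAssetName and the Assert-* helpers come from outside this function.
    $resourceGroupLocation = Get-Location "Microsoft.Resources" "resourceGroups" "East US 2 EUAP"
    $vaultLocation = Get-Location "Microsoft.KeyVault" "vaults" "East US 2 EUAP"
    $resourceGroupName = (GetAssetName)
    $vaultName = (GetAssetName)

    try {
        New-AzResourceGroup -Name $resourceGroupName -Location $resourceGroupLocation

        # -DisableRbacAuthorization puts the vault in access-policy mode; per the
        # file header the data-plane calls below rely on the policy that
        # New-AzKeyVault adds for the caller. This is a test-only configuration.
        $vault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName -Location $vaultLocation -Sku "Premium" -DisableRbacAuthorization

        foreach ($size in 128, 192, 256) {
            # A fresh key name per size, so the three keys do not collide.
            $keyName = (GetAssetName)
            $key = $vault | Add-AzKeyVaultKey -Name $keyName -KeyType oct -Destination HSM -Size $size

            # Check for null first, as Test-CreateOctHsmKey does, so a failed
            # create is reported as such rather than as a key-type mismatch.
            Assert-NotNull $key "size=${size}: Add-AzKeyVaultKey returned null"
            Assert-AreEqual "oct-HSM" $key.Key.Kty "size=${size}: key type != 'oct-HSM'"
            # NOTE(review): only the key type is asserted; the size of the created
            # key is not read back here - consider asserting it if the returned
            # object exposes it.
        }
    }
    finally {
        # Always tear down the resource group, including after a failed assertion.
        Remove-AzResourceGroup -Name $resourceGroupName -Force
    }
}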