
Commit c451539

authored
Make key_Version optional for encrypt, sign, wrapKey (#4249)
After talking with the Key Vault and Managed HSM teams, we want to promote using the latest key version for encrypting, signing, and wrapping DEKs; however, we encourage passing a version to their reverse operations. Requires Azure/azure-rest-api-specs#42571
1 parent 628dd0b commit c451539

12 files changed

Lines changed: 112 additions & 34 deletions


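--- a/sdk/keyvault/assets.json
+++ b/sdk/keyvault/assets.json
@@ -2,5 +2,5 @@
 "AssetsRepo": "Azure/azure-sdk-assets",
 "AssetsRepoPrefixPath": "rust",
 "TagPrefix": "rust/keyvault",
-"Tag": "rust/keyvault_c9f2f1865c"
+"Tag": "rust/keyvault_e3dd11701a"
 }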

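--- a/sdk/keyvault/azure_security_keyvault_certificates/CHANGELOG.md
+++ b/sdk/keyvault/azure_security_keyvault_certificates/CHANGELOG.md
@@ -10,6 +10,8 @@
 
 ### Other Changes
 
+- Updated dependencies.
+
 ## 0.12.0 (2026-04-08)
 
 ### Other Changes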

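--- a/sdk/keyvault/azure_security_keyvault_certificates/README.md
+++ b/sdk/keyvault/azure_security_keyvault_certificates/README.md
@@ -234,7 +234,7 @@ use azure_security_keyvault_certificates::{
 ResourceExt,
 };
 use azure_security_keyvault_keys::{
-models::{SignParameters, SignatureAlgorithm},
+models::{KeyClientSignOptions, SignParameters, SignatureAlgorithm},
 };
 use openssl::sha::sha256;
 
@@ -285,7 +285,14 @@ let body = SignParameters {
 };
 
 let signature = key_client
-.sign("ec-signing-certificate", &certificate_version, body.try_into()?, None)
+.sign(
+"ec-signing-certificate",
+body.try_into()?,
+Some(KeyClientSignOptions {
+key_version: Some(certificate_version.clone()),
+..Default::default()
+}),
+)
 .await?
 .into_model()?;
 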
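--- a/sdk/keyvault/azure_security_keyvault_certificates/tests/certificate_client.rs
+++ b/sdk/keyvault/azure_security_keyvault_certificates/tests/certificate_client.rs
@@ -19,7 +19,7 @@ use azure_security_keyvault_certificates::{
 CertificateClient, CertificateClientOptions, ResourceExt as _,
 };
 use azure_security_keyvault_keys::{
-models::{SignParameters, SignatureAlgorithm},
+models::{KeyClientSignOptions, SignParameters, SignatureAlgorithm},
 KeyClient, KeyClientOptions,
 };
 use azure_security_keyvault_test::Retry;
@@ -357,7 +357,14 @@ async fn sign_jwt_with_ec_certificate(ctx: TestContext) -> Result<()> {
 value: Some(digest),
 };
 let signature = key_client
-.sign(NAME, &certificate_version, body.try_into()?, None)
+.sign(
+NAME,
+body.try_into()?,
+Some(KeyClientSignOptions {
+key_version: Some(certificate_version.clone()),
+..Default::default()
+}),
+)
 .await?
 .into_model()?;
 assert!(signature.result.is_some());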
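Review bot: The only assertion after the `sign` call is `assert!(signature.result.is_some());`, so the test would still pass if the request signed with a key version other than the one passed in `KeyClientSignOptions`. Since this commit also adds an `AsId` impl for `KeyOperationResult` in resource.rs, the test could check that the returned key ID carries the requested version, e.g. `assert_eq!(signature.resource_id()?.version.as_deref(), Some(certificate_version.as_str()));`. That assumes the keys crate's `ResourceExt` is brought into scope and that `certificate_version` is a `String`, neither of which is visible here. The body of `sign_jwt_with_ec_certificate` starts before this hunk and may continue past it.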

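--- a/sdk/keyvault/azure_security_keyvault_keys/CHANGELOG.md
+++ b/sdk/keyvault/azure_security_keyvault_keys/CHANGELOG.md
@@ -4,8 +4,12 @@
 
 ### Features Added
 
+- Added support for `ResourceIdExt` to `KeyOperationResult`.
+
 ### Breaking Changes
 
+- Moved `key_version` parameter to be an optional parameter for `KeyClient::encrypt()`, `sign()`, and `wrapKey()`.
+
 ### Bugs Fixed
 
 ### Other Changes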

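--- a/sdk/keyvault/azure_security_keyvault_keys/README.md
+++ b/sdk/keyvault/azure_security_keyvault_keys/README.md
@@ -234,7 +234,7 @@ use azure_security_keyvault_keys::{
 models::{
 CreateKeyParameters, EncryptionAlgorithm, KeyOperationParameters, KeyType,
 },
-ResourceExt,
+ResourceExt, ResourceId,
 };
 use rand::random;
 
@@ -249,7 +249,6 @@ let key = client
 .create_key("key-name", body.try_into()?, None)
 .await?
 .into_model()?;
-let key_version = key.resource_id()?.version.expect("key version required");
 
 // Generate a symmetric data encryption key (DEK). You'd encrypt your data using this DEK.
 let dek = random::<u32>().to_le_bytes().to_vec();
@@ -261,16 +260,21 @@ let mut parameters = KeyOperationParameters {
 ..Default::default()
 };
 let wrapped = client
-.wrap_key("key-name", &key_version, parameters.clone().try_into()?, None)
+.wrap_key("key-name", parameters.clone().try_into()?, None)
 .await?
 .into_model()?;
 
 assert!(matches!(wrapped.result.as_ref(), Some(result) if !result.is_empty()));
 
+// Retain the key ID that was used to wrap so you can unwrap using the same version later.
+// We'll parse the version to pass to `unwrap_key` below.
+let ResourceId { version, .. } = wrapped.resource_id()?;
+let key_version = version.as_deref().unwrap_or_default();
+
 // Unwrap the DEK.
 parameters.value = wrapped.result;
 let unwrapped = client
-.unwrap_key("key-name", &key_version, parameters.try_into()?, None)
+.unwrap_key("key-name", key_version, parameters.try_into()?, None)
 .await?
 .into_model()?;
 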
sdk/keyvault/azure_security_keyvault_keys/src/generated/clients/key_client.rs

Lines changed: 27 additions & 18 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

sdk/keyvault/azure_security_keyvault_keys/src/generated/models/method_options.rs

Lines changed: 9 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

sdk/keyvault/azure_security_keyvault_keys/src/generated/models/models.rs

Lines changed: 8 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

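--- a/sdk/keyvault/azure_security_keyvault_keys/src/resource.rs
+++ b/sdk/keyvault/azure_security_keyvault_keys/src/resource.rs
@@ -123,7 +123,7 @@ fn deconstruct(url: &Url) -> Result<ResourceId> {
 }
 
 mod private {
-use crate::models::{DeletedKey, DeletedKeyProperties, Key, KeyProperties};
+use crate::models::{DeletedKey, DeletedKeyProperties, Key, KeyOperationResult, KeyProperties};
 
 pub trait AsId {
 fn as_id(&self) -> Option<&String>;
@@ -152,6 +152,12 @@ mod private {
 self.kid.as_ref()
 }
 }
+
+impl AsId for KeyOperationResult {
+fn as_id(&self) -> Option<&String> {
+self.kid.as_ref()
+}
+}
 }
 
 #[cfg(test)]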
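Review bot: The new `impl AsId for KeyOperationResult` (new lines 156–160) comes without a test in this file's section, even though the `#[cfg(test)]` module starts right below the hunk. A case that builds a `KeyOperationResult` with a versioned `kid` and asserts the parsed `version`, plus one with `kid: None`, would pin the behaviour callers now rely on to unwrap, decrypt or verify against the exact key version that was used. Because `as_id` returns an `Option`, a missing `kid` or version is best surfaced as an error at the call site rather than defaulted; the keys README sample in this commit falls back to an empty string via `unwrap_or_default()`, where the removed line used `expect("key version required")`. `mod private` opens before this hunk and the test module continues past it.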
