[KeyVault] Update Keys with service version 7.6 (#50510)

* Move CkmAesKeyWrap to KeyWrapAlgorithm

* Update tests

* Update service version to 7.6

* Update CHANGELOG for breaking changes and default service version

* Export API

* Fix formatting

* nit: formatting

* nit: formatting

* Attempt: have different sizes for the KwyWrap and fix the Padding

* Hide CkmAesKeyWrap algorithm

* Updating implementation to remove local-only algorithm bits.  This should allow the new algorithms to fallback to remote-only paths, which are necessary since the client lacks insight into the keysize and other factors needed for local operations.

* Clean up AesKw type

* Make CkmAesKeyWrap public

* Export API

* Update changelog with new features for stable version

* Re-record tests, the new keywrap algorithm tests are failing tho.

* Add support for CkmAesKeyWrap and CkmAesKeyWrapPad algorithms in CreateTestKey

* Remove CKM_AES_KEY_WRAP for non-HSM and local tests.

* re-record after merging main

* Apply suggestions from code review

Co-authored-by: Charles Lowell <10964656+chlowell@users.noreply.github.com>

* Reverting AesKw.cs

* Ignore KeyWrapAlgorithm.CkmAesKeyWrap for non-hsm test

---------

Co-authored-by: Jesse Squire <jesse.squire@gmail.com>
Co-authored-by: Charles Lowell <10964656+chlowell@users.noreply.github.com>

Author: 3 people

sdk/keyvault/Azure.Security.KeyVault.Keys/CHANGELOG.md

@@ -10,6 +10,11 @@ Thank you to our developer community members who helped to make the Key Vault cl
 
 ### Features Added
 
+- Added Hmac algorithms in `SignatureAlgorithm`
+- Added CkmAesKeyWrap algorithm in `KeyWrapAlgorithm`
+- Added Attestation property for Keys in Managed HSM Key Vaults.
+- Adde new `GetKeyAttestation` operation to get the public part of a stored key along with its attestation blob.
+
 ### Breaking Changes
 
 ### Bugs Fixed
@@ -18,6 +23,8 @@ Thank you to our developer community members who helped to make the Key Vault cl
 
 ### Other Changes
 
+- The default service version is now "7.6".
+
 ## 4.8.0-beta.1 (2025-04-08)
 
 ### Features Added

sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.net8.0.cs

@@ -169,7 +169,7 @@ public KeyClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azu
     }
     public partial class KeyClientOptions : Azure.Core.ClientOptions
     {
-        public KeyClientOptions(Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion.V7_6_Preview_2) { }
+        public KeyClientOptions(Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion.V7_6) { }
         public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
@@ -180,7 +180,7 @@ public enum ServiceVersion
             V7_3 = 3,
             V7_4 = 4,
             V7_5 = 5,
-            V7_6_Preview_2 = 6,
+            V7_6 = 6,
         }
     }
     [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
@@ -441,7 +441,7 @@ public CryptographyClient(System.Uri keyId, Azure.Core.TokenCredential credentia
     }
     public partial class CryptographyClientOptions : Azure.Core.ClientOptions
     {
-        public CryptographyClientOptions(Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion.V7_6_Preview_2) { }
+        public CryptographyClientOptions(Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion.V7_6) { }
         public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
@@ -452,7 +452,7 @@ public enum ServiceVersion
             V7_3 = 3,
             V7_4 = 4,
             V7_5 = 5,
-            V7_6_Preview_2 = 6,
+            V7_6 = 6,
         }
     }
     public partial class DecryptParameters
@@ -472,8 +472,6 @@ internal DecryptParameters() { }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters A256CbcPadParameters(byte[] ciphertext, byte[] iv) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters A256CbcParameters(byte[] ciphertext, byte[] iv) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters A256GcmParameters(byte[] ciphertext, byte[] iv, byte[] authenticationTag, byte[] additionalAuthenticatedData = null) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters CkmAesKeyWrapPadParameters(byte[] ciphertext, byte[] iv) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters CkmAesKeyWrapParameters(byte[] ciphertext, byte[] iv) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters Rsa15Parameters(byte[] ciphertext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters RsaOaep256Parameters(byte[] ciphertext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters RsaOaepParameters(byte[] ciphertext) { throw null; }
@@ -500,8 +498,6 @@ internal DecryptResult() { }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm A256Cbc { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm A256CbcPad { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm A256Gcm { get { throw null; } }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm CkmAesKeyWrap { get { throw null; } }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm CkmAesKeyWrapPad { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm Rsa15 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm RsaOaep { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm RsaOaep256 { get { throw null; } }
@@ -531,8 +527,6 @@ internal EncryptParameters() { }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters A256CbcPadParameters(byte[] plaintext, byte[] iv = null) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters A256CbcParameters(byte[] plaintext, byte[] iv = null) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters A256GcmParameters(byte[] plaintext, byte[] additionalAuthenticatedData = null) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters CkmAesKeyWrapPadParameters(byte[] plaintext, byte[] iv = null) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters CkmAesKeyWrapParameters(byte[] plaintext, byte[] iv = null) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters Rsa15Parameters(byte[] plaintext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters RsaOaep256Parameters(byte[] plaintext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters RsaOaepParameters(byte[] plaintext) { throw null; }
@@ -566,6 +560,8 @@ public KeyResolver(Azure.Core.TokenCredential credential, Azure.Security.KeyVaul
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm A128KW { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm A192KW { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm A256KW { get { throw null; } }
+        public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm CkmAesKeyWrap { get { throw null; } }
+        public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm CkmAesKeyWrapPad { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm Rsa15 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm RsaOaep { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm RsaOaep256 { get { throw null; } }

sdk/keyvault/Azure.Security.KeyVault.Keys/api/Azure.Security.KeyVault.Keys.netstandard2.0.cs

@@ -169,7 +169,7 @@ public KeyClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azu
     }
     public partial class KeyClientOptions : Azure.Core.ClientOptions
     {
-        public KeyClientOptions(Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion.V7_6_Preview_2) { }
+        public KeyClientOptions(Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion.V7_6) { }
         public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.KeyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
@@ -180,7 +180,7 @@ public enum ServiceVersion
             V7_3 = 3,
             V7_4 = 4,
             V7_5 = 5,
-            V7_6_Preview_2 = 6,
+            V7_6 = 6,
         }
     }
     [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
@@ -441,7 +441,7 @@ public CryptographyClient(System.Uri keyId, Azure.Core.TokenCredential credentia
     }
     public partial class CryptographyClientOptions : Azure.Core.ClientOptions
     {
-        public CryptographyClientOptions(Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion.V7_6_Preview_2) { }
+        public CryptographyClientOptions(Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion version = Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion.V7_6) { }
         public bool DisableChallengeResourceVerification { get { throw null; } set { } }
         public Azure.Security.KeyVault.Keys.Cryptography.CryptographyClientOptions.ServiceVersion Version { get { throw null; } }
         public enum ServiceVersion
@@ -452,7 +452,7 @@ public enum ServiceVersion
             V7_3 = 3,
             V7_4 = 4,
             V7_5 = 5,
-            V7_6_Preview_2 = 6,
+            V7_6 = 6,
         }
     }
     public partial class DecryptParameters
@@ -472,8 +472,6 @@ internal DecryptParameters() { }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters A256CbcPadParameters(byte[] ciphertext, byte[] iv) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters A256CbcParameters(byte[] ciphertext, byte[] iv) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters A256GcmParameters(byte[] ciphertext, byte[] iv, byte[] authenticationTag, byte[] additionalAuthenticatedData = null) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters CkmAesKeyWrapPadParameters(byte[] ciphertext, byte[] iv) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters CkmAesKeyWrapParameters(byte[] ciphertext, byte[] iv) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters Rsa15Parameters(byte[] ciphertext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters RsaOaep256Parameters(byte[] ciphertext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.DecryptParameters RsaOaepParameters(byte[] ciphertext) { throw null; }
@@ -500,8 +498,6 @@ internal DecryptResult() { }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm A256Cbc { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm A256CbcPad { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm A256Gcm { get { throw null; } }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm CkmAesKeyWrap { get { throw null; } }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm CkmAesKeyWrapPad { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm Rsa15 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm RsaOaep { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptionAlgorithm RsaOaep256 { get { throw null; } }
@@ -531,8 +527,6 @@ internal EncryptParameters() { }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters A256CbcPadParameters(byte[] plaintext, byte[] iv = null) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters A256CbcParameters(byte[] plaintext, byte[] iv = null) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters A256GcmParameters(byte[] plaintext, byte[] additionalAuthenticatedData = null) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters CkmAesKeyWrapPadParameters(byte[] plaintext, byte[] iv = null) { throw null; }
-        public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters CkmAesKeyWrapParameters(byte[] plaintext, byte[] iv = null) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters Rsa15Parameters(byte[] plaintext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters RsaOaep256Parameters(byte[] plaintext) { throw null; }
         public static Azure.Security.KeyVault.Keys.Cryptography.EncryptParameters RsaOaepParameters(byte[] plaintext) { throw null; }
@@ -566,6 +560,8 @@ public KeyResolver(Azure.Core.TokenCredential credential, Azure.Security.KeyVaul
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm A128KW { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm A192KW { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm A256KW { get { throw null; } }
+        public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm CkmAesKeyWrap { get { throw null; } }
+        public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm CkmAesKeyWrapPad { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm Rsa15 { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm RsaOaep { get { throw null; } }
         public static Azure.Security.KeyVault.Keys.Cryptography.KeyWrapAlgorithm RsaOaep256 { get { throw null; } }

sdk/keyvault/Azure.Security.KeyVault.Keys/assets.json

@@ -2,5 +2,5 @@
   "AssetsRepo": "Azure/azure-sdk-assets",
   "AssetsRepoPrefixPath": "net",
   "TagPrefix": "net/keyvault/Azure.Security.KeyVault.Keys",
-  "Tag": "net/keyvault/Azure.Security.KeyVault.Keys_8691bc60be"
+  "Tag": "net/keyvault/Azure.Security.KeyVault.Keys_1f1b6ed280"
 }

sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/AesCbc.cs

@@ -15,12 +15,9 @@ internal class AesCbc
         public static readonly AesCbc Aes128Cbc = new AesCbc("A128CBC", 128, PaddingMode.Zeros);
         public static readonly AesCbc Aes192Cbc = new AesCbc("A192CBC", 192, PaddingMode.Zeros);
         public static readonly AesCbc Aes256Cbc = new AesCbc("A256CBC", 256, PaddingMode.Zeros);
-        public static readonly AesCbc CkmAesKeyWrap = new AesCbc("CKM_AES_KEY_WRAP", 192, PaddingMode.Zeros);
-
         public static readonly AesCbc Aes128CbcPad = new AesCbc("A128CBCPAD", 128, PaddingMode.PKCS7);
         public static readonly AesCbc Aes192CbcPad = new AesCbc("A192CBCPAD", 192, PaddingMode.PKCS7);
         public static readonly AesCbc Aes256CbcPad = new AesCbc("A256CBCPAD", 256, PaddingMode.PKCS7);
-        public static readonly AesCbc CkmAesKeyWrapPad = new AesCbc("CKM_AES_KEY_WRAP_PAD", 256, PaddingMode.PKCS7);
 
         private AesCbc(string name, int keySize, PaddingMode padding)
         {

sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/AesKw.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
+// Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT License.
 
 using System;

sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/CryptographyClientOptions.cs

@@ -16,7 +16,7 @@ public class CryptographyClientOptions : ClientOptions
         /// For more information, see
         /// <see href="https://docs.microsoft.com/rest/api/keyvault/key-vault-versions">Key Vault versions</see>.
         /// </summary>
-        internal const ServiceVersion LatestVersion = ServiceVersion.V7_6_Preview_2;
+        internal const ServiceVersion LatestVersion = ServiceVersion.V7_6;
 
         /// <summary>
         /// The versions of Azure Key Vault supported by this client
@@ -58,7 +58,7 @@ public enum ServiceVersion
             /// <summary>
             /// The Key Vault API version 7.6-preview.2.
             /// </summary>
-            V7_6_Preview_2 = 6,
+            V7_6 = 6,
 #pragma warning restore CA1707 // Identifiers should not contain underscores
         }
 
@@ -99,7 +99,7 @@ internal string GetVersionString()
                 ServiceVersion.V7_3 => "7.3",
                 ServiceVersion.V7_4 => "7.4",
                 ServiceVersion.V7_5 => "7.5",
-                ServiceVersion.V7_6_Preview_2 => "7.6-preview.2",
+                ServiceVersion.V7_6 => "7.6",
                 _ => throw new ArgumentException(Version.ToString()),
             };
         }

sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/DecryptParameters.cs

@@ -105,16 +105,6 @@ public static DecryptParameters A192CbcParameters(byte[] ciphertext, byte[] iv)
         public static DecryptParameters A256CbcParameters(byte[] ciphertext, byte[] iv) =>
             new DecryptParameters(EncryptionAlgorithm.A256Cbc, ciphertext, iv);
 
-        /// <summary>
-        /// Creates an instance of the <see cref="DecryptParameters"/> class using the <see cref="EncryptionAlgorithm.CkmAesKeyWrap"/> encryption algorithm.
-        /// </summary>
-        /// <param name="ciphertext">The cipher text to decrypt.</param>
-        /// <param name="iv">The initialization vector used during encryption.</param>
-        /// <returns>An instance of the <see cref="DecryptParameters"/> class using the <see cref="EncryptionAlgorithm.CkmAesKeyWrap"/> encryption algorithm.</returns>
-        /// <exception cref="ArgumentNullException"><paramref name="ciphertext"/> or <paramref name="iv"/> is null.</exception>
-        public static DecryptParameters CkmAesKeyWrapParameters(byte[] ciphertext, byte[] iv) =>
-            new DecryptParameters(EncryptionAlgorithm.CkmAesKeyWrap, ciphertext, iv);
-
         /// <summary>
         /// Creates an instance of the <see cref="DecryptParameters"/> class for the <see cref="EncryptionAlgorithm.A128CbcPad"/> encryption algorithm with PKCS#7 padding.
         /// </summary>
@@ -145,16 +135,6 @@ public static DecryptParameters A192CbcPadParameters(byte[] ciphertext, byte[] i
         public static DecryptParameters A256CbcPadParameters(byte[] ciphertext, byte[] iv) =>
             new DecryptParameters(EncryptionAlgorithm.A256CbcPad, ciphertext, iv);
 
-        /// <summary>
-        /// Creates an instance of the <see cref="DecryptParameters"/> class for the <see cref="EncryptionAlgorithm.CkmAesKeyWrapPad"/> encryption algorithm with PKCS#7 padding.
-        /// </summary>
-        /// <param name="ciphertext">The ciphertext to decrypt.</param>
-        /// <param name="iv">The initialization vector used during encryption.</param>
-        /// <returns>An instance of the <see cref="DecryptParameters"/> class for the <see cref="EncryptionAlgorithm.CkmAesKeyWrapPad"/> encryption algorithm.</returns>
-        /// <exception cref="ArgumentNullException"><paramref name="ciphertext"/> or <paramref name="iv"/> is null.</exception>
-        public static DecryptParameters CkmAesKeyWrapPadParameters(byte[] ciphertext, byte[] iv) =>
-            new DecryptParameters(EncryptionAlgorithm.CkmAesKeyWrapPad, ciphertext, iv);
-
         internal DecryptParameters(EncryptionAlgorithm algorithm, byte[] ciphertext)
         {
             Argument.AssertNotNull(ciphertext, nameof(ciphertext));