[Key Vault] Remove OKP support (#28954)

sdk/keyvault/azure-keyvault-keys/CHANGELOG.md

@@ -7,6 +7,8 @@
   client's existing pipeline ([#25172](https://github.com/Azure/azure-sdk-for-python/issues/25172))
 
 ### Breaking Changes
+> These changes do not impact the API of stable versions such as 4.7.0. Only code written against a beta version such as 4.8.0b2 may be affected.
+- Removed support for octet key pair (OKP) keys and operations
 
 ### Bugs Fixed
 

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_client.py

@@ -298,50 +298,6 @@ def create_oct_key(self, name: str, **kwargs) -> KeyVaultKey:
         hsm = kwargs.pop("hardware_protected", False)
         return self.create_key(name, key_type="oct-HSM" if hsm else "oct", **kwargs)
 
-    @distributed_trace
-    def create_okp_key(self, name: str, **kwargs) -> KeyVaultKey:
-        """Create a new octet key pair or, if ``name`` is in use, create a new version of the key.
-
-        Requires the keys/create permission.
-
-        :param str name: The name for the new key.
-
-        :keyword curve: Elliptic curve name.
-        :paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None
-        :keyword key_operations: Allowed key operations.
-        :paramtype key_operations: list[~azure.keyvault.keys.KeyOperation or str] or None
-        :keyword hardware_protected: Whether the key should be created in a hardware security module.
-            Defaults to ``False``.
-        :paramtype hardware_protected: bool or None
-        :keyword enabled: Whether the key is enabled for use.
-        :paramtype enabled: bool or None
-        :keyword tags: Application specific metadata in the form of key-value pairs.
-        :paramtype tags: dict[str, str] or None
-        :keyword not_before: Not before date of the key in UTC
-        :paramtype not_before: ~datetime.datetime or None
-        :keyword expires_on: Expiry date of the key in UTC
-        :paramtype expires_on: ~datetime.datetime or None
-        :keyword exportable: Whether the key can be exported.
-        :paramtype exportable: bool or None
-        :keyword release_policy: The policy rules under which the key can be exported.
-        :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None
-
-        :returns: The created key
-        :rtype: ~azure.keyvault.keys.KeyVaultKey
-
-        :raises: :class:`~azure.core.exceptions.HttpResponseError`
-
-        Example:
-            .. literalinclude:: ../tests/test_samples_keys.py
-                :start-after: [START create_okp_key]
-                :end-before: [END create_okp_key]
-                :language: python
-                :caption: Create an octet key pair (OKP)
-                :dedent: 8
-        """
-        hsm = kwargs.pop("hardware_protected", False)
-        return self.create_key(name, key_type="OKP-HSM" if hsm else "OKP", **kwargs)
-
     @distributed_trace
     def begin_delete_key(self, name: str, **kwargs) -> "LROPoller[DeletedKey]":
         """Delete all versions of a key and its cryptographic material.

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_enums.py

@@ -57,8 +57,6 @@ class KeyType(str, Enum, metaclass=CaseInsensitiveEnumMeta):
     rsa_hsm = "RSA-HSM"  #: RSA with a private key which is not exportable from the HSM
     oct = "oct"  #: Octet sequence (used to represent symmetric keys)
     oct_hsm = "oct-HSM"  #: Octet sequence with a private key which is not exportable from the HSM
-    okp = "OKP"  #: Octet key pair (https://tools.ietf.org/html/rfc8037)
-    okp_hsm = "OKP-HSM"  #: Octet key pair with a private key which is not exportable from the HSM
 
     @classmethod
     def _missing_(cls, value):

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/aio/_client.py

@@ -302,50 +302,6 @@ async def create_oct_key(self, name: str, **kwargs) -> KeyVaultKey:
         hsm = kwargs.pop("hardware_protected", False)
         return await self.create_key(name, key_type="oct-HSM" if hsm else "oct", **kwargs)
 
-    @distributed_trace_async
-    async def create_okp_key(self, name: str, **kwargs) -> KeyVaultKey:
-        """Create a new octet key pair or, if ``name`` is in use, create a new version of the key.
-
-        Requires the keys/create permission.
-
-        :param str name: The name for the new key.
-
-        :keyword curve: Elliptic curve name.
-        :paramtype curve: ~azure.keyvault.keys.KeyCurveName or str or None
-        :keyword key_operations: Allowed key operations.
-        :paramtype key_operations: list[~azure.keyvault.keys.KeyOperation or str] or None
-        :keyword hardware_protected: Whether the key should be created in a hardware security module.
-            Defaults to ``False``.
-        :paramtype hardware_protected: bool or None
-        :keyword enabled: Whether the key is enabled for use.
-        :paramtype enabled: bool or None
-        :keyword tags: Application specific metadata in the form of key-value pairs.
-        :paramtype tags: dict[str, str] or None
-        :keyword not_before: Not before date of the key in UTC
-        :paramtype not_before: ~datetime.datetime or None
-        :keyword expires_on: Expiry date of the key in UTC
-        :paramtype expires_on: ~datetime.datetime or None
-        :keyword exportable: Whether the key can be exported.
-        :paramtype exportable: bool or None
-        :keyword release_policy: The policy rules under which the key can be exported.
-        :paramtype release_policy: ~azure.keyvault.keys.KeyReleasePolicy or None
-
-        :returns: The created key
-        :rtype: ~azure.keyvault.keys.KeyVaultKey
-
-        :raises: :class:`~azure.core.exceptions.HttpResponseError`
-
-        Example:
-            .. literalinclude:: ../tests/test_samples_keys_async.py
-                :start-after: [START create_okp_key]
-                :end-before: [END create_okp_key]
-                :language: python
-                :caption: Create an octet key pair (OKP)
-                :dedent: 8
-        """
-        hsm = kwargs.pop("hardware_protected", False)
-        return await self.create_key(name, key_type="OKP-HSM" if hsm else "OKP", **kwargs)
-
     @distributed_trace_async
     async def delete_key(self, name: str, **kwargs) -> DeletedKey:
         """Delete all versions of a key and its cryptographic material.

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/__init__.py

@@ -21,8 +21,6 @@ def get_local_cryptography_provider(key: "JsonWebKey") -> LocalCryptographyProvi
         return RsaCryptographyProvider(key)
     if key.kty in (KeyType.oct, KeyType.oct_hsm):  # type: ignore[attr-defined]
         return SymmetricCryptographyProvider(key)
-    if key.kty in (KeyType.okp, KeyType.okp_hsm):  # type: ignore[attr-defined]
-        return NoLocalCryptography()
 
     raise ValueError(f'Unsupported key type "{key.kty}"')  # type: ignore[attr-defined]
 

sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client.py

@@ -222,28 +222,6 @@ def test_sign_and_verify(self, key_client, is_hsm, **kwargs):
         assert result.algorithm == SignatureAlgorithm.rs256
         assert verified.is_valid
 
-    @pytest.mark.parametrize("api_version,is_hsm", only_7_4_hsm)
-    @KeysClientPreparer()
-    @recorded_by_proxy
-    def test_sign_and_verify_okp(self, key_client, is_hsm, **kwargs):
-        key_name = self.get_resource_name("keysign")
-
-        md = hashlib.sha256()
-        md.update(self.plaintext)
-        digest = md.digest()
-
-        # Local crypto isn't supported for OKP, so operations will be remote even without explicit NO_GET permissions
-        key = key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519)
-        crypto_client = self.create_crypto_client(key.id, api_version=key_client.api_version)
-
-        result = crypto_client.sign(SignatureAlgorithm.eddsa, digest)
-        assert result.key_id == key.id
-
-        verified = crypto_client.verify(result.algorithm, digest, result.signature)
-        assert result.key_id == key.id
-        assert result.algorithm == SignatureAlgorithm.eddsa
-        assert verified.is_valid
-
     @pytest.mark.parametrize("api_version,is_hsm", no_get)
     @KeysClientPreparer(permissions=NO_GET)
     @recorded_by_proxy

sdk/keyvault/azure-keyvault-keys/tests/test_crypto_client_async.py

@@ -221,29 +221,6 @@ async def test_sign_and_verify(self, key_client, is_hsm, **kwargs):
         assert result.algorithm == SignatureAlgorithm.rs256
         assert verified.is_valid
 
-    @pytest.mark.asyncio
-    @pytest.mark.parametrize("api_version,is_hsm", only_7_4_hsm)
-    @AsyncKeysClientPreparer()
-    @recorded_by_proxy_async
-    async def test_sign_and_verify_okp(self, key_client, is_hsm, **kwargs):
-        key_name = self.get_resource_name("keysign")
-
-        md = hashlib.sha256()
-        md.update(self.plaintext)
-        digest = md.digest()
-
-        # Local crypto isn't supported for OKP, so operations will be remote even without explicit NO_GET permissions
-        key = await key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519)
-        crypto_client = self.create_crypto_client(key.id, is_async=True, api_version=key_client.api_version)
-
-        result = await crypto_client.sign(SignatureAlgorithm.eddsa, digest)
-        assert result.key_id == key.id
-
-        verified = await crypto_client.verify(result.algorithm, digest, result.signature)
-        assert result.key_id == key.id
-        assert result.algorithm == SignatureAlgorithm.eddsa
-        assert verified.is_valid
-
     @pytest.mark.asyncio
     @pytest.mark.parametrize("api_version,is_hsm",no_get)
     @AsyncKeysClientPreparer()

sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys.py

@@ -147,20 +147,6 @@ def test_example_create_oct_key(self, key_client, **kwargs):
         print(key.key_type)
         # [END create_oct_key]
 
-    @pytest.mark.parametrize("api_version,is_hsm",only_7_4_hsm)
-    @KeysClientPreparer()
-    @recorded_by_proxy
-    def test_example_create_okp_key(self, key_client, **kwargs):
-        key_name = self.get_resource_name("key")
-
-        # [START create_okp_key]
-        key = key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519, hardware_protected=True)
-
-        print(key.id)
-        print(key.name)
-        print(key.key_type)
-        # [END create_okp_key]
-
     @pytest.mark.parametrize("api_version,is_hsm",all_api_versions)
     @KeysClientPreparer()
     @recorded_by_proxy

sdk/keyvault/azure-keyvault-keys/tests/test_samples_keys_async.py

@@ -146,21 +146,6 @@ async def test_example_create_oct_key(self, key_client, **kwargs):
         print(key.key_type)
         # [END create_oct_key]
 
-    @pytest.mark.asyncio
-    @pytest.mark.parametrize("api_version,is_hsm",only_7_4_hsm)
-    @AsyncKeysClientPreparer()
-    @recorded_by_proxy_async
-    async def test_example_create_okp_key(self, key_client, **kwargs):
-        key_name = self.get_resource_name("key")
-
-        # [START create_okp_key]
-        key = await key_client.create_okp_key(key_name, curve=KeyCurveName.ed25519, hardware_protected=True)
-
-        print(key.id)
-        print(key.name)
-        print(key.key_type)
-        # [END create_okp_key]
-
     @pytest.mark.asyncio
     @pytest.mark.parametrize("api_version,is_hsm",all_api_versions)
     @AsyncKeysClientPreparer()