Azure-sdk-for-net: Key Vault support for .NET RSA Crypto primitives

Created on 3 Aug 2017 · 11 Comments · Source: Azure/azure-sdk-for-net

Many applications in .NET need an RSA derived object for their crypto functions. Today, there is no built-in way of doing this with keys/certificates stored in Key Vault. I have written an implementation for this, but I believe it belongs in this SDK.

Key Vault does have its own crypto abstractions, but that does not address the need to use Key Vault in places that are not "key vault crypto" aware.

I'm happy to discuss API names, shapes, parameters, but I have this working already here:
https://github.com/onovotny/RSAKeyVaultProvider

The RSAKeyVault enables you to use secrets and certificates stored in an Azure Key Vault for performing signing and decryption operations. (Encrypt and verify can be done locally with the public key material.) The type derives from RSA so can be used anywhere an AsymmetricAlgorithm can be, including with SignedXml types.

I would like to contribute this as a PR into the Key Vault SDK but wanted to start a discussion here before sending a PR.

Client KeyVault feature-request help wanted

All 11 comments

Ping?

Definitely something that would be worth having in the Azure SDK :+1:

@onovotny Hi Oren, we understand what you need but I think we'd implement this differently than you have. For example, most likely I'd modify the KeyVaultKeyResolver and KeyVaultKey from the AKV Extensions package to return a key that subclasses RSA (and also implements IKey). With this model, we could allow for Secrets that contain either public/private certificate or for direct references to Keys. So, basically:

// ResolveKeyAsync returns Task<IKey>, so the call has to be awaited
IKey key = await keyResolver.ResolveKeyAsync(keyIdentifier);
RSA rsa = key as RSA;

We are making some changes to the SDK at the moment and may be able to combine this work. I don't think we'd accept your code as-is because we already have the KeyResolver model.

Thanks. Is the work to do this the way you're suggesting something you'd do, or is it something I can help with? At the end of the day, however the RSA impl gets done, as long as it gets done, is all that counts.

What I have is just one way it could work.

We have some work going on in the SDK at present that this work should either merge with or build on top of. No ETA at present as we are resolving some compatibility issues.

This should now be implemented with PR #7662, which builds on #7176. Please feel free to reopen if not, along with what you feel is missing.

@heaths I just looked at the PR/code/samples and it's not clear to me how I'd get an RSA-derived object back from the client that I can pass into other APIs. The only ToRSA I see is on the JsonWebKey, and that is a thin wrapper that has to contain the private parameters. What's needed is a proxy that calls Key Vault instead of containing the key itself locally.

The private parameters are only necessary if you need the private key, e.g. signing, decrypting, and unwrapping (for RSA). If you just need a raw RSA object, you can use KeyClient to get one, though the private key wouldn't be returned. For that, there's the new CryptographyClient we're introducing in preview 4. Not only does it provide simple methods for signing and encrypting with an RSA private key on Key Vault, for all corresponding public-key operations it can do so locally: better for throughput and controlling costs. Sending every request to the KV could get expensive and will certainly affect performance.

Seems like what you're wanting, then, is a wrapper around CryptographyClient that extends RSA?

Seems like what you're wanting, then, is a wrapper around CryptographyClient that extends RSA?

Yes, exactly. The scenario is that I have a key/certificate in Key Vault as an HSM key. Private bits can never leave -- so I need an RSA object that I can use in existing .NET APIs that can delegate those signing/decrypt operations to Key Vault.

@heaths that's also what I've already written https://github.com/onovotny/RSAKeyVaultProvider/tree/master/RSAKeyVaultProvider -- with the added support for providing the public certificate and carrying that around efficiently. I think that kind of thing would be best provided by the SDK instead of a 3rd party library like mine.

Reopening. Apologies for the misunderstanding. I think what would make sense for both performance and cost-savings is to provide a wrapper around CryptographyClient that extends AsymmetricAlgorithm or SymmetricAlgorithm since we support RSA, EC, and - soon - AES.
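The shape of such a wrapper, as an added example that is neither the SDK's code nor the RSAKeyVaultProvider library's: it takes a CryptographyClient already bound to a Key Vault key plus that key's public parameters, sends SignHash to Key Vault, and keeps verification local so only private-key operations cost a round trip. The CryptographyClient.Sign/SignResult.Signature and SignatureAlgorithm member names are assumed from the Azure.Security.KeyVault.Keys.Cryptography package; Decrypt would follow the same pattern with CryptographyClient.Decrypt and EncryptionAlgorithm.

```csharp
using System;
using System.Security.Cryptography;
using Azure.Security.KeyVault.Keys.Cryptography;
// Added example, not SDK code: an RSA whose private-key operations are proxied to Key Vault
// through CryptographyClient, while public-key operations run locally on the public half.
public sealed class KeyVaultRsa : RSA
{
    private readonly CryptographyClient _client; // bound to one Key Vault key identifier
    private readonly RSA _public;                // local copy of the public parameters only

    public KeyVaultRsa(CryptographyClient client, RSAParameters publicParameters)
    {
        _client = client;
        _public = RSA.Create();
        _public.ImportParameters(publicParameters); // public-only: D, P, Q, ... are null
        KeySizeValue = _public.KeySize;
    }

    // The private half never exists in this process, so it can neither be exported nor replaced.
    public override RSAParameters ExportParameters(bool includePrivateParameters) =>
        includePrivateParameters
            ? throw new CryptographicException("Private key material never leaves Key Vault.")
            : _public.ExportParameters(false);
    public override void ImportParameters(RSAParameters parameters) => throw new NotSupportedException();
    // Required so the inherited SignData/VerifyData helpers (and therefore SignedXml) work.
    protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName name)
    {
        using var h = IncrementalHash.CreateHash(name);
        h.AppendData(data, offset, count);
        return h.GetHashAndReset();
    }

    // Private-key operation: one round trip to Key Vault (HSM-backed when the key is an HSM key).
    public override byte[] SignHash(byte[] hash, HashAlgorithmName name, RSASignaturePadding padding)
    {
        bool pss = padding == RSASignaturePadding.Pss;
        SignatureAlgorithm alg = name.Name switch
        {
            "SHA256" => pss ? SignatureAlgorithm.PS256 : SignatureAlgorithm.RS256,
            "SHA384" => pss ? SignatureAlgorithm.PS384 : SignatureAlgorithm.RS384,
            "SHA512" => pss ? SignatureAlgorithm.PS512 : SignatureAlgorithm.RS512,
            _ => throw new CryptographicException("Unsupported hash algorithm: " + name.Name),
        };
        return _client.Sign(alg, hash).Signature;
    }

    // Public-key operation: local, no call to Key Vault (cheaper and faster).
    public override bool VerifyHash(byte[] hash, byte[] signature, HashAlgorithmName name, RSASignaturePadding padding) =>
        _public.VerifyHash(hash, signature, name, padding);
}
```

Because ExportParameters(true) throws and ImportParameters is refused, any .NET API handed this object can sign through Key Vault but cannot pull the private key into process memory.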
