Skip to content

Respect nbf and exp in local encrypt/wrap operations#11953

Merged
chlowell merged 6 commits intoAzure:masterfrom
chlowell:nbf-exp
Jun 15, 2020
Merged

Respect nbf and exp in local encrypt/wrap operations#11953
chlowell merged 6 commits intoAzure:masterfrom
chlowell:nbf-exp

Conversation

@chlowell
Copy link
Member

@chlowell chlowell commented Jun 10, 2020

When encrypting locally, CryptographyClient should enforce key validity periods with Key Vault's semantics to ensure that a user can't encrypt something Key Vault would refuse to decrypt. This PR adds that enforcement to encrypt and wrap operations. It should apply to sign as well, but CryptographyClient currently doesn't sign locally.

@chlowell chlowell added KeyVault Client This issue points to a problem in the data-plane of the library. labels Jun 10, 2020
@chlowell chlowell requested a review from schaabs as a code owner June 10, 2020 17:35
iscai-msft
iscai-msft approved these changes Jun 10, 2020
View reviewed changes
sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_client.py
return

now = datetime.now(_UTC)
if (nbf and exp) and not nbf <= now <= exp:
Copy link
Contributor

@iscai-msft iscai-msft Jun 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just one quick question: are you sure that you can use a key on its expiration date? Makes sense to me, just want to clarify because it can get a bit confusing given an expiration date whether you can't use it on that date, or after that date

Copy link
Member

@heaths heaths Jun 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as your datetime has second (or lower) resolution, it really wouldn't matter much.

@chlowell chlowell merged commit 743dea5 into Azure:master Jun 15, 2020
@chlowell chlowell deleted the nbf-exp branch June 15, 2020 17:36
iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request Jun 17, 2020
@iscai-msft
Merge branch 'master' of https://github.com/Azure/azure-sdk-for-python
6585bef 
…into regenerate_keys

* 'master' of https://github.com/Azure/azure-sdk-for-python: (26 commits)
  [formrecognizer] update formrecognizer links to new aka.ms naming (Azure#12079)
  changes in samples tests (Azure#12090)
  readme & sample updates (Azure#12095)
  Update Key Vault minimum azure-core to 1.4.0 (Azure#12074)
  [formrecognizer] test parity with other languages (Azure#12059)
  syncing missing changelog items (Azure#12089)
  updating doc references (Azure#12086)
  reserve 1 more version for storage and network (Azure#12082)
  Fix format in swagger_to_sdk_config.json (Azure#12083)
  modify changelog (Azure#12071)
  Update Cosmos CODEOWNERS (Azure#11500)
  Regenerate LUIS (Azure#12064)
  Enable track2 SDK Automation config on master branch (Azure#11654)
  Update KeyVaultPreparer with track 2 mgmt changes (Azure#12060)
  Increment version for storage releases (Azure#12034)
  AzureCliCredential correctly invokes /bin/sh (Azure#12056)
  [formrecognizer] reduce time for recorded tests runs (Azure#11970)
  disable some bandit warnings (Azure#12054)
  Respect nbf and exp in local encrypt/wrap operations (Azure#11953)
  add bug_bash template (Azure#12045)
  ...
iscai-msft added a commit to iscai-msft/azure-sdk-for-python that referenced this pull request Jun 17, 2020
@iscai-msft
Merge branch 'master' of https://github.com/Azure/azure-sdk-for-python
1b9a7c4 
…into regenerate_certs

* 'master' of https://github.com/Azure/azure-sdk-for-python: (21 commits)
  [formrecognizer] update formrecognizer links to new aka.ms naming (Azure#12079)
  changes in samples tests (Azure#12090)
  readme & sample updates (Azure#12095)
  Update Key Vault minimum azure-core to 1.4.0 (Azure#12074)
  [formrecognizer] test parity with other languages (Azure#12059)
  syncing missing changelog items (Azure#12089)
  updating doc references (Azure#12086)
  reserve 1 more version for storage and network (Azure#12082)
  Fix format in swagger_to_sdk_config.json (Azure#12083)
  modify changelog (Azure#12071)
  Update Cosmos CODEOWNERS (Azure#11500)
  Regenerate LUIS (Azure#12064)
  Enable track2 SDK Automation config on master branch (Azure#11654)
  Update KeyVaultPreparer with track 2 mgmt changes (Azure#12060)
  Increment version for storage releases (Azure#12034)
  AzureCliCredential correctly invokes /bin/sh (Azure#12056)
  [formrecognizer] reduce time for recorded tests runs (Azure#11970)
  disable some bandit warnings (Azure#12054)
  Respect nbf and exp in local encrypt/wrap operations (Azure#11953)
  add bug_bash template (Azure#12045)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iscai-msft iscai-msft iscai-msft approved these changes

@heaths heaths Awaiting requested review from heaths

@g2vinay g2vinay Awaiting requested review from g2vinay

@schaabs schaabs Awaiting requested review from schaabs

Assignees

No one assigned

Labels

Client This issue points to a problem in the data-plane of the library. KeyVault

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chlowell @heaths @iscai-msft