Skip to content

Updated CryptographyClientImpl to return a versioned keyId where applicable #47822

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vcolin7 wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Updated CryptographyClientImpl to return a versioned keyId where applicable #47822

vcolin7 wants to merge 6 commits into from

Conversation

@vcolin7
Copy link
Member

@vcolin7 vcolin7 commented Jan 27, 2026
edited
Loading

Description

Fixes: #43451

Fixed an issue where cryptographic operation results (SignResult, EncryptResult, DecryptResult, WrapResult, UnwrapResult) returned a versionless key ID instead of the full versioned key ID returned by the service. This caused issues when attempting roundtrip scenarios, as callers couldn't determine which key version was used for the original operation (e.g. Sign -> Verify).

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI review requested due to automatic review settings January 27, 2026 22:06
@vcolin7 vcolin7 requested review from a team as code owners January 27, 2026 22:06
@vcolin7 vcolin7 requested review from heaths and samvaity January 27, 2026 22:11
@vcolin7 vcolin7 self-assigned this Jan 27, 2026
Copilot AI reviewed Jan 27, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes Key Vault cryptography operation results to return the service-returned (versioned) key identifier (kid) instead of the client’s (potentially unversioned) keyId, enabling correct roundtrip scenarios when key rotation is used (e.g., sign→verify, wrap→unwrap).

Changes:

  • Updated EncryptResult to use KeyOperationResult.getKid() for keyId.
  • Updated DecryptResult to use KeyOperationResult.getKid() for keyId.
  • Updated SignResult, WrapResult, and UnwrapResult to use KeyOperationResult.getKid() for keyId.

heaths
heaths approved these changes Jan 27, 2026
View reviewed changes
Copy link
Member

@heaths heaths left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given your changelog entry, this would seem right but without seeing any tests or knowing your code from memory, does getKid() return the full URI including version? Might be good to add a test or even an assertion to existing tests to make sure you do indeed have a version.

@vcolin7
Copy link
Member Author

vcolin7 commented Jan 28, 2026

@heaths Added a few more check to our unit tests, including one for kid version

heaths
heaths approved these changes Jan 28, 2026
View reviewed changes
...keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java Outdated
// Ensure the keyId includes the key version
String[] keyIdParts = keyId.split("/");

assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version.");
Copy link
Member

@heaths heaths Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: this works, but don't you have an ID parser like we added to all other languages? Might be nice to use that for maintainability so it's obvious that the version is being checked: parse it into its components, and check a version local. Just a suggestion. Non-blocking.

Copy link
Member Author

@vcolin7 vcolin7 Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, you're right! I forgot we had that. Thanks for reminding me :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@heaths heaths heaths approved these changes

@samvaity samvaity Awaiting requested review from samvaity

At least 1 approving review is required to merge this pull request.

Assignees

@vcolin7 vcolin7

Labels

KeyVault

Projects

Azure SDK for Key Vault
Status: Untriaged

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] SignResult keyId is missing the version information of the key used

3 participants

@vcolin7 @heaths