From bfd1350460c437d437648f65acefc046e67bd3a4 Mon Sep 17 00:00:00 2001 From: vcolin7 Date: Tue, 27 Jan 2026 14:02:33 -0800 Subject: [PATCH 1/5] Updated `CryptographyClientImpl` to return a versioned `keyId` where applicable --- .../CryptographyClientImpl.java | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-keys/src/main/java/com/azure/security/keyvault/keys/cryptography/implementation/CryptographyClientImpl.java b/sdk/keyvault/azure-security-keyvault-keys/src/main/java/com/azure/security/keyvault/keys/cryptography/implementation/CryptographyClientImpl.java index d5d633cb079c..72e94129db39 100644 --- a/sdk/keyvault/azure-security-keyvault-keys/src/main/java/com/azure/security/keyvault/keys/cryptography/implementation/CryptographyClientImpl.java +++ b/sdk/keyvault/azure-security-keyvault-keys/src/main/java/com/azure/security/keyvault/keys/cryptography/implementation/CryptographyClientImpl.java @@ -159,7 +159,7 @@ private Mono encryptAsync(EncryptionAlgorithm algorithm, byte[] p .map(response -> { KeyOperationResult result = response.getValue().toObject(KeyOperationResult.class); - return new EncryptResult(result.getResult(), algorithm, keyId, result.getIv(), + return new EncryptResult(result.getResult(), algorithm, result.getKid(), result.getIv(), result.getAuthenticationTag(), result.getAdditionalAuthenticatedData()); }); } @@ -191,8 +191,8 @@ private EncryptResult encrypt(EncryptionAlgorithm algorithm, byte[] plainText, b .getValue() .toObject(KeyOperationResult.class); - return new EncryptResult(result.getResult(), algorithm, keyId, result.getIv(), result.getAuthenticationTag(), - result.getAdditionalAuthenticatedData()); + return new EncryptResult(result.getResult(), algorithm, result.getKid(), result.getIv(), + result.getAuthenticationTag(), result.getAdditionalAuthenticatedData()); } public Mono decryptAsync(EncryptionAlgorithm algorithm, byte[] ciphertext, Context context) { 
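Review bot: `result.getKid()` is passed straight into `EncryptResult` in `encryptAsync` with no fallback, so if the deserialized `KeyOperationResult` ever lacks a `kid`, the caller now gets a null key ID where it previously got the client's `keyId`. Whether the service always populates that field is not visible in this patch, so I would keep the old value as a fallback, e.g. `String kid = result.getKid() != null ? result.getKid() : keyId;`, ideally in one small private helper. The same substitution is made in the `encrypt`, `decryptAsync`, `decrypt`, `signAsync`, `sign`, `wrapKeyAsync`, `wrapKey`, `unwrapKeyAsync` and `unwrapKey` hunks. Since the changelog describes callers relying on this identifier for roundtrips, a one-line comment stating that it now comes from the service response rather than from the client's configuration would help. The method bodies start outside these hunks.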
@@ -224,7 +224,7 @@ private Mono decryptAsync(EncryptionAlgorithm algorithm, byte[] c .map(response -> { KeyOperationResult result = response.getValue().toObject(KeyOperationResult.class); - return new DecryptResult(result.getResult(), algorithm, keyId); + return new DecryptResult(result.getResult(), algorithm, result.getKid()); }); } @@ -257,7 +257,7 @@ private DecryptResult decrypt(EncryptionAlgorithm algorithm, byte[] ciphertext, .getValue() .toObject(KeyOperationResult.class); - return new DecryptResult(result.getResult(), algorithm, keyId); + return new DecryptResult(result.getResult(), algorithm, result.getKid()); } public Mono signAsync(SignatureAlgorithm algorithm, byte[] digest, Context context) { @@ -272,7 +272,7 @@ public Mono signAsync(SignatureAlgorithm algorithm, byte[] digest, C .map(response -> { KeyOperationResult result = response.getValue().toObject(KeyOperationResult.class); - return new SignResult(result.getResult(), algorithm, keyId); + return new SignResult(result.getResult(), algorithm, result.getKid()); }); } @@ -289,7 +289,7 @@ public SignResult sign(SignatureAlgorithm algorithm, byte[] digest, Context cont .getValue() .toObject(KeyOperationResult.class); - return new SignResult(result.getResult(), algorithm, keyId); + return new SignResult(result.getResult(), algorithm, result.getKid()); } public Mono verifyAsync(SignatureAlgorithm algorithm, byte[] digest, byte[] signature, @@ -341,7 +341,7 @@ public Mono wrapKeyAsync(KeyWrapAlgorithm algorithm, byte[] key, Con .map(response -> { KeyOperationResult result = response.getValue().toObject(KeyOperationResult.class); - return new WrapResult(result.getResult(), algorithm, keyId); + return new WrapResult(result.getResult(), algorithm, result.getKid()); }); } 
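Review bot: `verifyAsync` and `verify` appear only as context after the `sign` hunk and are not changed by this patch. If `VerifyResult` is also built with the client's `keyId`, it will keep reporting the identifier the client was constructed with, while `SignResult` now reports the one from the service. That may be unavoidable if the verify response carries no key identifier, which is not visible here. If so, a short comment at the `VerifyResult` construction, such as `// verify response has no kid; report the client's configured key ID`, would show the asymmetry is deliberate. The surrounding method bodies lie outside the hunk.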
@@ -358,7 +358,7 @@ public WrapResult wrapKey(KeyWrapAlgorithm algorithm, byte[] key, Context contex .getValue() .toObject(KeyOperationResult.class); - return new WrapResult(result.getResult(), algorithm, keyId); + return new WrapResult(result.getResult(), algorithm, result.getKid()); } public Mono unwrapKeyAsync(KeyWrapAlgorithm algorithm, byte[] encryptedKey, Context context) { @@ -374,7 +374,7 @@ public Mono unwrapKeyAsync(KeyWrapAlgorithm algorithm, byte[] encr .map(response -> { KeyOperationResult result = response.getValue().toObject(KeyOperationResult.class); - return new UnwrapResult(result.getResult(), algorithm, keyId); + return new UnwrapResult(result.getResult(), algorithm, result.getKid()); }); } @@ -392,7 +392,7 @@ public UnwrapResult unwrapKey(KeyWrapAlgorithm algorithm, byte[] encryptedKey, C .getValue() .toObject(KeyOperationResult.class); - return new UnwrapResult(result.getResult(), algorithm, keyId); + return new UnwrapResult(result.getResult(), algorithm, result.getKid()); } public Mono signDataAsync(SignatureAlgorithm algorithm, byte[] data, Context context) { From 60f2f4c037a2679887b09ce347c4e01544785257 Mon Sep 17 00:00:00 2001 From: vcolin7 Date: Tue, 27 Jan 2026 14:07:51 -0800 Subject: [PATCH 2/5] Updated CHANGELOG --- sdk/keyvault/azure-security-keyvault-keys/CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/sdk/keyvault/azure-security-keyvault-keys/CHANGELOG.md b/sdk/keyvault/azure-security-keyvault-keys/CHANGELOG.md index 69c58f77e782..8d96ecee184c 100644 --- a/sdk/keyvault/azure-security-keyvault-keys/CHANGELOG.md +++ b/sdk/keyvault/azure-security-keyvault-keys/CHANGELOG.md 
@@ -9,6 +9,7 @@ ### Bugs Fixed - Fixed an issue where certain `HttpResponseException.getResponse()` calls could cause a `NullPointerException`. ([#47801](https://github.com/Azure/azure-sdk-for-java/issues/47801)) +- Fixed an issue where cryptographic operation results (`SignResult`, `EncryptResult`, `DecryptResult`, `WrapResult`, `UnwrapResult`) returned a versionless key ID instead of the full versioned key ID returned by the service. This caused issues when attempting roundtrip scenarios, as callers couldn't determine which key version was used for the original operation. ([#47822](https://github.com/Azure/azure-sdk-for-java/issues/47822)) ### Other Changes From 87f3a22e2ddc38623967b933d5e558a6aa7233b9 Mon Sep 17 00:00:00 2001 From: vcolin7 Date: Tue, 27 Jan 2026 16:44:50 -0800 Subject: [PATCH 3/5] Updated tests --- .../cryptography/CryptographyClientTest.java | 199 ++++++++++++------ 1 file changed, 136 insertions(+), 63 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java b/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java index 5ee4f5727ab7..542e434d36a9 100644 --- a/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java +++ b/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java 
@@ -7,11 +7,16 @@ import com.azure.core.util.logging.ClientLogger; import com.azure.core.util.logging.LogLevel; import com.azure.security.keyvault.keys.KeyClient; +import com.azure.security.keyvault.keys.cryptography.models.DecryptResult; import com.azure.security.keyvault.keys.cryptography.models.EncryptParameters; +import com.azure.security.keyvault.keys.cryptography.models.EncryptResult; import com.azure.security.keyvault.keys.cryptography.models.EncryptionAlgorithm; import com.azure.security.keyvault.keys.cryptography.models.KeyWrapAlgorithm; import com.azure.security.keyvault.keys.cryptography.models.SignResult; import com.azure.security.keyvault.keys.cryptography.models.SignatureAlgorithm; +import com.azure.security.keyvault.keys.cryptography.models.UnwrapResult; +import com.azure.security.keyvault.keys.cryptography.models.VerifyResult; +import com.azure.security.keyvault.keys.cryptography.models.WrapResult; import com.azure.security.keyvault.keys.models.CreateEcKeyOptions; import com.azure.security.keyvault.keys.models.JsonWebKey; import com.azure.security.keyvault.keys.models.KeyCurveName; @@ -38,6 +43,8 @@ import static com.azure.security.keyvault.keys.TestUtils.buildSyncAssertingClient; import static com.azure.security.keyvault.keys.cryptography.TestHelper.DISPLAY_NAME_WITH_ARGUMENTS; import static org.junit.jupiter.api.Assertions.assertArrayEquals; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertNotNull; import static org.junit.jupiter.api.Assertions.assertTrue; import static org.junit.jupiter.api.Assertions.fail; 
@@ -75,8 +82,8 @@ public void encryptDecryptRsa(HttpClient httpClient, CryptographyServiceVersion JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKey", 20); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient - = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + CryptographyClient cryptoClient = + initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); List algorithms = Arrays.asList(EncryptionAlgorithm.RSA1_5, EncryptionAlgorithm.RSA_OAEP, EncryptionAlgorithm.RSA_OAEP_256); @@ -87,15 +94,23 @@ public void encryptDecryptRsa(HttpClient httpClient, CryptographyServiceVersion new Random(0x1234567L).nextBytes(plaintext); - byte[] ciphertext = cryptoClient.encrypt(algorithm, plaintext).getCipherText(); - byte[] decryptedText = cryptoClient.decrypt(algorithm, ciphertext).getPlainText(); + EncryptResult encryptResult = cryptoClient.encrypt(algorithm, plaintext); - assertArrayEquals(decryptedText, plaintext); + assertEquals(encryptResult.getAlgorithm(), algorithm); + assertNotNull(encryptResult.getCipherText()); - ciphertext = cryptoClient.encrypt(algorithm, plaintext).getCipherText(); - decryptedText = cryptoClient.decrypt(algorithm, ciphertext).getPlainText(); + String keyId = encryptResult.getKeyId(); - assertArrayEquals(decryptedText, plaintext); + assertNotNull(keyId); + + // Ensure the keyId includes the key version + String[] keyIdParts = keyId.split("/"); + + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + + DecryptResult decryptResult = cryptoClient.decrypt(algorithm, encryptResult.getCipherText()); + + assertArrayEquals(decryptResult.getPlainText(), plaintext); } }); } 
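Review bot: The client under test in `encryptDecryptRsa` is built from `importedKey.getId()`. If that identifier already carries the key version (not visible in this hunk), the pre-fix code would also have returned a versioned `keyId`, so the new assertions would not catch a regression. Consider also running the operation through a client built from a versionless identifier for the same key and comparing against the imported key, e.g. `assertEquals(importedKey.getId(), encryptResult.getKeyId());`. The same applies to the `wrapUnwrapRsa`, `signVerifyEc`, `signDataVerifyEc`, `signVerifyRsa` and `signDataVerifyRsa` hunks. The test method starts before this hunk.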
@@ -105,8 +120,8 @@ public void encryptDecryptRsaLocal() throws Exception { encryptDecryptRsaRunner(keyPair -> { JsonWebKey key = JsonWebKey.fromRsa(keyPair, Arrays.asList(KeyOperation.ENCRYPT, KeyOperation.DECRYPT)); CryptographyClient cryptoClient = initializeCryptographyClient(key); - List algorithms - = Arrays.asList(EncryptionAlgorithm.RSA1_5, EncryptionAlgorithm.RSA_OAEP); + List algorithms = + Arrays.asList(EncryptionAlgorithm.RSA1_5, EncryptionAlgorithm.RSA_OAEP); for (EncryptionAlgorithm algorithm : algorithms) { // Test variables @@ -114,10 +129,10 @@ public void encryptDecryptRsaLocal() throws Exception { new Random(0x1234567L).nextBytes(plainText); - byte[] cipherText = cryptoClient.encrypt(algorithm, plainText).getCipherText(); - byte[] decryptedText = cryptoClient.decrypt(algorithm, cipherText).getPlainText(); + EncryptResult encryptResult = cryptoClient.encrypt(algorithm, plainText); + DecryptResult decryptResult = cryptoClient.decrypt(algorithm, encryptResult.getCipherText()); - assertArrayEquals(decryptedText, plainText); + assertArrayEquals(decryptResult.getPlainText(), plainText); } }); } @@ -131,10 +146,10 @@ public void wrapUnwrapRsa(HttpClient httpClient, CryptographyServiceVersion serv JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKeyWrapUnwrap", 25); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient - = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); - List algorithms - = Arrays.asList(KeyWrapAlgorithm.RSA1_5, KeyWrapAlgorithm.RSA_OAEP, KeyWrapAlgorithm.RSA_OAEP_256); + CryptographyClient cryptoClient = + initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + List algorithms = + Arrays.asList(KeyWrapAlgorithm.RSA1_5, KeyWrapAlgorithm.RSA_OAEP, KeyWrapAlgorithm.RSA_OAEP_256); for (KeyWrapAlgorithm algorithm : algorithms) { // Test variables 
@@ -142,17 +157,24 @@ public void wrapUnwrapRsa(HttpClient httpClient, CryptographyServiceVersion serv new Random(0x1234567L).nextBytes(plaintext); - byte[] encryptedKey = cryptoClient.wrapKey(algorithm, plaintext).getEncryptedKey(); - byte[] decryptedKey = cryptoClient.unwrapKey(algorithm, encryptedKey).getKey(); + WrapResult wrapResult = cryptoClient.wrapKey(algorithm, plaintext); - assertArrayEquals(decryptedKey, plaintext); + assertEquals(wrapResult.getAlgorithm(), algorithm); + assertNotNull(wrapResult.getEncryptedKey()); - encryptedKey = cryptoClient.wrapKey(algorithm, plaintext).getEncryptedKey(); - decryptedKey = cryptoClient.unwrapKey(algorithm, encryptedKey).getKey(); + String keyId = wrapResult.getKeyId(); - assertArrayEquals(decryptedKey, plaintext); - } + assertNotNull(keyId); + + // Ensure the keyId includes the key version + String[] keyIdParts = keyId.split("/"); + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + + UnwrapResult unwrapResult = cryptoClient.unwrapKey(algorithm, wrapResult.getEncryptedKey()); + + assertArrayEquals(unwrapResult.getKey(), plaintext); + } }); } @@ -169,12 +191,11 @@ public void wrapUnwrapRsaLocal() throws Exception { new Random(0x1234567L).nextBytes(plainText); - byte[] encryptedKey = cryptoClient.wrapKey(algorithm, plainText).getEncryptedKey(); - byte[] decryptedKey = cryptoClient.unwrapKey(algorithm, encryptedKey).getKey(); + WrapResult wrapResult = cryptoClient.wrapKey(algorithm, plainText); + UnwrapResult unwrapResult = cryptoClient.unwrapKey(algorithm, wrapResult.getEncryptedKey()); - assertArrayEquals(decryptedKey, plainText); + assertArrayEquals(unwrapResult.getKey(), plainText); } - }); } 
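Review bot: The added `assertEquals(wrapResult.getAlgorithm(), algorithm)` passes the actual value first, while JUnit's `assertEquals` takes `(expected, actual)`, so a failure message would label the two values the wrong way round. Write `assertEquals(algorithm, wrapResult.getAlgorithm());` instead. The same ordering appears in the `getAlgorithm()` assertions of the `encryptDecryptRsa`, `signVerifyEc`, `signDataVerifyEc`, `signVerifyRsa` and `signDataVerifyRsa` hunks, and in `assertArrayEquals(unwrapResult.getKey(), plaintext)`. The enclosing loop and method start outside the hunk.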
@@ -188,12 +209,12 @@ public void signVerifyEc(HttpClient httpClient, CryptographyServiceVersion servi Map curveToSignature = signVerifyEcData.getCurveToSignature(); Map messageDigestAlgorithm = signVerifyEcData.getMessageDigestAlgorithm(); String keyName = testResourceNamer.randomName("testEcKey" + curve.toString(), 20); - CreateEcKeyOptions createEcKeyOptions - = new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) + CreateEcKeyOptions createEcKeyOptions = + new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) .setCurveName(curve); KeyVaultKey keyVaultKey = client.createEcKey(createEcKeyOptions); - CryptographyClient cryptographyClient - = initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); + CryptographyClient cryptographyClient = + initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); try { byte[] data = new byte[100]; @@ -208,9 +229,20 @@ public void signVerifyEc(HttpClient httpClient, CryptographyServiceVersion servi SignResult signResult = cryptographyClient.sign(curveToSignature.get(curve), digest); - Boolean verifyStatus - = cryptographyClient.verify(curveToSignature.get(curve), digest, signResult.getSignature()) - .isValid(); + assertEquals(signResult.getAlgorithm(), curveToSignature.get(curve)); + assertNotNull(signResult.getSignature()); + + String keyId = signResult.getKeyId(); + + assertNotNull(keyId); + + // Ensure the keyId includes the key version + String[] keyIdParts = keyId.split("/"); + + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + + Boolean verifyStatus = + cryptographyClient.verify(curveToSignature.get(curve), digest, signResult.getSignature()).isValid(); assertTrue(verifyStatus); } catch (NoSuchAlgorithmException e) { 
@@ -228,21 +260,34 @@ public void signDataVerifyEc(HttpClient httpClient, CryptographyServiceVersion s KeyCurveName curve = signVerifyEcData.getCurve(); Map curveToSignature = signVerifyEcData.getCurveToSignature(); String keyName = testResourceNamer.randomName("testEcKey" + curve.toString(), 20); - CreateEcKeyOptions createEcKeyOptions - = new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) + CreateEcKeyOptions createEcKeyOptions = + new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) .setCurveName(curve); KeyVaultKey keyVaultKey = client.createEcKey(createEcKeyOptions); - CryptographyClient cryptographyClient - = initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); + CryptographyClient cryptographyClient = + initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); byte[] plaintext = new byte[100]; new Random(0x1234567L).nextBytes(plaintext); - byte[] signature = cryptographyClient.signData(curveToSignature.get(curve), plaintext).getSignature(); + SignResult signResult = cryptographyClient.signData(curveToSignature.get(curve), plaintext); + + assertEquals(signResult.getAlgorithm(), curveToSignature.get(curve)); + assertNotNull(signResult.getSignature()); + + String keyId = signResult.getKeyId(); - Boolean verifyStatus - = cryptographyClient.verifyData(curveToSignature.get(curve), plaintext, signature).isValid(); + assertNotNull(keyId); + + // Ensure the keyId includes the key version + String[] keyIdParts = keyId.split("/"); + + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + + Boolean verifyStatus = + cryptographyClient.verifyData(curveToSignature.get(curve), plaintext, signResult.getSignature()) + .isValid(); assertTrue(verifyStatus); }); 
@@ -257,10 +302,10 @@ public void signVerifyRsa(HttpClient httpClient, CryptographyServiceVersion serv JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKeySignVerify", 25); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient - = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); - List algorithms - = Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); + CryptographyClient cryptoClient = + initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + List algorithms = + Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); Map messageDigestAlgorithm = new HashMap<>(); @@ -281,9 +326,23 @@ public void signVerifyRsa(HttpClient httpClient, CryptographyServiceVersion serv byte[] digest = md.digest(); SignResult signResult = cryptoClient.sign(algorithm, digest); - Boolean verifyStatus = cryptoClient.verify(algorithm, digest, signResult.getSignature()).isValid(); - assertTrue(verifyStatus); + assertEquals(signResult.getAlgorithm(), algorithm); + assertNotNull(signResult.getSignature()); + + String keyId = signResult.getKeyId(); + + assertNotNull(keyId); + + // Ensure the keyId includes the key version + String[] keyIdParts = keyId.split("/"); + + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), + "keyId does not contain key version."); + + VerifyResult verifyResult = cryptoClient.verify(algorithm, digest, signResult.getSignature()); + + assertTrue(verifyResult.isValid()); } catch (NoSuchAlgorithmException e) { fail(e); } 
@@ -300,20 +359,34 @@ public void signDataVerifyRsa(HttpClient httpClient, CryptographyServiceVersion JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKeySignVerify", 25); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient - = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); - List algorithms - = Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); + CryptographyClient cryptoClient = + initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + List algorithms = + Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); for (SignatureAlgorithm algorithm : algorithms) { byte[] plaintext = new byte[100]; new Random(0x1234567L).nextBytes(plaintext); - byte[] signature = cryptoClient.signData(algorithm, plaintext).getSignature(); - Boolean verifyStatus = cryptoClient.verifyData(algorithm, plaintext, signature).isValid(); + SignResult signResult = cryptoClient.signData(algorithm, plaintext); - assertTrue(verifyStatus); + assertEquals(signResult.getAlgorithm(), algorithm); + assertNotNull(signResult.getSignature()); + + String keyId = signResult.getKeyId(); + + assertNotNull(keyId); + + // Ensure the keyId includes the key version + String[] keyIdParts = keyId.split("/"); + + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), + "keyId does not contain key version."); + + VerifyResult verifyResult = cryptoClient.verifyData(algorithm, plaintext, signResult.getSignature()); + + assertTrue(verifyResult.isValid()); } }); } 
@@ -345,8 +418,8 @@ public void signDataVerifyEcLocal() { } final KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithmName, provider); - ECGenParameterSpec spec - = new ECGenParameterSpec(signVerifyEcData.getCurveToSpec().get(signVerifyEcData.getCurve())); + ECGenParameterSpec spec = + new ECGenParameterSpec(signVerifyEcData.getCurveToSpec().get(signVerifyEcData.getCurve())); generator.initialize(spec); @@ -359,8 +432,8 @@ public void signDataVerifyEcLocal() { return; } - JsonWebKey jsonWebKey - = JsonWebKey.fromEc(keyPair, provider, Arrays.asList(KeyOperation.SIGN, KeyOperation.VERIFY)); + JsonWebKey jsonWebKey = + JsonWebKey.fromEc(keyPair, provider, Arrays.asList(KeyOperation.SIGN, KeyOperation.VERIFY)); KeyCurveName curve = signVerifyEcData.getCurve(); Map curveToSignature = signVerifyEcData.getCurveToSignature(); CryptographyClient cryptographyClient = initializeCryptographyClient(jsonWebKey); @@ -369,11 +442,11 @@ public void signDataVerifyEcLocal() { new Random(0x1234567L).nextBytes(plainText); - byte[] signature = cryptographyClient.signData(curveToSignature.get(curve), plainText).getSignature(); - Boolean verifyStatus - = cryptographyClient.verifyData(curveToSignature.get(curve), plainText, signature).isValid(); + SignResult signResult = cryptographyClient.signData(curveToSignature.get(curve), plainText); + VerifyResult verifyResult = + cryptographyClient.verifyData(curveToSignature.get(curve), plainText, signResult.getSignature()); - assertTrue(verifyStatus); + assertTrue(verifyResult.isValid()); }); } From 7b3d8396ad0a5c0ed4630884cdf5c9b8a6b74c9a Mon Sep 17 00:00:00 2001 From: vcolin7 Date: Tue, 27 Jan 2026 19:17:02 -0800 Subject: [PATCH 4/5] Fixed formatting --- .../cryptography/CryptographyClientTest.java | 84 +++++++++---------- 1 file changed, 42 insertions(+), 42 deletions(-) 
diff --git a/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java b/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java index 542e434d36a9..a94107b11562 100644 --- a/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java +++ b/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java @@ -82,8 +82,8 @@ public void encryptDecryptRsa(HttpClient httpClient, CryptographyServiceVersion JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKey", 20); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient = - initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + CryptographyClient cryptoClient + = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); List algorithms = Arrays.asList(EncryptionAlgorithm.RSA1_5, EncryptionAlgorithm.RSA_OAEP, EncryptionAlgorithm.RSA_OAEP_256); @@ -102,7 +102,7 @@ public void encryptDecryptRsa(HttpClient httpClient, CryptographyServiceVersion String keyId = encryptResult.getKeyId(); assertNotNull(keyId); - + // Ensure the keyId includes the key version String[] keyIdParts = keyId.split("/"); 
@@ -120,8 +120,8 @@ public void encryptDecryptRsaLocal() throws Exception { encryptDecryptRsaRunner(keyPair -> { JsonWebKey key = JsonWebKey.fromRsa(keyPair, Arrays.asList(KeyOperation.ENCRYPT, KeyOperation.DECRYPT)); CryptographyClient cryptoClient = initializeCryptographyClient(key); - List algorithms = - Arrays.asList(EncryptionAlgorithm.RSA1_5, EncryptionAlgorithm.RSA_OAEP); + List algorithms + = Arrays.asList(EncryptionAlgorithm.RSA1_5, EncryptionAlgorithm.RSA_OAEP); for (EncryptionAlgorithm algorithm : algorithms) { // Test variables @@ -146,10 +146,10 @@ public void wrapUnwrapRsa(HttpClient httpClient, CryptographyServiceVersion serv JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKeyWrapUnwrap", 25); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient = - initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); - List algorithms = - Arrays.asList(KeyWrapAlgorithm.RSA1_5, KeyWrapAlgorithm.RSA_OAEP, KeyWrapAlgorithm.RSA_OAEP_256); + CryptographyClient cryptoClient + = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + List algorithms + = Arrays.asList(KeyWrapAlgorithm.RSA1_5, KeyWrapAlgorithm.RSA_OAEP, KeyWrapAlgorithm.RSA_OAEP_256); for (KeyWrapAlgorithm algorithm : algorithms) { // Test variables @@ -165,7 +165,7 @@ public void wrapUnwrapRsa(HttpClient httpClient, CryptographyServiceVersion serv String keyId = wrapResult.getKeyId(); assertNotNull(keyId); - + // Ensure the keyId includes the key version String[] keyIdParts = keyId.split("/"); 
@@ -209,12 +209,12 @@ public void signVerifyEc(HttpClient httpClient, CryptographyServiceVersion servi Map curveToSignature = signVerifyEcData.getCurveToSignature(); Map messageDigestAlgorithm = signVerifyEcData.getMessageDigestAlgorithm(); String keyName = testResourceNamer.randomName("testEcKey" + curve.toString(), 20); - CreateEcKeyOptions createEcKeyOptions = - new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) + CreateEcKeyOptions createEcKeyOptions + = new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) .setCurveName(curve); KeyVaultKey keyVaultKey = client.createEcKey(createEcKeyOptions); - CryptographyClient cryptographyClient = - initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); + CryptographyClient cryptographyClient + = initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); try { byte[] data = new byte[100]; @@ -235,14 +235,15 @@ public void signVerifyEc(HttpClient httpClient, CryptographyServiceVersion servi String keyId = signResult.getKeyId(); assertNotNull(keyId); - + // Ensure the keyId includes the key version String[] keyIdParts = keyId.split("/"); assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); - Boolean verifyStatus = - cryptographyClient.verify(curveToSignature.get(curve), digest, signResult.getSignature()).isValid(); + Boolean verifyStatus + = cryptographyClient.verify(curveToSignature.get(curve), digest, signResult.getSignature()) + .isValid(); assertTrue(verifyStatus); } catch (NoSuchAlgorithmException e) { 
@@ -260,12 +261,12 @@ public void signDataVerifyEc(HttpClient httpClient, CryptographyServiceVersion s KeyCurveName curve = signVerifyEcData.getCurve(); Map curveToSignature = signVerifyEcData.getCurveToSignature(); String keyName = testResourceNamer.randomName("testEcKey" + curve.toString(), 20); - CreateEcKeyOptions createEcKeyOptions = - new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) + CreateEcKeyOptions createEcKeyOptions + = new CreateEcKeyOptions(keyName).setKeyOperations(KeyOperation.SIGN, KeyOperation.VERIFY) .setCurveName(curve); KeyVaultKey keyVaultKey = client.createEcKey(createEcKeyOptions); - CryptographyClient cryptographyClient = - initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); + CryptographyClient cryptographyClient + = initializeCryptographyClient(keyVaultKey.getId(), httpClient, serviceVersion); byte[] plaintext = new byte[100]; @@ -279,14 +280,14 @@ public void signDataVerifyEc(HttpClient httpClient, CryptographyServiceVersion s String keyId = signResult.getKeyId(); assertNotNull(keyId); - + // Ensure the keyId includes the key version String[] keyIdParts = keyId.split("/"); assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); - Boolean verifyStatus = - cryptographyClient.verifyData(curveToSignature.get(curve), plaintext, signResult.getSignature()) + Boolean verifyStatus + = cryptographyClient.verifyData(curveToSignature.get(curve), plaintext, signResult.getSignature()) .isValid(); assertTrue(verifyStatus); 
@@ -302,10 +303,10 @@ public void signVerifyRsa(HttpClient httpClient, CryptographyServiceVersion serv JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKeySignVerify", 25); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient = - initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); - List algorithms = - Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); + CryptographyClient cryptoClient + = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + List algorithms + = Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); Map messageDigestAlgorithm = new HashMap<>(); @@ -333,7 +334,7 @@ public void signVerifyRsa(HttpClient httpClient, CryptographyServiceVersion serv String keyId = signResult.getKeyId(); assertNotNull(keyId); - + // Ensure the keyId includes the key version String[] keyIdParts = keyId.split("/"); @@ -359,10 +360,10 @@ public void signDataVerifyRsa(HttpClient httpClient, CryptographyServiceVersion JsonWebKey key = JsonWebKey.fromRsa(keyPair); String keyName = testResourceNamer.randomName("testRsaKeySignVerify", 25); KeyVaultKey importedKey = client.importKey(keyName, key); - CryptographyClient cryptoClient = - initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); - List algorithms = - Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); + CryptographyClient cryptoClient + = initializeCryptographyClient(importedKey.getId(), httpClient, serviceVersion); + List algorithms + = Arrays.asList(SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512); for (SignatureAlgorithm algorithm : algorithms) { byte[] plaintext = new byte[100]; 
@@ -377,12 +378,11 @@ public void signDataVerifyRsa(HttpClient httpClient, CryptographyServiceVersion String keyId = signResult.getKeyId(); assertNotNull(keyId); - + // Ensure the keyId includes the key version String[] keyIdParts = keyId.split("/"); - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), - "keyId does not contain key version."); + assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); VerifyResult verifyResult = cryptoClient.verifyData(algorithm, plaintext, signResult.getSignature()); @@ -418,8 +418,8 @@ public void signDataVerifyEcLocal() { } final KeyPairGenerator generator = KeyPairGenerator.getInstance(algorithmName, provider); - ECGenParameterSpec spec = - new ECGenParameterSpec(signVerifyEcData.getCurveToSpec().get(signVerifyEcData.getCurve())); + ECGenParameterSpec spec + = new ECGenParameterSpec(signVerifyEcData.getCurveToSpec().get(signVerifyEcData.getCurve())); generator.initialize(spec); @@ -432,8 +432,8 @@ public void signDataVerifyEcLocal() { return; } - JsonWebKey jsonWebKey = - JsonWebKey.fromEc(keyPair, provider, Arrays.asList(KeyOperation.SIGN, KeyOperation.VERIFY)); + JsonWebKey jsonWebKey + = JsonWebKey.fromEc(keyPair, provider, Arrays.asList(KeyOperation.SIGN, KeyOperation.VERIFY)); KeyCurveName curve = signVerifyEcData.getCurve(); Map curveToSignature = signVerifyEcData.getCurveToSignature(); CryptographyClient cryptographyClient = initializeCryptographyClient(jsonWebKey); @@ -443,8 +443,8 @@ public void signDataVerifyEcLocal() { new Random(0x1234567L).nextBytes(plainText); SignResult signResult = cryptographyClient.signData(curveToSignature.get(curve), plainText); - VerifyResult verifyResult = - cryptographyClient.verifyData(curveToSignature.get(curve), plainText, signResult.getSignature()); + VerifyResult verifyResult + = cryptographyClient.verifyData(curveToSignature.get(curve), plainText, signResult.getSignature()); assertTrue(verifyResult.isValid()); }); 
From 7f64d11fbcbe976158030b311d90e064bfbbf07a Mon Sep 17 00:00:00 2001 From: vcolin7 Date: Tue, 27 Jan 2026 19:21:19 -0800 Subject: [PATCH 5/5] Applied PR feedback --- .../cryptography/CryptographyClientTest.java | 27 ++++++------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java b/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java index a94107b11562..c0cc876535b9 100644 --- a/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java +++ b/sdk/keyvault/azure-security-keyvault-keys/src/test/java/com/azure/security/keyvault/keys/cryptography/CryptographyClientTest.java @@ -22,6 +22,8 @@ import com.azure.security.keyvault.keys.models.KeyCurveName; import com.azure.security.keyvault.keys.models.KeyOperation; import com.azure.security.keyvault.keys.models.KeyVaultKey; +import com.azure.security.keyvault.keys.models.KeyVaultKeyIdentifier; + import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.MethodSource; @@ -104,9 +106,7 @@ public void encryptDecryptRsa(HttpClient httpClient, CryptographyServiceVersion assertNotNull(keyId); // Ensure the keyId includes the key version - String[] keyIdParts = keyId.split("/"); - - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + assertNotNull(new KeyVaultKeyIdentifier(keyId).getVersion(), "keyId does not contain key version."); DecryptResult decryptResult = cryptoClient.decrypt(algorithm, encryptResult.getCipherText()); 
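Review bot: The version check added in encryptDecryptRsa passes for any identifier that carries a version segment, so it would not catch a response whose `kid` names a different key or version than the one the test operated on. Because the client now returns the `kid` from the service response instead of the identifier it was constructed with, the test should compare it to the key under test: `KeyVaultKeyIdentifier returned = new KeyVaultKeyIdentifier(keyId);`, then `assertEquals(importedKey.getName(), returned.getName());` and `assertEquals(importedKey.getProperties().getVersion(), returned.getVersion());`. The variable name `importedKey` is inferred from signVerifyRsa, because the test body starts outside this hunk; the EC tests would use `keyVaultKey`. The same one-line assertion is repeated in the hunks for wrapUnwrapRsa, signVerifyEc, signDataVerifyEc, signVerifyRsa and signDataVerifyRsa, so a small private helper taking the expected key and the returned keyId would keep all six sites consistent.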
@@ -167,9 +167,7 @@ public void wrapUnwrapRsa(HttpClient httpClient, CryptographyServiceVersion serv assertNotNull(keyId); // Ensure the keyId includes the key version - String[] keyIdParts = keyId.split("/"); - - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + assertNotNull(new KeyVaultKeyIdentifier(keyId).getVersion(), "keyId does not contain key version."); UnwrapResult unwrapResult = cryptoClient.unwrapKey(algorithm, wrapResult.getEncryptedKey()); @@ -237,9 +235,7 @@ public void signVerifyEc(HttpClient httpClient, CryptographyServiceVersion servi assertNotNull(keyId); // Ensure the keyId includes the key version - String[] keyIdParts = keyId.split("/"); - - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + assertNotNull(new KeyVaultKeyIdentifier(keyId).getVersion(), "keyId does not contain key version."); Boolean verifyStatus = cryptographyClient.verify(curveToSignature.get(curve), digest, signResult.getSignature()) @@ -282,9 +278,7 @@ public void signDataVerifyEc(HttpClient httpClient, CryptographyServiceVersion s assertNotNull(keyId); // Ensure the keyId includes the key version - String[] keyIdParts = keyId.split("/"); - - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + assertNotNull(new KeyVaultKeyIdentifier(keyId).getVersion(), "keyId does not contain key version."); Boolean verifyStatus = cryptographyClient.verifyData(curveToSignature.get(curve), plaintext, signResult.getSignature()) 
@@ -336,10 +330,7 @@ public void signVerifyRsa(HttpClient httpClient, CryptographyServiceVersion serv assertNotNull(keyId); // Ensure the keyId includes the key version - String[] keyIdParts = keyId.split("/"); - - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), - "keyId does not contain key version."); + assertNotNull(new KeyVaultKeyIdentifier(keyId).getVersion(), "keyId does not contain key version."); VerifyResult verifyResult = cryptoClient.verify(algorithm, digest, signResult.getSignature()); @@ -380,9 +371,7 @@ public void signDataVerifyRsa(HttpClient httpClient, CryptographyServiceVersion assertNotNull(keyId); // Ensure the keyId includes the key version - String[] keyIdParts = keyId.split("/"); - - assertTrue(keyIdParts.length >= 5 && !keyIdParts[4].isEmpty(), "keyId does not contain key version."); + assertNotNull(new KeyVaultKeyIdentifier(keyId).getVersion(), "keyId does not contain key version."); VerifyResult verifyResult = cryptoClient.verifyData(algorithm, plaintext, signResult.getSignature());