Mofnmodel (#10195)

vasanthrajams · heaths · vasanthrajams · web-flow · commit 23a83bfbab7f · 2020-09-01T10:32:29.000-07:00
* Adding 7.2-preview version (#8397) * Adding 7.2-preview version Signed-off-by: vasanthrajams <vasanthrajams@microsoft.com> * Resolve PR feedback * Fix output-folder for go code generation Co-authored-by: Heath Stewart <heaths@outlook.com> * Change the number of certificates user provides for security domain This change modifies the number of certificates(containing public keys) customer needs to provide for encrypting the security domain to a M of N model. In this model, customer specifies the M certificates out of N certificates needed to restore the security domain. Signed-off-by: vasanthrajams <vasanthrajams@microsoft.com> * prettier check * remove readyonly * Security domain object specification Signed-off-by: vasanthrajams <vasanthrajams@microsoft.com> * internal review * prettier fix * model validation fixes * model validation * security domain id * Removing Security Domain ID * Fixed a few more specs * model validation failures * pretty check * changed tag * tag change Co-authored-by: Heath Stewart <heaths@outlook.com> Co-authored-by: vasanthrajams <vasanthrajams@microsoft.com>
diff --git a/custom-words.txt b/custom-words.txt
@@ -1876,3 +1876,4 @@ watchlist
 Watchlist
 Mibps
 ntfs
+shamir_share
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaindownloadpost-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaindownloadpost-example.json
@@ -1,7 +1,7 @@
 {
   "parameters": {
     "vaultBaseUrl": "https://myvault.vault.azure.net/",
-    "Certificates": {
+    "CertificateInfoObject": {
       "certificates": [
         {
           "value": {
@@ -60,14 +60,48 @@
             "e": "AQAB"
           }
         }
-      ]
+      ],
+      "required": 2
     },
     "api-version": "7.2-preview"
   },
   "responses": {
     "200": {
       "body": {
-        "value": "{\"EncData\":{\"data\":[{\"compact_jwe\":\"ey$Jhb%232GciOiJkaXIiLCJlbmMiOiJBMjU2Q0JDLUhTNTEyIiwia2lkIjoiZW5jbGF2ZS$J9..5eVwZFlsZQeYXQ11HPC_JJg.4d32grvkQBMxyGmncd82VHOggiFbtuaKX2wXvjU-vKukMAtS7oLl9QsSZZJ5s94xAz7Atye93e6gA_2tbHW0QEzLOXiuV-vZ342zP46dxV56bEEjENIOgzBWAfxUkuUdnYE2UDahGSJSbhNxo8URa44CaSAX682q_otmwqh0jgxk5ZcbHRdwpbSFZnfQ6SgHBqrvQUUpKlWJMJQNuWeEjmWaPkCOUnwkJ1ZLOnVj1AB8rlfj0qnEtBotc4V5066vztRDaTLEOV99lp08WRcRPAY2QVBSfhZdzslQ2baRukk6WOTI5KxIl0cf7o0db_zgoT6vluewXgzTSe6NTcrparwVJ-r6kxw12gkYJtrr3ytvOT_lgip5-7H3PLAgDDRDjHd_PEdNyPqsg56QjtVXBUwutQrfh46s_ATm0dFrhAF6Icf9H2rLDGCiFmKUn-CrtM3vErNzu9BMC8ekuSOe0t0XTnsKOjdiabE95MoRIqQYWQGfi02Rp2XO_lSEUnQJTNomd1IATKPiqqktE5YUu0OzDrVCdSGBGg5IDedmGSp0QIf8m7kSc8xYUsU1PTdJoSzgiOAue0ur_P1i2xr_BSSI6I4BJekw9e58qqBbWN-kc3swgLddsCfXqyW9RnNBvjQmnwdffv1O_4zF0wGVnohs6PYu-9RqIzLxgfHvnlBQbsauWlqpNfw5h_JpnoKW287vPc2iXRONHlGdd-4Mp3323JFbISM6NgGg8y6nUAdKASjyXuqR7bTnr3pNTpjF4523buuzKG3Q4nzr-jnWGPIpxeyBV6unEK0Aw3-QQpY7CG_s3-76P484gJm4vPum03I_V3tmnNt}]}}"
+        "data": {
+          "EncData": {
+            "data": [
+              {
+                "compact_jwe": "<encrypted data1>",
+                "tag": "hsm_backup"
+              },
+              {
+                "compact_jwe": "<encrypted data2>",
+                "tag": "base_enclave_backup"
+              },
+              {
+                "compact_jwe": "<encrypted data3>",
+                "tag": "partition_enclave_backup"
+              }
+            ],
+            "kdf": "sp108_kdf"
+          },
+          "SharedKeys": {
+            "key_algorithm": "shamir_share",
+            "required": 2,
+            "enc_shares": [
+              {
+                "enc_key": "compact JWE wrapped share1",
+                "x5t_256": "bWFuZ2VkaHNtDQo"
+              },
+              {
+                "enc_key": "compact JWE wrapped share2",
+                "x5t_256": "bWFuZ2VkaHNta2V5dmF1bHQNCg"
+              }
+            ]
+          },
+          "version": 2
+        }
       }
     }
   }
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaintransferkey-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomaintransferkey-example.json
@@ -6,6 +6,7 @@
   "responses": {
     "200": {
       "body": {
+        "key_format": "jwk",
         "transfer_key": {
           "kid": "https://myvault.vault.azure.net/transfer_key",
           "kty": "RSA",
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomainuploadoperation-example.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/examples/securitydomainuploadoperation-example.json
@@ -2,7 +2,29 @@
   "parameters": {
     "vaultBaseUrl": "https://myvault.vault.azure.net/",
     "security_domain": {
-      "value": "<previously stored security domain>"
+      "value": {
+        "EncData": {
+          "data": [
+            {
+              "compact_jwe": "<encrypted data1>",
+              "tag": "hsm_backup"
+            },
+            {
+              "compact_jwe": "<encrypted data2>",
+              "tag": "base_enclave_backup"
+            },
+            {
+              "compact_jwe": "<encrypted data3>",
+              "tag": "partition_enclave_backup"
+            }
+          ],
+          "kdf": "sp108_kdf"
+        },
+        "WrappedKey": {
+          "enc_key": "eyJhbGciOiJ",
+          "x5t_256": "h8ObF2NU85MhzEEE2JrSSGcF7aK2CiNrffef1r8mY"
+        }
+      }
     },
     "api-version": "7.2-preview"
   },
diff --git a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/securitydomain.json b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.2-preview/securitydomain.json
@@ -37,20 +37,20 @@
         "parameters": [
           {
             "in": "body",
-            "name": "Certificates",
+            "name": "CertificateInfoObject",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/CertificateSet"
+              "$ref": "#/definitions/CertificateInfoObject"
             },
-            "description": "Security domain download operation requires customer to provide three certificates containing public key in JWK format."
+            "description": "Security domain download operation requires customer to provide N certificates (minimum 3 and maximum 10) containing public key in JWK format."
           },
           {
             "$ref": "#/parameters/ApiVersionParameter"
           }
         ],
         "responses": {
           "200": {
-            "description": "Security domain download response",
+            "description": "This is the specification of the security domain as downloaded from the new pool",
             "schema": {
               "$ref": "#/definitions/SecurityDomainObject"
             }
@@ -120,7 +120,7 @@
             "description": "security domain",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/SecurityDomainObject"
+              "$ref": "#/definitions/SecurityDomainUploadObject"
             }
           }
         ],
@@ -185,17 +185,24 @@
     }
   },
   "definitions": {
-    "CertificateSet": {
+    "CertificateInfoObject": {
       "properties": {
         "certificates": {
           "type": "array",
           "items": {
             "$ref": "#/definitions/SecurityDomainCertificateItem"
           },
           "minItems": 3,
-          "maxItems": 3,
+          "maxItems": 10,
           "uniqueItems": true,
-          "description": "Three certificates needed from customer"
+          "description": "Certificates needed from customer"
+        },
+        "required": {
+          "description": "Customer to specify the number of certificates (minimum 2 and maximum 10) to restore security domain",
+          "type": "integer",
+          "default": 2,
+          "minimum": 2,
+          "maximum": 10
         }
       },
       "required": [
@@ -215,8 +222,14 @@
     },
     "TransferKey": {
       "properties": {
+        "key_format": {
+          "type": "string",
+          "default": "jwk",
+          "description": "Specifies the format of the transfer key"
+        },
         "transfer_key": {
-          "$ref": "#/definitions/SecurityDomainJsonWebKey"
+          "$ref": "#/definitions/SecurityDomainJsonWebKey",
+          "description": "Specifies the transfer key in JWK format"
         }
       },
       "required": [
@@ -225,10 +238,113 @@
     },
     "SecurityDomainObject": {
       "properties": {
-        "value": {
-          "type": "string"
+        "data": {
+          "type": "object",
+          "properties": {
+            "EncData": {
+              "$ref": "#/definitions/EncDataSet",
+              "description": "Array of encrypted data set"
+            },
+            "SharedKeys": {
+              "properties": {
+                "key_algorithm": {
+                  "type": "string",
+                  "default": "shamir_share",
+                  "description": "The Algorithm used for shared keys"
+                },
+                "required": {
+                  "type": "integer",
+                  "minimum": 2,
+                  "maximum": 10,
+                  "description": "The number of keys (minimum 2 and maximum 10) required for security domain. "
+                },
+                "enc_shares": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/definitions/Key",
+                    "minItems": 3,
+                    "maxItems": 10
+                  },
+                  "uniqueItems": true,
+                  "description": "Compact JWE wrapped shares array"
+                }
+              },
+              "required": [
+                "key_algorithm",
+                "required",
+                "enc_shares"
+              ],
+              "description": "Array of shared keys"
+            },
+            "version": {
+              "type": "integer"
+            }
+          },
+          "required": [
+            "EncData",
+            "SharedKeys",
+            "version"
+          ]
         }
-      }
+      },
+      "description": "Security domain",
+      "required": [
+        "data"
+      ]
+    },
+    "EncDataSet": {
+      "properties": {
+        "data": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/EncDataSetItem",
+            "minItems": 2
+          },
+          "description": "Array of encrypted security domain",
+          "uniqueItems": true
+        },
+        "kdf": {
+          "type": "string",
+          "default": "sp108_kdf",
+          "description": "The key derivation function used"
+        }
+      },
+      "required": [
+        "data",
+        "kdf"
+      ]
+    },
+    "EncDataSetItem": {
+      "properties": {
+        "compact_jwe": {
+          "type": "string",
+          "description": "Encrypted data"
+        },
+        "tag": {
+          "type": "string",
+          "description": "hsm backup tag"
+        }
+      },
+      "required": [
+        "compact_jwe",
+        "tag"
+      ]
+    },
+    "Key": {
+      "properties": {
+        "enc_key": {
+          "type": "string",
+          "description": "Compact JWE wrapped share"
+        },
+        "x5t_256": {
+          "type": "string",
+          "description": "SHA 256 hash of certificate"
+        }
+      },
+      "required": [
+        "enc_key",
+        "x5t_256"
+      ]
     },
     "SecurityDomainOperationStatus": {
       "properties": {
@@ -258,15 +374,7 @@
         },
         "kty": {
           "type": "string",
-          "description": "JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. For security domain this value must be RSA",
-          "enum": [
-            "RSA",
-            "RSA-HSM"
-          ],
-          "x-ms-enum": {
-            "name": "JsonWebKeyType",
-            "modelAsString": true
-          }
+          "description": "JsonWebKey Key Type (kty), as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40. For security domain this value must be RSA"
         },
         "key_ops": {
           "type": "array",
@@ -310,12 +418,51 @@
       "required": [
         "kty",
         "key_ops",
+        "alg",
         "kid",
         "x5c",
         "x5t#S256",
         "n",
         "e"
       ]
+    },
+    "SecurityDomainUploadObject": {
+      "properties": {
+        "value": {
+          "type": "object",
+          "properties": {
+            "EncData": {
+              "$ref": "#/definitions/EncDataSet",
+              "description": "Array of encrypted data set"
+            },
+            "WrappedKey": {
+              "properties": {
+                "enc_key": {
+                  "type": "string",
+                  "description": "Encryption key used to encrypt the EncData"
+                },
+                "x5t_256": {
+                  "type": "string",
+                  "description": "Thumbprint used to determine which certificate was used to encrypt the enc_key field"
+                }
+              },
+              "required": [
+                "enc_key",
+                "x5t_256"
+              ],
+              "description": "Key object containing the encryption key used to encrypt EncData object"
+            }
+          },
+          "required": [
+            "EncData",
+            "WrappedKey"
+          ]
+        }
+      },
+      "description": "Security domain object uploaded to a new pool",
+      "required": [
+        "value"
+      ]
     }
   },
   "parameters": {
