Skip to content

Server: Allow Azure Managed HSM to be used in the azurekeyvault key manager plugin#6751

Merged
sorindumitru merged 6 commits intospiffe:mainfrom
skeiffer:dev/fixMhsmKty
Apr 14, 2026
Merged

Server: Allow Azure Managed HSM to be used in the azurekeyvault key manager plugin#6751
sorindumitru merged 6 commits intospiffe:mainfrom
skeiffer:dev/fixMhsmKty

Conversation

@skeiffer
Copy link
Copy Markdown
Contributor

@skeiffer skeiffer commented Mar 16, 2026

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?

Affected functionality
The azure keyvault key manager plugin does not work with Azure Managed HSM.

Description of change

  • Updated keyTypeFromKeySpec to allow RSA-HSM and EC-HSM as valid key types.
  • Updated keyVaultKeyToRawKey to normalize the kty, removing -HSM so data can be parsed by go-jose.
  • Created full unit tests for keyTypeFromKeySpec & keyVaultKeyToRawKey

Which issue this PR fixes
#6750

@skeiffer skeiffer changed the title Dev/fix mhsm kty Server: Allow Azure Managed HSM to be used in the azurekeyvault key manager plugin Mar 16, 2026
@MarcosDY MarcosDY requested a review from sorindumitru March 17, 2026 18:55
@nikotih
Copy link
Copy Markdown
Contributor

nikotih commented Mar 18, 2026

Hi @skeiffer since you are user of azurekeyvault plugin maybe have a look at
#6494
(bumps all azure libs)

in case you see any issues

@skeiffer
Copy link
Copy Markdown
Contributor Author

skeiffer commented Mar 19, 2026

Hi @skeiffer since you are user of azurekeyvault plugin maybe have a look at #6494 (bumps all azure libs)

in case you see any issues

I can merge this into my branch and give it a test.

sorindumitru
sorindumitru reviewed Mar 24, 2026
View reviewed changes
Comment thread pkg/server/plugin/keymanager/azurekeyvault/azure_key_vault.go Outdated
return nil, status.Error(codes.Internal, "key type is missing")
}
keyType := string(*keyVaultKey.Kty)
if strings.HasSuffix(keyType, "-HSM") {
Copy link
Copy Markdown
Collaborator

@sorindumitru sorindumitru Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good based on what they document about the key type, but could explicitly check for RSA-HSM and EC-HSM in case they add anything else in there that might be causing us issues in the future?

Copy link
Copy Markdown
Contributor Author

@skeiffer skeiffer Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay, I have made this change.

@skeiffer
Copy link
Copy Markdown
Contributor Author

skeiffer commented Mar 31, 2026
edited
Loading

Hi @skeiffer since you are user of azurekeyvault plugin maybe have a look at #6494 (bumps all azure libs)
in case you see any issues

I can merge this into my branch and give it a test.

@nikotih, I tested these changes (after fixing the changed constant names) and it appeared to work as expected. I did not however test all the plugins that had their libraries updated.

I have not included your changes in this PR to keep things clean.

@skeiffer
Copy link
Copy Markdown
Contributor Author

skeiffer commented Apr 13, 2026

@sorindumitru Can you please approve the workflows to run? An upstream change to master introduced some new problems that I had to fix. Need to run the tests again.

@skeiffer skeiffer force-pushed the dev/fixMhsmKty branch 4 times, most recently from 5b4c376 to 333a9fb Compare April 14, 2026 15:37
Scott Keiffer added 6 commits April 14, 2026 08:39
Normalize Azure Managed HSM kty values
8163c0a 
Signed-off-by: Scott Keiffer edkeiffer@microsoft.com
Signed-off-by: Scott Keiffer <edkeiffe@microsoft.com>
Readd removed comments
42bcb2c 
Signed-off-by: Scott Keiffer edkeiffer@microsoft.com
Signed-off-by: Scott Keiffer <edkeiffe@microsoft.com>
Explicit checks for -HSM key types
5fac323 
Signed-off-by: Scott Keiffer edkeiffer@microsoft.com
Signed-off-by: Scott Keiffer <edkeiffe@microsoft.com>
Pulled master and fixed new problems introduced upstream.
f29d4a4 
Signed-off-by: Scott Keiffer edkeiffer@microsoft.com
Signed-off-by: Scott Keiffer <edkeiffe@microsoft.com>
Commit test generated keys
12cc498 
Signed-off-by: Scott Keiffer edkeiffer@microsoft.com
Signed-off-by: Scott Keiffer <edkeiffe@microsoft.com>
fix linting
4f3e558 
Signed-off-by: Scott Keiffer <edkeiffe@microsoft.com>
@skeiffer
Copy link
Copy Markdown
Contributor Author

skeiffer commented Apr 14, 2026
edited
Loading

@sorindumitru, Third times a charm? I ran the workflows via my fork, should be good now.

sorindumitru
sorindumitru approved these changes Apr 14, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sorindumitru sorindumitru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @skeiffer !

@sorindumitru sorindumitru added this to the 1.15.0 milestone Apr 14, 2026
@sorindumitru sorindumitru added this pull request to the merge queue Apr 14, 2026
Merged via the queue into spiffe:main with commit 5dcacb8 Apr 14, 2026
50 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sorindumitru sorindumitru sorindumitru approved these changes

@evan2645 evan2645 Awaiting requested review from evan2645 evan2645 is a code owner

@amartinezfayo amartinezfayo Awaiting requested review from amartinezfayo amartinezfayo is a code owner

@MarcosDY MarcosDY Awaiting requested review from MarcosDY MarcosDY is a code owner

@rturner3 rturner3 Awaiting requested review from rturner3 rturner3 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.15.0

Development

Successfully merging this pull request may close these issues.

3 participants

@skeiffer @nikotih @sorindumitru