[Key Vault] Add new encryption algorithms for 7.2-preview

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/_enums.py

@@ -34,3 +34,4 @@ class KeyType(str, Enum):
     rsa = "RSA"
     rsa_hsm = "RSA-HSM"  #: RSA with a private key which is not exportable from the HSM
     oct = "oct"  #: Octet sequence (used to represent symmetric keys)
+    oct_hsm = "oct-HSM"  #: Octet sequence with a private key which is not exportable from the HSM

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_client.py

@@ -29,7 +29,7 @@ def _validate_arguments(operation, algorithm, **kwargs):
     # type: (KeyOperation, EncryptionAlgorithm, **Any) -> None
     """Validates the arguments passed to perform an operation with a provided algorithm.
 
-    :param KeyOperation operation: the type of operation being requested. Can be "encrypt" or "decrypt"
+    :param KeyOperation operation: the type of operation being requested
     :param EncyptionAlgorithm algorithm: the encryption algorithm to use for the operation
     :keyword bytes iv: initialization vector
     :keyword bytes authentication_tag: authentication tag returned from an encryption
@@ -45,9 +45,9 @@ def _validate_arguments(operation, algorithm, **kwargs):
             raise ValueError(
                 "iv should only be provided with AES-CBC algorithms; {} does not accept an iv".format(algorithm)
             )
-        if aad and "GCM" not in algorithm:
+        if aad and not ("CBC" in algorithm or "GCM" in algorithm):
             raise ValueError(
-                "additional_authenticated_data should only be provided with AES-GCM algorithms; {} does not accept an "
+                "additional_authenticated_data should only be provided with AES algorithms; {} does not accept an "
                 "aad".format(algorithm)
             )
 
@@ -62,9 +62,9 @@ def _validate_arguments(operation, algorithm, **kwargs):
                     algorithm
                 )
             )
-        if aad and "GCM" not in algorithm:
+        if aad and not ("CBC" in algorithm or "GCM" in algorithm):
             raise ValueError(
-                "additional_authenticated_data should only be provided with AES-GCM algorithms; {} does not accept an "
+                "additional_authenticated_data should only be provided with AES algorithms; {} does not accept an "
                 "aad".format(algorithm)
             )
 
@@ -175,10 +175,10 @@ def encrypt(self, algorithm, plaintext, **kwargs):
             :language: python
             :dedent: 8
         """
-        self._initialize(**kwargs)
         iv = kwargs.pop("iv", None)
         aad = kwargs.pop("additional_authenticated_data", None)
         _validate_arguments(operation=KeyOperation.encrypt, algorithm=algorithm, iv=iv, aad=aad)
+        self._initialize(**kwargs)
 
         if self._local_provider.supports(KeyOperation.encrypt, algorithm):
             raise_if_time_invalid(self._key)
@@ -229,11 +229,11 @@ def decrypt(self, algorithm, ciphertext, **kwargs):
             :language: python
             :dedent: 8
         """
-        self._initialize(**kwargs)
         iv = kwargs.pop("iv", None)
         tag = kwargs.pop("authentication_tag", None)
         aad = kwargs.pop("additional_authenticated_data", None)
         _validate_arguments(operation=KeyOperation.decrypt, algorithm=algorithm, iv=iv, tag=tag, aad=aad)
+        self._initialize(**kwargs)
 
         if self._local_provider.supports(KeyOperation.decrypt, algorithm):
             try:

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/__init__.py

@@ -20,7 +20,7 @@ def get_local_cryptography_provider(key):
         return EllipticCurveCryptographyProvider(key)
     if key.key_type in (KeyType.rsa, KeyType.rsa_hsm):
         return RsaCryptographyProvider(key)
-    if key.key_type == KeyType.oct:
+    if key.key_type in (KeyType.oct, KeyType.oct_hsm):
         return SymmetricCryptographyProvider(key)
 
     raise ValueError('Unsupported key type "{}"'.format(key.key_type))

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_providers/symmetric.py

@@ -18,8 +18,8 @@
 class SymmetricCryptographyProvider(LocalCryptographyProvider):
     def _get_internal_key(self, key):
         # type: (KeyVaultKey) -> Key
-        if key.key_type != KeyType.oct:
-            raise ValueError('"key" must be an oct (symmetric) key')
+        if key.key_type not in (KeyType.oct, KeyType.oct_hsm):
+            raise ValueError('"key" must be an oct or oct-HSM (symmetric) key')
         return SymmetricKey.from_jwk(key.key)
 
     def supports(self, operation, algorithm):

sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/aio/_client.py

@@ -127,10 +127,10 @@ async def encrypt(self, algorithm: "EncryptionAlgorithm", plaintext: bytes, **kw
             :language: python
             :dedent: 8
         """
-        await self._initialize(**kwargs)
         iv = kwargs.pop("iv", None)
         aad = kwargs.pop("additional_authenticated_data", None)
         _validate_arguments(operation=KeyOperation.encrypt, algorithm=algorithm, iv=iv, aad=aad)
+        await self._initialize(**kwargs)
 
         if self._local_provider.supports(KeyOperation.encrypt, algorithm):
             raise_if_time_invalid(self._key)
@@ -180,11 +180,11 @@ async def decrypt(self, algorithm: "EncryptionAlgorithm", ciphertext: bytes, **k
             :language: python
             :dedent: 8
         """
-        await self._initialize(**kwargs)
         iv = kwargs.pop("iv", None)
         tag = kwargs.pop("authentication_tag", None)
         aad = kwargs.pop("additional_authenticated_data", None)
         _validate_arguments(operation=KeyOperation.decrypt, algorithm=algorithm, iv=iv, tag=tag, aad=aad)
+        await self._initialize(**kwargs)
 
         if self._local_provider.supports(KeyOperation.decrypt, algorithm):
             try: