Implement secure key release (Azure#16794)
* Doc comment and scope name improvements

* Implement secure key release

Resolves Azure#14892 sans tests; see Azure#16789 and Azure#16792

* Update public APIs
heaths authored and annelo-msft committed Feb 17, 2021
1 parent 2074b1c commit 626bc6c
Showing 22 changed files with 484 additions and 15 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,10 @@ public partial class CreateKeyOptions
public CreateKeyOptions() { }
public bool? Enabled { get { throw null; } set { } }
public System.DateTimeOffset? ExpiresOn { get { throw null; } set { } }
public bool? Exportable { get { throw null; } set { } }
public System.Collections.Generic.IList<Azure.Security.KeyVault.Keys.KeyOperation> KeyOperations { get { throw null; } }
public System.DateTimeOffset? NotBefore { get { throw null; } set { } }
public Azure.Security.KeyVault.Keys.KeyReleasePolicy ReleasePolicy { get { throw null; } set { } }
public System.Collections.Generic.IDictionary<string, string> Tags { get { throw null; } }
}
public partial class CreateRsaKeyOptions : Azure.Security.KeyVault.Keys.CreateKeyOptions
Expand All @@ -24,6 +26,7 @@ public CreateRsaKeyOptions(string name, bool hardwareProtected = false) { }
public int? KeySize { get { throw null; } set { } }
public Azure.Security.KeyVault.Keys.KeyType KeyType { get { throw null; } }
public string Name { get { throw null; } }
public int? PublicExponent { get { throw null; } set { } }
}
public static partial class CryptographyModelFactory
{
Expand Down Expand Up @@ -65,6 +68,7 @@ public ImportKeyOptions(string name, Azure.Security.KeyVault.Keys.JsonWebKey key
public Azure.Security.KeyVault.Keys.JsonWebKey Key { get { throw null; } }
public string Name { get { throw null; } }
public Azure.Security.KeyVault.Keys.KeyProperties Properties { get { throw null; } }
public Azure.Security.KeyVault.Keys.KeyReleasePolicy ReleasePolicy { get { throw null; } set { } }
}
public partial class JsonWebKey
{
Expand Down Expand Up @@ -106,6 +110,10 @@ public KeyClient(System.Uri vaultUri, Azure.Core.TokenCredential credential, Azu
public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> CreateKeyAsync(string name, Azure.Security.KeyVault.Keys.KeyType keyType, Azure.Security.KeyVault.Keys.CreateKeyOptions keyOptions = null, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey> CreateRsaKey(Azure.Security.KeyVault.Keys.CreateRsaKeyOptions rsaKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> CreateRsaKeyAsync(Azure.Security.KeyVault.Keys.CreateRsaKeyOptions rsaKeyOptions, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey> ExportKey(string name, string version, string environment, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey> ExportKey(string name, string environment, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> ExportKeyAsync(string name, string version, string environment, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.KeyVaultKey>> ExportKeyAsync(string name, string environment, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual Azure.Response<Azure.Security.KeyVault.Keys.DeletedKey> GetDeletedKey(string name, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual System.Threading.Tasks.Task<Azure.Response<Azure.Security.KeyVault.Keys.DeletedKey>> GetDeletedKeyAsync(string name, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
public virtual Azure.Pageable<Azure.Security.KeyVault.Keys.DeletedKey> GetDeletedKeys(System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
Expand Down Expand Up @@ -178,6 +186,7 @@ public static partial class KeyModelFactory
public KeyOperation(string value) { throw null; }
public static Azure.Security.KeyVault.Keys.KeyOperation Decrypt { get { throw null; } }
public static Azure.Security.KeyVault.Keys.KeyOperation Encrypt { get { throw null; } }
public static Azure.Security.KeyVault.Keys.KeyOperation Export { get { throw null; } }
public static Azure.Security.KeyVault.Keys.KeyOperation Import { get { throw null; } }
public static Azure.Security.KeyVault.Keys.KeyOperation Sign { get { throw null; } }
public static Azure.Security.KeyVault.Keys.KeyOperation UnwrapKey { get { throw null; } }
Expand All @@ -200,17 +209,25 @@ public KeyProperties(System.Uri id) { }
public System.DateTimeOffset? CreatedOn { get { throw null; } }
public bool? Enabled { get { throw null; } set { } }
public System.DateTimeOffset? ExpiresOn { get { throw null; } set { } }
public bool? Exportable { get { throw null; } set { } }
public System.Uri Id { get { throw null; } }
public bool Managed { get { throw null; } }
public string Name { get { throw null; } }
public System.DateTimeOffset? NotBefore { get { throw null; } set { } }
public int? RecoverableDays { get { throw null; } }
public string RecoveryLevel { get { throw null; } }
public Azure.Security.KeyVault.Keys.KeyReleasePolicy ReleasePolicy { get { throw null; } set { } }
public System.Collections.Generic.IDictionary<string, string> Tags { get { throw null; } }
public System.DateTimeOffset? UpdatedOn { get { throw null; } }
public System.Uri VaultUri { get { throw null; } }
public string Version { get { throw null; } }
}
public partial class KeyReleasePolicy
{
public KeyReleasePolicy(byte[] data) { }
public string ContentType { get { throw null; } set { } }
public byte[] Data { get { throw null; } }
}
[System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
public readonly partial struct KeyType : System.IEquatable<Azure.Security.KeyVault.Keys.KeyType>
{
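Review bot: `KeyReleasePolicy.Data` is exposed as a plain `byte[]` getter next to a `byte[]` constructor, so whoever holds the array reference (presumably the one passed to the constructor — the stubs here do not show whether it is copied) can change the policy bytes after the options object is built and before the request is serialized; consider exposing it as `ReadOnlyMemory<byte>` or `BinaryData`, or state in the XML doc that the array is not copied. The two `ExportKey` overloads take adjacent `string version` and `string environment` parameters and differ only in arity, so a call with the arguments transposed compiles and fails only at the service; an XML `<param>` remark stating what `environment` carries (presumably the attestation material the service checks against the release policy — confirm) would help callers. The declaring classes continue outside this section.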
10 changes: 10 additions & 0 deletions sdk/keyvault/Azure.Security.KeyVault.Keys/src/CreateKeyOptions.cs
Expand Up @@ -38,6 +38,16 @@ public CreateKeyOptions()
/// </summary>
public bool? Enabled { get; set; }

/// <summary>
/// Gets or sets a value indicating whether the private key can be exported.
/// </summary>
public bool? Exportable { get; set; }

/// <summary>
/// Gets or sets the policy rules under which the key can be exported.
/// </summary>
public KeyReleasePolicy ReleasePolicy { get; set; }

/// <summary>
/// Gets a dictionary of tags with specific metadata about the key. Although this collection cannot be set, it can be modified
/// or initialized with a <see href="https://docs.microsoft.com/dotnet/csharp/programming-guide/classes-and-structs/how-to-initialize-a-dictionary-with-a-collection-initializer">collection initializer</see>.
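Review bot: The new `Exportable` and `ReleasePolicy` summaries describe each property in isolation, but nothing tells the caller that the two are meant to be set together or what happens when only one is. Suggest a `<remarks>` on `ReleasePolicy` along the lines of `/// Expected to be set together with <see cref="Exportable"/> = true; the service, not this client, enforces that key material is released only to an environment that satisfies the policy.` — the coupling is not visible in this hunk, so confirm it against the service contract before wording it as a requirement. The `Exportable` summary says "private key", which reads as asymmetric-only; if the flag also applies to symmetric key material, "key material" is the safer wording, and if it is limited to asymmetric keys, say so explicitly.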
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,11 @@ public class CreateRsaKeyOptions : CreateKeyOptions
/// </summary>
public int? KeySize { get; set; }

/// <summary>
/// Gets or sets the public exponent for a RSA key.
/// </summary>
public int? PublicExponent { get; set; }

/// <summary>
/// Gets a value indicating whether to create a hardware-protected key in a hardware security module (HSM).
/// </summary>
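Review bot: `/// Gets or sets the public exponent for a RSA key.` should read `an RSA key`. The summary also gives no indication of the accepted values or of what is used when the property is left null; if the service defaults to 65537 (the conventional exponent) when unset, stating that and the accepted values in the summary would save callers a trip to the service documentation — confirm the default before documenting it.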
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ protected CryptographyClient()
/// Initializes a new instance of the <see cref="CryptographyClient"/> class.
/// </summary>
/// <param name="keyId">
/// The <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> which will be used for cryptographic operations.
/// The key identifier of the <see cref="KeyVaultKey"/> which will be used for cryptographic operations.
/// If you have a key <see cref="Uri"/>, use <see cref="KeyVaultKeyIdentifier"/> to parse the <see cref="KeyVaultKeyIdentifier.VaultUri"/> and other information.
/// </param>
/// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, like DefaultAzureCredential.</param>
Expand All @@ -48,7 +48,7 @@ public CryptographyClient(Uri keyId, TokenCredential credential)
/// Initializes a new instance of the <see cref="CryptographyClient"/> class.
/// </summary>
/// <param name="keyId">
/// The <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> which will be used for cryptographic operations.
/// The key identifier of the <see cref="KeyVaultKey"/> which will be used for cryptographic operations.
/// If you have a key <see cref="Uri"/>, use <see cref="KeyVaultKeyIdentifier"/> to parse the <see cref="KeyVaultKeyIdentifier.VaultUri"/> and other information.
/// </param>
/// <param name="credential">A <see cref="TokenCredential"/> used to authenticate requests to the vault, like DefaultAzureCredential.</param>
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ internal DecryptResult()
}

/// <summary>
/// Gets the <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> used to decrypt.
/// Gets the key identifier of the <see cref="KeyVaultKey"/> used to decrypt.
/// </summary>
public string KeyId { get; internal set; }

Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ internal EncryptResult()
}

/// <summary>
/// Gets the <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> used to encrypt. This must be stored alongside the <see cref="Ciphertext"/> as the same key must be used to decrypt it.
/// Gets the key identifier of the <see cref="KeyVaultKey"/> used to encrypt. This must be stored alongside the <see cref="Ciphertext"/> as the same key must be used to decrypt it.
/// </summary>
public string KeyId { get; internal set; }

Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ internal SignResult()
}

/// <summary>
/// Gets the <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> used to sign. This must be stored alongside the <see cref="Signature"/> as the same key must be used to verify it.
/// Gets the key identifier of the <see cref="KeyVaultKey"/> used to sign. This must be stored alongside the <see cref="Signature"/> as the same key must be used to verify it.
/// </summary>
public string KeyId { get; internal set; }

Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ internal UnwrapResult()
}

/// <summary>
/// Gets the <see cref="KeyProperties.Id"/> of the <see cref="Key"/> used to uwrap.
/// Gets the key identifier of the <see cref="Key"/> used to uwrap.
/// </summary>
public string KeyId { get; internal set; }

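Review bot: The rewritten summary keeps the pre-existing typo `uwrap`; since the line is being touched anyway, make it `/// Gets the key identifier of the <see cref="KeyVaultKey"/> used to unwrap.` The sibling result types in this commit reference `<see cref="KeyVaultKey"/>` while this one references `<see cref="Key"/>`, which may resolve to a member of `UnwrapResult` rather than to the vault key type — worth aligning with the others while here.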
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ internal VerifyResult()
}

/// <summary>
/// Gets the <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> used to verify.
/// Gets the key identifier of the <see cref="KeyVaultKey"/> used to verify.
/// </summary>
public string KeyId { get; internal set; }

Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ internal WrapResult()
}

/// <summary>
/// Gets the <see cref="KeyProperties.Id"/> of the <see cref="KeyVaultKey"/> used to wrap the <see cref="EncryptedKey"/>. This must be stored alongside the <see cref="EncryptedKey"/> as the same key must be used to unwrap it.
/// Gets the key identifier of the <see cref="KeyVaultKey"/> used to wrap the <see cref="EncryptedKey"/>. This must be stored alongside the <see cref="EncryptedKey"/> as the same key must be used to unwrap it.
/// </summary>
public string KeyId { get; internal set; }

16 changes: 16 additions & 0 deletions sdk/keyvault/Azure.Security.KeyVault.Keys/src/ImportKeyOptions.cs
Expand Up @@ -16,10 +16,12 @@ public class ImportKeyOptions : IJsonSerializable
private const string KeyPropertyName = "key";
private const string TagsPropertyName = "tags";
private const string HsmPropertyName = "hsm";
private const string ReleasePolicyPropertyName = "release_policy";

private static readonly JsonEncodedText s_keyPropertyNameBytes = JsonEncodedText.Encode(KeyPropertyName);
private static readonly JsonEncodedText s_tagsPropertyNameBytes = JsonEncodedText.Encode(TagsPropertyName);
private static readonly JsonEncodedText s_hsmPropertyNameBytes = JsonEncodedText.Encode(HsmPropertyName);
private static readonly JsonEncodedText s_releasePolicyPropertyNameBytes = JsonEncodedText.Encode(ReleasePolicyPropertyName);

/// <summary>
/// Initializes a new instance of the <see cref="ImportKeyOptions"/> class.
Expand Down Expand Up @@ -54,6 +56,11 @@ public ImportKeyOptions(string name, JsonWebKey keyMaterial)
/// </summary>
public bool? HardwareProtected { get; set; }

/// <summary>
/// Gets or sets the policy rules under which the key can be exported.
/// </summary>
public KeyReleasePolicy ReleasePolicy { get; set; }

/// <summary>
/// Gets additional properties of the <see cref="KeyVaultKey"/>.
/// </summary>
Expand Down Expand Up @@ -88,6 +95,15 @@ void IJsonSerializable.WriteProperties(Utf8JsonWriter json)
{
json.WriteBoolean(s_hsmPropertyNameBytes, HardwareProtected.Value);
}

if (ReleasePolicy != null)
{
json.WriteStartObject(s_releasePolicyPropertyNameBytes);

ReleasePolicy.WriteProperties(json);

json.WriteEndObject();
}
}
}
}
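Review bot: The new `ImportKeyOptions.ReleasePolicy` duplicates `KeyProperties.ReleasePolicy`, which is reachable on the same options object through `Properties`, and the new `WriteProperties` branch serializes only the former; a caller who sets `options.Properties.ReleasePolicy` may therefore send no `release_policy` at all, or two conflicting ones if `KeyProperties` also writes it (its serializer is not visible here). Either keep a single property or document which one is honored, e.g. `/// Sent as the request's release_policy; a policy set on <see cref="Properties"/> is not used for import.` once confirmed. `ReleasePolicy.WriteProperties` is defined outside this section.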
18 changes: 17 additions & 1 deletion sdk/keyvault/Azure.Security.KeyVault.Keys/src/KeyAttributes.cs
Expand Up @@ -15,10 +15,12 @@ internal struct KeyAttributes
private const string UpdatedPropertyName = "updated";
private const string RecoverableDaysPropertyName = "recoverableDays";
private const string RecoveryLevelPropertyName = "recoveryLevel";
private const string ExportablePropertyName = "exportable";

private static readonly JsonEncodedText s_enabledPropertyNameBytes = JsonEncodedText.Encode(EnabledPropertyName);
private static readonly JsonEncodedText s_notBeforePropertyNameBytes = JsonEncodedText.Encode(NotBeforePropertyName);
private static readonly JsonEncodedText s_expiresPropertyNameBytes = JsonEncodedText.Encode(ExpiresPropertyName);
private static readonly JsonEncodedText s_exportablePropertyNameBytes = JsonEncodedText.Encode(ExportablePropertyName);

public bool? Enabled { get; set; }

Expand All @@ -34,7 +36,13 @@ internal struct KeyAttributes

public string RecoveryLevel { get; internal set; }

internal bool ShouldSerialize => Enabled.HasValue && NotBefore.HasValue && ExpiresOn.HasValue;
public bool? Exportable { get; internal set; }

internal bool ShouldSerialize =>
Enabled.HasValue &&
NotBefore.HasValue &&
ExpiresOn.HasValue &&
Exportable.HasValue;

internal void ReadProperties(JsonElement json)
{
Expand Down Expand Up @@ -63,6 +71,9 @@ internal void ReadProperties(JsonElement json)
case RecoveryLevelPropertyName:
RecoveryLevel = prop.Value.GetString();
break;
case ExportablePropertyName:
Exportable = prop.Value.GetBoolean();
break;
}
}
}
Expand All @@ -84,6 +95,11 @@ internal void WriteProperties(Utf8JsonWriter json)
json.WriteNumber(s_expiresPropertyNameBytes, ExpiresOn.Value.ToUnixTimeSeconds());
}

if (Exportable.HasValue)
{
json.WriteBoolean(s_exportablePropertyNameBytes, Exportable.Value);
}

// Created is read-only don't serialize
// Updated is read-only don't serialize
// RecoverableDays is read-only don't serialize
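Review bot: The rewritten `ShouldSerialize` still ANDs every attribute and now adds `Exportable.HasValue` to that conjunction, so an options object that sets `Enabled`, `NotBefore` and `ExpiresOn` but leaves `Exportable` null reports false where the old expression reported true — any caller gating the attributes object on this property (not visible here) will silently omit those attributes from the request. Since `WriteProperties` guards each field individually, the intended condition looks like any-set rather than all-set: `internal bool ShouldSerialize => Enabled.HasValue || NotBefore.HasValue || ExpiresOn.HasValue || Exportable.HasValue;`. Because `exportable` relaxes the protection on key material, the `ReadProperties` case for it in the earlier hunk also deserves a round-trip deserialization test so a silently dropped flag cannot go unnoticed.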
