Azure · houk-ms · Jan 22, 2021 · Jan 20, 2021 · Jan 20, 2021 · Jan 20, 2021
@@ -20,7 +20,7 @@
     get_keyvault_name_completion_list, get_keyvault_version_completion_list)
 from azure.cli.command_modules.keyvault._validators import (
     datetime_type, certificate_type,
-    get_vault_base_url_type, get_hsm_base_url_type,
+    get_vault_base_url_type, get_hsm_base_url_type, validate_key_import_type,
     validate_key_import_source, validate_key_type, validate_policy_permissions, validate_principal,
     validate_resource_group_name, validate_x509_certificate_chain,
     secret_text_encoding_values, secret_binary_encoding_values, validate_subnet,
@@ -71,6 +71,12 @@ class CLIKeyTypeForBYOKImport(str, Enum):
         ec = "EC"  #: Elliptic Curve.
         rsa = "RSA"  #: RSA (https://tools.ietf.org/html/rfc3447)
 
+    class CLIJsonWebKeyCurveName(str, Enum):
+        p_256 = "P-256"  #: The NIST P-256 elliptic curve, AKA SECG curve SECP256R1.
+        p_256k = "P-256K"  #: The SECG SECP256K1 elliptic curve.
+        p_384 = "P-384"  #: The NIST P-384 elliptic curve, AKA SECG curve SECP384R1.
+        p_521 = "P-521"  #: The NIST P-521 elliptic curve, AKA SECG curve SECP521R1.
+
     (KeyPermissions, SecretPermissions, CertificatePermissions, StoragePermissions,
      NetworkRuleBypassOptions, NetworkRuleAction) = self.get_models(
          'KeyPermissions', 'SecretPermissions', 'CertificatePermissions', 'StoragePermissions',
@@ -347,8 +353,10 @@ class CLIKeyTypeForBYOKImport(str, Enum):
                    help='Elliptic curve name. For valid values, see: https://docs.microsoft.com/en-us/rest/api/keyvault/createkey/createkey#jsonwebkeycurvename')
 
     with self.argument_context('keyvault key import') as c:
-        c.argument('kty', arg_type=get_enum_type(CLIKeyTypeForBYOKImport),
+        c.argument('kty', arg_type=get_enum_type(CLIKeyTypeForBYOKImport), validator=validate_key_import_type,
                    help='The type of key to import (only for BYOK).')
+        c.argument('curve', arg_type=get_enum_type(CLIJsonWebKeyCurveName), validator=validate_key_import_type,
+                   help='The curve name of the key to import (only for BYOK).')
 
     with self.argument_context('keyvault key import', arg_group='Key Source') as c:
         c.argument('pem_file', type=file_type, help='PEM file containing the key to be imported.', completer=FilesCompleter(), validator=validate_key_import_source)

@@ -184,6 +184,16 @@ def validate_key_import_source(ns):
         raise ValueError('--pem-password must be used with --pem-file or --pem-string')
 
 
+def validate_key_import_type(ns):
+    # Default value of kty is: RSA
+    kty = getattr(ns, 'kty', None)
+    crv = getattr(ns, 'curve', None)
+
+    if (kty == 'EC' and crv is None) or (kty != 'EC' and crv):
+        from azure.cli.core.azclierror import ValidationError
+        raise ValidationError('parameter --curve should be specified when key type is EC.')
+
+
 def validate_key_type(ns):
     crv = getattr(ns, 'curve', None)
     kty = getattr(ns, 'kty', None) or ('EC' if crv else 'RSA')

@@ -1189,7 +1189,7 @@ def import_key(cmd, client, key_name=None, vault_base_url=None,  # pylint: disab
                hsm_name=None, identifier=None,  # pylint: disable=unused-argument
                protection=None, key_ops=None, disabled=False, expires=None,
                not_before=None, tags=None, pem_file=None, pem_string=None, pem_password=None, byok_file=None,
-               byok_string=None, kty='RSA'):
+               byok_string=None, kty='RSA', curve=None):
     """ Import a private key. Supports importing base64 encoded private keys from PEM files or strings.
         Supports importing BYOK keys into HSM for premium key vaults. """
     KeyAttributes = cmd.get_models('KeyAttributes', resource_type=ResourceType.DATA_KEYVAULT)
@@ -1234,6 +1234,7 @@ def import_key(cmd, client, key_name=None, vault_base_url=None,  # pylint: disab
 
         key_obj.kty = kty + '-HSM'
         key_obj.t = byok_data
+        key_obj.crv = curve
 
     return client.import_key(vault_base_url, key_name, key_obj, protection == 'hsm', key_attrs, tags)