CryptographyClient class
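A client used to perform cryptographic operations on an Azure Key Vault key or a local JsonWebKey.
Constructors
Cryptography |
Constructs a new instance of the Cryptography client for the given key in local mode. Example usage:
|
Cryptography |
Constructs a new instance of the Cryptography client for the given key. Example usage:
|
Properties
keyID | The ID of the key used to perform cryptographic operations for the client. |
vault |
The base URL of the vault. If a local JsonWebKey is used, vaultUrl will be empty. |
Methods
decrypt(Decrypt |
Decrypts the given ciphertext with the specified decryption parameters. Depending on the algorithm used in the decryption parameters, the set of possible decryption parameters will change. Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. Example usage:
|
decrypt(string, Uint8Array, Decrypt |
Decrypts the given ciphertext with the specified cryptography algorithm. Example usage:
Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information. |
encrypt(Encrypt |
Encrypts the given plaintext with the specified encryption parameters. Depending on the algorithm set in the encryption parameters, the set of possible encryption parameters will change. Example usage:
|
encrypt(string, Uint8Array, Encrypt |
Encrypts the given plaintext with the specified cryptography algorithm. Example usage:
|
sign(string, Uint8Array, Sign |
Cryptographically signs the digest of a message. Example usage:
|
sign |
Cryptographically signs a block of data. Example usage:
|
unwrap |
Unwraps the given wrapped key using the specified cryptography algorithm. Example usage:
|
verify(string, Uint8Array, Uint8Array, Verify |
Verifies the signed message digest. Example usage:
|
verify |
Verifies the signed block of data. Example usage:
|
wrap |
Wraps the given key using the specified cryptography algorithm. Example usage:
|
Constructor Details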
CryptographyClient(JsonWebKey)
Constructs a new instance of the Cryptography client for the given key in local mode.
Example usage:
import { CryptographyClient } from "@azure/keyvault-keys";
const jsonWebKey = {
  kty: "RSA",
  kid: "test-key-123",
  use: "sig",
  alg: "RS256",
  n: new Uint8Array([112, 34, 56, 98, 123, 244, 200, 99]),
  e: new Uint8Array([1, 0, 1]),
  d: new Uint8Array([45, 67, 89, 23, 144, 200, 76, 233]),
  p: new Uint8Array([34, 89, 100, 77, 204, 56, 29, 77]),
  q: new Uint8Array([78, 99, 201, 45, 188, 34, 67, 90]),
  dp: new Uint8Array([23, 45, 78, 56, 200, 144, 32, 67]),
  dq: new Uint8Array([12, 67, 89, 144, 99, 56, 23, 45]),
  qi: new Uint8Array([78, 90, 45, 201, 34, 67, 120, 55]),
};
const client = new CryptographyClient(jsonWebKey);
new CryptographyClient(key: JsonWebKey)
Parameters
- key
- JsonWebKey
The JsonWebKey to use during cryptography operations.
CryptographyClient(string | KeyVaultKey, TokenCredential, CryptographyClientOptions)
Constructs a new instance of the Cryptography client for the given key.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
// Create or retrieve a key from the keyvault
const myKey = await client.createKey("MyKey", "RSA");
// Lastly, create our cryptography client and connect to the service
const cryptographyClient = new CryptographyClient(myKey, credential);
new CryptographyClient(key: string | KeyVaultKey, credential: TokenCredential, pipelineOptions?: CryptographyClientOptions)
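Parameters
- key
- string | KeyVaultKey
The key to use during cryptography tasks. You can also pass the identifier of the key, that is, its URL, here.
- credential
- TokenCredential
An object that implements the TokenCredential interface used to authenticate requests to the service. Use the @azure/identity package to create a credential that suits your needs.
- pipelineOptions
- CryptographyClientOptions
Pipeline options used to configure Key Vault API requests. Omit this parameter to use the default pipeline configuration.
Property Details
keyID
The ID of the key used to perform cryptographic operations for the client.
undefined | string keyID
Property Value
undefined | string
vaultUrl
Method Details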
decrypt(DecryptParameters, DecryptOptions)
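Decrypts the given ciphertext with the specified decryption parameters. Depending on the algorithm used in the decryption parameters, the set of possible decryption parameters will change.
Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
Example usage: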
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
  algorithm: "RSA1_5",
  plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
const decryptResult = await cryptographyClient.decrypt({
  algorithm: "RSA1_5",
  ciphertext: encryptResult.result,
});
console.log("decrypt result: ", decryptResult.result.toString());
function decrypt(decryptParameters: DecryptParameters, options?: DecryptOptions): Promise<DecryptResult>
Parameters
- decryptParameters
- DecryptParameters
The decryption parameters.
- options
- DecryptOptions
Additional options.
Returns
Promise<DecryptResult>
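The CBC recommendation above, as an added example that is not part of the SDK documentation: encrypt-then-MAC around AES-CBC, with the HMAC checked in constant time before any decryption happens. It uses `node:crypto` locally instead of `CryptographyClient`; the function names `seal`, `openSealed`, `computeTag` and `demo` are hypothetical, and the two keys are assumed to be independent 32-byte secrets.

```javascript
// Added example, not from the SDK documentation: encrypt-then-MAC around AES-CBC.
const { randomBytes, createCipheriv, createDecipheriv, createHmac, timingSafeEqual } =
  require("node:crypto");

// HMAC-SHA256 over IV || ciphertext. The IV is always 16 bytes, so the
// concatenation is unambiguous.
function computeTag(macKey, iv, ciphertext) {
  return createHmac("sha256", macKey).update(iv).update(ciphertext).digest();
}

// encKey and macKey are assumed to be independent 32-byte keys.
function seal(encKey, macKey, plaintext) {
  const iv = randomBytes(16); // fresh random IV for every message
  const cipher = createCipheriv("aes-256-cbc", encKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ciphertext, tag: computeTag(macKey, iv, ciphertext) };
}

function openSealed(encKey, macKey, { iv, ciphertext, tag }) {
  const expected = computeTag(macKey, iv, ciphertext);
  // Verify in constant time BEFORE the CBC padding is examined, so a
  // tampered message never reaches the decryptor.
  if (tag.length !== expected.length || !timingSafeEqual(tag, expected)) {
    throw new Error("integrity check failed");
  }
  const decipher = createDecipheriv("aes-256-cbc", encKey, iv);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Constructed sample run: one round trip and one tampered copy.
function demo() {
  const encKey = randomBytes(32);
  const macKey = randomBytes(32);
  const sealed = seal(encKey, macKey, Buffer.from("My Message"));
  const roundTrip = openSealed(encKey, macKey, sealed).toString();
  const tampered = { ...sealed, ciphertext: Buffer.from(sealed.ciphertext) };
  tampered.ciphertext[tampered.ciphertext.length - 1] ^= 0x01; // flip one bit
  let rejected = false;
  try {
    openSealed(encKey, macKey, tampered);
  } catch (err) {
    rejected = err.message === "integrity check failed";
  }
  return { roundTrip, rejected };
}

console.log(demo());
```

The IV is covered by the tag as well, so a modified IV is rejected the same way as a modified ciphertext.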
decrypt(string, Uint8Array, DecryptOptions)
Warning
This API is now deprecated.
Use decrypt({ algorithm, ciphertext }, options) instead.
Decrypts the given ciphertext with the specified cryptography algorithm.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
  algorithm: "RSA1_5",
  plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
const decryptResult = await cryptographyClient.decrypt({
  algorithm: "RSA1_5",
  ciphertext: encryptResult.result,
});
console.log("decrypt result: ", decryptResult.result.toString());
Microsoft recommends you not use CBC without first ensuring the integrity of the ciphertext using, for example, an HMAC. See https://learn.microsoft.com/dotnet/standard/security/vulnerabilities-cbc-mode for more information.
function decrypt(algorithm: string, ciphertext: Uint8Array, options?: DecryptOptions): Promise<DecryptResult>
Parameters
- algorithm
- string
The algorithm to use.
- ciphertext
- Uint8Array
The text to decrypt.
- options
- DecryptOptions
Additional options.
Returns
Promise<DecryptResult>
encrypt(EncryptParameters, EncryptOptions)
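Encrypts the given plaintext with the specified encryption parameters. Depending on the algorithm set in the encryption parameters, the set of possible encryption parameters will change.
Example usage: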
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
  algorithm: "RSA1_5",
  plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
function encrypt(encryptParameters: EncryptParameters, options?: EncryptOptions): Promise<EncryptResult>
Parameters
- encryptParameters
- EncryptParameters
The encryption parameters, keyed on the encryption algorithm chosen.
- options
- EncryptOptions
Additional options.
Returns
Promise<EncryptResult>
encrypt(string, Uint8Array, EncryptOptions)
Warning
This API is now deprecated.
Use encrypt({ algorithm, plaintext }, options) instead.
Encrypts the given plaintext with the specified cryptography algorithm.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey.id, credential);
const encryptResult = await cryptographyClient.encrypt({
algorithm: "RSA1_5",
plaintext: Buffer.from("My Message"),
});
console.log("encrypt result: ", encryptResult.result);
function encrypt(algorithm: string, plaintext: Uint8Array, options?: EncryptOptions): Promise<EncryptResult>
Parameters
- algorithm
- string
The algorithm to use.
- plaintext
- Uint8Array
The text to encrypt.
- options
- EncryptOptions
Additional options.
Returns
Promise<EncryptResult>
sign(string, Uint8Array, SignOptions)
Cryptographically signs the digest of a message.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
import { createHash } from "node:crypto";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const signatureValue = "MySignature";
const hash = createHash("sha256");
const digest = hash.update(signatureValue).digest();
console.log("digest: ", digest);
const signResult = await cryptographyClient.sign("RS256", digest);
console.log("sign result: ", signResult.result);
function sign(algorithm: string, digest: Uint8Array, options?: SignOptions): Promise<SignResult>
Parameters
- algorithm
- string
The signing algorithm to use.
- digest
- Uint8Array
The digest of the data to sign.
- options
- SignOptions
Additional options.
Returns
Promise<SignResult>
signData(string, Uint8Array, SignOptions)
Cryptographically signs a block of data.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const signResult = await cryptographyClient.signData("RS256", Buffer.from("My Message"));
console.log("sign result: ", signResult.result);
function signData(algorithm: string, data: Uint8Array, options?: SignOptions): Promise<SignResult>
Parameters
- algorithm
- string
The signing algorithm to use.
- data
- Uint8Array
The data to sign.
- options
- SignOptions
Additional options.
Returns
Promise<SignResult>
unwrapKey(KeyWrapAlgorithm, Uint8Array, UnwrapKeyOptions)
Unwraps the given wrapped key using the specified cryptography algorithm.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const wrapResult = await cryptographyClient.wrapKey("RSA-OAEP", Buffer.from("My Key"));
console.log("wrap result:", wrapResult.result);
const unwrapResult = await cryptographyClient.unwrapKey("RSA-OAEP", wrapResult.result);
console.log("unwrap result: ", unwrapResult.result);
function unwrapKey(algorithm: KeyWrapAlgorithm, encryptedKey: Uint8Array, options?: UnwrapKeyOptions): Promise<UnwrapResult>
Parameters
- algorithm
- KeyWrapAlgorithm
The decryption algorithm to use to unwrap the key.
- encryptedKey
- Uint8Array
The encrypted key to unwrap.
- options
- UnwrapKeyOptions
Additional options.
Returns
Promise<UnwrapResult>
verify(string, Uint8Array, Uint8Array, VerifyOptions)
Verifies the signed message digest.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
import { createHash } from "node:crypto";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const hash = createHash("sha256");
hash.update("My Message");
const digest = hash.digest();
const signResult = await cryptographyClient.sign("RS256", digest);
console.log("sign result: ", signResult.result);
const verifyResult = await cryptographyClient.verify("RS256", digest, signResult.result);
console.log("verify result: ", verifyResult.result);
function verify(algorithm: string, digest: Uint8Array, signature: Uint8Array, options?: VerifyOptions): Promise<VerifyResult>
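Parameters
- algorithm
- string
The signing algorithm to use to verify with.
- digest
- Uint8Array
The digest to verify.
- signature
- Uint8Array
The signature to verify the digest against.
- options
- VerifyOptions
Additional options.
Returns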
Promise<VerifyResult>
verifyData(string, Uint8Array, Uint8Array, VerifyOptions)
Verifies the signed block of data.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const buffer = Buffer.from("My Message");
const signResult = await cryptographyClient.signData("RS256", buffer);
console.log("sign result: ", signResult.result);
const verifyResult = await cryptographyClient.verifyData("RS256", buffer, signResult.result);
console.log("verify result: ", verifyResult.result);
function verifyData(algorithm: string, data: Uint8Array, signature: Uint8Array, options?: VerifyOptions): Promise<VerifyResult>
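Parameters
- algorithm
- string
The algorithm to use to verify with.
- data
- Uint8Array
The signed block of data to verify.
- signature
- Uint8Array
The signature to verify the block against.
- options
- VerifyOptions
Additional options.
Returns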
Promise<VerifyResult>
wrapKey(KeyWrapAlgorithm, Uint8Array, WrapKeyOptions)
Wraps the given key using the specified cryptography algorithm.
Example usage:
import { DefaultAzureCredential } from "@azure/identity";
import { KeyClient, CryptographyClient } from "@azure/keyvault-keys";
const credential = new DefaultAzureCredential();
const vaultName = "<YOUR KEYVAULT NAME>";
const url = `https://${vaultName}.vault.azure.net`;
const client = new KeyClient(url, credential);
const myKey = await client.createKey("MyKey", "RSA");
const cryptographyClient = new CryptographyClient(myKey, credential);
const wrapResult = await cryptographyClient.wrapKey("RSA-OAEP", Buffer.from("My Key"));
console.log("wrap result:", wrapResult.result);
function wrapKey(algorithm: KeyWrapAlgorithm, key: Uint8Array, options?: WrapKeyOptions): Promise<WrapResult>
Parameters
- algorithm
- KeyWrapAlgorithm
The encryption algorithm to use to wrap the given key.
- key
- Uint8Array
The key to wrap.
- options
- WrapKeyOptions
Additional options.
Returns
Promise<WrapResult>
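What wrapKey and unwrapKey are typically used for, as an added example that is not part of the SDK documentation: envelope encryption, where a random data-encryption key (DEK) protects the payload and only the wrapped DEK is stored. A locally generated RSA key pair stands in for the vault key so the block runs offline, with `publicEncrypt`/`privateDecrypt` (OAEP padding) playing the role of the wrap and unwrap calls; `envelopeEncrypt` and `envelopeDecrypt` are hypothetical names.

```javascript
// Added example, not from the SDK documentation: envelope encryption with a
// locally generated RSA key pair standing in for the Key Vault key.
const { generateKeyPairSync, randomBytes, createCipheriv, createDecipheriv,
  publicEncrypt, privateDecrypt, constants } = require("node:crypto");

// Constructed key pair for the demo.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
// OAEP with SHA-1, which is Node's default oaepHash.
const oaep = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha1" };

function envelopeEncrypt(plaintext) {
  const dek = randomBytes(32); // random 256-bit data-encryption key, one per message
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", dek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Wrap step: only the wrapped DEK is stored next to the ciphertext.
  const wrappedKey = publicEncrypt({ key: publicKey, ...oaep }, dek);
  dek.fill(0); // drop the plaintext DEK from memory once it is wrapped
  return { wrappedKey, iv, ciphertext, tag };
}

function envelopeDecrypt({ wrappedKey, iv, ciphertext, tag }) {
  // Unwrap step: recover the DEK with the private key.
  const dek = privateDecrypt({ key: privateKey, ...oaep }, wrappedKey);
  try {
    const decipher = createDecipheriv("aes-256-gcm", dek, iv);
    decipher.setAuthTag(tag);
    // final() throws if the ciphertext, IV or tag was modified.
    return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
  } finally {
    dek.fill(0);
  }
}

// Constructed sample message.
const envelope = envelopeEncrypt(Buffer.from("My Message"));
console.log("wrapped key bytes:", envelope.wrappedKey.length);
console.log("decrypted:", envelopeDecrypt(envelope).toString());
```

With a vault-held key, the unwrap step is a call to the service, so access to the payload can be revoked by removing the caller's unwrap permission on the key.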