From 867fd3960d7c901517919fca9408cdc1da49542c Mon Sep 17 00:00:00 2001
From: ianhundere <138915+ianhundere@users.noreply.github.com>
Date: Thu, 21 Nov 2024 09:22:00 -0500
Subject: [PATCH] fix: fixes azurekms.

---
 main.go | 29 ++++++++++++++++++++++-------
 1 file changed, 22 insertions(+), 7 deletions(-)

diff --git a/main.go b/main.go
index 61d93b4..1fbdd53 100644
--- a/main.go
+++ b/main.go
@@ -148,10 +148,11 @@ func initKMS(ctx context.Context, config KMSConfig) (apiv1.KeyManager, error) {
 		}
 		return cloudkms.New(ctx, opts)
 	case "azurekms":
-		opts.URI = fmt.Sprintf("azurekms:///%s?vault-name=%s&tenant-id=%s",
-			config.KeyID,
-			config.Options["vault-name"],
-			config.Options["tenant-id"])
+		opts.URI = fmt.Sprintf("azurekms://%s.vault.azure.net/keys/%s",
+			config.Options["vault-name"], config.KeyID)
+		if config.Options["tenant-id"] != "" {
+			opts.URI += fmt.Sprintf("?tenant-id=%s", config.Options["tenant-id"])
+		}
 		return azurekms.New(ctx, opts)
 	default:
 		return nil, fmt.Errorf("unsupported KMS type: %s", config.Type)
@@ -166,9 +167,15 @@ func createCertificates(km apiv1.KeyManager, rootTemplatePath, intermediateTempl
 		return fmt.Errorf("error parsing root template: %w", err)
 	}
 
-	// Generate root key pair
+	rootKeyName := "sigstore-key"
+	if kmsType == "azurekms" {
+		// Format: azurekms:vault=vault-name;name=key-name
+		rootKeyName = fmt.Sprintf("azurekms:vault=%s;name=%s",
+			kmsVaultName, rootKeyName)
+	}
+
 	rootKey, err := km.CreateKey(&apiv1.CreateKeyRequest{
-		Name:               "root-key",
+		Name:               rootKeyName,
 		SignatureAlgorithm: apiv1.ECDSAWithSHA256,
 	})
 	if err != nil {
@@ -194,8 +201,16 @@ func createCertificates(km apiv1.KeyManager, rootTemplatePath, intermediateTempl
 		return fmt.Errorf("error parsing intermediate template: %w", err)
 	}
 
+	// Update intermediate key naming for Azure KMS
+	intermediateKeyName := "sigstore-key-intermediate"
+	if kmsType == "azurekms" {
+		// Format: azurekms:vault=vault-name;name=key-name
+		intermediateKeyName = fmt.Sprintf("azurekms:vault=%s;name=%s",
+			kmsVaultName, intermediateKeyName)
+	}
+
 	intermediateKey, err := km.CreateKey(&apiv1.CreateKeyRequest{
-		Name:               "intermediate-key",
+		Name:               intermediateKeyName,
 		SignatureAlgorithm: apiv1.ECDSAWithSHA256,
 	})
 	if err != nil {