[Key Vault] Add warnings on RSA1_5 and RSA_OAEP encryption algorithms (…

…Azure#48005)

* Add warnings on RSA1_5 and RSA_OAEP algorithms

* Replace REST constants with C# names

* missing '/' in XML see tag

* Chaning missing REST name to property name

* Update samples to use RsaOaep256

* Update code snippets

* Add Obsolete attribute

* Update API

* Revert "Update API"

This reverts commit ae38e80.

* Revert "Add Obsolete attribute"

This reverts commit 88e2a7c.

sdk/keyvault/Azure.Security.KeyVault.Keys/README.md

@@ -283,10 +283,10 @@ var cryptoClient = client.GetCryptographyClient(key.Name, key.Properties.Version
 byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
 
 // encrypt the data using the algorithm RSAOAEP
-EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
+EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext);
 
 // decrypt the encrypted data.
-DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
+DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext);
 ```
 
 ### Create a key asynchronously

sdk/keyvault/Azure.Security.KeyVault.Keys/samples/Sample4_EncryptDecrypt.md

@@ -45,7 +45,7 @@ Note that RSA encryption algorithms have no chaining so they can only encrypt a
 
 ```C# Snippet:KeysSample4EncryptKey
 byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
-EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
+EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext);
 Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}");
 ```
 
@@ -54,7 +54,7 @@ Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm},
 Now decrypt the encrypted data. Note that the same algorithm must always be used for both encrypt and decrypt.
 
 ```C# Snippet:KeysSample4DecryptKey
-DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
+DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext);
 Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}");
 ```
 

sdk/keyvault/Azure.Security.KeyVault.Keys/src/Cryptography/EncryptionAlgorithm.cs

@@ -37,12 +37,26 @@ public EncryptionAlgorithm(string value)
         }
 
         /// <summary>
+        /// <para>
+        /// <b>[Not recommended]</b>
         /// Gets an RSA1_5 <see cref="EncryptionAlgorithm"/>.
+        /// </para><para>
+        /// Microsoft recommends using <see cref="EncryptionAlgorithm.RsaOaep256"/> or stronger algorithms for enhanced security.
+        /// Microsoft does <b>not</b> recommend <see cref="EncryptionAlgorithm.Rsa15"/>, which is included solely for backwards compatibility.
+        /// Cryptographic standards no longer consider RSA with the PKCS#1 v1.5 padding scheme secure for encryption.
+        /// </para>
         /// </summary>
         public static EncryptionAlgorithm Rsa15 { get; } = new EncryptionAlgorithm(Rsa15Value);
 
         /// <summary>
+        /// <para>
+        /// <b>[Not recommended]</b>
         /// Gets an RSA-OAEP <see cref="EncryptionAlgorithm"/>.
+        /// </para><para>
+        /// Microsoft recommends using <see cref="EncryptionAlgorithm.RsaOaep256"/> or stronger algorithms for enhanced security.
+        /// Microsoft does <b>not</b> recommend <see cref="EncryptionAlgorithm.RsaOaep"/>, which is included solely for backwards compatibility.
+        /// <see cref="EncryptionAlgorithm.RsaOaep"/> utilizes SHA1, which has known collision problems.
+        /// </para>
         /// </summary>
         public static EncryptionAlgorithm RsaOaep { get; } = new EncryptionAlgorithm(RsaOaepValue);
 

sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecrypt.cs

@@ -44,12 +44,12 @@ public void EncryptDecryptSync()
 
             #region Snippet:KeysSample4EncryptKey
             byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
-            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
+            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext);
             Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}");
             #endregion
 
             #region Snippet:KeysSample4DecryptKey
-            DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
+            DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext);
             Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}");
             #endregion
 

sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/Sample4_EncryptDecryptAsync.cs

@@ -47,11 +47,11 @@ public async Task EncryptDecryptAsync()
             byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
 
             // First encrypt the data using RSAOAEP with the created key.
-            EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep, plaintext);
+            EncryptResult encryptResult = await cryptoClient.EncryptAsync(EncryptionAlgorithm.RsaOaep256, plaintext);
             Debug.WriteLine($"Encrypted data using the algorithm {encryptResult.Algorithm}, with key {encryptResult.KeyId}. The resulting encrypted data is {Convert.ToBase64String(encryptResult.Ciphertext)}");
 
             // Now decrypt the encrypted data. Note that the same algorithm must always be used for both encrypt and decrypt
-            DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
+            DecryptResult decryptResult = await cryptoClient.DecryptAsync(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext);
             Debug.WriteLine($"Decrypted data using the algorithm {decryptResult.Algorithm}, with key {decryptResult.KeyId}. The resulting decrypted data is {Encoding.UTF8.GetString(decryptResult.Plaintext)}");
 
             // The Cloud RSA Key is no longer needed, need to delete it from the Key Vault.

sdk/keyvault/Azure.Security.KeyVault.Keys/tests/samples/SampleSnippets.cs

@@ -187,10 +187,10 @@ public void EncryptDecrypt()
             byte[] plaintext = Encoding.UTF8.GetBytes("A single block of plaintext");
 
             // encrypt the data using the algorithm RSAOAEP
-            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep, plaintext);
+            EncryptResult encryptResult = cryptoClient.Encrypt(EncryptionAlgorithm.RsaOaep256, plaintext);
 
             // decrypt the encrypted data.
-            DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep, encryptResult.Ciphertext);
+            DecryptResult decryptResult = cryptoClient.Decrypt(EncryptionAlgorithm.RsaOaep256, encryptResult.Ciphertext);
             #endregion
         }