Azure / azure-cli

Azure Command-Line Interface
MIT License

Key Vault: Elliptic curve name incompatible when using Azure CLI for importing keys. #18462

Open stigvoss opened 3 years ago

stigvoss commented 3 years ago

Describe the bug

When importing an elliptic curve key of the type SECP256K1 (it might also be the case for other types, but I have only tested this type) into a Key Vault through the Azure CLI, the Elliptic curve name is set to a value which is incompatible with the Azure.Security.KeyVault.Cryptography and Azure.Security.KeyVault.Keys libraries.

Importing the key through Azure.Security.KeyVault.Keys using a KeyClient or creating a P-256K key directly through the Key Vault, the Elliptic curve name will be set as P-256K, but when using the Azure CLI, the type will be set as SECP256K1.

Both P-256K and SECP256K1 refer to the same curve.

When using the Key Vault to perform operations with the ES256K algorithm through Azure.Security.KeyVault.Keys.Cryptography using the key, an exception will be thrown with the following error message:

Key and signing algorithm are incompatible. Key uses curve 'SECP256K1', and algorithm 'ES256K' can only be used with curve 'P-256K'.

To Reproduce

Generating a key:

openssl ecparam -name secp256k1 -genkey -noout -out private_key.pem

Importing the key through Azure CLI:

az keyvault key import --curve P-256K --kty EC --pem-file private_key.pem --vault-name <name> --name private_key

Importing the key through Azure.Security.KeyVault.Keys:

using System.IO;
using System.Security.Cryptography;
using Azure.Security.KeyVault.Keys;

// Load the secp256k1 private key generated with openssl above.
ECDsa ecdsa = ECDsa.Create();
string pemContent = File.ReadAllText("private_key.pem");
ecdsa.ImportFromPem(pemContent);

// Import it as a JSON Web Key; the SDK sets the curve name to P-256K.
KeyClient keyClient = new KeyClient(uri, credential);
keyClient.ImportKey("private_key", new JsonWebKey(ecdsa));

The following code will throw an exception on the second line if the key was imported using Azure CLI:

using Azure.Security.KeyVault.Keys.Cryptography;

CryptographyClient cryptographyClient = new CryptographyClient(keyId, credential);
// Throws when the stored key's curve name is SECP256K1 instead of P-256K.
cryptographyClient.Sign(SignatureAlgorithm.ES256K, hashedData);

Expected behavior

A valid SignResult without any exceptions thrown as when the key is imported through Azure.Security.KeyVault.Keys.

Environment summary

All .NET runs with:

.NET 5.0 SDK @ 5.0.301
Azure.Identity @ 1.4.0
Azure.Security.KeyVault.Keys @ 4.1.0

Ubuntu 20.04 Desktop:

az --version
azure-cli                         2.24.2

Windows 10 20H2:

az --version
azure-cli                         2.24.2

Ubuntu 20.04 on Windows 10 20H2 using WSL1:

az --version
azure-cli                         2.24.0 *

Additional context
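An added check, not code from this issue or from the azure-cli project, that parses an ECPrivateKey PEM like the one generated in the reproduction into the JWK an SDK-style import sends, and applies the curve-name rule behind the error message above; the DER sample, the alias table and the function names are this example's own assumptions:

```python
import base64

# DER-encoded curve OID value bytes -> the JWK "crv" name Key Vault's crypto API expects.
OID_TO_CRV = {
    bytes.fromhex("2b8104000a"): "P-256K",       # 1.3.132.0.10, secp256k1
    bytes.fromhex("2a8648ce3d030107"): "P-256",  # 1.2.840.10045.3.1.7, prime256v1
}
CRV_ALIASES = {"SECP256K1": "P-256K"}  # name the CLI wrote, per the report -> accepted name
ALG_TO_CRV = {"ES256K": "P-256K", "ES256": "P-256", "ES384": "P-384", "ES512": "P-521"}

def _tlv(buf, pos):  # read one DER tag/length/value; return (tag, value, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def ec_pem_to_jwk(pem):  # RFC 5915 ECPrivateKey PEM -> JWK dict with crv, x, y, d
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    _, body, _ = _tlv(base64.b64decode(b64), 0)  # outer SEQUENCE
    _, _, pos = _tlv(body, 0)         # INTEGER version (1)
    _, d, pos = _tlv(body, pos)       # OCTET STRING: private scalar
    _, params, pos = _tlv(body, pos)  # [0] EXPLICIT namedCurve OID
    _, oid, _ = _tlv(params, 0)
    _, pub, _ = _tlv(body, pos)       # [1] EXPLICIT BIT STRING public point
    _, point, _ = _tlv(pub, 0)
    point = point[1:]                 # drop the unused-bits byte
    assert point[0] == 0x04, "uncompressed point expected"
    half = (len(point) - 1) // 2
    return {"kty": "EC", "crv": OID_TO_CRV[oid], "x": b64url(point[1:1 + half]),
            "y": b64url(point[1 + half:]), "d": b64url(d)}

def check_algorithm(jwk, alg):  # the rule from the error: crv must equal the algorithm's curve
    crv, want = jwk["crv"], ALG_TO_CRV[alg]
    if crv == want:
        return True, ""
    if CRV_ALIASES.get(crv) == want:
        return False, f"curve '{crv}' is an alias of '{want}'; re-import the key so crv is '{want}'"
    return False, f"Key uses curve '{crv}', and algorithm '{alg}' can only be used with curve '{want}'."

# Constructed sample: DER ECPrivateKey with placeholder scalar and point bytes (not a real key pair).
D, X, Y = bytes([0x11]) * 32, bytes([0x22]) * 32, bytes([0x33]) * 32
DER = (b"\x30\x74\x02\x01\x01\x04\x20" + D + b"\xa0\x07\x06\x05\x2b\x81\x04\x00\x0a"
       + b"\xa1\x44\x03\x42\x00\x04" + X + Y)
SAMPLE_PEM = ("-----BEGIN EC PRIVATE KEY-----\n" + base64.encodebytes(DER).decode()
              + "-----END EC PRIVATE KEY-----\n")
```

Running `check_algorithm` over the `key` object returned by `az keyvault key show` for each EC key flags the ones imported with the SECP256K1 name before a signing call fails.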

yonzhan commented 3 years ago

keyvault