Azure / azure-sdk-for-js

This repository is for active development of the Azure SDK for JavaScript (NodeJS & Browser). For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/javascript/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-js.

Unable to unwrap a key which was wrapped using key-vault API separately #30125

Open snehasish967 opened 1 week ago

snehasish967 commented 1 week ago

Describe the bug

CryptographyClient.unwrapKey from @azure/keyvault-keys is not able to unwrap a key which was wrapped using the Azure API. It throws the error "Unable to decrypt specified value with this key". However, if I use cryptographyClient.wrapKey to wrap the key (say it gives wrappedDEKLib), the unwrapping works fine.

To Reproduce

Steps to reproduce the behavior:

  1. Create a random string of 96 characters (e.g. 1a4cc8e6699527506...), let's call it orgDEK.
  2. Wrap orgDEK with a master key (say masterKey of type RSA, 2048-bit) and RSA1_5 algorithm, using wrapKey API of Azure Key-vault, let's say the result is wrappedDEK (342 characters).
  3. Try to unwrap wrappedDEK with CryptographyClient.unwrapKey, like the following:

    const { CryptographyClient } = require('@azure/keyvault-keys');

    // masterKey, azureCredential and keyVaultApiVersion are defined elsewhere in the reporter's code
    const cryptographyClient = new CryptographyClient(masterKey, azureCredential, {
        serviceVersion: keyVaultApiVersion
    });
    // wrappedDEK is the 342-character string returned by the Key Vault REST wrapKey call
    const unwrappedDEK = await cryptographyClient.unwrapKey('RSA1_5', Buffer.from(wrappedDEK));

Expected behavior

wrappedDEK should be unwrapped (unwrappedDEK) to give back orgDEK.

Additional context

Note: Buffer.from(wrappedDEK) gives a buffer of 342 bytes; however, wrappedDEKLib.result is a buffer of 256 bytes. This is the StackOverflow question which corresponds to this issue.

github-actions[bot] commented 1 week ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @jlichwa @RandalliLama @schaabs.

timovv commented 1 week ago

Hi @snehasish967, thank you for opening this issue. To help my understanding, would you be able to explain in a little more detail how you are calling the wrapKey API when not using the SDK? The wrapped key value comes back from the service base64url-encoded. The SDK handles converting to and from raw bytes and the Base64 representation for you, but you won't get this functionality if you are calling the API directly. If you pass the Base64-encoded string you get from the REST API to the SDK without decoding it, things won't work as you would expect. Base64-encoded data takes up more bytes than the number of bytes in the underlying data, which would explain the discrepancy you are seeing.

Can you try using Buffer.from(wrappedDEK, "base64") when creating the buffer from the value you get from the REST API? This would decode the Base64 string properly into the underlying bytes.

github-actions[bot] commented 1 week ago

Hi @snehasish967. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

github-actions[bot] commented 5 days ago

Hi @snehasish967, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!