microsoft / AzureKeyVaultManagedHSMEngine

Azure Key Vault and Managed HSM Engine, compatible with OpenSSL
MIT License

curl getting "bad header" when invoking call to azure keyvault. #19

Open bjvetter opened 1 year ago

bjvetter commented 1 year ago

I am not able to do a simple sign operation as shown in your examples - just get an unknown vault error. I put some debugging instructions in the code and I see that it is getting a bad request error (400). It says the request has an invalid header name.

I then dumped out the headers before the curl request and I see the following 4 (albeit redacted) headers:

```
[d] AkvGetKey curl.c(461) header: Accept: application/json
[d] AkvGetKey curl.c(461) header: Content-Type: application/json
[d] AkvGetKey curl.c(461) header: Authorization: Bearer { "accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3BiYS1wb3J0YWwudmF1bHQuYXp1cmUubmV0LyIsImlzcyI6Imh0dHBz..... -BTK_Wn6zMjKqraHa9u9VmKxY3bu48kYiLg90I3ogND83BdYIVJxH7mcQ9eG6yBCjuQK89Nq-oM5QZnCkItg-HGB_qy7wwyqdDMuIODjftQ68Frn8cAZM3MoMHbjDE9YxXQtEYLcbXlsEewDzhGVvYwgJEY4wd9dctHQ", "expiresOn": "2023-08-28 18:17:29.000000", "tenant": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx", "tokenType": "Bearer" }
```

And the text from the https:// output is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>

I don't know exactly what needs to be in the header or the format of the header. Perhaps the "token type" for the Authorization header? I got that token by grabbing the output this way:

```
AZURE_CLI_ACCESS_TOKEN=`az account get-access-token --output json --tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource https://xxxxxxxxx.vault.azure.net/`
```

(those are single back-ticks - the formatter here is messing with things)

Can someone help me understand what I have done wrong or perhaps the azure key vault/managed hsm has changed things?

Oh, and all I was trying to do is get the public key for the key vault key: `openssl pkey -engine e_akv -inform engine -in "vault:vaultname:keyname" -pubout -text -out /tmp/leafpubkey.pem`
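Added example, not the engine's own code and not from the issue author: a hypothetical pre-flight check that the value placed after `Bearer` is a single RFC 6750 b64token before the header is handed to libcurl, so a token variable that still holds the whole `az account get-access-token --output json` document (quotes, braces, spaces) is rejected locally instead of producing the 400 "invalid header" seen above. The `akv_*` helper names and the sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters permitted in an RFC 6750 b64token (the part after "Bearer "). */
static bool is_b64token_char(char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
           (c >= '0' && c <= '9') || (c != '\0' && strchr("-._~+/", c) != NULL);
}

/* True if tok is a well-formed bearer token: non-empty, only b64token
 * characters, '=' allowed only as trailing padding.  A JSON document,
 * quotes, braces, spaces or newlines all fail, which is exactly what the
 * AZURE_CLI_ACCESS_TOKEN value in this issue contains. */
bool akv_valid_bearer_token(const char *tok)
{
    size_t n = tok ? strlen(tok) : 0;
    size_t i = 0;
    if (n == 0) return false;
    while (i < n && is_b64token_char(tok[i])) i++;
    if (i == 0) return false;
    while (i < n && tok[i] == '=') i++;       /* optional padding */
    return i == n;
}

/* Builds "Authorization: Bearer <tok>" into out.  Returns 0 on success,
 * -1 if the token is malformed or out is too small.  Hypothetical helper
 * meant to run before curl_slist_append() in the engine's curl code. */
int akv_build_auth_header(const char *tok, char *out, size_t outlen)
{
    if (!akv_valid_bearer_token(tok)) return -1;
    int w = snprintf(out, outlen, "Authorization: Bearer %s", tok);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed stand-ins: the raw az CLI JSON vs. the bare accessToken. */
    const char *json_blob = "{ \"accessToken\": \"eyJ0eXAi.e30.sig\", \"tokenType\": \"Bearer\" }";
    const char *bare_jwt  = "eyJ0eXAi.e30.sig";
    char hdr[512];
    printf("json blob accepted: %d\n", akv_build_auth_header(json_blob, hdr, sizeof hdr) == 0);
    printf("bare jwt accepted:  %d\n", akv_build_auth_header(bare_jwt, hdr, sizeof hdr) == 0);
    return 0;
}
```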

bjvetter commented 1 year ago

Is this on the Azure website (https://learn.microsoft.com/en-us/azure/key-vault/general/common-parameters-and-headers):

> The HTTP Host header must always be present and must specify the vault hostname. Example: Host: contoso.vault.azure.net. Note that most client technologies populate the Host header from the URI. For instance, GET https://contoso.vault.azure.net/secrets/mysecret{...} will set the Host as contoso.vault.azure.net. If you access Key Vault using raw IP address like GET https://10.0.0.23/secrets/mysecret{...}, the automatic value of Host header will be wrong, and you'll have to manually ensure that the Host header contains the vault hostname.

I see nothing in the code to create a "host" header, but I believe libcurl will do this automatically.