Closed JustinGrote closed 2 years ago
This tool downloads the cert and the private key to the local machine.
No, it doesn't. It specifically calls SignerSignEx3, which is described in this blog post: https://vcsjones.dev/azure-signtool/.
I can verify this because multiple people have certified that they created an HSM-backed key vault in Azure Key Vault and gotten EV Code Signing certificates signed in https://github.com/vcsjones/AzureSignTool/issues/112#issuecomment-889104676. Given that EV code signing certificates require the inability to export the private key, and multiple CISSPs have affirmed that this is HSM-backed, I can safely affirm that this tool does not download the private key to the local machine.
My bad! I must have read the code incorrectly; I just never saw it use the sign API call to the Azure Key Vault. How does the signing work without access to the private key and without using the signing API then? Let me investigate some more and I'll reopen if I see an issue. Thanks for the feedback.
The actual "signing" by AzureSignTool is done with the RSAKeyVaultProvider nuget package. AzureSign.Core doesn't care what the actual RSA implementation is. It just accepts an RSA type. As long as the object can do RSA signing, it will use it. AzureSignTool, the CLI, uses that package since it glues RSA and Azure together.
@vcsjones so the actual signing process doesn't require access to the private key? What am I missing here? How does the signing interact with Azure Key Vault at an API call level?
EDIT: Disregard, I see that the RSAKeyVaultProvider does the actual signing work, and it does in fact use the sign API. Cool beans.
so the actual signing process doesn't require access to the private key? What am I missing here? How does the signing interact with Azure Key Vault at an API call level?
Ultimately what is happening is AzureSignTool (by way of RSAKeyVaultProvider) uses CryptographyClient.Sign from the Azure SDK.
We are saying, "Hey KeyVault, here is a digest. Please sign it." KeyVault then signs the digest and gives back a signature.
Azure KeyVault of course has access to the private key. But it never leaves Azure KeyVault. We don't see it, and as @judge2020 pointed out, it still works even if your key in Key Vault forbids exporting the private key.
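The pattern described in the comment above (an RSA object whose private operation is a Key Vault sign call on a digest, while the public half is held locally), shown as an added C# example. This is not RSAKeyVaultProvider's or AzureSignTool's code; it is a minimal illustration written for this thread. The class name KeyVaultRsa, the vault URL and the key name "codesign" are assumptions, and it assumes the Azure.Security.KeyVault.Keys and Azure.Identity packages.

```csharp
using System;
using System.Security.Cryptography;
using Azure.Identity;
using Azure.Security.KeyVault.Keys;
using Azure.Security.KeyVault.Keys.Cryptography;

// Hypothetical RSA wrapper (not RSAKeyVaultProvider's implementation) that forwards
// the private-key operation to Key Vault. Only the public key is ever held locally,
// which is why a non-exportable, HSM-backed key still works.
public sealed class KeyVaultRsa : RSA
{
    private readonly CryptographyClient _crypto;
    private readonly RSA _publicOnly;

    public KeyVaultRsa(KeyClient keys, string keyName)
    {
        KeyVaultKey key = keys.GetKey(keyName);
        // For a non-exportable key the JWK carries only modulus and exponent.
        _publicOnly = key.Key.ToRSA(includePrivateParameters: false);
        _crypto = new CryptographyClient(key.Id, new DefaultAzureCredential());
        KeySizeValue = _publicOnly.KeySize;
    }

    public override RSAParameters ExportParameters(bool includePrivateParameters)
    {
        if (includePrivateParameters)
            throw new CryptographicException("The private key lives in Key Vault and cannot be exported.");
        return _publicOnly.ExportParameters(false);
    }

    public override void ImportParameters(RSAParameters parameters) =>
        throw new NotSupportedException("Keys are created in Key Vault, not imported.");

    // Authenticode (SignerSignEx3) hands the signer a digest, not the file.
    // Only that digest crosses the wire; Key Vault returns the raw RSA signature.
    public override byte[] SignHash(byte[] hash, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding)
    {
        SignResult result = _crypto.Sign(Map(hashAlgorithm, padding), hash);
        return result.Signature;
    }

    // Verification needs only the public key, so do it locally and avoid a round trip.
    public override bool VerifyHash(byte[] hash, byte[] signature, HashAlgorithmName hashAlgorithm, RSASignaturePadding padding) =>
        _publicOnly.VerifyHash(hash, signature, hashAlgorithm, padding);

    // Needed so that RSA.SignData (hash locally, then SignHash) works on this wrapper.
    protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm)
    {
        using IncrementalHash h = IncrementalHash.CreateHash(hashAlgorithm);
        h.AppendData(data, offset, count);
        return h.GetHashAndReset();
    }

    // Map .NET hash/padding choices onto the JWA names Key Vault expects.
    private static SignatureAlgorithm Map(HashAlgorithmName h, RSASignaturePadding p)
    {
        bool pss = p == RSASignaturePadding.Pss;
        if (h == HashAlgorithmName.SHA256) return pss ? SignatureAlgorithm.PS256 : SignatureAlgorithm.RS256;
        if (h == HashAlgorithmName.SHA384) return pss ? SignatureAlgorithm.PS384 : SignatureAlgorithm.RS384;
        if (h == HashAlgorithmName.SHA512) return pss ? SignatureAlgorithm.PS512 : SignatureAlgorithm.RS512;
        throw new CryptographicException($"Unsupported hash algorithm: {h.Name}");
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _publicOnly.Dispose();
        base.Dispose(disposing);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Vault URL and key name are placeholders for this example.
        var keys = new KeyClient(new Uri("https://my-vault.vault.azure.net/"), new DefaultAzureCredential());
        using var rsa = new KeyVaultRsa(keys, "codesign");

        byte[] payload = new byte[] { 0x4D, 0x5A, 0x90, 0x00 }; // constructed sample input
        byte[] sig = rsa.SignData(payload, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        bool ok = rsa.VerifyData(payload, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"signature bytes: {sig.Length}, verifies locally: {ok}");
    }
}
```

The identity used by DefaultAzureCredential only needs the key "sign" permission (plus "get" on the certificate so the signer can embed the public cert); it never needs secret permissions, and the wrapper throws rather than attempting a private-key export.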
Right, it was that part I was missing, I misinterpreted one of the calls as downloading the PFX bundle and not using the sign api. Thanks for the clarification
Are the permissions suggested in https://github.com/vcsjones/AzureSignTool/blob/main/WALKTHROUGH.md broader than what is needed? Ideally one would configure the Azure Key Vault such that a client can't access the secret, right? But the permissions as listed there to me look as if one is actually giving permissions to get the secret?
This tool downloads the cert and the private key to the local machine. Is it possible to use the Azure Sign API so the private key never leaves the Key Vault?