Description
Describe the bug
az keyvault key sign rejects SHA256 input, encoded as base64url, because of an incorrect size check applied before decoding.
Related command
az keyvault key sign
Errors
(BadParameter) Invalid length of 'value': 43 bytes. ES256 requires 32 bytes, encoded with base64url.
Code: BadParameter
Message: Invalid length of 'value': 43 bytes. ES256 requires 32 bytes, encoded with base64url.
Issue script & Debug output
Step 1: produce a SHA256, encode it to base64url:
$ cat README.md | openssl dgst -sha256 -binary | openssl base64 | sed 's/+/-/g; s,/,_,g; s,=,,g'
X_bj29D-XEwEt8VLg69uT9FNoCDWaUSSiTvVAMjn114
Step 2: try to sign:
$ az keyvault key sign --name $KEY_NAME --vault-name $AKV_NAME --algorithm ES256 --digest X_bj29D-XEwEt8VLg69uT9FNoCDWaUSSiTvVAMjn114
(BadParameter) Invalid length of 'value': 43 bytes. ES256 requires 32 bytes, encoded with base64url.
Code: BadParameter
Message: Invalid length of 'value': 43 bytes. ES256 requires 32 bytes, encoded with base64url.
Expected behavior
I should obtain a signature.
The binary representation of a SHA-256 is 32 bytes, but its base64 representation is necessarily longer, regardless of padding (not generally required for base64url). The size check is incorrectly applied to the base64 representation.
Environment Summary
$ az --version
azure-cli 2.55.0
core 2.55.0
telemetry 1.1.0
Extensions:
aks-preview 0.5.172
confcom 0.3.1
Dependencies:
msal 1.24.0b2
azure-mgmt-resource 23.1.0b2
Python location '/opt/az/bin/python3'
Extensions directory '/home/amchamay/.azure/cliextensions'
Python (Linux) 3.11.5 (main, Nov 29 2023, 03:42:00) [GCC 9.4.0]
Legal docs and information: aka.ms/AzureCliLegal
Your CLI is up-to-date.
Additional context
No response
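The check the report describes, written out in Python as an added example (this is neither azure-cli's code nor the reporter's): the base64url value is decoded first and the decoded byte count is compared with the algorithm's digest size, beside a variant that reproduces the mistake of measuring the encoded text. The `ALGORITHMS` table, the function names and the sample input are assumptions made for this example; it also covers ES384 and ES512 beyond the ES256 case in the report.

```python
import base64
import binascii
import hashlib
import string

# Hash function and raw digest size (bytes) per ECDSA signing algorithm.
# The sizes are the standard SHA-2 output lengths; the table itself is an
# assumption written for this example, not copied from azure-cli.
ALGORITHMS = {
    "ES256": (hashlib.sha256, 32),
    "ES384": (hashlib.sha384, 48),
    "ES512": (hashlib.sha512, 64),
}

_B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url_encode(raw: bytes) -> str:
    """Base64url-encode without trailing '=' padding (RFC 4648 section 5)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(value: str) -> bytes:
    """Decode base64url, accepting input with or without '=' padding.

    The alphabet is checked explicitly because base64.urlsafe_b64decode
    silently discards characters outside the alphabet instead of rejecting them.
    """
    body = value.strip().rstrip("=")
    if not body or any(c not in _B64URL_ALPHABET for c in body):
        raise ValueError("not valid base64url")
    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64url: {exc}") from exc


def digest_b64url(data: bytes, algorithm: str) -> str:
    """Hash data with the algorithm's hash and return the base64url digest,
    i.e. the string one would pass as the --digest value."""
    hash_fn, _ = ALGORITHMS[algorithm]
    return b64url_encode(hash_fn(data).digest())


def check_digest_buggy(value: str, algorithm: str) -> None:
    """The mistake the issue describes: the length check runs on the encoded
    text (43 characters for SHA-256), so every correct input is rejected."""
    _, expected = ALGORITHMS[algorithm]
    if len(value) != expected:
        raise ValueError(
            f"Invalid length of 'value': {len(value)} bytes. "
            f"{algorithm} requires {expected} bytes, encoded with base64url."
        )


def check_digest(value: str, algorithm: str) -> bytes:
    """Correct order: decode first, then compare the raw digest length.
    Returns the raw digest bytes on success."""
    _, expected = ALGORITHMS[algorithm]
    raw = b64url_decode(value)
    if len(raw) != expected:
        raise ValueError(
            f"Invalid length of 'value': {len(raw)} bytes after base64url "
            f"decoding. {algorithm} requires {expected} bytes."
        )
    return raw


def demo(value: str, algorithm: str) -> dict:
    """Run both checks on one value and report what each does."""
    result = {"encoded_len": len(value)}
    try:
        check_digest_buggy(value, algorithm)
        result["buggy"] = "accepted"
    except ValueError as exc:
        result["buggy"] = f"rejected: {exc}"
    try:
        raw = check_digest(value, algorithm)
        result["fixed"] = f"accepted ({len(raw)} raw bytes)"
    except ValueError as exc:
        result["fixed"] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # Constructed sample input; its digest is not the README.md digest from the report.
    sample = b"constructed sample input for the example\n"
    for alg in ALGORITHMS:
        print(alg, demo(digest_b64url(sample, alg), alg))
    # The exact value from the report: 43 characters that decode to 32 bytes.
    print("issue value", demo("X_bj29D-XEwEt8VLg69uT9FNoCDWaUSSiTvVAMjn114", "ES256"))
```

The unpadded lengths are 43, 64 and 86 characters for ES256, ES384 and ES512, so a check on the encoded text can never match 32, 48 or 64; only the decoded length is meaningful. Restoring padding before decoding matters because base64url values are commonly passed without it, as in the report.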