[Keyvault] az keyvault key: sign and verify#29476
Closed
Conversation
It's not possible to provide data to az keyvault key sign and verify as found in Azure#27631, Azure#28027

We now allow for valid base64 data to be given as digest.

```
$ az keyvault key sign -a RS256 --digest @<(openssl dgst -binary -sha256 bar | base64) --id https://kvfrigo.vault.azure.net/keys/rsaex/0f322aba7573435a96acfba86b521c35
Algorithm    KeyId                                                                          Signature
-----------  -----------------------------------------------------------------------------  ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
RS256        https://kvfrigo.vault.azure.net/keys/rsaex/0f322aba7573435a96acfba86b521c35  e7Wi7PCouEo8ZNlY1dL3IgDm8E63bc8ZE9VW0GQHglHPJjKGHpi9D0MfRFHZXCOHrRAas6JBz0iO5yJBuH+cczMpl+9+lFWNSi7I1efIrPS2NOlrtdhOCI5qLT/nWh++CvRh1+R2iCpVD1uxCkL9sjDwi6k5B+7ySkk9ikUGHG463TFq8/Oftk+mSlNBCd5j3wsva1BOTT1h9qY9eyHZCY319oVRM0jD92jtF2DNu0HF92uhUC8PT/6gjPd6vQtAWxF1LR7KLMx2zCxN9e7aV3bQXtKA4/KMYekE143IY2nMft+XNZ+DT7OIi0TT1ufwdNNjpUk/9LovN+XwYz1p+A==
$ az keyvault key verify -a RS256 --digest @<(openssl dgst -binary -sha256 bar | base64) --id https://kvfrigo.vault.azure.net/keys/rsaex/0f322aba7573435a96acfba86b521c35 --signature e7Wi7PCouEo8ZNlY1dL3IgDm8E63bc8ZE9VW0GQHglHPJjKGHpi9D0MfRFHZXCOHrRAas6JBz0iO5yJBuH+cczMpl+9+lFWNSi7I1efIrPS2NOlrtdhOCI5qLT/nWh++CvRh1+R2iCpVD1uxCkL9sjDwi6k5B+7ySkk9ikUGHG463TFq8/Oftk+mSlNBCd5j3wsva1BOTT1h9qY9eyHZCY319oVRM0jD92jtF2DNu0HF92uhUC8PT/6gjPd6vQtAWxF1LR7KLMx2zCxN9e7aV3bQXtKA4/KMYekE143IY2nMft+XNZ+DT7OIi0TT1ufwdNNjpUk/9LovN+XwYz1p+A==
Algorithm    IsValid    KeyId
-----------  ---------  -----------------------------------------------------------------------------
RS256        True       https://kvfrigo.vault.azure.net/keys/rsaex/0f322aba7573435a96acfba86b521c35
$ az keyvault key download --id https://kvfrigo.vault.azure.net/keys/rsaex/0f322aba7573435a96acfba86b521c35 -f rsa.pub
$ openssl dgst -verify rsa.pub -sha256 -signature <(echo e7Wi7PCouEo8ZNlY1dL3IgDm8E63bc8ZE9VW0GQHglHPJjKGHpi9D0MfRFHZXCOHrRAas6JBz0iO5yJBuH+cczMpl+9+lFWNSi7I1efIrPS2NOlrtdhOCI5qLT/nWh++CvRh1+R2iCpVD1uxCkL9sjDwi6k5B+7ySkk9ikUGHG463TFq8/Oftk+mSlNBCd5j3wsva1BOTT1h9qY9eyHZCY319oVRM0jD92jtF2DNu0HF92uhUC8PT/6gjPd6vQtAWxF1LR7KLMx2zCxN9e7aV3bQXtKA4/KMYekE143IY2nMft+XNZ+DT7OIi0TT1ufwdNNjpUk/9LovN+XwYz1p+A== | base64 -d) ./bar
Verified OK
```

This also works for EC keys, however openssl is not able to verify these keys so there is some other bug.

```
$ az keyvault key sign -a ES256 --digest @<(openssl dgst -binary -sha256 bar | base64) --id https://kvfrigo.vault.azure.net/keys/ecex/68ab9b9141524362bf10fb96e0158414
Algorithm    KeyId                                                                         Signature
-----------  ----------------------------------------------------------------------------  ----------------------------------------------------------------------------------------
ES256        https://kvfrigo.vault.azure.net/keys/ecex/68ab9b9141524362bf10fb96e0158414  pj9a96b0En6/NbHSeRupa0cz26NicpgiUYRCQYXYikU5bPmaloJhDddkjFqxXUI9DaBLCZRI954UP1i9fGN8kA==
$ az keyvault key verify -a ES256 --digest @<(openssl dgst -binary -sha256 bar | base64) --id https://kvfrigo.vault.azure.net/keys/ecex/68ab9b9141524362bf10fb96e0158414 --signature pj9a96b0En6/NbHSeRupa0cz26NicpgiUYRCQYXYikU5bPmaloJhDddkjFqxXUI9DaBLCZRI954UP1i9fGN8kA==
Algorithm    IsValid    KeyId
-----------  ---------  ----------------------------------------------------------------------------
ES256        True       https://kvfrigo.vault.azure.net/keys/ecex/68ab9b9141524362bf10fb96e0158414
$ az keyvault key download --id https://kvfrigo.vault.azure.net/keys/ecex/68ab9b9141524362bf10fb96e0158414 -f ec.pub
$ openssl ec -pubin -in ec.pub -text -noout
read EC key
Public-Key: (256 bit)
pub:
    04:83:8f:93:9a:74:c3:0a:39:9d:f4:e5:27:f9:19:
    cd:42:71:1a:5e:c4:87:76:8b:6a:06:19:d3:60:73:
    9f:66:8c:28:1c:ea:d1:1e:f4:c2:c9:90:48:79:85:
    a7:27:c6:ff:46:df:36:01:ce:3b:2e:db:1a:c1:a2:
    68:3e:5e:d8:c5
ASN1 OID: prime256v1
NIST CURVE: P-256
$ openssl dgst -verify ec.pub -sha256 -signature <(echo pj9a96b0En6/NbHSeRupa0cz26NicpgiUYRCQYXYikU5bPmaloJhDddkjFqxXUI9DaBLCZRI954UP1i9fGN8kA== | base64 -d) ./bar
Error verifying data
```
Hi @freedge,
Thank you for your contribution freedge! We will review the pull request and get back to you soon.
(for the ecdsa verification this is due to https://github.com/Azure/azure-sdk-for-python/blob/c20cdc581cfb16052ebfec8a233b3fd4b73e4542/sdk/keyvault/azure-keyvault-keys/azure/keyvault/keys/crypto/_internal/_internal.py#L104-L116 , openssl just uses a different format to encode the signature and we need a few lines of python to convert it)
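As an added example (not code from this PR, the Azure CLI, or the Azure SDK file linked in the comment above), here is the conversion that comment describes. Key Vault returns ECDSA signatures as the fixed-width concatenation r||s (the JWS / IEEE P1363 form, 32+32 bytes for ES256), while `openssl dgst -verify` expects the ASN.1 DER encoding `SEQUENCE { INTEGER r, INTEGER s }`. The script converts in both directions with only the standard library, handles the two DER edge cases (leading zeros are stripped, and a 0x00 byte is prepended when the top bit is set so the integer is not read as negative), and uses the ES256 signature printed in the PR description as sample input. The function names and the output file name `ec.sig.der` are my own choices.

```python
import base64

# ES256 signature printed by `az keyvault key sign` in the PR description above
# (raw r||s, 64 bytes once base64-decoded).
KEYVAULT_ES256_SIG_B64 = (
    "pj9a96b0En6/NbHSeRupa0cz26NicpgiUYRCQYXYikU5bPmaloJhDddkjFqxXUI9"
    "DaBLCZRI954UP1i9fGN8kA=="
)


def _der_length(n: int) -> bytes:
    """ASN.1 DER length octets: short form below 128, long form otherwise (needed for ES512)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(unsigned: bytes) -> bytes:
    """DER INTEGER for an unsigned big-endian value: minimal encoding, non-negative."""
    value = unsigned.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:          # top bit set would mean "negative" in DER
        value = b"\x00" + value
    return b"\x02" + _der_length(len(value)) + value


def raw_to_der(raw: bytes) -> bytes:
    """Fixed-width r||s (Key Vault / JWS form) -> DER SEQUENCE { INTEGER r, INTEGER s }."""
    if len(raw) == 0 or len(raw) % 2:
        raise ValueError("raw signature must be r||s with equal-length halves")
    half = len(raw) // 2
    body = _der_integer(raw[:half]) + _der_integer(raw[half:])
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER tag-length-value at pos; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return value, pos + length


def der_to_raw(der: bytes, coord_size: int) -> bytes:
    """Inverse: DER signature -> r||s, each half left-padded to coord_size bytes."""
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_tlv(seq, 0, 0x02)
    s, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("trailing bytes inside SEQUENCE")
    out = b""
    for part in (r, s):
        part = part.lstrip(b"\x00")   # drop the sign byte / leading zeros again
        if len(part) > coord_size:
            raise ValueError("integer wider than the curve coordinate size")
        out += part.rjust(coord_size, b"\x00")
    return out


def keyvault_b64_to_der(sig_b64: str) -> bytes:
    """Base64 as printed by `az keyvault key sign` -> DER bytes for `openssl dgst -verify`."""
    return raw_to_der(base64.b64decode(sig_b64))


if __name__ == "__main__":
    der = keyvault_b64_to_der(KEYVAULT_ES256_SIG_B64)
    with open("ec.sig.der", "wb") as f:   # hypothetical output name
        f.write(der)
    print(f"wrote {len(der)} DER bytes; now run: "
          "openssl dgst -verify ec.pub -sha256 -signature ec.sig.der ./bar")
```

Run the script in the directory holding `ec.pub` and `bar` from the session above, then repeat the failing `openssl dgst -verify` with `-signature ec.sig.der` instead of the raw base64-decoded bytes. For ES384 use `der_to_raw(..., 48)`; for ES512 (P-521) use 66, where the long-form length encoding in `_der_length` actually comes into play.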
Related command
az keyvault key sign, verify
Description
az keyvault key sign, verify, are unusable today as described in multiple bugs
Testing Guide
see commit message