
[BUG] Failure importing EC-HSM Keypair into a HSM Keyvault


Describe the bug

Some inconsistency in the SDK leads to the impossibility of importing an existing SECP256K1 keypair into an HSM-enabled Azure Keyvault, due to:

  1. an EC-HSM JsonWebKey can not hold a private key (code proving it is next)
  2. inconsistency when checking the validity of a JsonWebKey: the isValid() method returns true, but the call to the HSM results in a 400 error code, "key must be valid".

Exception or Stack Trace

1.

JSON WEB KEY:is valid? false

2.

JSON WEB KEY:is valid? true
com.microsoft.azure.keyvault.models.KeyVaultErrorException: Status code 400, {"error":{"code":"BadParameter","message":"The property \"key\" must be a valid JsonWebKey object."}}

To Reproduce

Use the following Maven dependencies:

        <dependency>
            <groupId>com.microsoft.azure</groupId>
            <artifactId>azure-keyvault</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>com.microsoft.azure</groupId>
            <artifactId>azure-keyvault-cryptography</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>com.microsoft.azure</groupId>
            <artifactId>azure-keyvault-extensions</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>com.microsoft.azure</groupId>
            <artifactId>azure-keyvault-core</artifactId>
            <version>1.2.1</version>
        </dependency>
        <dependency>
            <groupId>com.microsoft.azure</groupId>
            <artifactId>azure-keyvault-webkey</artifactId>
            <version>1.2.1</version>
        </dependency>

Generate an Ethereum Keypair (secp256k1 curve) and try to add it to an HSM-enabled Keyvault as EC-HSM keys using this SDK.

Code Snippet 1.

        import java.security.Security;

        import org.bouncycastle.crypto.params.ECDomainParameters;
        import org.bouncycastle.crypto.params.ECPrivateKeyParameters;
        import org.bouncycastle.crypto.params.ECPublicKeyParameters;
        import org.bouncycastle.jce.ECNamedCurveTable;
        import org.bouncycastle.jce.provider.BouncyCastleProvider;
        import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;
        import org.bouncycastle.util.BigIntegers;

        import com.microsoft.azure.keyvault.webkey.JsonWebKey;
        import com.microsoft.azure.keyvault.webkey.JsonWebKeyCurveName;
        import com.microsoft.azure.keyvault.webkey.JsonWebKeyType;

        // Register BouncyCastle so the secp256k1 named curve is available.
        Security.addProvider(new BouncyCastleProvider());
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("secp256k1");
        ECDomainParameters domain = new ECDomainParameters(spec.getCurve(), spec.getG(), spec.getN());
        // prefixedPubKey is the SEC1-encoded public point that decodePoint() expects; keypair holds the private scalar.
        ECPublicKeyParameters publicKeyParams = new ECPublicKeyParameters(spec.getCurve().decodePoint(prefixedPubKey),
                domain);
        ECPrivateKeyParameters privateKeyParams = new ECPrivateKeyParameters(keypair.getPrivateKey(), domain);

        // getEncoded() on a field element is already the fixed-width (32-byte) form a JWK coordinate needs.
        // BigInteger.toByteArray() is not: it may prepend a 0x00 sign byte or drop leading zero bytes,
        // so d is encoded unsigned and fixed-width instead.
        JsonWebKey jwk = new JsonWebKey().withKty(JsonWebKeyType.EC_HSM).withCrv(new JsonWebKeyCurveName("SECP256K1"))
                .withX(publicKeyParams.getQ().getAffineXCoord().getEncoded())
                .withY(publicKeyParams.getQ().getAffineYCoord().getEncoded())
                .withD(BigIntegers.asUnsignedByteArray(32, privateKeyParams.getD()))
                .withKeyOps(keyOps);

        LOG.debug("JSON WEB KEY:is valid? {}", jwk.isValid());

        if (!jwk.isValid()) {
            LOG.error("!! INVALID KEY !!");
            return null;
        }

I adapted the fromEC() method of the JsonWebKey class because I wanted to use EC-HSM as kty instead of EC. The result shows !! INVALID KEY !!, which is strange: how to import a key that could sign without the private key? (And there is no way to recover the private key from the public key, of course.)

        Security.addProvider(new BouncyCastleProvider());
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("secp256k1");
        ECDomainParameters domain = new ECDomainParameters(spec.getCurve(), spec.getG(), spec.getN());
        ECPublicKeyParameters publicKeyParams = new ECPublicKeyParameters(spec.getCurve().decodePoint(prefixedPubKey),
                domain);
        ECPrivateKeyParameters privateKeyParams = new ECPrivateKeyParameters(keypair.getPrivateKey(), domain);

        // Same JsonWebKey as in snippet 1, but with the private scalar left out.
        JsonWebKey jwk = new JsonWebKey().withKty(JsonWebKeyType.EC_HSM).withCrv(new JsonWebKeyCurveName("SECP256K1"))
                .withX(publicKeyParams.getQ().getAffineXCoord().getEncoded())
                .withY(publicKeyParams.getQ().getAffineYCoord().getEncoded())
                // .withD(privateKeyParams.getD().toByteArray())
                .withKeyOps(keyOps);

        LOG.debug("JSON WEB KEY:is valid? {}", jwk.isValid());

        if (!jwk.isValid()) {
            LOG.error("!! INVALID KEY !!");
            return null;
        }

        // ImportKeyRequest.Builder from azure-keyvault: vault base URL, key name and the JWK; withHsm(true) targets the HSM.
        Builder builder = new Builder(URL_BASE, keyName, jwk).withHsm(true)
                .withAttributes(new KeyAttributes().withEnabled(true));

        this.client.importKey(builder.build());

Only the private key addition is commented out. Strange that after that, the validity check passes but the call to the Keyvault does not…

JSON WEB KEY:is valid? true
com.microsoft.azure.keyvault.models.KeyVaultErrorException: Status code 400, {"error":{"code":"BadParameter","message":"The property \"key\" must be a valid JsonWebKey object."}}

Expected behavior

I would have expected to be able to add the keypair (private + public) into the HSM.

Setup (please complete the following information):

  • OS: Ubuntu 16.04 LTS
  • IDE: Visual Studio Code
  • Version: 1.2.1

Additional context

None

Information Checklist

Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
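As an added illustration (not code from the issue or from the Azure SDK), the following Python models the two byte encodings at play in the snippets above: the minimal two's-complement form Java's BigInteger.toByteArray() produces, which the snippet used for d, versus the fixed 32-byte unsigned form RFC 7518 requires for JWK x, y and d. It includes a minimal secp256k1 scalar multiplication so the coordinates are derived from a constructed private scalar; the curve name and the EC versus EC-HSM handling of d follow the issue text, and the service's own validation rules are not modelled.

```python
import base64

# secp256k1 domain parameters (public curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p1, p2):  # affine addition on y^2 = x^3 + 7; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point=G):  # double-and-add: public point Q = k*G for private scalar k
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result

def java_to_byte_array(n):  # mirrors BigInteger.toByteArray(): minimal two's-complement, 1 to 33 bytes
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def fixed_width(n, size=32):  # unsigned fixed-length big-endian, as RFC 7518 requires for x, y and d
    return n.to_bytes(size, "big")

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_jwk(d, kty="EC", include_private=True):  # JWK fields as serialised; EC-HSM case omits d
    x, y = scalar_mult(d)
    jwk = {"kty": kty, "crv": "SECP256K1",
           "x": b64url(fixed_width(x)), "y": b64url(fixed_width(y))}
    if include_private:
        jwk["d"] = b64url(fixed_width(d))
    return jwk
```

For a 256-bit scalar with its top bit set, java_to_byte_array() yields 33 bytes with a leading 0x00, and for a small scalar fewer than 32; only fixed_width() yields the 32 bytes a JWK consumer expects.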

Top GitHub Comments

joshfree commented, Jul 23, 2020

This issue is being investigated this week and next by @vcolin7

/cc @schaabs @AlexGhiondea as fyi

kurtzeborn commented, Apr 19, 2019

Thank you for opening this issue! We are routing it to the appropriate team for follow up.
