[API Proposal]: Provide means to construct a CoseSign1Message with private key in Azure Key Vault #110431
Comments
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
You can use Azure Key Vault to sign a COSE message by using something like this:

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Cose;
using Azure.Core;
using Azure.Security.KeyVault.Keys.Cryptography;

TokenCredential credential = default; // Get a credential to AKV
CryptographyClient client = new(new Uri("key/id", UriKind.RelativeOrAbsolute), credential);

// RSA instance whose private-key operations are performed by Key Vault; no key material is downloaded
using RSA rsaKeyVault = await client.CreateRSAAsync();

CoseSigner signer = new(rsaKeyVault, RSASignaturePadding.Pkcs1, HashAlgorithmName.SHA256);
byte[] signedCoseMessage = CoseSign1Message.SignEmbedded("hello world"u8, signer);
```

With the following package dependencies:

```xml
<PackageReference Include="Azure.Security.KeyVault.Keys" Version="4.7.0" />
<PackageReference Include="System.Security.Cryptography.Cose" Version="9.0.0" />
```
Thanks @vcsjones. I didn't realize that support for using RSA keys in AKV existed. I didn't see a way to do it using elliptic curve cryptography/ECDsa. The scenario we have (as shown in the CCF links above) is to cose sign messages with secp384r1 elliptic curve key pairs. Can that be done?
The Azure SDK did not appear to finish the ECDSA part of the implementation. Azure/azure-sdk-for-net#36069. Perhaps @heaths could be convinced to re-open the ECDSA pull request and eventually merge it. In the mean time, you can do this yourself. This is generally the expected design of how other cryptographic implementations are supported in COSE as well as other formats like CMS. Whether it be from Azure Key Vault, a custom implementation of the algorithm, or similar, implementing the base type of the cryptographic algorithm is the supported way to do this.
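The following is an added illustration of the approach described in the previous comment (implement the `ECDsa` base type yourself); it is not code from this thread, from the .NET runtime, or from the Azure SDK. `DelegatingECDsa` holds no private key and forwards `SignHash`/`VerifyHash` to delegates; `ForKeyVaultP384` wires those delegates to `CryptographyClient.Sign`/`Verify` with `SignatureAlgorithm.ES384`, and `Main` uses a locally generated P-384 key as a constructed stand-in for the HSM so the example runs offline. It assumes the same `Azure.Security.KeyVault.Keys` and `System.Security.Cryptography.Cose` packages as above, a C# 11 compiler for the `u8` literal, and that Key Vault returns EC signatures as the fixed-size r||s concatenation that `ECDsa.SignHash` is expected to produce (check that a P-384 signature comes back as 96 bytes before relying on it).

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Cose;
using Azure.Security.KeyVault.Keys.Cryptography;

// ECDsa implementation that holds no private key: every private-key operation is
// forwarded to a delegate, e.g. an Azure Key Vault CryptographyClient.
public sealed class DelegatingECDsa : ECDsa
{
    private readonly Func<byte[], byte[]> _signHash;          // digest -> r||s signature
    private readonly Func<byte[], byte[], bool> _verifyHash;  // (digest, r||s) -> valid?

    public DelegatingECDsa(int keySizeBits, Func<byte[], byte[]> signHash, Func<byte[], byte[], bool> verifyHash)
    {
        _signHash = signHash ?? throw new ArgumentNullException(nameof(signHash));
        _verifyHash = verifyHash ?? throw new ArgumentNullException(nameof(verifyHash));
        // CoseSigner sizes the signature buffer from KeySize (2 * ceil(KeySize / 8) bytes),
        // so it must match the curve: 384 for secp384r1 gives a 96-byte r||s signature.
        KeySizeValue = keySizeBits;
        LegalKeySizesValue = new[] { new KeySizes(keySizeBits, keySizeBits, 0) };
    }

    // Wrapper over a key stored in Key Vault. Assumed: the key is an EC P-384 key and Key Vault
    // returns the signature as r||s, which is what ECDsa.SignHash must return. Key Vault signs the
    // caller-supplied digest, so no key material ever leaves the HSM.
    public static DelegatingECDsa ForKeyVaultP384(CryptographyClient client) =>
        new DelegatingECDsa(384,
            digest => client.Sign(SignatureAlgorithm.ES384, digest).Signature,
            (digest, sig) => client.Verify(SignatureAlgorithm.ES384, digest, sig).IsValid);

    // The COSE library hashes the Sig_structure itself and then calls SignHash/VerifyHash,
    // so these two overrides are all it needs from a custom ECDsa.
    public override byte[] SignHash(byte[] hash) => _signHash(hash);
    public override bool VerifyHash(byte[] hash, byte[] signature) => _verifyHash(hash, signature);

    // Lets SignData/VerifyData work as well; the base class leaves hashing to the derived type.
    protected override byte[] HashData(byte[] data, int offset, int count, HashAlgorithmName hashAlgorithm)
    {
        using IncrementalHash h = IncrementalHash.CreateHash(hashAlgorithm);
        h.AppendData(data, offset, count);
        return h.GetHashAndReset();
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed stand-in for the HSM so the example runs offline: a locally generated P-384
        // key plays the role of Key Vault. Against a real vault use ForKeyVaultP384(client) instead.
        using ECDsa hsmKey = ECDsa.Create(ECCurve.NamedCurves.nistP384);
        using ECDsa publicOnly = ECDsa.Create(hsmKey.ExportParameters(false));

        using var remote = new DelegatingECDsa(384,
            digest => hsmKey.SignHash(digest),                // ECDsa.SignHash returns r||s
            (digest, sig) => hsmKey.VerifyHash(digest, sig));

        // SHA-384 selects COSE algorithm ES384 (-35). CoseSigner does not inspect the curve, so
        // pairing the digest size with the key's curve is the caller's responsibility.
        var signer = new CoseSigner(remote, HashAlgorithmName.SHA384);
        byte[] cose = CoseSign1Message.SignEmbedded("hello world"u8, signer);

        // Anyone holding only the public key can verify the embedded-payload message.
        CoseSign1Message decoded = CoseSign1Message.DecodeSign1(cose);
        int alg = decoded.ProtectedHeaders[CoseHeaderLabel.Algorithm].GetValueAsInt32();
        bool valid = decoded.VerifyEmbedded(publicOnly);
        Console.WriteLine($"alg={alg} valid={valid}");
    }
}
```

The point of the split between `DelegatingECDsa` and the two delegates is that the COSE code never learns where the key lives: swapping the local stand-in for `ForKeyVaultP384(client)` changes nothing on the signing side. To verify a message produced against a real vault, fetch the public key separately (for example via `KeyClient.GetKey` and `JsonWebKey.ToECDsa()`) rather than exporting it from the wrapper, which intentionally exposes no parameters.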
IIRC, no one was asking for it at the time so it'd have been an unnecessary cost. If people are interested, @jsquire may consider reopening it. I'm no longer on the Azure SDK for .NET team, focusing instead on the Rust SDK.
Thanks! I'll try out this approach.
Thanks for the heads-up, @heaths. I agree that we haven't seen strong enough demand at present to warrant the investment. But it does seem worth opening a discussion issue that we can link from this thread so that we have a place to collect feedback. @JonathanCrd: Would you please open an issue in the Azure SDK for .NET repository marked as "design-discussion" and link to it here? //fyi: @chlowell, @sandeep-sen
CC me as well. I seem to recall there was a technical issue I discovered that made initial costs even higher compared to RSA (which was requested by a number of customers) but I'd have to dig through email and Teams threads.
I have opened an issue in the Azure SDK for .NET repo to keep track of the discussion: Azure/azure-sdk-for-net#47515
Background and motivation
When using Azure Key Vault (AKV) HSM to store private keys as per https://microsoft.github.io/CCF/main/governance/hsm_keys.html we need a mechanism to create sign1 embedded messages similar to the steps laid down at https://microsoft.github.io/CCF/main/governance/hsm_keys.html#cose-signing. With the .NET Cose APIs it's not possible to do such an orchestration where the private key to sign the message is not locally available but in AKV and the client wants to use AKV APIs to sign the data.
API Proposal
Can take inspiration from create_cose_sign1_prepare and create_cose_sign1_finish patterns.
API Usage
NA
Alternative Designs
No response
Risks
No response