当密钥也被区块链使用时,如何在 Azure Key Vault 中使用椭圆曲线 SECP256K1 密钥 [英] How to work with elliptic curve SECP256K1 key in Azure Key Vault when the key is used also by a blockchain
问题描述
我想知道如何在 Azure Key Vault 中使用 SECP256K1 密钥,同时在区块链上创建帐户也需要密钥.
I'm wondering how to work with SECP256K1 keys within Azure Key Vault when at the same time the key is also required for account creation on a blockchain.
必须达到的目标
- 生成 SECP256K1 密钥对
- 使用公钥在区块链上创建账户
- 将私钥存储到 Key Vault 并将其用于签名目的
尝试 #1 - 生成外部密钥保管库并导入
我在 Key Vault 外生成了 SECP256K1 密钥对.因此,我有可以作为字符串使用的私钥和公钥.我的想法是在 Azure SDK for .NET wia 的帮助下将私钥导入到 Key Vault 中,代码如下(使用的 ECParameters 来自 Microsoft.Azure.KeyVault.WebKey.ECParameters 命名空间):
I have generated SECP256K1 key pair outside Key Vault. As a result I have private key and public key available as strings. My idea was to import the private key to Key Vault with help of Azure SDK for.NET wia following piece of code (ECParameters used are from Microsoft.Azure.KeyVault.WebKey.ECParameters namespace):
//this part of code is taken from https://www.scottbrady91.com/C-Sharp/JWT-Signing-using-ECDSA-in-dotnet-Core
var privateKeyBytes = Encoding.UTF8.GetBytes(privateKey);
var privateKeyInt =
new Org.BouncyCastle.Math.BigInteger(+1, privateKeyBytes);
var parameters = SecNamedCurves.GetByName("secp256k1");
var ecPoint = parameters.G.Multiply(privateKeyInt);
var privateKeyX = ecPoint.Normalize().XCoord.ToBigInteger()
.ToByteArrayUnsigned();
var privateKeyY = ecPoint.Normalize().YCoord.ToBigInteger()
.ToByteArrayUnsigned();
//the following part is my code
var ecParameters = new ECParameters();
ecParameters.Curve = "P-256K";
ecParameters.X = privateKeyX;
ecParameters.Y = privateKeyY;
ecParameters.D = privateKeyBytes;
var key = new JsonWebKey(ecParameters);
JsonWebKeyVerifier.Options options =
JsonWebKeyVerifier.Options.DenyIncompatibleOperations
| JsonWebKeyVerifier.Options.DenyExtraneousFields;
string error = (string) null;
JsonWebKeyVerifier.VerifyByKeyType(key, options, ref error);
await client.ImportKeyWithHttpMessagesAsync(vaultBaseUri, name, key);
导入的结果键看起来像这样(从 Visual Studio 变量视图复制,也许它被缩短了):
The resulting key for import looks like this (copied from Visual Studio variable view, maybe it's shortened):
{
"kty": "EC",
"crv": "P-256K",
"x": "vSUHj6deEhPI6QeILgfgf2I7VTgmiDon_5nsss560OA",
"y": "DK8DnzEOv57arN6f4Wou-vXkty7uje0n2xTHgGAehp8",
"d": "NUpoaEEzWTFVYXBKNWZuRWZNUkVxZkpKY29LWGdMcHpFUnVNQ2E2Wjd0YkNhY2NpQ3N5"
}
尽管 JsonWebKeyVerifier 没有返回错误并且对 key.IsValid() 的调用返回 true,但对 Key Vault 的调用失败并显示 HTTP 400 错误请求.我已打开 Key Vault 实例的登录功能,并在那里显示以下日志(ID、用户名、IP 地址和 GUID 是有意更改的,我不确定什么是机密;我可以按需提供):
Although JsonWebKeyVerifier returns no error and a call to key.IsValid() returns true, the call to Key Vault failed with HTTP 400 Bad Request. I have turn on logging on Key Vault instance and following log appears there (id, username, IP addresses and GUIDs are changed intentionally, I'm not sure what is confidential; I can provide them on demand):
{
"time": "2018-11-28T16:28:05.2034585Z",
"category": "AuditEvent",
"operationName": "KeyImport",
"resultType": "Success",
"resultDescription": "EC key is not valid - cannot instantiate crypto service.",
"correlationId": "5682a894-0150-484f-a398-6922efed4458",
"callerIpAddress": "XX.XX.XXX.XXX",
"identity": {
"claim": {
"http://schemas.microsoft.com/identity/claims/objectidentifier": "00000000-0000-0000-0000-000000000000",
"appid": "00000000-0000-0000-0000-000000000000",
"http://schemas.microsoft.com/identity/claims/scope": "user_impersonation",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn": "xxx.xxxxxx@xxxxxxxx.com",
"ipaddr": "XX.XX.XXX.XXX",
"http://schemas.microsoft.com/claims/authnmethodsreferences": "pwd"
}
},
"properties": {
"id": "https://xxxxxxx.vault.azure.net/keys/testJK1",
"clientInfo": "FxVersion/4.6.27019.06 OSName/Windows OSVersion/Microsoft.Windows.10.0.17134. Microsoft.Azure.KeyVault.KeyVaultClient/3.0.2.0",
"httpStatusCode": 400,
"requestUri": "https://xxxxxxxx.vault.azure.net/keys/testJK1?api-version=7.0",
"isAccessPolicyMatch": true,
"keyProperties": {
"type": "EC"
}
},
"resourceId": "/SUBSCRIPTIONS/00000000-0000-0000-0000-000000000000/RESOURCEGROUPS/XXXXXX-RG/PROVIDERS/MICROSOFT.KEYVAULT/VAULTS/XXXXXXX",
"operationVersion": "7.0",
"resultSignature": "Bad Request",
"durationMs": "259"
}
尝试 #2 - 在密钥保管库内生成并导出
即使我能够在 Key Vault 中生成 SECP256K1 EC 密钥,我也没有找到如何导出其公钥部分.
Even if I'm able to generate SECP256K1 EC key within Key Vault, I didn't find how to export its public key part.
编辑 11/23/2018
Azure Key Vault 上的 GetKey 方法返回包含 X 和 Y 坐标的 JsonWebKey.
GetKey method on Azure Key Vault returns JsonWebKey that contains X and Y coordinates.
问题
- 是否可以通过 Azure SDK for .NET 导入 SECP256K1 密钥?如果是,您能给我提供一个工作示例的链接吗?
- 在尝试将密钥导入 Key Vault 时,我是否在代码中做错了什么/不足?
- 是否可以从 Key Vault 导出 SECP256K1 公钥?
- 您对如何完成前面描述的成就还有其他想法吗?
编辑 11/29/2018
- 有没有办法根据 X 和 Y 坐标构造公钥(最好在 .NET 世界中)?
提前致谢.
问候,扬
PS:我最初将这个问题发布在 Azure Key Vault 博客,但这里的受众可能要广泛得多.一旦得到答复,我将链接两个来源,
PS: I originally posted this question on Azure Key Vault blog, but here is probably much broader audience. I'll link both sources once it will be answered,
推荐答案
为了解决类似的情况,我使用 Putty Key Generator 生成了一个 openssh pem 格式的密钥对,我可以使用以下代码将其导入 KeyVault.
In order to solve a similar scenario, I had an openssh pem format key pair generated using Putty Key Generator which I was able to import into KeyVault using the following code.
var client = new KeyClient(new Uri("https://myKeyVault.vault.azure.net"), new ClientSecretCredential("tenantid", "clientid", "clientSecret"));
var key = ECDsa.Create();
key.ImportFromPem(@"-----BEGIN EC PARAMETERS-----
....
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
...
-----END EC PRIVATE KEY-----
");
JsonWebKey jwk = new JsonWebKey(key, true);
await client.ImportKeyAsync("MyKey", jwk);
您需要设置应用注册并在 Key Vault 中创建访问策略,以便能够按照此处所述进行导入https://www.c-sharpcorner.com/blogs/fetching-secrets-from-key-vault-in-net-console-app
You'll need to setup an app registration and create an access policy in the key vault in order to be able to do the import as described here https://www.c-sharpcorner.com/blogs/fetching-secrets-from-key-vault-in-net-console-app
这篇关于当密钥也被区块链使用时,如何在 Azure Key Vault 中使用椭圆曲线 SECP256K1 密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
