This repository has been archived by the owner on May 5, 2023. It is now read-only.

Incompatible signing algorithm for azure-keyvault #4603

Closed
mralbertchen opened this issue Jan 29, 2019 · 5 comments

@mralbertchen

Not sure if this is the SDK's issue but I'm getting this error:

Error: Key and signing algorithm are incompatible. Key <my-key> uses curve 'SECP256K1', and algorithm 'ES256K' can only be used with curve 'P-256K'.

My understanding is that SECP256K1 is P-256K.

https://docs.microsoft.com/en-us/azure/key-vault/about-keys-secrets-and-certificates

@jimthematrix

Any update? I'm getting the same error.

  • in key vault, added a key using EC and curve SECP256K1
  • calling the sign endpoint with a curl request like this:
curl -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{"alg":"ES256K","value":"abc"}' https://<vault-name>.vault.azure.net/keys/<key-name>/<key-version>/sign?api-version=7.0

and got:

{
  "error": {
    "code": "BadParameter",
    "message": "Key and signing algorithm are incompatible. Key https://photic-kv-test.vault.azure.net/keys/eth-signing-key-1/3c63feb0d41d458b9c02c8d23a6b3e88 uses curve 'SECP256K1', and algorithm 'ES256K' can only be used with curve 'P-256K'."
  }
}

@amarzavery amarzavery added KeyVault customer-reported This issue was reported by a customer. labels May 7, 2019
@schaabs
Member

schaabs commented May 8, 2019

@mralbertchen @jimthematrix Thanks for reporting this issue. SECP256K1 was a curve name we had originally used while EC keys were in preview, and we renamed the curve to P-256K. You are right that these two are just different names for the same curve, and the service should allow the call.

@msfcolombo Could you please take a look at this error?

@msfcolombo
Contributor

Keys created with the preview curve name SECP256K1 can only be signed with the preview algorithm name, which happens to be ECDSA256 (not ES256K). It's just a name change. Internally they do the exact same thing.

Therefore, you have two possible fixes:

  • Recreate or reimport the key, this time using the supported curve name P-256K, and keep using the ES256K algorithm; or
  • Change the algorithm name replacing ES256K by ECDSA256. This allows using keys created with SECP256K1 curve name. Again, it's just a name change - the internal algorithm is the same.

In case you have to support keys with the preview curve name, it's recommended to plan a migration to standard names. Since the names SECP256K1 and ECDSA256 are non-standard and undocumented, they might be unsupported in future protocol versions and other products that implement the Key Vault protocol.
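
One way a client could pick the algorithm name from the key's curve name and flag preview-named keys for migration, following the two fixes described in the comment above. This is an added example, not code from the SDK or from anyone in this thread; the key bundle shape, the vault URL and the digest are constructed, and the ES256/ES384/ES512 pairings are Key Vault's standard names rather than something stated in this issue.

```javascript
// Added example, not SDK code. Curve name -> algorithm name accepted by the sign endpoint.
const CURVE_TO_ALG = new Map([
  ["P-256",  { alg: "ES256",  digestBytes: 32, legacy: false }],
  ["P-256K", { alg: "ES256K", digestBytes: 32, legacy: false }],
  ["P-384",  { alg: "ES384",  digestBytes: 48, legacy: false }],
  ["P-521",  { alg: "ES512",  digestBytes: 64, legacy: false }],
  // Preview-era curve name from this thread: same curve as P-256K, but such
  // keys only accept the preview algorithm name ECDSA256.
  ["SECP256K1", { alg: "ECDSA256", digestBytes: 32, legacy: true }],
]);

function toBase64Url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// keyBundle: assumed shape of a "get key" response, { key: { kid, kty, crv } }.
// digest: Buffer with the precomputed hash of the message to sign.
function buildSignRequest(keyBundle, digest) {
  const jwk = keyBundle && keyBundle.key;
  if (!jwk || !["EC", "EC-HSM"].includes(jwk.kty)) {
    throw new Error("sign request needs an EC key");
  }
  const entry = CURVE_TO_ALG.get(jwk.crv);
  if (!entry) {
    throw new Error(`no known signing algorithm for curve '${jwk.crv}'`);
  }
  if (!Buffer.isBuffer(digest) || digest.length !== entry.digestBytes) {
    throw new Error(`${entry.alg} expects a ${entry.digestBytes}-byte digest`);
  }
  return {
    url: `${jwk.kid}/sign?api-version=7.0`,
    body: { alg: entry.alg, value: toBase64Url(digest) },
    // true: key still uses preview names; plan to recreate it as P-256K.
    needsMigration: entry.legacy,
  };
}

// Constructed sample input: placeholder vault, key name and version.
const sampleKid = "https://example-vault.vault.azure.net/keys/example-key/0000";
const legacyKey = { key: { kid: sampleKid, kty: "EC", crv: "SECP256K1" } };
const renamedKey = { key: { kid: sampleKid, kty: "EC", crv: "P-256K" } };
const sampleDigest = Buffer.alloc(32, 0xfb); // constructed stand-in for a SHA-256 digest

console.log(buildSignRequest(legacyKey, sampleDigest));
console.log(buildSignRequest(renamedKey, sampleDigest).body.alg);
```

Logging `needsMigration` per key gives an inventory of keys that still depend on the undocumented preview names.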

@jimthematrix

I got it working using ECDSA256 as the algo name, in the place of ES256K. Just FYI.

@mozehgir
Collaborator

Looks like the issue has been fixed as the above user got it working. If the error persists, feel free to re-open this issue in the azure-sdk-for-js repository.
