
I'm building an XML document signature API backed by Azure Key Vault (AKV).

I have an asymmetric certificate imported into AKV, which is stored as [Key, Secret and Certificate].

I've managed to sign the document, but I think that I'm not getting the right key.

The Java XML Digital Signature API needs a key pair (private/public) to get some info.

I've modified a provider that I found here, and now the signature process is called from AKV instead of the Java implementation.

The thing is, when I get a Key from AKV, only the public key comes back. The private key is stored as a Secret, and I run into trouble when I try to convert the value into an instance of PrivateKey.

How can I convert the SecretBundle value into an instance of java.security.PrivateKey?

Thanks in advance.

Jason Aller
DTodt

1 Answer


Below is how I had converted the Secret into a certificate file. You might be able to convert that into Java.

# Fetch the secret that backs the certificate. For an imported PFX its value is the
# base64-encoded PKCS#12 blob (private key + certificate chain), exported without a password.
$kvSecret = Get-AzureKeyVaultSecret -VaultName 'VaultFromCode' -Name 'TestCertificate'
$kvSecretBytes = [System.Convert]::FromBase64String($kvSecret.SecretValueText)
# Import the PKCS#12 bytes into a certificate collection. The Exportable flag is required
# so that the private key can be exported again below.
$certCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certCollection.Import($kvSecretBytes,$null,[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
# Re-export as a password-protected PFX ('test' is the PFX password) and write it to disk.
$protectedCertificateBytes = $certCollection.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, 'test')
$pfxPath = 'C:\cert\test.pfx'
[System.IO.File]::WriteAllBytes($pfxPath, $protectedCertificateBytes)

You can find more details in my post - Manage Certificates in Azure Key Vault. You can also find some details on Exportable and Non-Exportable certificates in Key Vault and how those can be used to sign a PDF file.

Hope that helps

Rahul P Nath
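The question asks for Java and the answer above shows the same conversion in PowerShell, so here is the Java side as an added example (not code from the question, the answer or the linked provider). It assumes what Key Vault actually stores in the secret that backs a certificate: with content type application/x-pkcs12 the value is a base64-encoded PKCS#12 blob with an empty password, and with application/x-pem-file it is PEM text containing a PKCS#8 "PRIVATE KEY" block plus the certificate. The class name, the KeyMaterial holder and the KV_SECRET_VALUE / KV_SECRET_CONTENT_TYPE environment variables in main are this example's own; in the question's setup the two strings would come from SecretBundle.value() and SecretBundle.contentType().

```java
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Enumeration;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Example (not from the original post): turn a Key Vault certificate secret into a java.security.PrivateKey. */
public final class KeyVaultSecretToPrivateKey {

    /** Holder for what the XML DSig API needs: the signing key and the certificate for the KeyInfo. */
    public static final class KeyMaterial {
        public final PrivateKey privateKey;
        public final X509Certificate certificate;
        KeyMaterial(PrivateKey k, X509Certificate c) { privateKey = k; certificate = c; }
    }

    /** Dispatch on the secret's content type; anything other than PEM is treated as PKCS#12. */
    public static KeyMaterial fromSecret(String secretValue, String contentType) throws Exception {
        if ("application/x-pem-file".equalsIgnoreCase(contentType)) {
            return fromPem(secretValue);
        }
        return fromPkcs12(secretValue);
    }

    /** application/x-pkcs12: base64 of a PFX that Key Vault exports with an empty (not null) password. */
    static KeyMaterial fromPkcs12(String base64Pkcs12) throws Exception {
        byte[] pfx = Base64.getDecoder().decode(base64Pkcs12);
        char[] emptyPassword = new char[0];
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(pfx), emptyPassword);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                PrivateKey key = (PrivateKey) ks.getKey(alias, emptyPassword);
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                return new KeyMaterial(key, cert);
            }
        }
        // A non-exportable certificate policy leaves no private key in the secret at all.
        throw new IllegalStateException("PKCS#12 blob contains no private key entry (non-exportable certificate?)");
    }

    private static final Pattern PEM_BLOCK =
        Pattern.compile("-----BEGIN ([A-Z ]+)-----\\s*([^-]+)-----END \\1-----");

    /** application/x-pem-file: PKCS#8 "PRIVATE KEY" block plus the "CERTIFICATE" block. */
    static KeyMaterial fromPem(String pem) throws Exception {
        PrivateKey key = null;
        X509Certificate cert = null;
        Matcher m = PEM_BLOCK.matcher(pem);
        while (m.find()) {
            byte[] der = Base64.getMimeDecoder().decode(m.group(2)); // MIME decoder skips line breaks
            if ("PRIVATE KEY".equals(m.group(1))) {
                key = decodePkcs8(der);
            } else if ("CERTIFICATE".equals(m.group(1))) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(der));
            }
            // "RSA PRIVATE KEY" (PKCS#1) is not what Key Vault emits and would need an ASN.1 parser.
        }
        if (key == null || cert == null) {
            throw new IllegalStateException("PEM is missing the PRIVATE KEY or CERTIFICATE block");
        }
        return new KeyMaterial(key, cert);
    }

    /** PKCS#8 carries the algorithm OID inside the wrapper, so try the factories Key Vault can produce. */
    static PrivateKey decodePkcs8(byte[] der) throws Exception {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        for (String alg : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm, try the next one
            }
        }
        throw new InvalidKeySpecException("PKCS#8 key is neither RSA nor EC");
    }

    public static void main(String[] args) throws Exception {
        // Example-only input: in the real API these two strings are SecretBundle.value()
        // and SecretBundle.contentType() returned by the Key Vault client.
        String value = System.getenv("KV_SECRET_VALUE");
        String type = System.getenv("KV_SECRET_CONTENT_TYPE");
        KeyMaterial km = fromSecret(value, type);
        System.out.println(km.privateKey.getAlgorithm() + " private key for "
                + km.certificate.getSubjectX500Principal());
    }
}
```

Two things to check before wiring this into the signing provider. First, the Secret only contains a private key when the certificate's policy is marked exportable; for a non-exportable certificate the PKCS#12 carries the certificate alone and the loop above finds no key entry, which is by design: signing then has to go through the Key Vault key's sign operation, as the question's modified provider already does. Second, reading the Secret requires the secrets/get permission and pulls the private key out of the vault into the application's memory, so only grant it to the identity that really needs the raw key, and prefer the remote sign operation wherever the XML DSig API can be satisfied with just the certificate and a KeyVault-backed Signature implementation.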