0

I am using Azure key vault for creating and storing my Secp256k1 keys. I am also using the sign API for getting my input string signed. I am working on a Secp256K1 blockchain network.These are steps I follow to get the signature in Golang.

  1. Converting my Hex string into Byte[]
  2. Sha256 of this Byte[]
  3. RawURL encoding of this Sha.
b64.RawURLEncoding.EncodeToString(sha)
  1. Sending this to Key vault for signature.
  2. Decoding the response using RawURLEncoding.
b64.RawURLEncoding.DecodeString(*keyOpsResp.Result)
  1. Doing Hex of the []Byte array returned from 5th Step.
  2. Sending the signature to the blockchain.

The problem I am facing is that signature is invalid sometimes. As in 2/5 times it works and other times signature verification fails. I am thinking there is some special chars or padding thing that I am missing. How can I resolve this?

PS: Azure uses non-deterministic signatures where as chains usually use deterministic signs. I did some reading and found out that for verification it does not matter both could be verified successfully. Let me know if I am wrong.

Jaswinder Singh
  • 31
  • 1
  • 4
  • Are you using Base64 encoding or Bsae64URL encoding? I see in the code that you are B64 then RawURL encoding but I don't know if that achieves the objective. – Matt Small Dec 08 '21 at 20:00

1 Answers1

0

• Since you are using base64 encode RawURL for encoding purposes, you can check whether the following parts are included in the token request for the keyvault signature validation. They are as follows: -

  1. aud (audience): The resource of the token. Notice that this is https://vault.azure.net. This token will NOT work for any resource that does not explicitly match this value, such as graph.
  2. iat (issued at): The number of ticks since the start of the epoch when the token was issued.
  3. nbf (not before): The number of ticks since the start of the epoch when this token becomes valid.
  4. exp (expiration): The number of ticks since the start of the epoch when this token expires.
  5. appid (application ID): The GUID for the application ID making this request.
  6. tid (tenant ID): The GUID for the tenant ID of the principal making this request. It is important that all the values be properly identified in the token for the request to work

• Also, please check the size of the block that is dependent on the target key and the algorithm to be used for validation of signature. In that, please check the ‘decryptParameters’, ‘algorithm’ and ‘ciphertext’ parameter for the returns that are displayed after the decrypt operation during signature validation.

Please find the below links for more details: -

https://learn.microsoft.com/en-us/java/api/com.azure.security.keyvault.keys.cryptography.cryptographyasyncclient.decrypt?view=azure-java-stable

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9