AzureSignTool
ECDSA Support
Azure Key Vault seems to (finally) support ECDSA. We should support it, but the docs are scant on it and I don't see an announcement.

Update: Azure Key Vault won't let me import / create an ECDSA certificate. Though the error message seems to indicate they will have it soon. That taken in with the SDK changes leaves me hopeful this will be sooner rather than later.
Hi,
I know we can get EC Certificates in Azure Key Vault using the REST API or using the Az PowerShell module, although cannot generate them from the portal yet.
See MS KB. Verified this works for non-Code-Signing keys. Will update after testing with an ECC signing key.
@vcsjones
While EC keys can be generated now, the tool can't use them. Will look into further later.
trce: AzureSignTool.Program[0]
Retrieving certificate KeyVault-TestSign-Test-CodeSigning.
trce: AzureSignTool.Program[0]
Acquiring access token from client id
trce: AzureSignTool.Program[0]
Acquired access token from client id
trce: AzureSignTool.Program[0]
Retrieved certificate KeyVault-TestSign-Test-CodeSigning.
trce: AzureSignTool.Program[0]
Creating context
Unhandled Exception: System.AggregateException: One or more errors occurred. (Object reference not set to an instance of an object.) ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.Azure.KeyVault.KeyVaultContext..ctor(KeyVaultClient client, KeyIdentifier keyIdentifier, X509Certificate2 publicCertificate) in C:\projects\rsakeyvaultprovider\RSAKeyVaultProvider\KeyVaultContext.cs:line 38
at AzureSignTool.Program.<>c__DisplayClass0_1.<<Main>b__5>d.MoveNext() in D:\a\1\s\src\AzureSignTool\Program.cs:line 235
--- End of inner exception stack trace ---
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at Microsoft.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args)
at AzureSignTool.Program.Main(String[] args) in D:\a\1\s\src\AzureSignTool\Program.cs:line 306
@garrett-wood I think there is a bug in Windows' SignerSignEx3 preventing ECDSA from fully working, but it's been a while since I fully looked at it. It reported success (HRESULT = S_OK) but the actual signature was all zeros. That was 2/3 years ago though... perhaps Windows has improved that.
I was able to wrap a block to determine whether the key was RSA or ECDsa, but there seems to be another issue (probably SignerSignEx3, as you note), because while the certificates are successfully attached, the signature is empty.
https://github.com/leemeyrick/AzureSignTool/commit/e682340b60188bcf3422d027831c064765243400 - not sure if you want it as a PR?
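As an added example that is not AzureSignTool's own code or the commit linked above: C# that branches on the certificate's key type with the .NET GetRSA*/GetECDsa* accessors, signs with the matching algorithm, and fails loudly on the all-zero signature described two comments up. The self-signed certificates, subject names and payload are constructed for the example; real use would substitute the Key Vault-backed key.

```csharp
// Added example (not AzureSignTool's code): decide whether a certificate's key is RSA or
// ECDsa the way .NET exposes it, sign a buffer with the matching algorithm, and reject an
// all-zero signature, the SignerSignEx3 symptom described in this thread.
// Uses self-signed test certificates generated in memory so it runs without Key Vault.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class KeyKind
{
    public static string Describe(X509Certificate2 cert)
    {
        // GetRSAPublicKey / GetECDsaPublicKey return null when the key is of another type.
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            if (rsa != null) return "RSA-" + rsa.KeySize;
        }
        using (ECDsa ecdsa = cert.GetECDsaPublicKey())
        {
            if (ecdsa != null) return "ECDsa-" + ecdsa.KeySize;
        }
        throw new NotSupportedException("Unsupported key algorithm OID " + cert.PublicKey.Oid.Value);
    }

    // Sign with whichever private key the certificate carries and sanity-check the result.
    public static byte[] Sign(X509Certificate2 cert, byte[] data)
    {
        byte[] sig;
        using (RSA rsa = cert.GetRSAPrivateKey())
        using (ECDsa ecdsa = rsa == null ? cert.GetECDsaPrivateKey() : null)
        {
            if (rsa != null)
                sig = rsa.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            else if (ecdsa != null)
                sig = ecdsa.SignData(data, HashAlgorithmName.SHA256);
            else
                throw new InvalidOperationException("certificate has no usable private key");
        }
        // A signer that reports success but emits zeros looks like success unless checked.
        if (sig.All(b => b == 0))
            throw new CryptographicException("signature is all zeros; treat the signing call as failed");
        return sig;
    }

    // Constructed test certificate with the Code Signing EKU (1.3.6.1.5.5.7.3.3).
    static X509Certificate2 SelfSigned(string subject, AsymmetricAlgorithm key)
    {
        CertificateRequest req = key is RSA r
            ? new CertificateRequest(subject, r, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            : new CertificateRequest(subject, (ECDsa)key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.3") }, false));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    static void Main()
    {
        byte[] payload = System.Text.Encoding.ASCII.GetBytes("constructed test payload");
        using (RSA rsaKey = RSA.Create(3072))
        using (ECDsa ecKey = ECDsa.Create(ECCurve.NamedCurves.nistP256))
        using (X509Certificate2 rsaCert = SelfSigned("CN=Test RSA CodeSigning", rsaKey))
        using (X509Certificate2 ecCert = SelfSigned("CN=Test ECDsa CodeSigning", ecKey))
        {
            foreach (X509Certificate2 cert in new[] { rsaCert, ecCert })
            {
                byte[] sig = Sign(cert, payload);
                Console.WriteLine(cert.Subject + ": " + Describe(cert) + ", signature " + sig.Length + " bytes, non-zero");
            }
        }
    }
}
```

The all-zero check is the part worth carrying into a real signing pipeline: a wrapper that trusts the HRESULT alone will happily publish an unsigned binary.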
Is there any chance this will work anytime soon?
When will ECDSA be supported?
I was able to wrap a block to determine whether the key was RSA or ECDsa, but there seems to be another issue (probably SignerSignEx3, as you note), because while the certificates are successfully attached, the signature is empty. leemeyrick@e682340 - not sure if you want it as a PR?
Hi @leemeyrick About your code changes to wrap a block to determine the key (RSA or ECDsa), how is it working? Have you found any other issues? I'm currently having an issue with ECDsa signing cert when being used with AzureSignTool. Any helps or suggestions would be much appreciated. Thank you.