
Azure Key Vault signatures fail verification #18165

Closed

Description

Bug Report

  • github.com/Azure/azure-sdk-for-go/services/keyvault/v7.0/keyvault
  • v39.0.0+incompatible
  • go version go1.16.15 linux/amd64

Problem description

This issue is being opened at the request of the Azure Key Vault Support team as a follow-up to a Sev 1 ticket opened against Azure Key Vault, 2204280030001993. We use azure-sdk-for-go to send Sign requests to Azure Key Vault to sign Ethereum transactions with keys of curve type EC and key type P-256K. Most of the signed payloads returned by Azure Key Vault can be verified, and the public key extracted from the signature matches the public key of the keypair. However, a small number of requests fail signature verification. Note that Azure Key Vault returns a signed payload in these cases (no error is returned by Azure Key Vault), but when the public key is extracted from the signature, it does not match the public key of the keypair.

As part of the investigation for the ticket referenced above, the Azure Key Vault support engineer helped analyze logs on the Key Vault side when such failures were encountered. He has arrived at the conclusion that he is unable to see such Sign() requests being processed by Azure Key Vault (the request never arrived at Key Vault). It is quite surprising to me how this is possible when:

  • Communication is occurring over a TLS session (backed by TCP).
  • Azure Key Vault is returning a response to the Sign() request! If, as observed by Mr. Odom, the requests are not being received and processed by Azure Key Vault, I am at a loss to understand who is returning these responses to the Sign() requests.
  • In order to eliminate any external aspects, we reproduced the issue for Azure support by running the client that uses the SDK in the Azure cloud. It was initially suggested that the problem may be occurring because the client was running outside the Azure cloud (which, again, appears unlikely on the face of it).

Azure Key Vault support has come to the conclusion that the issue is in the Azure Go SDK, which is causing requests to get LOST (I'd be really interested to find out who is returning the responses, though!). The Azure Key Vault support team also indicated that there is NO logging on the Key Vault side that can identify the base64-encoded payload that is part of the KeySignParameters. We provided Azure support with the sign requests, timestamps and the base64-encoded payload string that is sent by the SDK to Azure Key Vault, in the hope that they would be able to correlate it with the request logs they see on their end.

We have a Docker image with the client program that can launch a batch of Sign() requests against any key vault and can demonstrate and log the failures to verify the signature. We would like to request that you reach out to Mr. Odom so he can provide further details of the investigation they conducted, so that you can investigate the bug in the Azure Go SDK.
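The check the reporter describes (recovering the public key from each returned signature and comparing it with the keypair's known public key before the transaction is broadcast) as an added example that is not part of the original issue or of the Azure SDK. It is a self-contained, pure-Python secp256k1 implementation (Key Vault's P-256K curve), so it runs offline without the SDK or a vault; it assumes the signing service hands back a raw 64-byte r||s signature with no recovery id, which is why both recovery ids are tried. The keys, nonces and digest are constructed for the demo, and SHA-256 stands in for the keccak-256 digest Ethereum actually uses. `check_signature` also applies EIP-2 low-s normalisation, a caveat worth knowing when the signer is an HSM or KMS: a high-s signature is still valid ECDSA, but normalising it flips the recovery parity, so the recovery id must be computed after normalisation.

```python
import hashlib

# secp256k1 (Azure Key Vault "P-256K") domain parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def sign(priv, digest, k):
    """Plain ECDSA over secp256k1; returns (r, s, recovery_id)."""
    z = int.from_bytes(digest, "big")
    rx, ry = _mul(k, G)
    r = rx % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s, (ry & 1) | (2 if rx >= N else 0)


def verify(pub, digest, r, s):
    """Standard ECDSA verification against a known public key."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(digest, "big")
    w = pow(s, -1, N)
    R = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return R is not None and R[0] % N == r


def recover(digest, r, s, v):
    """Public key Q = r^-1 * (s*R - z*G) for recovery id v, or None if R is invalid."""
    x = r + N * (v >> 1)
    if x >= P:
        return None
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)       # sqrt works because P % 4 == 3
    if y * y % P != y2:
        return None
    if (y & 1) != (v & 1):
        y = P - y
    z = int.from_bytes(digest, "big")
    sR = _mul(s, (x, y))
    minus_zG = _mul((N - z % N) % N, G)
    return _mul(pow(r, -1, N), _add(sR, minus_zG))


def split_sig(sig64):
    """Raw r||s encoding (assumed format of the signing service's response)."""
    return int.from_bytes(sig64[:32], "big"), int.from_bytes(sig64[32:], "big")


def check_signature(expected_pub, digest, sig64):
    """Accept a raw r||s signature only if it recovers to expected_pub.

    Returns the Ethereum recovery id (0 or 1) for the low-s form of the
    signature, or None when no recovery id yields the expected key, which is
    the failure the issue reports: a well-formed signature under the wrong key.
    """
    if len(sig64) != 64:
        return None
    r, s = split_sig(sig64)
    if not (1 <= r < N and 1 <= s < N):
        return None
    if s > N // 2:                     # EIP-2 low-s form; flips the recovery parity
        s = N - s
    for v in (0, 1):
        if recover(digest, r, s, v) == expected_pub:
            return v
    return None


# Constructed demo material: not real keys, nonces, or a real Key Vault response.
DEMO_PRIV = 0x4C0883A69102937D6231471B5DBB6204FE5129617082792AE468D01A3F362318
DEMO_PUB = _mul(DEMO_PRIV, G)
DEMO_DIGEST = hashlib.sha256(b"constructed transaction payload").digest()
DEMO_K = 0x1F3A9C0E5D7B2468ACE13579BDF02468ACE13579BDF02468ACE13579BDF02468  # fixed for reproducibility; real signers use fresh random or RFC 6979 k
_r, _s, _ = sign(DEMO_PRIV, DEMO_DIGEST, DEMO_K)
GOOD_SIG = _r.to_bytes(32, "big") + _s.to_bytes(32, "big")

# A signature made under some other key: the symptom the reporter observed.
OTHER_PRIV = 0x2B0C1D2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B8C9D0E1F2A3B4C5D6E7F8A9B0C
_r, _s, _ = sign(OTHER_PRIV, DEMO_DIGEST, DEMO_K + 1)
WRONG_KEY_SIG = _r.to_bytes(32, "big") + _s.to_bytes(32, "big")

if __name__ == "__main__":
    print("good signature, recovery id:", check_signature(DEMO_PUB, DEMO_DIGEST, GOOD_SIG))
    print("wrong-key signature:", check_signature(DEMO_PUB, DEMO_DIGEST, WRONG_KEY_SIG))
```

In a real client the public key to compare against should be fetched once from the vault (the key's JWK) and pinned, not re-read per request; a signature that fails this check should be logged together with the request timestamp and the base64 digest that was sent, since that is exactly the correlation data the support ticket above was missing.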


Labels: Client, KeyVault, Service Attention, customer-reported, issue-addressed, question
