生成 JWT 令牌错误的 Azure 函数对存储在密钥库机密中的私钥进行消毒

Question

I am building a Azure Function to generate (and regenerate) a JWT token for me which I will then be using to call out to DocuSign API.

I have this working locally and the token being generated is working when calling out to the DocuSign API. I ran into an issue when I deploy this to an Azure Function.

Locally I am using the local Settings to store the key and then I am referencing it as an environment variable. On Azure I am using an Azure Key Vault to store this same key as a secret. But I am having an issue with the key and how it being stored.

I get this error when running the same code on the Azure Function:

Failure Exception: ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).

I believe this is an issue with character set the Azure Key Vault stores the data in but I have been unable to resolve this issue even with encoding it from UTF-8 to ANSI or ANSI to UTF-8.

import logging
import os
import azure.functions as func
import jwt

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    private_key = os.environ["servicePrivateKey"]

    payload = {"sub": "1234567890","name": "John Doe","iat": 1516239022}

    encoded = jwt.encode(payload, private_key, algorithm="RS256")

    return func.HttpResponse(
        encoded, status_code=200
    )

Followed the usage example here pyjwt example

My key locally is stored like this:

"servicePrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAK................m1T6yWn5MparGHIY=\n-----END RSA PRIVATE KEY-----"

On the Azure Key vault I have tried to save it a few different ways in the secret but here is one example of it (This is copied out from the secret value on Azure):

-----BEGIN RSA PRIVATE KEY----- MIIEpQIBAAK................m1T6yWn5MparGHIY= -----END RSA PRIVATE KEY-----

I have a hit a wall now as I can't figure out what I can do without storing the private key in the azure function as clear text or uploading it with the app files somehow.

Answer 1

I found the answer to this in the end. The way I resolved the error was uploading the key in a txt file as an ascii encoded secret.

Azure Docs: https://docs.microsoft.com/en-us/cli/azure/keyvault/secret?view=azure-cli-latest#az-keyvault-secret-set

az keyvault secret set --name
                       --vault-name
                       [--description]
                       [--disabled {false, true}]
                       [--encoding {ascii, base64, hex, utf-16be, utf-16le, utf-8}]
                       [--expires]
                       [--file]
                       [--not-before]
                       [--tags]
                       [--value]

Then when I read the secret it added in the \n (new line) character to the secret. But this was actually being read as a string and not a new line. I just replaced the string version with a newline character and this worked.

private_key = private_key.replace('\\n' , '\n')

So the final solution looks like this:

from dataclasses import replace
import logging
import os
import azure.functions as func
import jwt

def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')

    private_key = os.environ["servicePrivateKey"]

    private_key = private_key.replace('\\n' , '\n')

    payload = {"sub": "1234567890","name": "John Doe","iat": 1516239022}

    encoded = jwt.encode(payload, private_key, algorithm="RS256")

    return func.HttpResponse(
        encoded, status_code=200
    )