azure-sdk-for-java: [BUG] Unable to retrieve Private key for a Certificate with exportable keys

Describe the bug

Using the KeyVaultClient, we are unable to retrieve the private key from the Key Vault.

Exception or Stack Trace

        2022-11-11 16:05:55,344 INFO | main | example.certificate.UserMgmtTest | Key Properties exportable ?: null
        2022-11-11 16:05:55,344 INFO | main | example.certificate.UserMgmtTest | Private Key ?: false
        2022-11-11 16:05:55,344 ERROR | main | com.azure.security.keyvault.keys.models.JsonWebKey | java.security.NoSuchAlgorithmException: no such algorithm: RSA for provider AzureKeyVault
        java.lang.IllegalStateException: java.security.NoSuchAlgorithmException: no such algorithm: RSA for provider AzureKeyVault
            at com.azure.security.keyvault.keys.models.JsonWebKey.getRsaPublicKey(JsonWebKey.java:583)
            at com.azure.security.keyvault.keys.models.JsonWebKey.toRsa(JsonWebKey.java:741)

To Reproduce

Create a self-signed certificate in Azure Key Vault, with the Advanced option to enable export of keys, and try to download the private keys using the KeyVaultClient.

Code Snippet

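        import com.azure.security.keyvault.keys.KeyClient;
        import com.azure.security.keyvault.keys.KeyClientBuilder;
        import com.azure.security.keyvault.keys.models.JsonWebKey;
        import com.azure.security.keyvault.keys.models.KeyVaultKey;

        // Build a synchronous key client for the vault.
        KeyClient keyClient = new KeyClientBuilder()
                .credential(credential)
                .vaultUrl(kvURL)
                .buildClient();

        // Fetch the key and log whether its properties mark it as exportable.
        KeyVaultKey keyVaultKey = keyClient.getKey(keyId);
        log.info("Key Properties exportable ?: {}", keyVaultKey.getProperties().isExportable());

        // Log whether the returned JSON Web Key carries private key material.
        JsonWebKey webKey = keyVaultKey.getKey();
        log.info("Private Key ?: {}", webKey.hasPrivateKey());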

Expected behavior

Should be able to extract the private key in this case.

Screenshots

N/A

Setup (please complete the following information):

  • OS: [e.g. iOS]
  • IDE: [e.g. IntelliJ]
  • Library/Libraries: com.azure:azure-security-keyvault-keys:4.5.1
  • Java version: 17
  • App Server/Environment: [e.g. Tomcat, WildFly, Azure Function, Apache Spark, Databricks, IDE plugin or anything special]
  • Frameworks: [e.g. Spring Boot, Micronaut, Quarkus, etc]

If you suspect a dependency version mismatch (e.g. you see NoClassDefFoundError, NoSuchMethodError or similar), please check out the Troubleshoot dependency version conflict article first. If it doesn’t provide a solution for the problem, please provide:

  • verbose dependency tree (mvn dependency:tree -Dverbose)
  • exception message, full stack trace, and any available logs

Additional context

While creating the certificate, the private key was marked as exportable: [image]

Access permissions are set as: [image]

Information Checklist

Kindly make sure that you have added all the following information above and check off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 16 (5 by maintainers)

Most upvoted comments

@vcolin7 it is a different key. You are thinking about a cryptographic key. It is the private key of a certificate. Certificates do not have a release policy (based on the screenshot it is a certificate).

@jlichwa He’s using the new KeyClient (the deprecated one is called KeyVaultClient). @vtapadia one thing to note is that the code sample shared only works for getting a certificate’s private key.

@jlichwa, do you know if a KeyVaultKey’s private key (not part of a certificate) can even be exported from a Key Vault? I thought we only supported this for Managed HSMs.
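Added example, not code from this issue thread or from the SDK project: for a Key Vault certificate created with an exportable key, the private key is delivered through the secret that shares the certificate's name, not through KeyClient. The sketch assumes the certificate uses the PKCS#12 content type, that the caller holds the Get permission on secrets, and that `azure-security-keyvault-secrets` and `azure-identity` are on the classpath; the class name and the environment variable names are hypothetical.

```java
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;
import java.util.Collections;

public class CertificatePrivateKeyExample { // hypothetical class name

    // Parses the base64 PFX that Key Vault stores as the certificate's secret value.
    static PrivateKey extractPrivateKey(String contentType, String secretValue) throws Exception {
        if (!"application/x-pkcs12".equals(contentType)) {
            throw new IllegalStateException("Expected a PKCS#12 secret, got: " + contentType);
        }
        byte[] pfx = Base64.getDecoder().decode(secretValue);
        char[] noPassword = new char[0]; // the PFX returned by Key Vault has an empty password
        KeyStore store = KeyStore.getInstance("PKCS12");
        store.load(new ByteArrayInputStream(pfx), noPassword);
        for (String alias : Collections.list(store.aliases())) {
            Key key = store.isKeyEntry(alias) ? store.getKey(alias, noPassword) : null;
            if (key instanceof PrivateKey) {
                return (PrivateKey) key;
            }
        }
        throw new IllegalStateException("The secret holds no private key entry");
    }

    public static void main(String[] args) throws Exception {
        // KEY_VAULT_URL and CERTIFICATE_NAME are assumed environment variables.
        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(System.getenv("KEY_VAULT_URL"))
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
        // The secret name is the certificate name, not the key identifier.
        KeyVaultSecret secret = secretClient.getSecret(System.getenv("CERTIFICATE_NAME"));
        PrivateKey key = extractPrivateKey(secret.getProperties().getContentType(), secret.getValue());
        // Log metadata only; never write the key material itself to logs.
        System.out.println("Private key algorithm: " + key.getAlgorithm());
    }
}
```

Because any identity with Get on secrets can read an exportable certificate's private key this way, that permission deserves the same scoping and review as key permissions.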