How to request Azure Key Vault to sign a JSON with a secret

Fabrício Fortaleza 150 Reputation points
2024-01-25T14:26:03.4133333+00:00

I would like to create a code where I request Azure Key Vault to sign a JSON containing data and return the hash of the signed data with the secret. I will send this hash to an external API, and the API will 'unsign' the hash with the public part of the secret (Note: my secret is actually a private key). The purpose of this code is to ensure that the entity sending data to the external API does not have access to the value of my private key (secret). If anyone can explain the step-by-step process of this functionality or provide documentation, I would be very grateful. The language I am using is PHP, but it can be an example in Python as well.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,453 questions

Accepted answer
    Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator
    2024-01-30T07:23:06.8533333+00:00

    @Fabrício Fortaleza

    Thank you for your time and patience. As per the above request, you are looking for code to sign a JSON containing data with an Azure Key Vault secret and return the hash of the signed data.

    • I was able to get the following Python code; kindly try this. You may also try to load the JSON data from a file.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    import json
    import hashlib
    import base64
    from cryptography.hazmat.primitives.asymmetric import padding, utils
    from cryptography.hazmat.primitives import hashes, serialization

    # Replace with your key vault name and secret name
    key_vault_name = "<your-key-vault-name>"
    secret_name = "<your-secret-name>"

    # Create a SecretClient object to access the secret
    credential = DefaultAzureCredential()
    vault_uri = f"https://{key_vault_name}.vault.azure.net"
    secret_client = SecretClient(vault_uri=vault_uri, credential=credential)

    # Get the secret value (the PEM-encoded private key stored as the secret)
    secret = secret_client.get_secret(secret_name)
    secret_value = secret.value

    # Create a hash of the JSON data
    with open(r'C:\Users\Downloads\parameters.json') as file:  # local path of the JSON file
        # Load JSON data from file
        data = json.load(file)

    # Serialize deterministically so the receiver can rebuild exactly the same bytes before verifying
    json_string = json.dumps(data, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(json_string.encode()).digest()
    hash_value = digest.hex()
    print(hash_value)

    # Sign the hash with the secret value (RSA PKCS#1 v1.5 over the precomputed SHA-256 digest)
    private_key = serialization.load_pem_private_key(secret_value.encode(), password=None)
    signature = private_key.sign(
        digest,
        padding.PKCS1v15(),
        utils.Prehashed(hashes.SHA256())
    )

    # Return the signature (base64) together with the hash; the receiver verifies it with the public key
    print(base64.b64encode(signature).decode())

    **Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik**

    1 person found this answer helpful.
    0 comments
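The full round trip the question describes (the sender hashes the JSON, a signer signs only the 32-byte digest, the external API verifies with the public key), as an added example that is not part of the thread above. The signer is deliberately a callable that receives nothing but the digest: here it is a local stand-in built with the `cryptography` library, while in production the same callable would be Key Vault's `CryptographyClient.sign(SignatureAlgorithm.rs256, digest)` on a vault *key* (an assumption noted in the comments and not executed offline), which returns the same RSASSA-PKCS1-v1_5/SHA-256 signature format and keeps the private key inside the vault, so the sending process never holds it. The payload values, `sign_json`, `verify_envelope` and the envelope field names are constructed for this example.

```python
import base64
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa, utils


def canonical_json_bytes(data):
    """Deterministic serialization: key order and whitespace must match on both sides."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_json(data, sign_digest):
    """Hash the canonical JSON and hand ONLY the SHA-256 digest to the signer.

    sign_digest(digest) -> raw RSA PKCS#1 v1.5 signature bytes.
    Assumption (not run here): with Key Vault this would be
        CryptographyClient(key, credential).sign(SignatureAlgorithm.rs256, digest).signature
    so the private key never leaves the vault.
    """
    digest = hashlib.sha256(canonical_json_bytes(data)).digest()
    signature = sign_digest(digest)
    return {
        "payload": data,                     # sent in clear; integrity comes from the signature
        "alg": "RS256",                      # RSASSA-PKCS1-v1_5 with SHA-256, same as Key Vault RS256
        "sha256": digest.hex(),
        "signature": base64.b64encode(signature).decode("ascii"),
    }


def local_signer(private_key):
    """Local stand-in for the vault: signs a precomputed SHA-256 digest (Prehashed)."""
    def sign_digest(digest):
        return private_key.sign(digest, padding.PKCS1v15(), utils.Prehashed(hashes.SHA256()))
    return sign_digest


def verify_envelope(envelope, public_key_pem):
    """Receiver side: rebuild the digest from the payload and verify with the public key only."""
    if envelope.get("alg") != "RS256" or "payload" not in envelope:
        return False
    public_key = serialization.load_pem_public_key(public_key_pem)
    digest = hashlib.sha256(canonical_json_bytes(envelope["payload"])).digest()
    try:
        public_key.verify(
            base64.b64decode(envelope.get("signature", "")),
            digest,
            padding.PKCS1v15(),
            utils.Prehashed(hashes.SHA256()),
        )
    except (InvalidSignature, ValueError):
        # ValueError also covers malformed base64 and a wrong digest length
        return False
    return True


def demo():
    """Returns (genuine_verifies, tampered_verifies) for a constructed payload."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_key_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo
    )
    payload = {"order_id": 1234, "amount": "19.90", "currency": "EUR"}  # constructed sample data
    envelope = sign_json(payload, local_signer(private_key))
    genuine_ok = verify_envelope(envelope, public_key_pem)
    # Receiver detects any change to the payload because the recomputed digest no longer matches
    tampered = dict(envelope, payload=dict(payload, amount="1990.00"))
    tampered_ok = verify_envelope(tampered, public_key_pem)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the signature is computed over the digest of a canonical serialization, the receiver must canonicalize the same way; sending the exact serialized string instead of a re-encodable object is the other common choice. Whichever side holds the private key, the external API only ever needs the public key.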

0 additional answers
