public exponent does not work when use key vault to create a RSA-HSM key

Wang Echo 21 Reputation points
2022-11-26T15:08:39.473+00:00

In the process of using the key vault REST API to create a key, I used the following request to create a key, but no matter how I modify the value of public_exponent, the returned E is not the result I set.
I use the rest api of the key vault service to create an RSA key and set the public_exponent to 3, but the E in the returned result is AQAB, which is 65537 instead of the 3 I set.
I have tried to modify the key_size to 2048 3072 4096 Also try to modify kty to RSA, RSA-HSM, all unchanged.

#### Get token  
POST https://login.microsoftonline.com/{tenantId}/oauth2/token  
Content-Type: application/x-www-form-urlencoded  

grant_type=client_credentials&client_id={clientId}&client_secret={clientSecret}&resource=https://vault.azure.net  


### Create RSA-HSM key  
POST {vaultBaseUrl}/keys/{keyName}/create?api-version=7.3  
Content-Type: application/json  
Authorization: Bearer {token}  

{  
    "kty": "RSA",  
    "key_size": 3072,  
    "key_ops": [  
        "encrypt",  
        "decrypt",  
        "sign",  
        "verify",  
        "wrapKey",  
        "unwrapKey"  
    ],  
    "public_exponent": 3  
}  
Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,180 questions
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,531 Reputation points Microsoft Employee
    2022-11-30T23:13:15.337+00:00

    @Wang Echo
    Thank you for your time and patience throughout this issue!

    I received a response from our Key Vault engineering team and when it comes to the public_exponent property, this is only applicable when using the Azure Key Vault Managed HSM and not the Azure Key Vault. The public_exponent property doesn't exist in Key Vault's implementation of the Create Key REST API, we only use the key_size and crv (ECC keys).

    I've submitted feedback on the doc and created an internal doc-enhancement request to get this updated.

    Additional Links:
    Add public_exponent option to create_key #18016 - This is a related issue.
    Azure SDK for Python/Keys/_client.py - The Azure SDK for Python Key Vault repo also mentions this.
    Azure key management services - For more info on the different key management services.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful