[BUG] NullPointerException thrown when calling JsonWebKey.toRsa() #16761

Closed
nachoge opened this issue Oct 23, 2020 · 5 comments

nachoge commented Oct 23, 2020

Describe the bug
Using azure-security-keyvault-keys: 4.2.2 with JDK11

//using the secretKey (keyClient.getKey(key))
JsonWebKey jSonWebKey1=VaultAgent.getKey("key").getKey(); // this is just a wrapper

the key is built both with openssl and azure vault generator (type RSA)

when KeyPair kp=jSonWebKey1.toRsa(true); a nullPointer exception occurs

Exception or Stack Trace

java.lang.NullPointerException
[2020-10-23T14:32:34.320] at com.azure.security.keyvault.keys.models.JsonWebKey.toBigInteger(JsonWebKey.java:633)
[2020-10-23T14:32:34.320] at com.azure.security.keyvault.keys.models.JsonWebKey.getRsaPrivateKeySpec(JsonWebKey.java:548)
[2020-10-23T14:32:34.320] at com.azure.security.keyvault.keys.models.JsonWebKey.getRsaPrivateKey(JsonWebKey.java:580)
[2020-10-23T14:32:34.320] at com.azure.security.keyvault.keys.models.JsonWebKey.toRsa(JsonWebKey.java:720)
[2020-10-23T14:32:34.321] at com.azure.security.keyvault.keys.models.JsonWebKey.toRsa(JsonWebKey.java:703)
[2020-10-23T14:32:34.321] at com.grupoica.core.utils.security.jwt.JWT.buildAndSignJWT(JWTAgent.java:145)
[2020-10-23T14:32:34.321] at com.grupoica.core.utils.security.jwt.JWT.(JWTAgent.java:100)
[2020-10-23T14:32:34.321] at com.grupoica.core.utils.security.jwt.JWT.getCredentials(JWTAgent.java:195)
[2020-10-23T14:32:34.321] at com.grupoica.core.utils.security.jwt.JWTAgent.getCredentials(JWTAgent.java:44)
[2020-10-23T14:32:34.321] at com.grupoica.core.OAuth.run(OAuth.java:55)
[2020-10-23T14:32:34.321] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[2020-10-23T14:32:34.321] at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
[2020-10-23T14:32:34.321] at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
[2020-10-23T14:32:34.321] at java.base/java.lang.reflect.Method.invoke(Method.java:566)
[2020-10-23T14:32:34.321] at com.microsoft.azure.functions.worker.broker.JavaMethodInvokeInfo.invoke(JavaMethodInvokeInfo.java:22)
[2020-10-23T14:32:34.321] at com.microsoft.azure.functions.worker.broker.EnhancedJavaMethodExecutorImpl.execute(EnhancedJavaMethodExecutorImpl.java:55)
[2020-10-23T14:32:34.321] at com.microsoft.azure.functions.worker.broker.JavaFunctionBroker.invokeMethod(JavaFunctionBroker.java:57)
[2020-10-23T14:32:34.322] at com.microsoft.azure.functions.worker.handler.InvocationRequestHandler.execute(InvocationRequestHandler.java:33)
[2020-10-23T14:32:34.322] at com.microsoft.azure.functions.worker.handler.InvocationRequestHandler.execute(InvocationRequestHandler.java:10)
[2020-10-23T14:32:34.322] at com.microsoft.azure.functions.worker.handler.MessageHandler.handle(MessageHandler.java:45)
[2020-10-23T14:32:34.322] at com.microsoft.azure.functions.worker.JavaWorkerClient$StreamingMessagePeer.lambda$onNext$0(JavaWorkerClient.java:92)
[2020-10-23T14:32:34.322] at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
[2020-10-23T14:32:34.322] at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
[2020-10-23T14:32:34.322] at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[2020-10-23T14:32:34.322] at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[2020-10-23T14:32:34.322] at java.base/java.lang.Thread.run(Thread.java:834)

To Reproduce
Steps to reproduce the behavior:

create/import a RSA key in azure vault

this is a fake (working) private rsa priv key

access the key via the vault key client and retrieve the JsonWebKey
keyClient.getKey(key)
JsonWebKey jSonWebKey1=VaultAgent.getKey("key").getKey(); // this is just a wrapper

when KeyPair kp=jSonWebKey1.toRsa(true); a nullPointer exception occurs


Expected behavior
a working keyPair with both keys

Setup (please complete the following information):

  • OS: azure functions on Linux Centos 8
  • IDE : Code
  • Version of the Library used 4.2.2 (but also in 4.1.2 and 4.3.0-beta2)



vcolin7 commented Dec 1, 2020

Hi @nachoge, thanks for filing this issue, I will look into it.


vcolin7 commented Dec 3, 2020

Hi again @nachoge,

The reason the JsonWebKey.toRsa(true) call fails is because, at the moment, Azure Key Vault does not support exporting a key pair's private key, meaning the following JWK components will be null: d, p, q, dp, dq, qi; which are all required to create an RSA key that includes both its public and private keys using the Key Vault SDK.

Secure key release support will be added in the upcoming months, but until then it's not possible to export a key's private key from a Key Vault.

For the time being, you can use JsonWebKey.toRsa() (which is the equivalent to calling JsonWebKey.toRsa(false)) to convert a key obtained from a Key Vault to an RSA key that contains a public key only.

@vcolin7 vcolin7 closed this as completed Dec 3, 2020
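
A defensive wrapper for the conversion discussed above, added here as an example (not code from the issue or from the Azure SDK): it checks for the private JWK components listed in the Dec 3 comment before calling toRsa(true), so the caller gets a descriptive error instead of a NullPointerException. The names JwkExportGuard, hasRsaPrivateParameters and toRsaChecked are hypothetical, and the sample key is generated locally to mimic a public-only JWK.

```java
import com.azure.security.keyvault.keys.models.JsonWebKey;
import com.azure.security.keyvault.keys.models.KeyType;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPublicKey;

public class JwkExportGuard {

    /** True only if every private RSA component (d, p, q, dp, dq, qi) is present. */
    static boolean hasRsaPrivateParameters(JsonWebKey jwk) {
        return jwk.getD() != null && jwk.getP() != null && jwk.getQ() != null
            && jwk.getDp() != null && jwk.getDq() != null && jwk.getQi() != null;
    }

    /** Converts to a KeyPair, failing with a clear message rather than an NPE. */
    static KeyPair toRsaChecked(JsonWebKey jwk, boolean includePrivate) {
        if (jwk.getN() == null || jwk.getE() == null) {
            throw new IllegalStateException("JWK has no RSA public components (n, e)");
        }
        if (includePrivate && !hasRsaPrivateParameters(jwk)) {
            throw new IllegalStateException(
                "JWK carries no private components; only public material is available");
        }
        return jwk.toRsa(includePrivate);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a locally generated key reduced to n and e,
        // standing in for the public-only JWK obtained via keyClient.getKey(...).
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        RSAPublicKey pub = (RSAPublicKey) gen.generateKeyPair().getPublic();
        JsonWebKey vaultLike = new JsonWebKey()
            .setKeyType(KeyType.RSA)
            .setN(pub.getModulus().toByteArray())
            .setE(pub.getPublicExponent().toByteArray());

        KeyPair publicOnly = toRsaChecked(vaultLike, false);
        System.out.println("public key present:  " + (publicOnly.getPublic() != null));
        System.out.println("private key present: " + (publicOnly.getPrivate() != null));

        try {
            toRsaChecked(vaultLike, true); // the call that hit the NPE in this issue
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

When the goal is to sign with a vault-held key, as in the reporter's buildAndSignJWT frame, the SDK's CryptographyClient performs the signature inside Key Vault so the private key never has to be exported.
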

rselie commented Mar 1, 2021

@vcolin7 I face the same issue (used version 4.3.0-beta.4). When will this issue be solved? It is not very nice that the API looks like you can request the private key but it is not possible when calling it at runtime.


vcolin7 commented Mar 1, 2021

I understand it can be confusing that the API appears to simply accept a KeyVaultKey while it can still throw a NullPointerException without much explanation. I think we can work on improving the error messaging for these cases; I will spend some time figuring out what the best course of action here is.

Having said that, the "Secure Key Release" feature is not available at the moment and will be possibly included on the service until version 7.3, which might be more than a few months away from now. This means that currently there is no way to obtain a private key from a key stored in your Key Vault.


rselie commented Mar 4, 2021

@vcolin7 Thanks for the info.
