JINESH

Reputation: 1452

Error when Encrypt secret value - Operation returned an invalid status code 'BadRequest'

I am using KeyVaultClient for adding new secrets in key vault. When a smaller secret value is added, it works perfectly. When we add a long secret value the system does not accept the value; the response is "Operation returned an invalid status code 'BadRequest'".

Code-

 using System.Text;
 using Microsoft.Azure.KeyVault;
 using Microsoft.Azure.KeyVault.WebKey;

 // AuthHelper.GetToken is the caller's own authentication callback (not shown in the question)
 var kv = new KeyVaultClient(AuthHelper.GetToken);
 var key = kv.GetKeyAsync("https://xxxxxxx.vault.azure.net/", "Key1").GetAwaiter().GetResult();

 var byteData = Encoding.Unicode.GetBytes("long data...........");//here long secret value
 // throws "Operation returned an invalid status code 'BadRequest'" for the long value
 var encryptData = kv.EncryptAsync("https://xxxxxx.vault.azure.net/keys/Key123/98888xxxxxxxxxxxxx", JsonWebKeyEncryptionAlgorithm.RSAOAEP, byteData).GetAwaiter().GetResult();

The exception is thrown in kv.EncryptAsync.

I noticed that when a smaller secret value is added there is no error. Are there any secret value character limitations? How do I handle these limitations?

Upvotes: 2

Views: 1925

Answers (2)

Rohit Saigal

Reputation: 9684

Short Answer

Most probably you are getting an exception for long values (and not the short values) because you are exceeding the maximum length of message that can be encrypted using your key and chosen algorithm.

One way to solve this could be to use a higher length key with same algorithm, or else look at changing the combination of key length and algorithm. (details below)

Long Answer

Obvious question is what's the maximum length that you can encrypt. Microsoft's documentation on both simply states something like this:

Note that the ENCRYPT operation only supports a single block of data, the size of which is dependent on the target key and the encryption algorithm to be used.

In your code you have chosen JsonWebKeyEncryptionAlgorithm.RSAOAEP for algorithm and key length is something you will know as you're pointing code to one of the keys in your vault.

Again, looking at Microsoft's documentation about using this algorithm, RSA-OAEP Encrypt/Decrypt:

[screenshot of the RSA-OAEP Encrypt/Decrypt documentation]

Now,

  1. Hashing Function used will be SHA-1
  2. Mask Generation Algorithm used will be MGF1

You can read more details in RFC 3447. Search for "A.2.1 RSAES-OAEP"

Doing some math, based on a detailed crypto.stackexchange post

Disclaimer: Your condition would be something like this (I'm not an expert on this topic, so I may be going wrong with the exact calculation that will apply, but you'll follow the core idea about how the key length and algorithm will affect the max message size by the end of this :))

[image of the RSAES-OAEP message length condition]

SHA-1 will mean output size of 160 i.e. hlen = 20

Assuming, you are using key length of 1024 right now (you can change this based on your key size).

mLen = 1024 / 8 - 2 * 160 / 8 - 2 = 86

if you were to use a key length of 2048

mLen = 2048 / 8 - 2 * 160 / 8 - 2 = 214

Hopefully, all the explanation/links together give you some idea about how that important statement works - max length/size depends on the target key and encryption algorithm to be used.

Upvotes: 3
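As an added illustration (not part of the answer above, and not Key Vault's own code), the following stand-alone Python implements the EME-OAEP encoding step of RFC 3447 section 7.1.1 with MGF1 and a configurable hash, so you can see exactly where the "message too long" limit mLen <= k - 2*hLen - 2 is enforced before any RSA operation happens. It assumes Key Vault applies the same RFC check when it answers 'BadRequest'; the key sizes and hash are only inputs, no real key is needed.

```python
# EME-OAEP encoding/decoding from RFC 3447 (7.1.1 step 2 / 7.1.2 step 3), stdlib only.
import hashlib
import os

def mgf1(seed: bytes, length: int, hash_name: str = "sha1") -> bytes:
    """Mask generation function MGF1 (RFC 3447, B.2.1)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.new(hash_name, seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def max_oaep_message_len(key_bits: int, hash_name: str = "sha1") -> int:
    """Largest mLen that does not fail with 'message too long': k - 2*hLen - 2 bytes."""
    k = key_bits // 8                              # modulus length in bytes
    h_len = hashlib.new(hash_name).digest_size     # 20 for SHA-1
    return k - 2 * h_len - 2

def eme_oaep_encode(message: bytes, key_bits: int, hash_name: str = "sha1",
                    label: bytes = b"", seed: bytes = None) -> bytes:
    """Return the k-byte encoded message EM that would be fed to the RSA primitive."""
    k = key_bits // 8
    h_len = hashlib.new(hash_name).digest_size
    if len(message) > k - 2 * h_len - 2:
        raise ValueError("message too long")       # the check a too-long secret trips
    l_hash = hashlib.new(hash_name, label).digest()
    ps = b"\x00" * (k - len(message) - 2 * h_len - 2)   # zero padding, empty at max length
    db = l_hash + ps + b"\x01" + message                 # always k - hLen - 1 bytes
    seed = seed if seed is not None else os.urandom(h_len)
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - h_len - 1, hash_name)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, h_len, hash_name)))
    return b"\x00" + masked_seed + masked_db             # exactly k bytes

def eme_oaep_decode(em: bytes, key_bits: int, hash_name: str = "sha1",
                    label: bytes = b"") -> bytes:
    """Inverse of eme_oaep_encode; recovers the message or raises on malformed input."""
    k = key_bits // 8
    h_len = hashlib.new(hash_name).digest_size
    if len(em) != k or em[0] != 0:
        raise ValueError("decryption error")
    masked_seed, masked_db = em[1:1 + h_len], em[1 + h_len:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1(masked_db, h_len, hash_name)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(seed, k - h_len - 1, hash_name)))
    if db[:h_len] != hashlib.new(hash_name, label).digest():
        raise ValueError("decryption error")
    sep = db.index(b"\x01", h_len)                 # first 0x01 after lHash ends PS
    if any(db[h_len:sep]):                         # PS must be all zero bytes
        raise ValueError("decryption error")
    return db[sep + 1:]
```

With SHA-1 this reproduces the answer's figures: 86 bytes for a 1024-bit key and 214 bytes for a 2048-bit key, and a 215-byte message is rejected before encoding.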

Joey Cai

Reputation: 20127

Is there any secret value character limitations? How to handle these limitations?

Secrets in Azure Key Vault are octet sequences with a maximum size of 25k bytes each.

Azure Key Vault also supports a contentType field for secrets. Clients may specify the content type, contentType, of a secret to assist in interpreting the secret data when it is retrieved. The maximum length of this field is 255 characters. There are no pre-defined values. The suggested usage is as a hint for interpreting the secret data.

For more details, you could refer to this article.

Upvotes: 0
