I am not able to do a simple sign operation as shown in your examples - just get an unknown vault error. I put some debugging instructions in the code and I see that it is getting a bad request error (400). It says the request has an invalid header name.
I then dumped out the headers before the curl request and I see the following 4 (albeit redacted) headers:
[d] AkvGetKey curl.c(461) header: Accept: application/json
[d] AkvGetKey curl.c(461) header: Content-Type: application/json
[d] AkvGetKey curl.c(461) header: Authorization: Bearer {
"accessToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyIsImtpZCI6Ii1LSTNROW5OUjdiUm9meG1lWm9YcWJIWkdldyJ9.eyJhdWQiOiJodHRwczovL3BiYS1wb3J0YWwudmF1bHQuYXp1cmUubmV0LyIsImlzcyI6Imh0dHBz.....
-BTK_Wn6zMjKqraHa9u9VmKxY3bu48kYiLg90I3ogND83BdYIVJxH7mcQ9eG6yBCjuQK89Nq-oM5QZnCkItg-HGB_qy7wwyqdDMuIODjftQ68Frn8cAZM3MoMHbjDE9YxXQtEYLcbXlsEewDzhGVvYwgJEY4wd9dctHQ",
"expiresOn": "2023-08-28 18:17:29.000000",
"tenant": "xxxxxxxx-xxx-xxxx-xxxx-xxxxxxxxxxxx",
"tokenType": "Bearer"
}
And the text from the https:// output is:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>
I don't know exactly what needs to be in the header or the format of the header. Perhaps the "token type" for the Authorization header? I got that token by grabbing the output this way:
AZURE_CLI_ACCESS_TOKEN=``az account get-access-token --output json --tenant xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --resource https://xxxxxxxxx.vault.azure.net/``
(those ```` are single back-ticks - the formatter here is messing with things)
Can someone help me understand what I have done wrong or perhaps the azure key vault/managed hsm has changed things?
Oh, and all I was trying to do is get the public key for the key vault key:
openssl pkey -engine e_akv -inform engine -in "vault:vaultname:keyname" -pubout -text -out /tmp/leafpubkey.pem
The HTTP Host header must always be present and must specify the vault hostname. Example: Host: contoso.vault.azure.net. Note that most client technologies populate the Host header from the URI. For instance, GET https://contoso.vault.azure.net/secrets/mysecret{...} will set the Host as contoso.vault.azure.net. If you access Key Vault using raw IP address like GET https://10.0.0.23/secrets/mysecret{...}, the automatic value of Host header will be wrong, and you'll have to manually ensure that the Host header contains the vault hostname.
I see nothing in the code to create a "host" header, but I believe libcurl will do this automatically.
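In the header dump in this issue, "Bearer " is followed by the whole multi-line JSON document from az account get-access-token, and a value containing line breaks cannot be sent as a single HTTP header. The check below is an added example, not code from the engine or from anyone in this thread; it assumes the engine places AZURE_CLI_ACCESS_TOKEN verbatim after "Bearer ", and its function names and sample JSON are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the engine or its README.
# Assumption: the engine appends AZURE_CLI_ACCESS_TOKEN verbatim after
# "Authorization: Bearer ", as the debug dump in the issue suggests.

# Constructed sample in the shape of `az account get-access-token --output json`.
SAMPLE_JSON='{
  "accessToken": "aaaa.bbbb.cccc-dddd_eeee",
  "expiresOn": "2030-01-01 00:00:00.000000",
  "tenant": "00000000-0000-0000-0000-000000000000",
  "tokenType": "Bearer"
}'

# Print bare-token, json-document or invalid for a candidate value.
classify_token_value() {
    case $1 in
        '')   echo invalid; return 0 ;;
        '{'*) echo json-document; return 0 ;;
        # Only the characters RFC 6750 allows in a b64token may appear
        # (position of "=" is not checked). Spaces, quotes and line breaks fail.
        *[!A-Za-z0-9._~+/=-]*) echo invalid; return 0 ;;
    esac
    echo bare-token
}

# Pull the accessToken field out of the JSON document (sed-based, so it
# relies on az's one-field-per-line pretty printing or a simple flat object).
extract_access_token() {
    printf '%s\n' "$1" |
        sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# Print a value that is safe to place after "Bearer ", or return 1.
normalize_token() {
    value=$1
    if [ "$(classify_token_value "$value")" = json-document ]; then
        value=$(extract_access_token "$value")
    fi
    [ "$(classify_token_value "$value")" = bare-token ] || return 1
    printf '%s\n' "$value"
}

printf 'Authorization: Bearer %s\n' "$(normalize_token "$SAMPLE_JSON")"
```

The Azure CLI can also print only that field when --query accessToken --output tsv is used in place of --output json.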