Tags: azure, azure-logic-apps

Azure Key Vault Certificate Thumbprint Format Mismatch


I am attempting to retrieve an SSL certificate's thumbprint via Azure's REST API and convert it to a hex value from within a Logic App. The return value from the REST API includes a property x5t which contains the thumbprint:

{
  "id": "https://myvault.vault.azure.net/certificates/selfSignedCert01/f60f2a4f8ae442cfb41ca2090bd4b769",
  "kid": "https://myvault.vault.azure.net/keys/selfSignedCert01/f60f2a4f8ae442cfb41ca2090bd4b769",
  "sid": "https://myvault.vault.azure.net/secrets/selfSignedCert01/f60f2a4f8ae442cfb41ca2090bd4b769",
  "x5t": "a9gQzwmHiKJ3vHoKhXVTFuMohMX",
...

However, what I need is the thumbprint in the format that shows up in the portal, which says it is in hex:

Portal Screenshot

In text format:

X.509 SHA-1 Thumbprint (in hex)
54795FFE62D9088DD6D4AA47393...

This hex value is what I subsequently need to write to a separate secret. (Azure, why do you represent the thumbprint in this apparently non-standard format? This is also the format used in certificate stores when searching for certificates, which is why I ultimately need it. But I digress...)

How can I convert from the x5t string value returned by the REST API, which I believe is base64 encoded binary(?), to the hex value used in the portal as a Logic App step? I'm not finding a "base64 text to hex" conversion function.

EDIT: I can successfully use the base64ToString() function in a Compose step if I pad the value with '=' to a multiple of 4 characters. That gives me the binary representation like so:

Outputs:
k�� ���w�z
�uS�(��

Now I just need to figure out how to make that hex within the Logic App. Example in Python that works:

import base64
# Pad to a multiple of 4 characters, decode, then hex-encode the 20 SHA-1 bytes
base64.b64decode('a9gQzwmHiKJ3vHoKhXVTFuMohMX=').hex()

Solution

  • I ended up creating an Azure Function that can be called from the Logic App:

    using System;
    using System.IO;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;
    using Newtonsoft.Json;

    public static class Base64ToHexFunction
    {
        /// <summary>
        /// This function takes a base64 (or base64url) encoded string and converts it to hex. This is useful for converting
        /// the x5t certificate thumbprint the Key Vault REST API returns to the hex thumbprint the .NET API expects.
        /// </summary>
        /// <param name="req">HTTP request whose JSON body carries an "encodedString" property.</param>
        /// <param name="log">Function logger.</param>
        [FunctionName("Base64ToHex")]
        public static async Task<IActionResult> Base64ToHex(
                // Anonymous: anyone who can reach the endpoint can call it. Use AuthorizationLevel.Function
                // (plus a key held by the Logic App) or network restrictions if the function should not be public.
                [HttpTrigger(AuthorizationLevel.Anonymous, "get", "post", Route = null)] HttpRequest req,
                ILogger log)
        {
            log.LogInformation("C# HTTP trigger function processed a request for Base64ToHex.");
            var requestBody = await new StreamReader(req.Body).ReadToEndAsync();
            dynamic bodyData = JsonConvert.DeserializeObject(requestBody);
            string encodedString = bodyData?.encodedString;
            var responseMessage = "";
            if (string.IsNullOrEmpty(encodedString))
            {
                responseMessage = /*lang=json,strict*/ "{\"error\":\"No encodedString provided\"}";
            }
            else
            {
                // x5t uses the base64url alphabet (RFC 4648 §5): map '-'/'_' back to '+'/'/' for Convert.FromBase64String.
                encodedString = encodedString.Replace("-", "+").Replace("_", "/");
                // Restore the stripped '=' padding: (len * 3) % 4 equals (4 - len % 4) % 4, so 27 chars get one '='.
                encodedString = encodedString.PadRight(encodedString.Length + (encodedString.Length * 3 % 4), '=');
                // Throws FormatException on malformed input, which surfaces to the caller as a 500.
                byte[] data = Convert.FromBase64String(encodedString);
                // Convert.ToHexString (.NET 5+) returns uppercase hex, matching the portal's thumbprint display.
                responseMessage = $@"{{""hexString"":""{Convert.ToHexString(data)}""}}";
            }
            return new OkObjectResult(responseMessage);
        }
    }
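The same conversion written out in Python, as an added example that is not the original poster's code. x5t is the base64url-encoded SHA-1 hash of the DER certificate as defined for JWK/JWS, and the portal simply shows those same 20 bytes in hex, so the two forms are interchangeable once the alphabet and padding are handled. The block restores the stripped padding, distinguishes a SHA-1 `x5t` (20 bytes) from a SHA-256 `x5t#S256` (32 bytes), goes the other way for matching a portal thumbprint against Key Vault's value, and checks an `x5t` against the DER bytes it claims to identify. `X5T_SAMPLE` is the value from the question's REST response; `FAKE_DER` is a constructed byte string standing in for a DER certificate, not a real one; the function names are this example's own.

```python
import base64
import hashlib
import re

# Value copied from the x5t property in the question's Key Vault REST response.
X5T_SAMPLE = "a9gQzwmHiKJ3vHoKhXVTFuMohMX"

# Constructed stand-in for a DER-encoded certificate (not a real cert); only its hash matters here.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# Accept both the base64url ('-', '_') and standard ('+', '/') alphabets, with optional '=' padding.
_B64 = re.compile(r"[A-Za-z0-9_+/-]+=*")


def x5t_to_hex(x5t: str) -> str:
    """Convert a JWK x5t / x5t#S256 value (base64url, padding usually stripped)
    to the uppercase hex thumbprint shown in the portal and used by .NET."""
    s = x5t.strip()
    if not _B64.fullmatch(s):
        raise ValueError("not a base64/base64url string")
    s = s.rstrip("=")
    if len(s) % 4 == 1:
        # A base64 group never leaves a single trailing character.
        raise ValueError("invalid base64url length")
    s += "=" * (-len(s) % 4)  # restore padding: 27 chars -> one '=', 26 -> two
    raw = base64.urlsafe_b64decode(s)
    if len(raw) not in (20, 32):
        raise ValueError(f"unexpected thumbprint length {len(raw)} bytes "
                         "(20 = SHA-1 x5t, 32 = SHA-256 x5t#S256)")
    return raw.hex().upper()


def is_valid_x5t(x5t: str) -> bool:
    """True if the value decodes to a SHA-1 or SHA-256 thumbprint."""
    try:
        x5t_to_hex(x5t)
        return True
    except ValueError:
        return False


def hex_to_x5t(hexstr: str) -> str:
    """Reverse direction: a hex thumbprint (any case, with or without ':' or
    spaces) to the unpadded base64url form Key Vault returns."""
    clean = re.sub(r"[^0-9A-Fa-f]", "", hexstr)
    if len(clean) % 2:
        raise ValueError("odd number of hex digits")
    raw = bytes.fromhex(clean)
    if len(raw) not in (20, 32):
        raise ValueError(f"unexpected thumbprint length {len(raw)} bytes")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def der_to_x5t(der_cert: bytes) -> str:
    """x5t as the JWK/JWS specs define it: base64url(SHA-1(DER certificate))."""
    return hex_to_x5t(hashlib.sha1(der_cert).hexdigest())


def thumbprint_matches(der_cert: bytes, x5t: str) -> bool:
    """Verify that an x5t really identifies this certificate before relying on
    it (for example before writing the hex form to another secret)."""
    return hashlib.sha1(der_cert).hexdigest().upper() == x5t_to_hex(x5t)


if __name__ == "__main__":
    print(x5t_to_hex(X5T_SAMPLE))  # 6BD810CF098788A277BC7A0A85755316E32884C5
    print(der_to_x5t(FAKE_DER), thumbprint_matches(FAKE_DER, der_to_x5t(FAKE_DER)))
```

One caveat worth knowing when comparing values: the sample x5t in the question does not round-trip exactly. Its last character `X` carries two non-zero leftover bits, so re-encoding the decoded bytes yields `...FuMohMU` rather than `...FuMohMX`. Python's decoder ignores those bits, but a strict decoder may reject the string, so compare thumbprints on the decoded bytes (or their hex) rather than on the base64url text.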