Update Key Vault EC Key SECP256K1 curve name to P-256K
Currently there exists a breaking discrepancy between Azure Portal and Azure CLI.
When you create an EC Key via the Portal, the curve name in question is labelled as SECP256K1, and expects the signing algorithm to be ECDSA256.
This is the legacy naming convention (keyvault-preview). See https://docs.microsoft.com/en-us/cli/azure/ext/keyvault-preview/keyvault/key?view=azure-cli-latest#ext-keyvault-preview-az-keyvault-key-create
When you create the same type of key via Azure CLI, the curve name is P-256K and expects the signing algorithm to be ES256. This is the "release" naming convention. See https://docs.microsoft.com/en-us/cli/azure/keyvault/key?view=azure-cli-latest#az-keyvault-key-create
Functionally, these keys are identical. But the discrepancy in the naming convention makes it difficult for a project to support keys created both via Azure CLI as well as via the Azure Portal.
Fernando Colombo commented
The standard name used to be P-256K on first draft: https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-00. It was renamed to SECP256K1 later.
Eyal Roth commented
"P-256K" is in fact the wrong name, whereas "secp256k1" (lower case) is the correct one. This is per the latest IETF draft[¹] and mailing list[²].
The discrepancy is not just between the CLI and the portal, but within the REST API itself: Version 7.0 returns the value "SECP256K1" (upper case) upon a GET KEY operation of a SECP256K1 key, even though the documentation lists "P-256K" [³].
Furthermore, trying to sign with a secp256k1 key using the "ES256K" JWS algorithm via the REST API results in an error:
Key and signing algorithm are incompatible. Key https://myvault.vault.azure.net/keys/mykey/version uses curve 'SECP256K1', and algorithm 'ES256K' can only be used with curve 'P-256K'.
which is a bug (perhaps worthy of its own ticket?).
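One way for a project to cope with the naming discrepancy described in the original post, and with the REST 7.0 behaviour Eyal Roth reports (GET KEY returning "SECP256K1" while the documentation says "P-256K"), is to normalise the curve label on the client and then verify that the returned public point actually lies on secp256k1, so that a cosmetic name mismatch is accepted while a genuinely wrong curve is not. The following is an added example, not code from the original post, from Azure, or from any Key Vault SDK. It assumes the GET KEY response carries a JWK-shaped "key" object with "kty", "crv", "x" and "y" (the sample bodies are constructed here, with the curve generator points standing in for real public keys), and it pairs the curves with the JWS algorithms defined in RFC 7518 (ES256 for P-256) and RFC 8812 (ES256K for secp256k1), which is also the pairing the Key Vault error text quoted above implies.

```python
"""Added example (not from the original post or from Azure): normalise the
curve label Key Vault reports for an EC key and check that the public point
is really on secp256k1, so code can accept keys created via the Portal
("SECP256K1"), the CLI ("P-256K") and the IETF spelling ("secp256k1") alike.

Sample responses below are constructed in the shape of a Key Vault GET KEY
JWK ("kty", "crv", "x", "y"); the coordinates are the curve generators, not
keys from any real vault."""
import base64
import json

# secp256k1 domain parameters (SEC 2): y^2 = x^3 + 7 over GF(p)
K1_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
K1_GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
K1_GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
# P-256 / secp256r1 (FIPS 186-4): y^2 = x^3 - 3x + b over GF(p)
R1_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
R1_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
R1_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
R1_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5

CURVES = {"secp256k1": (K1_P, 0, 7), "P-256": (R1_P, R1_P - 3, R1_B)}

# JWS algorithm per curve: ES256 from RFC 7518, ES256K from RFC 8812 (the
# Key Vault error text quoted in the thread also pairs ES256K with P-256K).
JWS_ALG = {"secp256k1": "ES256K", "P-256": "ES256"}

# All spellings the thread reports for the same curve, compared case-insensitively
_K1_ALIASES = {"secp256k1", "p-256k", "p256k"}


def canonical_curve(crv):
    """Map SECP256K1 / P-256K / secp256k1 to 'secp256k1', P-256 to 'P-256'."""
    name = crv.strip().lower()
    if name in _K1_ALIASES:
        return "secp256k1"
    if name == "p-256":
        return "P-256"
    raise ValueError(f"unsupported curve name {crv!r}")


def on_curve(curve, x, y):
    """True if (x, y) satisfies the curve equation with both coordinates in range."""
    p, a, b = CURVES[curve]
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x + a * x + b)) % p == 0


def _b64url_to_int(s):
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")


def _int_to_b64url(n):
    return base64.urlsafe_b64encode(n.to_bytes(32, "big")).rstrip(b"=").decode()


def check_key(key_json):
    """Parse a GET KEY response, normalise its curve label, and verify the point.

    Returns (canonical curve, JWS alg). Raises ValueError for a non-EC key, an
    unknown label, or a point that is not on the curve the label claims."""
    key = json.loads(key_json)["key"]
    if key.get("kty") not in ("EC", "EC-HSM"):
        raise ValueError(f"not an EC key: kty={key.get('kty')!r}")
    curve = canonical_curve(key["crv"])
    x, y = _b64url_to_int(key["x"]), _b64url_to_int(key["y"])
    if not on_curve(curve, x, y):
        raise ValueError(f"label {key['crv']!r} says {curve}, but the point is not on it")
    return curve, JWS_ALG[curve]


def sample_response(crv, x, y):
    """Constructed GET KEY body (only the fields this check needs)."""
    return json.dumps({"key": {"kid": "https://myvault.vault.azure.net/keys/mykey/version",
                               "kty": "EC", "crv": crv,
                               "x": _int_to_b64url(x), "y": _int_to_b64url(y)}})


PORTAL_KEY = sample_response("SECP256K1", K1_GX, K1_GY)   # Portal / REST 7.0 label
CLI_KEY = sample_response("P-256K", K1_GX, K1_GY)         # CLI label
MISLABELLED = sample_response("SECP256K1", R1_GX, R1_GY)  # a P-256 point under a k1 label

if __name__ == "__main__":
    print(check_key(PORTAL_KEY))   # ('secp256k1', 'ES256K')
    print(check_key(CLI_KEY))      # ('secp256k1', 'ES256K')
    try:
        check_key(MISLABELLED)
    except ValueError as e:
        print("rejected:", e)
```

The point-on-curve check is what makes the normalisation safe: secp256k1 and P-256 have different field primes and different curve equations, so a coordinate pair from one will not satisfy the other, and a key whose label has been "fixed" by renaming alone is caught before anything is signed with it.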