[BUG] jarsigner + jca unable to retrieve certificate chain for signing #44085

Open
3 tasks done
Rozzly opened this issue Feb 7, 2025 · 4 comments
Labels
azure-spring All azure-spring related issues azure-spring-jca customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-triage Workflow: This issue needs the team to triage. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Rozzly commented Feb 7, 2025

Describe the bug
When using a valid, DigiCert-issued, non-exportable Azure Key Vault certificate to sign a .jar file with jarsigner + jca 2.10.0, the certificate chain retrieval appears to fail. Referencing: #41303

The trace below shows a repeated loop of "getCertificateChain", but this might be in reference to each item in the chain: Signer > Intermediate > Root

Exception or Stack Trace

INFO: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb 07, 2025 3:28:01 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb 07, 2025 3:28:02 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Feb 07, 2025 3:28:02 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: Code-Signing
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: Code-Signing
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: Code-Signing
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: Code-Signing
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: Code-Signing
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: Code-Signing
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Feb 07, 2025 3:28:05 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: Code-Signing
Feb 07, 2025 3:28:05 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: Code-Signing
Feb 07, 2025 3:28:05 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: Code-Signing
jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found

To Reproduce
Create a non-exportable code signing certificate from Azure Key Vault (RSA-HSM, 4096)
Sign the CSR through DigiCert
Merge the signing request with Azure Key Vault
Configure the app registration with secret, along with RBAC on Azure Key Vault for access
Install Amazon Corretto 17.0.14.7.1 on Windows
Open PowerShell and run the Code Snippet below (with variables populated)

Code Snippet

jarsigner `
-keystore NONE `
-storetype AzureKeyVault `
-signedjar signed.jar D:\Cert-Sign\tosign.jar Code-Signing `
-verbose `
-storepass ' ' `
-tsa http://timestamp.digicert.com `
-providerName AzureKeyVault `
-providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider `
"-J--module-path=${PARAM_JCA_PROVIDER_JAR_PATH}" `
"-J--add-modules=com.azure.security.keyvault.jca" `
"-J-Dazure.keyvault.uri=${KEYVAULT_URL}" `
"-J-Dazure.keyvault.tenant-id=${TENANT}" `
"-J-Dazure.keyvault.client-id=${CLIENT_ID}" `
"-J-Dazure.keyvault.client-secret=${CLIENT_SECRET}"

Expected behavior
The Jar file should be signed using the code signing certificate held in Azure.

Setup (please complete the following information):

  • OS: Windows
  • IDE: N/A
  • Library/Libraries: com.azure:azure-security-keyvault-jca:2.10.0
  • Java version: Amazon Corretto 17.0.14.7.1
  • App Server/Environment: N/A
  • Frameworks: N/A

Additional context
I was able to sign a JAR with jca 2.8.2, but I experienced the exact same issue described in Issue: #41832, which should have been fixed in release 2.10.0 via #41303.

Note that the validation tests use a "pkcs12-non-exportable-key.pfx" file; however, pem/pfx cannot be exported from Azure Key Vault when the certificate is generated with a non-exportable private key. Only the CER file can be exported from Azure Key Vault.

Using jca 2.10.0, the call dies at "INFO: Getting certificate chain for alias: Code-Signing" with "unable to instantiate keystore class: AZUREKEYVAULT not found".

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
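As an added diagnostic (not code from this issue or from the azure-security-keyvault-jca project), the following loads the same AzureKeyVault keystore that jarsigner instantiates and inspects what getCertificateChain returns for the alias, so a missing or mis-ordered chain can be told apart from a provider-loading failure. It assumes the provider jar is on the module path, that KeyVaultJcaProvider has a no-arg constructor, and that the keystore reads the azure.keyvault.* system properties shown in the issue's jarsigner command.

```java
import com.azure.security.keyvault.jca.KeyVaultJcaProvider;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Run with the same -D / --module-path / --add-modules flags passed to jarsigner via -J,
// e.g. java -Dazure.keyvault.uri=... --add-modules com.azure.security.keyvault.jca ChainCheck Code-Signing
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new KeyVaultJcaProvider());          // assumption: no-arg constructor
        KeyStore ks = KeyStore.getInstance("AzureKeyVault");       // same -storetype jarsigner uses
        ks.load(null, null);                                       // assumption: reads azure.keyvault.* properties

        String alias = args.length > 0 ? args[0] : "Code-Signing";
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.out.println("No chain returned for alias " + alias + " (this is what jarsigner needs)");
            return;
        }
        System.out.println("Chain length: " + chain.length);
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n",
                i, c.getSubjectX500Principal(), c.getIssuerX500Principal());
        }
        // Expected order is leaf -> intermediate -> root: each cert must verify under the next one's key.
        for (int i = 0; i + 1 < chain.length; i++) {
            try {
                chain[i].verify(chain[i + 1].getPublicKey());
            } catch (Exception e) {
                System.out.println("Chain order/signature problem between [" + i + "] and [" + (i + 1) + "]: " + e);
                return;
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        boolean selfSigned = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
        System.out.println(selfSigned
            ? "Chain is complete and ordered up to a self-signed root"
            : "Chain stops at a non-root certificate; the rest would have to come from -certchain");
    }
}
```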
@github-actions github-actions bot added customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Feb 7, 2025
@joshfree joshfree added azure-spring All azure-spring related issues azure-spring-jca labels Feb 11, 2025
@joshfree joshfree added needs-team-triage Workflow: This issue needs the team to triage. and removed needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Feb 11, 2025
joshfree (Member) commented

Thanks for reporting this, @Rozzly. Someone from the Azure Spring team will follow up with you.

/cc @saragluna

@saragluna saragluna added this to the 2025-03 milestone Feb 12, 2025
Rozzly commented Feb 12, 2025

I was able to get a temporary solution working by utilizing Java 8 and JCA 2.8.2. Using the solution found here, signing seems to work by adding the -certchain flag with the full PEM file/bundle downloaded from DigiCert.

I attempted using both Java 17 and 21 with JCA 2.10.0 with no luck. Reading through the bug comments, some suggested downloading the PEM file from DigiCert, and reversing the order of the certificates within, prior to merging the signed request with Azure Key Vault - this did not work for me.

Netyyyy commented Feb 14, 2025

Hi @Rozzly, you can find Java 9 or higher version usage in this blog.

Rozzly commented Feb 14, 2025

Hi @Rozzly, you can find Java 9 or higher version usage in this blog.

The blog link you posted is what I initially followed. This currently only works with Java 8 and JCA 2.8.1/2.8.2 when using the -certchain flag. (previous post)

JCA 2.10, which solves a few bugs (cert chain validation, key vault name), is not working with any of the Java versions (8, 17, 21).
