Description
Describe the bug
When using a valid, DigiCert-issued, non-exportable Azure Key Vault certificate to sign a .jar file with jarsigner + jca 2.10.0, the certificate chain retrieval appears to fail. Referencing: #41303
The trace below shows a repeated loop of "getCertificateChain", but this might correspond to each item in the chain: Signer > Intermediate > Root
Exception or Stack Trace
INFO: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb 07, 2025 3:28:01 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb 07, 2025 3:28:02 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Feb 07, 2025 3:28:02 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: Code-Signing
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: Code-Signing
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: Code-Signing
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Feb 07, 2025 3:28:03 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: Code-Signing
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: Code-Signing
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: Code-Signing
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient <init>
INFO: Using Azure Key Vault: https://xxx.vault.azure.net/
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Getting login URI using: https://xxx.vault.azure.net/certificates?api-version=7.1
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getLoginUri
INFO: Obtained login URI: https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Feb 07, 2025 3:28:04 PM com.azure.security.keyvault.jca.implementation.utils.AccessTokenUtil getAccessToken
INFO: Getting access token using client ID / client secret
Feb 07, 2025 3:28:05 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getKey
INFO: Getting key for alias: Code-Signing
Feb 07, 2025 3:28:05 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificate
INFO: Getting certificate for alias: Code-Signing
Feb 07, 2025 3:28:05 PM com.azure.security.keyvault.jca.implementation.KeyVaultClient getCertificateChain
INFO: Getting certificate chain for alias: Code-Signing
jarsigner error: java.lang.RuntimeException: unable to instantiate keystore class: AZUREKEYVAULT not found
To Reproduce
Create a non-exportable code signing certificate from Azure Key Vault (RSA-HSM, 4096)
Sign the CSR through DigiCert
Merge the signing request with Azure Key Vault
Configure the app registration with secret, along with RBAC on Azure Key Vault for access
Install Amazon Corretto 17.0.14.7.1 on Windows
Open PowerShell and run the code snippet below (with variables populated)
Code Snippet
jarsigner `
-keystore NONE `
-storetype AzureKeyVault `
-signedjar signed.jar D:\Cert-Sign\tosign.jar Code-Signing `
-verbose `
-storepass ' ' `
-tsa http://timestamp.digicert.com `
-providerName AzureKeyVault `
-providerClass com.azure.security.keyvault.jca.KeyVaultJcaProvider `
"-J--module-path=${PARAM_JCA_PROVIDER_JAR_PATH}" `
"-J--add-modules=com.azure.security.keyvault.jca" `
"-J-Dazure.keyvault.uri=${KEYVAULT_URL}" `
"-J-Dazure.keyvault.tenant-id=${TENANT}" `
"-J-Dazure.keyvault.client-id=${CLIENT_ID}" `
"-J-Dazure.keyvault.client-secret=${CLIENT_SECRET}"
Expected behavior
The Jar file should be signed using the code signing certificate held in Azure.
Setup (please complete the following information):
- OS: Windows
- IDE: N/A
- Library/Libraries: com.azure:azure-security-keyvault-jca:2.10.0
- Java version: Amazon Corretto 17.0.14.7.1
- App Server/Environment: N/A
- Frameworks: N/A
Additional context
I was able to sign a JAR with jca 2.8.2, but I experienced the exact same issue described in issue #41832, which should have been fixed in release 2.10.0 via #41303.
Note that the validation tests use a "pkcs12-non-exportable-key.pfx" file; however, a PEM/PFX cannot be exported from Azure Key Vault when the certificate is generated with a non-exportable private key. Only the CER file can be exported from Azure Key Vault.
Using jca 2.10.0, the call dies at "INFO: Getting certificate chain for alias: Code-Signing" with "unable to instantiate keystore class: AZUREKEYVAULT not found".
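A small diagnostic that separates the two failure points the trace mixes together (provider/keystore lookup vs. chain retrieval), written as an added example rather than code from the issue or from the azure-security-keyvault-jca project. It registers the provider class from the jarsigner command, opens the "AzureKeyVault" store type and lists the chain for the "Code-Signing" alias; it reads the same azure.keyvault.* properties from the page's KEYVAULT_URL, TENANT, CLIENT_ID and CLIENT_SECRET variables via the environment so the client secret does not appear on the command line, and it assumes (not confirmed by the page) that the provider's KeyStore reads those properties when loaded with a null stream.

```java
import com.azure.security.keyvault.jca.KeyVaultJcaProvider;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class KeyVaultChainCheck {

    // True when the last certificate is self-signed, i.e. the chain reached
    // the root instead of stopping at the signer certificate.
    static boolean endsInRoot(Certificate[] chain) {
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        return last.getSubjectX500Principal().equals(last.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "Code-Signing";

        // Same azure.keyvault.* properties the jarsigner call passes with -J-D...,
        // taken from the environment so the secret is not visible in process lists.
        System.setProperty("azure.keyvault.uri", System.getenv("KEYVAULT_URL"));
        System.setProperty("azure.keyvault.tenant-id", System.getenv("TENANT"));
        System.setProperty("azure.keyvault.client-id", System.getenv("CLIENT_ID"));
        System.setProperty("azure.keyvault.client-secret", System.getenv("CLIENT_SECRET"));

        Security.addProvider(new KeyVaultJcaProvider());

        // Step 1: keystore type lookup. A KeyStoreException here is the same
        // condition jarsigner reports as "keystore class: AZUREKEYVAULT not found".
        KeyStore ks = KeyStore.getInstance("AzureKeyVault");
        // Assumption: a null stream makes the provider read the azure.keyvault.* properties.
        ks.load(null, null);

        // Step 2: chain retrieval, the call the trace loops on before failing.
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            System.err.println("No certificate chain returned for alias " + alias);
            System.exit(1);
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate x = (X509Certificate) chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i,
                    x.getSubjectX500Principal(), x.getIssuerX500Principal());
        }
        System.out.println(chain.length + " certificate(s); root present: " + endsInRoot(chain));

        // Step 3: the private key handle jarsigner would sign with (never exported).
        System.out.println("Private key handle available: " + (ks.getKey(alias, null) != null));
    }
}
```

Run it with the provider jar on the classpath; if step 1 already throws, the problem is provider registration rather than the chain, and if the chain stops short of a self-signed root the Key Vault certificate was merged without its intermediates.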
Information Checklist
Kindly make sure that you have added all of the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.
- Bug Description Added
- Repro Steps Added
- Setup information Added